Pages

Wednesday, 16 November 2016

Site to Site IPsec VPN

CCNP Route (300-101) Lab: Configuring Site to Site IPsec VPN



Scenario: Site to Site VPN connects 2 different offices network to each other securely (encrypted traffic). End users do not require a VPN client to connect. Traffic will be routed through the VPN gateways. Users in 10.1.1.0/24 network will be connected via Site to Site VPN to users in 172.16.1.0/24 network.

VPN Configuration Steps

1. ISAKMP Policy
- Specifies the initial VPN security details

2. IPsec Details
- Specifies how the IPsec packets will be encapsulated

3. Crypto ACL
- Specifies the traffic that will trigger the VPN to activate

4. VPN Tunnel Information
- Creates the crypto map that combies ISAKMP policy, IPsec transform set, VPN peer address, and crypto ACL

5. Apply the Crypto Map
- Identifies which interface is actively looking to create a VPN

Configuration:

R1
en
conf t
host R1
int s0/0/0
ip add 1.1.1.1 255.255.255.0
no shut
int fa0/0
ip add 10.1.1.1 255.255.255.0
no shut
exit
router eigrp 1
network 1.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
no auto-summary
exit

crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key cisco123 address 2.2.2.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map HQ-MAP 10 ipsec-isakmp
set transform-set HQ-VPN
set peer 2.2.2.1
match address 110
exit 
int s0/0/0
crypto map HQ-MAP
exit

R2
en
conf t
host R2
int s0/0/0
ip add 1.1.1.2 255.255.255.0
no shut
int s0/0/1
ip add 2.2.2.2 255.255.255.0
no shut
exit
router eigrp 1
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
no auto-summary
exit

R3
en
conf t
host R3
int s0/0/1
ip add 2.2.2.1 255.255.255.0
no shut
int fa0/0
ip add 172.16.1.1 255.255.255.0
no shut
exit
router eigrp 1
network 2.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
exit

crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map HQ-MAP 10 ipsec-isakmp
set transform-set HQ-VPN
set peer 1.1.1.1
match address 110
exit 
int s0/0/1
crypto map HQ-MAP
exit

Show Commands:
To check whether the tunnel was successfully established, you may use the following show commands:

show crypto isakmp sa
show crypto ipsec sa
show crypto session
show crypto map

Example:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.1         1.1.1.1         QM_IDLE           1070    0 ACTIVE


IPv6 Crypto ISAKMP SA


R1#

Note: You must have basic knowledge of CCNA or equivalent as this is the prerequisite for CCNP. This lab is using Packet Tracer with C2811 router. Only C2811 and C1841 router images in Packet Tracer supports VPN commands.

No comments:

Post a Comment