How to Configure Site to Site IPSEC VPN on CISCO Routers

In this article I am going to configure a site-to-site IPsec VPN on Cisco routers. An IPsec VPN tunnel is used to secure communication between two different branches or networks over the Internet, and it is configured between two gateways. Data transmitted over the Internet is not secure by itself, which is why an IPsec VPN is needed. It provides confidentiality, integrity, authenticity and anti-replay protection, and there are algorithms that provide the encryption, integrity and authenticity. I am going to configure those algorithms on both Cisco routers.

There are five steps to configure an IPsec VPN on a Cisco router:

1. Configure ISAKMP Policy (Phase 1) – Configure five parameters; the Phase 1 parameters must be the same on both sides.

Encryption Method     – 3DES
Hashing Algorithm     – MD5
DH Group              – Group 2
Authentication Method – Pre-shared Key
Lifetime              – 86400

2. Transform Set (Phase 2)

Used to configure the IPsec Phase 2 parameters such as the encryption method, hashing algorithm, etc.

3. Extended ACL

Used to define which traffic will be sent through the VPN tunnel.

4. Crypto Map

Used to tie the ISAKMP and IPsec settings together.

5. Apply the crypto map on the exit interface.


Configure Site A Router

1. First of all, configure the ISAKMP policy (Phase 1).

Site-A(config)#crypto isakmp policy 2
Site-A(config-isakmp)#encryption 3des
Site-A(config-isakmp)#hash md5
Site-A(config-isakmp)#group 2
Site-A(config-isakmp)#authentication pre-share
Site-A(config-isakmp)#lifetime 86400
Site-A(config-isakmp)#exit

Define the pre-shared key for authentication with the peer router (10.1.1.2).

Site-A(config)#crypto isakmp key cisco123 address 10.1.1.2

IPsec Phase 2

2. Create IPsec Transform Set – Define the encryption method and hashing algorithm; the transform set is used to secure data in transit.

Site-A(config)#crypto ipsec transform-set MAAHI esp-3des esp-md5-hmac

Where "MAAHI" is the name of the transform set.

3. Create Extended ACL – Define which traffic will pass through the IPsec VPN.

Site-A(config)#ip access-list extended Site-B-Site-A
Site-A(config-ext-nacl)#permit ip 150.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255

4. Crypto Map – The crypto map maps the ISAKMP policy and the IPsec policy together. The ACL name given to match address must be the one created in step 3 (Site-B-Site-A here); a crypto map that references an ACL with a different name matches no traffic and the tunnel never comes up.

Site-A(config)#crypto map ROCK 10 ipsec-isakmp
Site-A(config-crypto-map)#set peer 10.1.1.2
Site-A(config-crypto-map)#set transform-set MAAHI
Site-A(config-crypto-map)#match address Site-B-Site-A

5. Now apply the crypto map on the router's outside interface.

Site-A(config)#interface s6/0
Site-A(config-if)#crypto map ROCK

*Aug 21 17:45:30.459: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

The Site A router configuration is now done. On the Site B router the same parameters must be used.

Configure Site B Router

The configuration is the same as on the Site A router except for the peer address and the ACL, so we have to know what parameters were used on the Site A router.

Site-B(config)#crypto isakmp policy 2
Site-B(config-isakmp)#encryption 3des
Site-B(config-isakmp)#hash md5
Site-B(config-isakmp)#group 2
Site-B(config-isakmp)#authentication pre-share
Site-B(config-isakmp)#lifetime 86400
Site-B(config-isakmp)#exit

Define the pre-shared key for authentication with the peer router (10.1.1.1).

Site-B(config)#crypto isakmp key cisco123 address 10.1.1.1

Phase 2 (IPsec)

Site-B(config)#crypto ipsec transform-set MAAHI esp-3des esp-md5-hmac

Site-B(config)#ip access-list extended Site-A-Site-B
Site-B(config-ext-nacl)#permit ip 160.1.1.0 0.0.0.255 150.1.1.0 0.0.0.255

4. Crypto Map – The crypto map maps the ISAKMP policy and the IPsec policy together. As on Site A, match address must name the ACL actually created on this router (Site-A-Site-B here).

Site-B(config)#crypto map ROCK 10 ipsec-isakmp
Site-B(config-crypto-map)#set peer 10.1.1.1
Site-B(config-crypto-map)#set transform-set MAAHI
Site-B(config-crypto-map)#match address Site-A-Site-B

5. Now apply the crypto map on the router's outside interface.

Site-B(config)#interface s6/1
Site-B(config-if)#crypto map ROCK

*Aug 21 17:45:30.459: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

The IPsec VPN is now configured on both site routers. Next you have to generate interesting traffic and check that the packets are encrypted.
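Before generating traffic it is worth checking the two configurations against each other, since most tunnels that fail to come up do so because of a mismatch between the sides. The following added example (my own code, not the article's) rebuilds the Site A and Site B commands above as constructed config text and checks the things both peers must agree on: the Phase 1 policy, the pre-shared key and the address it is bound to, the transform set, mirrored crypto ACLs, and that each crypto map's match address names an ACL that actually exists. The function names are my own.

```python
import re
# Constructed from the Site-A commands in the article (prompts stripped); not an article file.
SITE_A = """crypto isakmp policy 2
 encryption 3des
 hash md5
 group 2
 authentication pre-share
 lifetime 86400
crypto isakmp key cisco123 address 10.1.1.2
crypto ipsec transform-set MAAHI esp-3des esp-md5-hmac
ip access-list extended Site-B-Site-A
 permit ip 150.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
crypto map ROCK 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set MAAHI
 match address Site-A-Site-B
"""
# Site-B exactly as the article gives it: peer 10.1.1.1, ACL name and direction swapped.
SITE_B = (SITE_A.replace("10.1.1.2", "10.1.1.1")
          .replace("150.1.1.0 0.0.0.255 160.1.1.0", "160.1.1.0 0.0.0.255 150.1.1.0")
          .replace("extended Site-B-Site-A", "extended Site-A-Site-B")
          .replace("match address Site-A-Site-B", "match address Site-B-Site-A"))

def parse(cfg):
    """Pull out the values the two peers must agree on."""
    g = lambda pat: re.search(pat, cfg, re.M).groups()
    return {
        "phase1": re.findall(r"^ (encryption|hash|group|authentication|lifetime) (\S+)", cfg, re.M),
        "psk": g(r"crypto isakmp key (\S+) address (\S+)"),  # (key, peer it is bound to)
        "tset": g(r"transform-set \S+ (.+)$")[0],
        "acl": g(r"access-list extended (\S+)\n permit ip (\S+ \S+) (\S+ \S+)"),
        "peer": g(r"set peer (\S+)")[0],
        "match": g(r"match address (\S+)")[0],
    }

def check(a, b):
    """Return the mismatches that would keep the tunnel from coming up ([] = consistent)."""
    A, B = parse(a), parse(b)
    issues = []
    if A["phase1"] != B["phase1"]:
        issues.append("phase 1 policy parameters differ")
    if A["psk"][0] != B["psk"][0] or (A["psk"][1], B["psk"][1]) != (A["peer"], B["peer"]):
        issues.append("pre-shared key or the address it is bound to does not match the peer")
    if A["tset"] != B["tset"]:
        issues.append("transform sets differ")
    if (A["acl"][1], A["acl"][2]) != (B["acl"][2], B["acl"][1]):
        issues.append("crypto ACLs are not mirror images of each other")
    for site, p in (("Site-A", A), ("Site-B", B)):
        if p["match"] != p["acl"][0]:
            issues.append(f"{site}: crypto map matches ACL '{p['match']}' but the ACL is named '{p['acl'][0]}'")
    return issues
```

Run as written it reports the ACL-name mismatch on both sides; once match address names the ACL each router defines, the list is empty. The 3DES and MD5 choices pass this check but are legacy algorithms, so prefer AES and SHA-2 where the IOS image supports them.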

Testing & Verification

Now ping from source IP 150.1.1.1 to destination IP 160.1.1.1. The ping is successful.

Check Phase 1 Tunnel – ISAKMP SA

Command – show crypto isakmp sa

Check Phase 2 (IPsec Tunnel SA)

Command – show crypto ipsec sa

Check IPsec VPN Tunnel Session – current status of the VPN tunnel

Command – show crypto session
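The two checks above can be automated when a tunnel has to be verified repeatedly. This added example (my own code, not from the article) parses constructed samples of show crypto isakmp sa and show crypto ipsec sa output, modelled on IOS output for the addresses used here, to confirm that Phase 1 is in QM_IDLE/ACTIVE with the peer and that the encaps/decaps packet counters grew by the number of pings sent, which is the actual proof that traffic went through the tunnel rather than in the clear. Sample outputs and function names are assumptions.

```python
import re

# Constructed sample of "show crypto isakmp sa" on Site-A after the ping (not a real capture).
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.2        10.1.1.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

def ipsec_sa(n):
    """Constructed excerpt of "show crypto ipsec sa" on Site-A with n packets each way."""
    return f"""interface: Serial6/0
    Crypto map tag: ROCK, local addr 10.1.1.1

   local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (160.1.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
    #pkts encaps: {n}, #pkts encrypt: {n}, #pkts digest: {n}
    #pkts decaps: {n}, #pkts decrypt: {n}, #pkts verify: {n}
"""

def phase1_sas(text):
    """Return {(dst, src): (state, status)} for every ISAKMP SA line in the output."""
    return {(d, s): (st, status) for d, s, st, _, status in
            re.findall(r"^(\d[\d.]+)\s+(\d[\d.]+)\s+(\S+)\s+(\d+)\s+(\S+)$", text, re.M)}

def phase1_up(text, peer):
    """Phase 1 is usable only when the SA with `peer` is in QM_IDLE and ACTIVE."""
    return any(peer in key and val == ("QM_IDLE", "ACTIVE")
               for key, val in phase1_sas(text).items())

def counters(text):
    """Encaps/decaps packet counters: the evidence that traffic used the tunnel."""
    return {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}

def tunnel_carried(before, after, expected):
    """True when both directions grew by at least `expected` packets between two snapshots."""
    b, a = counters(before), counters(after)
    return all(a[k] - b[k] >= expected for k in ("encaps", "decaps"))
```

A Phase 1 SA in MM_NO_STATE, or counters that do not move while the ping succeeds, means the traffic is not being matched by the crypto ACL and is leaving the router unencrypted.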

Rakesh Kumar

Rakesh Kumar is a network engineer and a blogger. He is crazy about learning and writing about technology, tech and computer tips and tricks on his blog.