Configure Site to Site VPNs in Cisco 2911's

Quick presentation on the steps to build out a mesh site-to-site network using a Cisco 2911

  • http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/

Transcript

  • 1. CIS 264, Dan Morrill, Highline Community College
  • 2. What you need:
      • A static IP address on the EXTERNAL interface of your router
      • Needs to be in the 192.168.203.X range for this class (all examples will use this IP range)
      • Cisco 2911
      • Access to the router as exec
      • Patience
      • Remember to check your work before you commit the changes
      • Remember Write MEM
      • A backup of your router configuration before doing this
      • Just in case bad things happen to good people
  • 3. Resources:
      • http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/ provides a good step by step in case you need it
      • http://samcaldwell.net/index.php/technical-articles/3-how-to-articles/83-cisco-vpn-part-i provides good background support for setting up a site to site VPN in a Cisco router
      • http://www.fredshack.com/docs/vpnios.html somewhat convoluted but workable – use as a backup resource in case something goes wrong
  • 4. Create an IKE (Internet Key Exchange) policy for your router
      1. Router(config)#crypto isakmp policy 9
      2. Router(config-isakmp)#hash md5
      3. Router(config-isakmp)#authentication pre-share
  • 5. Router(config)#crypto isakmp key VPNKEY address 192.168.203.25
      • Where the VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end
      • VPNKEY = keyR7ToR5 to help with the naming convention
      • 192.168.203.25 the static public IP address of the other end
  • 6. Router(config)#crypto ipsec security-association lifetime seconds YYYYY
      • where YYYYY is the association's lifetime in seconds. It is usually set to 86400, which is one day.
  • 7. Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
      • Access-list AAA permit ip 192.168.203.25 0.0.0.255 192.168.203.26 0.0.0.255
      • Where 203.26 is the Active Directory server or other computer on the network that will pass data back and forth between racks in the VPN
      • Where WIL.DCA.RDM.ASK = wild card mask of the network, the reverse subnet for a flat “C” network
  • 8. Define the transformations set that will be used for the VPN connection
      • Router(config)#crypto ipsec transform-set SETNAME AAAA BBBB
      • Where SETNAME is the name of the transformations set. You can choose any name you like. Naming is important to keep track of the transforms
      • BBBB and CCCCC is the transformation set. I recommend the use of “esp-3des esp-md5-hmac”.
  • 9. Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
      Router(config-crypto-map)#set peer 192.168.203.25
      Router(config-crypto-map)#set transform-set SETNAME
      Router(config-crypto-map)#match address AAA
      • Where MAPNAME is a name of your choice for the crypto-map
      • PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto-map give it any number, for example 10.
      • 192.168.203.25 the static public IP address of the other end
      • SETNAME is the name of the transformations set that we configured in step 5
      • AAA is the number of the access-list that we created to define the traffic in step 4
  • 10. Router(config-if)#crypto map MAPNAME
      • where MAPNAME is the name of the crypto-map that we defined in step 6.
      • Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.
  • 11. Repeat steps 2, 4, 5, 6, 7 for each VPN you want to set up for each connection point
      • R3, R4, R5, R6, R7: in all you will have 5 VPN connections in your router configuration
      • Remember to skip step 3
      • This is step 3; it is a global configuration that will work on all VPNs connected to the router
      • Router(config)#crypto ipsec security-association lifetime seconds YYYYY
  • 12. Verify:
      • show crypto isakmp sa
      • show crypto ipsec sa
      • show crypto engine connections active
      • and show crypto map
      • All those should show what you entered
      • Then write mem
      • Then do a show run to see if everything took after write mem
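
An added example, not part of the original slides: a small Python check that cross-references the pieces built in the steps above (each crypto map's peer, transform set and access list, and whether the map is applied to an interface) and flags the MD5 and 3DES choices as legacy algorithms. The sample configuration is constructed from the deck's values; ACL number 101 and the interface name are assumptions.

```python
import re

# Constructed sample: the deck's steps for one peer; ACL 101 and the interface are assumptions.
SAMPLE = """\
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key keyR7ToR5 address 192.168.203.25
crypto ipsec security-association lifetime seconds 86400
access-list 101 permit ip 192.168.203.25 0.0.0.255 192.168.203.26 0.0.0.255
crypto ipsec transform-set SETNAME esp-3des esp-md5-hmac
crypto map MAPNAME 10 ipsec-isakmp
 set peer 192.168.203.25
 set transform-set SETNAME
 match address 101
interface GigabitEthernet0/0
 crypto map MAPNAME
"""

LEGACY = {"md5", "des", "3des", "esp-des", "esp-3des", "esp-md5-hmac"}
ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .*\n?)*)", re.M)

def audit(config):
    """Cross-check crypto map entries against keys, ACLs and transform sets."""
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    tsets = dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M))
    applied = set(re.findall(r"^ crypto map (\S+)$", config, re.M))
    findings = []
    for name, prio, body in ENTRY.findall(config):
        where = f"crypto map {name} {prio}"
        ref = lambda cmd: (re.findall(rf"^ {cmd} (\S+)", body, re.M) or [None])[0]
        for kind, value, known in (("isakmp key for peer", ref("set peer"), keyed),
                                   ("transform-set", ref("set transform-set"), tsets),
                                   ("access-list", ref("match address"), acls)):
            if value not in known:
                findings.append(f"{where}: no {kind} {value}")
        if name not in applied:
            findings.append(f"{where}: map not applied to any interface")
    for algo in re.findall(r"^ (?:hash|encryption) (\S+)", config, re.M):
        if algo in LEGACY:
            findings.append(f"isakmp policy: legacy algorithm {algo}")
    for name, algos in tsets.items():
        for algo in sorted(set(algos.split()) & LEGACY):
            findings.append(f"transform-set {name}: legacy algorithm {algo}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a saved copy of the running configuration from each router in the mesh; an empty result for the cross-reference checks means every crypto map points at a key, transform set and access list that exist.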