Transcript of "Configure Site to Site VPNs in Cisco 2911's"
CIS 264, Dan Morrill, Highline Community College
What you need:
A static IP address on the EXTERNAL interface of your router. It needs to be in the 192.168.203.X range for this class (all examples will use this IP range).
A Cisco 2911.
Access to the router as exec.
Patience.
Remember to check your work before you commit the changes.
Remember "write mem".
A backup of your router configuration before doing this, just in case bad things happen to good people.
References:
http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/ provides a good step-by-step guide in case you need it.
http://samcaldwell.net/index.php/technical-articles/3-how-to-articles/83-cisco-vpn-part-i provides good background support for setting up a site-to-site VPN in a Cisco router.
http://www.fredshack.com/docs/vpnios.html is somewhat convoluted but workable; use it as a backup resource in case something goes wrong.
Step 1. Create an IKE (Internet Key Exchange) policy for your router:
1. Router(config)#crypto isakmp policy 9
2. Router(config-isakmp)#hash md5
3. Router(config-isakmp)#authentication pre-share
Step 2. Set the pre-shared key for the peer:
Router(config)#crypto isakmp key VPNKEY address 192.168.203.25
Where VPNKEY is the shared key that you will use for the VPN; remember to set the same key on the other end. Use VPNKEY = keyR7ToR5 to help with the naming convention.
192.168.203.25 is the static public IP address of the other end.
Step 3. Set the security association lifetime:
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
Where YYYYY is the association's lifetime in seconds. It is usually set to 86400, which is one day.
Step 4. Define the traffic to be encrypted with an access list:
Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
For example: access-list AAA permit ip 192.168.203.25 0.0.0.255 192.168.203.26 0.0.0.255
Where 203.26 is the Active Directory server or other computer on the network that will pass data back and forth between racks in the VPN.
Where WIL.DCA.RDM.ASK is the wildcard mask of the network, the reverse subnet mask for a flat "C" network.
Step 5. Define the transform set that will be used for the VPN connection:
Router(config)#crypto ipsec transform-set SETNAME AAAA BBBB
Where SETNAME is the name of the transform set. You can choose any name you like; naming is important to keep track of the transforms.
AAAA BBBB are the transforms in the set. I recommend the use of "esp-3des esp-md5-hmac".
Step 6. Create the crypto map:
Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer 192.168.203.25
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA
Where MAPNAME is a name of your choice for the crypto map.
PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto map, give it any number, for example 10.
192.168.203.25 is the static public IP address of the other end.
SETNAME is the name of the transform set that we configured in step 5.
AAA is the number of the access list that we created to define the traffic in step 4.
Step 7. Apply the crypto map to the external interface (in interface configuration mode for that interface):
Router(config-if)#crypto map MAPNAME
Where MAPNAME is the name of the crypto map that we defined in step 6.
Now repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.
Repeat steps 2, 4, 5, 6 and 7 for each VPN you want to set up, one for each connection point (R3, R4, R5, R6, R7). In all you will have 5 VPN connections in your router configuration.
Remember to skip step 3. This is step 3; it is a global configuration that will work for all VPNs connected to the router:
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
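The steps above are easy to get wrong when they are repeated five times, and the usual failure is that the two ends of one tunnel disagree on a value that must match (the pre-shared key, the IKE hash, the transform set, or a crypto ACL that is not the mirror image of the far end's). The following Python script is an added example, not code from these slides or from Cisco: it renders steps 1 to 7 as IOS commands for every peer of one router and then cross-checks two routers' definitions of the same tunnel. The addresses 192.168.203.25 and 192.168.203.26 and the key keyR7ToR5 come from the slides; the router names, the 192.168.203.27 address for R7, the access-list number 101 and the interface name GigabitEthernet0/0 are constructed assumptions for the class network.

```python
"""Render and cross-check the site-to-site VPN steps from the slides.

Added example for this deck, not the author's or Cisco's code. Hostnames,
the 192.168.203.27 address for R7, ACL 101 and GigabitEthernet0/0 are
constructed assumptions; 192.168.203.25/.26 and keyR7ToR5 are from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    peer_ip: str     # static public IP of the far end ("set peer")
    psk: str         # pre-shared key; must be identical on both ends
    local_net: str   # protected address/network on this side (ACL source)
    remote_net: str  # protected address/network on the far side (ACL destination)
    acl: int         # access-list number (AAA in the slides)
    seq: int         # crypto-map sequence number (PRIORITY in the slides)


@dataclass(frozen=True)
class RouterVpn:
    name: str
    public_ip: str                       # this router's external address
    tunnels: tuple = ()
    isakmp_policy: int = 9
    isakmp_hash: str = "md5"
    transform_name: str = "VPNSET"
    transform: str = "esp-3des esp-md5-hmac"
    crypto_map: str = "VPNMAP"
    sa_lifetime: int = 86400             # step 3: global, entered once per router
    wildcard: str = "0.0.0.255"          # reverse mask of a flat class C network
    wan_interface: str = "GigabitEthernet0/0"   # assumption: the external interface


def render_config(r: RouterVpn) -> list[str]:
    """IOS commands in the order the slides give them (steps 1-7)."""
    cfg = [
        f"crypto isakmp policy {r.isakmp_policy}",
        f" hash {r.isakmp_hash}",
        " authentication pre-share",
        f"crypto ipsec security-association lifetime seconds {r.sa_lifetime}",
        f"crypto ipsec transform-set {r.transform_name} {r.transform}",
    ]
    for t in r.tunnels:
        # With wildcard 0.0.0.255, IOS matches the whole /24 containing the address.
        cfg += [
            f"crypto isakmp key {t.psk} address {t.peer_ip}",
            f"access-list {t.acl} permit ip {t.local_net} {r.wildcard} {t.remote_net} {r.wildcard}",
            f"crypto map {r.crypto_map} {t.seq} ipsec-isakmp",
            f" set peer {t.peer_ip}",
            f" set transform-set {r.transform_name}",
            f" match address {t.acl}",
        ]
    cfg += [f"interface {r.wan_interface}", f" crypto map {r.crypto_map}"]
    return cfg


def tunnel_mismatches(a: RouterVpn, b: RouterVpn) -> list[str]:
    """Reasons the a<->b tunnel would not negotiate; an empty list means consistent."""
    problems = []
    ta = next((t for t in a.tunnels if t.peer_ip == b.public_ip), None)
    tb = next((t for t in b.tunnels if t.peer_ip == a.public_ip), None)
    if ta is None or tb is None:
        return [f"{a.name}<->{b.name}: tunnel defined on only one end"]
    if a.isakmp_hash != b.isakmp_hash:
        problems.append(f"IKE hash differs: {a.isakmp_hash} vs {b.isakmp_hash}")
    if a.transform != b.transform:
        problems.append(f"transform set differs: {a.transform!r} vs {b.transform!r}")
    if ta.psk != tb.psk:
        problems.append("pre-shared keys differ")
    if (ta.local_net, ta.remote_net) != (tb.remote_net, tb.local_net):
        problems.append("crypto ACLs are not mirror images")
    return problems


# Constructed class-network example: R7 (assumed at .27) talking to R5 (.25 per the slides),
# protecting the AD server at .26 on the R5 side.
R7 = RouterVpn("R7", "192.168.203.27", tunnels=(
    Tunnel("192.168.203.25", "keyR7ToR5", "192.168.203.27", "192.168.203.26", 101, 10),
))
R5_OK = RouterVpn("R5", "192.168.203.25", tunnels=(
    Tunnel("192.168.203.27", "keyR7ToR5", "192.168.203.26", "192.168.203.27", 101, 10),
))
# The same far end with a different key and transform set: the tunnel would never come up.
R5_BAD = RouterVpn("R5", "192.168.203.25", transform="esp-aes esp-sha-hmac", tunnels=(
    Tunnel("192.168.203.27", "keyR5ToR7", "192.168.203.26", "192.168.203.27", 101, 10),
))

if __name__ == "__main__":
    print("\n".join(render_config(R7)))
    print("R7<->R5 (matching):", tunnel_mismatches(R7, R5_OK))
    print("R7<->R5 (mismatched):", tunnel_mismatches(R7, R5_BAD))
```

Run it as-is to see the rendered configuration for R7 and the two check results; to cover the full class setup, add one Tunnel per peer (R3 through R7) to the tunnels tuple with ascending sequence numbers, and run tunnel_mismatches against each partner's definition before committing with write mem.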
Verify your work:
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto map
All of those should show what you entered. Then write mem. Then do a show run to see if everything took after write mem.