SlideShare a Scribd company logo

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS

NetProtocol Xpert
NetProtocol Xpert

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS

Engineering
1 of 18
www.netprotocolxpert.in
 Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and video between two sites (e.g offices or branches). The VPN tunnel is created over the Internet public network and encrypted using a number of advanced encryption algorithms to provide confidentiality of the data transmitted between the two sites.  ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
 Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IPSec then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services. IPSECVPN REQUIREMENTS  To help make this an easy-to-follow exercise, we have split it into two steps that are required to get the Site-to-Site IPSecVPNTunnel to work. These steps are:  (1) Configure ISAKMP (ISAKMP Phase 1)  (2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
 Our example setup is between two branches of a small company, these are Site 1 and Site 2. Both the branch routers connect to the Internet and have a static IPAddress assigned by their ISP as shown on the diagram:  Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.
 IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.  To begin, we’ll start working on the Site 1 router (R1).  First step is to configure an ISAKMP Phase 1 policy: R1(config)# crypto isakmp policy 1 R1(config-isakmp)# encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 2 R1(config-isakmp)# lifetime 86400
 The Previous slide define the following (in listed order): 3DES -The encryption method to be used for Phase 1. MD5 -The hashing algorithm Pre-share - Use Pre-shared key as the authentication method Group 2 - Diffie-Hellman group to be used 86400 – Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. Value set is the default value.  We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.
 Next we are going to define a pre shared key for authentication with our peer (R2 router) by using the following command:  R1(config)# crypto isakmp key NPX address 1.1.1.2  The peer’s pre shared key is set to NPX and its public IP Address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2 (1.1.1.2), this pre shared key will be used.
 To configure IPSec we need to setup the following in order:  Create extended ACL  Create IPSecTransform  Create Crypto Map  Apply crypto map to the public interface
CREATING EXTENDEDACL  Next step is to create an access-list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would be traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access-lists that define VPN traffic are sometimes called crypto access-list or interesting traffic access-list. R1(config)# ip access-list extendedVPN-TRAFFIC R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
CREATE IPSECTRANSFORM (ISAKMP PHASE 2 POLICY)  Next step is to create the transform set used to protect our data.We’ve named this TS: R1(config)# crypto ipsec transform-set TS esp-3des esp- md5-hmac The above command defines the following:  ESP-3DES - Encryption method  MD5 - Hashing algorithm
CREATE CRYPTO MAP  The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together: R1(config)# crypto map CMAP 10 ipsec-isakmp R1(config-crypto-map)# set peer 1.1.1.2 R1(config-crypto-map)# set transform-set TS R1(config-crypto-map)# match addressVPN-TRAFFIC  We’ve named our crypto map CMAP. The ipsec- isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is only one peer declared in this crypto map (1.1.1.2), it is possible to have multiple peers within a given crypto map.
APPLY CRYPTO MAPTOTHE PUBLIC INTERFACE  The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1. R1(config)# interface FastEthernet0/1 R1(config- if)# crypto map CMAP  Note that you can assign only one crypto map to an interface.  As soon as we apply crypto map on the interface, we receive a message from the router that confirms isakmp is on: “ISAKMP is ON”.
 We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, with the only difference being the peer IP Addresses and access lists: R2(config)# crypto isakmp policy 1 R2(config-isakmp)# encr 3des R2(config-isakmp)# hash md5 R2(config-isakmp)# authentication pre-share R2(config-isakmp)# group 2 R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key NPX address 1.1.1.1 R2(config)# ip access-list extended VPN-TRAFFIC R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 R2(config)# crypto ipsec transform-set TS esp-3des esp- md5-hmac R2(config)# crypto map CMAP 10 ipsec-isakmp R2(config-crypto-map)# set peer 1.1.1.1 R2(config-crypto-map)# set transform-set TS R2(config-crypto-map)# match address VPN-TRAFFIC R2(config)# interface FastEthernet0/1 R2(config- if)# crypto map CMAP
NETWORK ADDRESS TRANSLATION (NAT) AND IPSEC VPNTUNNELS  Network Address Translation (NAT) is most likely to be configured to provide Internet access to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the router not to perform NAT (deny NAT) on packets destined to the remote VPN network(s).  This is easily done by inserting a deny statement at the beginning of the NAT access list
Router1: R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
Router2: R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any
BRINGING UP ANDVERIFYINGTHEVPNTUNNEL  At this point, we’ve completed our configuration and theVPNTunnel is ready to be brought up. To initiate the VPNTunnel, we need to force one packet to traverse the VPN and this can be achieved by pinging from one router to another  Ping- R1# ping 20.20.20.1 source fastethernet0/0  To verify theVPNTunnel- R1# show crypto session

Recommended

Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
CCNA R&S-13-Spanning Tree Protocol Implementation
CCNA R&S-13-Spanning Tree Protocol ImplementationCCNA R&S-13-Spanning Tree Protocol Implementation
CCNA R&S-13-Spanning Tree Protocol ImplementationAmir Jafari
 
CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5Nil Menon
 
Configuring GRE Tunnel Through a Cisco ASA Firewall
Configuring GRE Tunnel Through a Cisco ASA FirewallConfiguring GRE Tunnel Through a Cisco ASA Firewall
Configuring GRE Tunnel Through a Cisco ASA FirewallHarris Andrea
 
IP Routing Tutorial
IP Routing TutorialIP Routing Tutorial
IP Routing TutorialShortestPathFirst
 
CCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationCCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationDsunte Wilson
 
Dynamic Routing IGRP
Dynamic Routing IGRPDynamic Routing IGRP
Dynamic Routing IGRPKishore Kumar
 
IPv6
IPv6IPv6
IPv6Suman Bose
 

Recommended

Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
CCNA R&S-13-Spanning Tree Protocol Implementation
CCNA R&S-13-Spanning Tree Protocol ImplementationCCNA R&S-13-Spanning Tree Protocol Implementation
CCNA R&S-13-Spanning Tree Protocol ImplementationAmir Jafari
 
CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5Nil Menon
 
Configuring GRE Tunnel Through a Cisco ASA Firewall
Configuring GRE Tunnel Through a Cisco ASA FirewallConfiguring GRE Tunnel Through a Cisco ASA Firewall
Configuring GRE Tunnel Through a Cisco ASA FirewallHarris Andrea
 
IP Routing Tutorial
IP Routing TutorialIP Routing Tutorial
IP Routing TutorialShortestPathFirst
 
CCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationCCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationDsunte Wilson
 
Dynamic Routing IGRP
Dynamic Routing IGRPDynamic Routing IGRP
Dynamic Routing IGRPKishore Kumar
 
IPv6
IPv6IPv6
IPv6Suman Bose
 
DMVPN
DMVPNDMVPN
DMVPNNetProtocol Xpert
 
Static Routing
Static RoutingStatic Routing
Static RoutingKishore Kumar
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentationstolentears
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.pptEdgardo Scrimaglia
 
Firewall
FirewallFirewall
FirewallSaurabh Chauhan
 
CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 07CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 07Irsandi Hasan
 
Vpn(virtual private network)
Vpn(virtual private network)Vpn(virtual private network)
Vpn(virtual private network)sonangrai
 
VPN
VPNVPN
VPNShiraz316
 
Switch configuration
Switch configurationSwitch configuration
Switch configurationMuuluu
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)Netwax Lab
 
Mininet Basics
Mininet BasicsMininet Basics
Mininet BasicsEueung Mulyana
 
Cisco switch commands cheat sheet
Cisco switch commands cheat sheetCisco switch commands cheat sheet
Cisco switch commands cheat sheet3Anetwork com
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA FirewallsBryley Systems Inc.
 
Ports and protocols
Ports and protocolsPorts and protocols
Ports and protocolsKailash Kumar
 
Chapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingChapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingteknetir
 
Cisco Router Basic Configuration
Cisco Router Basic ConfigurationCisco Router Basic Configuration
Cisco Router Basic ConfigurationProf. Erwin Globio
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guideMDEMARCOCCIE
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseHarris Andrea
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway ProtocolKashif Latif
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 

More Related Content

What's hot

Vpn presentation
Vpn presentationVpn presentation
Vpn presentationstolentears
 
CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 07CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 07Irsandi Hasan
 
Vpn(virtual private network)
Vpn(virtual private network)Vpn(virtual private network)
Vpn(virtual private network)sonangrai
 
Switch configuration
Switch configurationSwitch configuration
Switch configurationMuuluu
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)Netwax Lab
 
Cisco switch commands cheat sheet
Cisco switch commands cheat sheetCisco switch commands cheat sheet
Cisco switch commands cheat sheet3Anetwork com
 
Chapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingChapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingteknetir
 
Cisco Router Basic Configuration
Cisco Router Basic ConfigurationCisco Router Basic Configuration
Cisco Router Basic ConfigurationProf. Erwin Globio
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guideMDEMARCOCCIE
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseHarris Andrea
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway ProtocolKashif Latif
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 

What's hot (20)

DMVPN
DMVPNDMVPN
DMVPN
 
Static Routing
Static RoutingStatic Routing
Static Routing
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentation
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
 
Firewall
FirewallFirewall
Firewall
 
CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 07CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 07
 
Vpn(virtual private network)
Vpn(virtual private network)Vpn(virtual private network)
Vpn(virtual private network)
 
VPN
VPNVPN
VPN
 
Switch configuration
Switch configurationSwitch configuration
Switch configuration
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)
 
Mininet Basics
Mininet BasicsMininet Basics
Mininet Basics
 
Cisco switch commands cheat sheet
Cisco switch commands cheat sheetCisco switch commands cheat sheet
Cisco switch commands cheat sheet
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
Ports and protocols
Ports and protocolsPorts and protocols
Ports and protocols
 
Chapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingChapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routing
 
Cisco Router Basic Configuration
Cisco Router Basic ConfigurationCisco Router Basic Configuration
Cisco Router Basic Configuration
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guide
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway Protocol
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
 

Viewers also liked

IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASAОсновные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASACisco Russia
 
Site to Site VPN Using TMG Firewall. University Final Presentation.
Site to Site VPN Using TMG Firewall. University Final Presentation.Site to Site VPN Using TMG Firewall. University Final Presentation.
Site to Site VPN Using TMG Firewall. University Final Presentation.Muhammad Farooq Hussain
 
Ubuntu SSL VPN
Ubuntu SSL VPNUbuntu SSL VPN
Ubuntu SSL VPNsharetech
 
Site to Site VPN CISCO ASA
Site to Site VPN CISCO ASASite to Site VPN CISCO ASA
Site to Site VPN CISCO ASARahul E
 
Network Service in OpenStack Cloud, by Yaohui Jin
Network Service in OpenStack Cloud, by Yaohui JinNetwork Service in OpenStack Cloud, by Yaohui Jin
Network Service in OpenStack Cloud, by Yaohui JinHui Cheng
 
Cyberoam SSL VPN
Cyberoam SSL VPNCyberoam SSL VPN
Cyberoam SSL VPNAjay Nawani
 
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718guest75224e4
 
my presentation on vpn
my presentation on vpnmy presentation on vpn
my presentation on vpnjadeja dhanraj
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsMustafa Khaleel
 
Troubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNsTroubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNsThousandEyes
 
SSL VPN from your android phone
SSL VPN from your android phoneSSL VPN from your android phone
SSL VPN from your android phonesharetech
 
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wikiIp sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wikiHuy Eav
 
Fortigate Hand Book
Fortigate Hand BookFortigate Hand Book
Fortigate Hand BookYusuf Usmani
 

Viewers also liked (20)

IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
IPSec VPN Basics
IPSec VPN BasicsIPSec VPN Basics
IPSec VPN Basics
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASAОсновные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
 
Site to Site VPN Using TMG Firewall. University Final Presentation.
Site to Site VPN Using TMG Firewall. University Final Presentation.Site to Site VPN Using TMG Firewall. University Final Presentation.
Site to Site VPN Using TMG Firewall. University Final Presentation.
 
Ubuntu SSL VPN
Ubuntu SSL VPNUbuntu SSL VPN
Ubuntu SSL VPN
 
Vpn 3
Vpn 3Vpn 3
Vpn 3
 
Site to Site VPN CISCO ASA
Site to Site VPN CISCO ASASite to Site VPN CISCO ASA
Site to Site VPN CISCO ASA
 
Network Service in OpenStack Cloud, by Yaohui Jin
Network Service in OpenStack Cloud, by Yaohui JinNetwork Service in OpenStack Cloud, by Yaohui Jin
Network Service in OpenStack Cloud, by Yaohui Jin
 
Cyberoam SSL VPN
Cyberoam SSL VPNCyberoam SSL VPN
Cyberoam SSL VPN
 
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
 
my presentation on vpn
my presentation on vpnmy presentation on vpn
my presentation on vpn
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnels
 
Troubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNsTroubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNs
 
VSS_Final
VSS_FinalVSS_Final
VSS_Final
 
Spring Ldap
Spring LdapSpring Ldap
Spring Ldap
 
SSL VPN from your android phone
SSL VPN from your android phoneSSL VPN from your android phone
SSL VPN from your android phone
 
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wikiIp sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
 
Fortigate Hand Book
Fortigate Hand BookFortigate Hand Book
Fortigate Hand Book
 

Similar to SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS

I psec tunnel vs transport mode
I psec tunnel vs transport modeI psec tunnel vs transport mode
I psec tunnel vs transport modeIT Tech
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersConfiguring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersphosika sithisane
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationdborsan
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pixangelitoh11
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Netwax Lab
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Báo cáo thực tập athena trần trọng thái
Báo cáo thực tập athena trần trọng tháiBáo cáo thực tập athena trần trọng thái
Báo cáo thực tập athena trần trọng tháitran thai
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands OverviewMuhammed Niyas
 
Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01slavenvvv
 
Cisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA ConfigurationCisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA ConfigurationHamed Moghaddam
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network securityThanawan Tuamyim
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).pptDeep Rajan
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterNetProtocol Xpert
 

Similar to SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS (20)

I psec tunnel vs transport mode
I psec tunnel vs transport modeI psec tunnel vs transport mode
I psec tunnel vs transport mode
 
Lan to lan vpn
Lan to lan vpnLan to lan vpn
Lan to lan vpn
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Server
 
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersConfiguring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configuration
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Báo cáo thực tập athena trần trọng thái
Báo cáo thực tập athena trần trọng tháiBáo cáo thực tập athena trần trọng thái
Báo cáo thực tập athena trần trọng thái
 
IPSec VPN
IPSec VPNIPSec VPN
IPSec VPN
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands Overview
 
Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01
 
Cisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA ConfigurationCisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA Configuration
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).ppt
 
Day 11 eigrp
Day 11 eigrpDay 11 eigrp
Day 11 eigrp
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS Router
 

More from NetProtocol Xpert

Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationNetProtocol Xpert
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)NetProtocol Xpert
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data planeNetProtocol Xpert
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPNetProtocol Xpert
 
Avoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandAvoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandNetProtocol Xpert
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesNetProtocol Xpert
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)NetProtocol Xpert
 
OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)NetProtocol Xpert
 

More from NetProtocol Xpert (20)

Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & Mitigation
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
 
IP Source Guard
IP Source Guard IP Source Guard
IP Source Guard
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
 
Password Recovery
Password RecoveryPassword Recovery
Password Recovery
 
Application & Data Center
Application & Data CenterApplication & Data Center
Application & Data Center
 
Cisco ISR 4351 Router
Cisco ISR 4351 RouterCisco ISR 4351 Router
Cisco ISR 4351 Router
 
Cisco ASR 1001-X Router
Cisco ASR 1001-X RouterCisco ASR 1001-X Router
Cisco ASR 1001-X Router
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data plane
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAP
 
Avoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandAvoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a command
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and Switches
 
Private VLANs
Private VLANsPrivate VLANs
Private VLANs
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)
 
OTV Configuration
OTV ConfigurationOTV Configuration
OTV Configuration
 
Cisco OTV 
Cisco OTV Cisco OTV 
Cisco OTV 
 
OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)
 

Recently uploaded

Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Christo Ananth
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01KreezheaRecto
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 

Recently uploaded (20)

Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS

  • 2.  Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and video between two sites (e.g offices or branches). The VPN tunnel is created over the Internet public network and encrypted using a number of advanced encryption algorithms to provide confidentiality of the data transmitted between the two sites.  ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
  • 3.  Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IPSec then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services. IPSECVPN REQUIREMENTS  To help make this an easy-to-follow exercise, we have split it into two steps that are required to get the Site-to-Site IPSecVPNTunnel to work. These steps are:  (1) Configure ISAKMP (ISAKMP Phase 1)  (2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
  • 4.  Our example setup is between two branches of a small company, these are Site 1 and Site 2. Both the branch routers connect to the Internet and have a static IPAddress assigned by their ISP as shown on the diagram:  Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.
  • 5.  IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.  To begin, we’ll start working on the Site 1 router (R1).  First step is to configure an ISAKMP Phase 1 policy: R1(config)# crypto isakmp policy 1 R1(config-isakmp)# encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 2 R1(config-isakmp)# lifetime 86400
  • 6.  The Previous slide define the following (in listed order): 3DES -The encryption method to be used for Phase 1. MD5 -The hashing algorithm Pre-share - Use Pre-shared key as the authentication method Group 2 - Diffie-Hellman group to be used 86400 – Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. Value set is the default value.  We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.
  • 7.  Next we are going to define a pre shared key for authentication with our peer (R2 router) by using the following command:  R1(config)# crypto isakmp key NPX address 1.1.1.2  The peer’s pre shared key is set to NPX and its public IP Address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2 (1.1.1.2), this pre shared key will be used.
  • 8.  To configure IPSec we need to setup the following in order:  Create extended ACL  Create IPSecTransform  Create Crypto Map  Apply crypto map to the public interface
  • 9. CREATING EXTENDEDACL  Next step is to create an access-list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would be traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access-lists that define VPN traffic are sometimes called crypto access-list or interesting traffic access-list. R1(config)# ip access-list extendedVPN-TRAFFIC R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  • 10. CREATE IPSECTRANSFORM (ISAKMP PHASE 2 POLICY)  Next step is to create the transform set used to protect our data.We’ve named this TS: R1(config)# crypto ipsec transform-set TS esp-3des esp- md5-hmac The above command defines the following:  ESP-3DES - Encryption method  MD5 - Hashing algorithm
  • 11. CREATE CRYPTO MAP  The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together: R1(config)# crypto map CMAP 10 ipsec-isakmp R1(config-crypto-map)# set peer 1.1.1.2 R1(config-crypto-map)# set transform-set TS R1(config-crypto-map)# match addressVPN-TRAFFIC  We’ve named our crypto map CMAP. The ipsec- isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is only one peer declared in this crypto map (1.1.1.2), it is possible to have multiple peers within a given crypto map.
  • 12. APPLY CRYPTO MAPTOTHE PUBLIC INTERFACE  The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1. R1(config)# interface FastEthernet0/1 R1(config- if)# crypto map CMAP  Note that you can assign only one crypto map to an interface.  As soon as we apply crypto map on the interface, we receive a message from the router that confirms isakmp is on: “ISAKMP is ON”.
  • 13.  We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, with the only difference being the peer IP Addresses and access lists: R2(config)# crypto isakmp policy 1 R2(config-isakmp)# encr 3des R2(config-isakmp)# hash md5 R2(config-isakmp)# authentication pre-share R2(config-isakmp)# group 2 R2(config-isakmp)# lifetime 86400
  • 14. R2(config)# crypto isakmp key NPX address 1.1.1.1 R2(config)# ip access-list extended VPN-TRAFFIC R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 R2(config)# crypto ipsec transform-set TS esp-3des esp- md5-hmac R2(config)# crypto map CMAP 10 ipsec-isakmp R2(config-crypto-map)# set peer 1.1.1.1 R2(config-crypto-map)# set transform-set TS R2(config-crypto-map)# match address VPN-TRAFFIC R2(config)# interface FastEthernet0/1 R2(config- if)# crypto map CMAP
  • 15. NETWORK ADDRESS TRANSLATION (NAT) AND IPSEC VPNTUNNELS  Network Address Translation (NAT) is most likely to be configured to provide Internet access to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the router not to perform NAT (deny NAT) on packets destined to the remote VPN network(s).  This is easily done by inserting a deny statement at the beginning of the NAT access list
  • 16. Router1: R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
  • 17. Router2: R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any
  • 18. BRINGING UP ANDVERIFYINGTHEVPNTUNNEL  At this point, we’ve completed our configuration and theVPNTunnel is ready to be brought up. To initiate the VPNTunnel, we need to force one packet to traverse the VPN and this can be achieved by pinging from one router to another  Ping- R1# ping 20.20.20.1 source fastethernet0/0  To verify theVPNTunnel- R1# show crypto session