Configure Site to Site VPNs in Cisco 2911's



Quick presentation on the steps to build out a mesh site to site network using a cisco 2911

Published in: Education, Technology
    1. CIS 264, Dan Morrill, Highline Community College
    2. What you need:
       • A static IP address on the EXTERNAL interface of your router. It needs to be in the 192.168.203.X range for this class (all examples will use this IP range).
       • A Cisco 2911.
       • Access to the router in privileged EXEC (enable) mode.
       • Patience.
       • Remember to check your work before you commit the changes, and remember to write mem afterwards.
       • A backup of your router configuration before doing this, just in case bad things happen to good people.
    3. Three reference pages:
       • One provides a good step-by-step in case you need it.
       • Another provides good background support for setting up a site-to-site VPN in a Cisco router.
       • A third is convoluted but workable; use it as a backup resource in case something goes wrong.
    4. Step 1: Create an IKE (Internet Key Exchange) policy for your router:
       Router(config)#crypto isakmp policy 9
       Router(config-isakmp)#hash md5
       Router(config-isakmp)#authentication pre-share
       Only the hash and the authentication method are set here; the encryption algorithm and Diffie-Hellman group stay at the IOS defaults (DES and group 1) unless you set them explicitly with encryption and group. Every attribute of the policy has to match a policy on the other end, and on images that support them aes, sha256 and group 14 are the stronger choices.
    5. Step 2: Router(config)#crypto isakmp key VPNKEY address 192.168.203.25
       • VPNKEY is the shared key that you will use for the VPN; remember to set the same key on the other end. The two ends must hold the identical string: if R7 enters keyR7ToR5 and R5 enters keyR5ToR7, phase 1 will never complete.
       • VPNKEY = keyR7ToR5 to help with the naming convention.
       • 192.168.203.25 is the static public IP address of the other end.
    6. Step 3: Router(config)#crypto ipsec security-association lifetime seconds YYYYY
       where YYYYY is the security association's lifetime in seconds. It is usually set to 86400, which is one day. This is a global setting that applies to every VPN on the router, so it is entered once.
    7. Step 4: Define the traffic that will go through the VPN with an access list:
       Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
       • AAA is the access-list number; a source-and-destination permit ip entry needs an extended access list (100-199).
       • SSS.SSS.SSS.SSS is the local source and DDD.DDD.DDD.DDD the remote destination. In the class example 192.168.203.26 is the Active Directory server or other computer on the network that will pass data back and forth between racks in the VPN.
       • WIL.DCA.RDM.ASK is the wildcard mask of the network, the reverse of the subnet mask: 0.0.0.255 for a flat "C" (/24) network.
       • The access list on the other end must be the mirror image (its source is your destination and vice versa); otherwise the two ends will not agree on which traffic to protect and phase 2 fails.
    8. Step 5: Define the transform set that will be used for the VPN connection:
       Router(config)#crypto ipsec transform-set SETNAME AAAA BBBB
       • SETNAME is the name of the transform set. You can choose any name you like; naming is important to keep track of the transforms.
       • AAAA BBBB is the transform set itself (the encryption transform and the authentication transform). I recommend the use of "esp-3des esp-md5-hmac". Note that 3DES and MD5 are legacy algorithms; "esp-aes esp-sha-hmac" is the stronger choice where both ends support it, and whichever set you pick must be identical on both ends.
    9. Step 6: Create the crypto map:
       Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
       Router(config-crypto-map)#set peer PEER
       Router(config-crypto-map)#set transform-set SETNAME
       Router(config-crypto-map)#match address AAA
       • MAPNAME is a name of your choice for the crypto map.
       • PRIORITY is the sequence number (priority) of this entry over other entries in the same map. If this is your only crypto map entry give it any number, for example 10.
       • PEER is the static public IP address of the other end.
       • SETNAME is the name of the transform set that we configured in step 5.
       • AAA is the number of the access list that we created to define the traffic in step 4.
    10. Step 7: Apply the crypto map to the external interface (enter the interface first with interface <name>):
        Router(config-if)#crypto map MAPNAME
        where MAPNAME is the name of the crypto map that we defined in step 6. An interface carries only one crypto map, so every VPN on this router must use the same MAPNAME with its own PRIORITY; applying a map with a different name replaces the one already there.
        Now repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.
    11. Repeat steps 2, 4, 5, 6 and 7 for each VPN you want to set up, for each connection point (R3, R4, R5, R6, R7); in all you will have 5 VPN connections in your router configuration. Remember to skip step 3: it is a global configuration that works on all VPNs connected to the router, so Router(config)#crypto ipsec security-association lifetime seconds YYYYY is entered only once (the same goes for the IKE policy in step 1). When repeating step 6, keep the same MAPNAME and give each peer its own PRIORITY and its own access list; step 5 can also be skipped if every peer uses the same transform set, and re-entering the same crypto map MAPNAME on the interface in step 7 is harmless.
    12. Verify with:
        show crypto isakmp sa
        show crypto ipsec sa
        show crypto engine connections active
        show crypto map
        All of those should show what you entered. show crypto map reflects the configuration immediately; the ISAKMP and IPsec security associations only appear after traffic matching the access list has tried to cross the tunnel, and a peer listed in state QM_IDLE under show crypto isakmp sa means phase 1 completed. Then write mem, then do a show run to see if everything took after the write mem.
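The whole procedure (steps 1 to 7) and the per-peer repetition of slide 11, as an added example that is not part of the original deck: a Python script that emits the IOS configuration for each router of a small mesh, then reads the configs back and cross-checks every pair for the two mistakes that otherwise surface only as an empty show crypto isakmp sa, a pre-shared key typed differently on the two ends and crypto access lists that are not mirror images. Router names, the 192.168.203.X external addresses, the 10.x.0.0 LAN subnets, the GigabitEthernet0/0 interface, the ACL and sequence numbers, and the choice of AES, SHA-256 and group 14 in place of the deck's MD5 and 3DES are all assumptions (the algorithm choices need an IOS 15 image that supports them).

```python
"""Generate and cross-check Cisco IOS site-to-site IPsec configs for a full mesh.

Added example, not part of the original slides. Router names, external addresses,
LAN subnets, the interface name and the ACL/sequence numbers are assumptions.
"""
from __future__ import annotations

import re
from itertools import combinations

# Constructed lab data: router -> (external IP in the class's 192.168.203.X range, LAN network)
ROUTERS = {
    "R3": ("192.168.203.3", "10.3.0.0"),
    "R5": ("192.168.203.25", "10.5.0.0"),
    "R7": ("192.168.203.27", "10.7.0.0"),
}
WILDCARD = "0.0.0.255"          # wildcard mask of a flat /24, the reverse of 255.255.255.0
EXT_IF = "GigabitEthernet0/0"   # assumed external interface of the 2911
MAP_NAME = "VPNMAP"             # one crypto map per interface; peers get separate sequence numbers
TS_NAME = "TS-MESH"             # one transform set shared by every peer


def pair_key(a: str, b: str) -> str:
    """Pre-shared key for a router pair. Both ends must enter the identical string,
    so the pair is sorted: R5 and R7 both derive keyR5ToR7 instead of one side
    keyR7ToR5 and the other keyR5ToR7. (Lab convention; use long random keys for real.)"""
    lo, hi = sorted((a, b))
    return f"key{lo}To{hi}"


def router_config(name: str) -> list[str]:
    """IOS configuration lines for one router, following the deck's steps 1-7."""
    lan = ROUTERS[name][1]
    lines = [
        # Step 1, once per router: IKE phase 1 policy. The deck sets only hash and
        # authentication; encryption and group are set explicitly here so the policy
        # does not fall back to the IOS defaults (DES, group 1).
        "crypto isakmp policy 9",
        " encryption aes",
        " hash sha256",
        " authentication pre-share",
        " group 14",
        # Step 3, once per router: global IPsec SA lifetime (one day).
        "crypto ipsec security-association lifetime seconds 86400",
        # Step 5, once is enough: the same transform set serves every peer.
        f"crypto ipsec transform-set {TS_NAME} esp-aes esp-sha-hmac",
    ]
    # Steps 2, 4 and 6 are repeated per peer.
    for seq, (peer, (peer_ip, peer_lan)) in enumerate(sorted(ROUTERS.items()), start=1):
        if peer == name:
            continue
        acl = 100 + seq  # extended ACL (100-199): needed for "permit ip src wild dst wild"
        lines.append(f"crypto isakmp key {pair_key(name, peer)} address {peer_ip}")
        lines.append(f"access-list {acl} permit ip {lan} {WILDCARD} {peer_lan} {WILDCARD}")
        lines += [
            f"crypto map {MAP_NAME} {seq * 10} ipsec-isakmp",
            f" set peer {peer_ip}",
            f" set transform-set {TS_NAME}",
            f" match address {acl}",
        ]
    # Step 7: an interface carries exactly one crypto map, so every peer shares MAP_NAME.
    lines += [f"interface {EXT_IF}", f" crypto map {MAP_NAME}"]
    return lines


def parse_peers(lines: list[str]) -> dict[str, tuple[str, str, str]]:
    """Read a config back: peer IP -> (pre-shared key, crypto ACL source, crypto ACL destination)."""
    keys: dict[str, str] = {}
    acls: dict[str, tuple[str, str]] = {}
    peers: dict[str, tuple[str, str, str]] = {}
    current_peer = ""
    for line in lines:
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]
        elif m := re.match(r"access-list (\d+) permit ip (\S+) \S+ (\S+) \S+", line):
            acls[m[1]] = (m[2], m[3])
        elif m := re.match(r" set peer (\S+)", line):
            current_peer = m[1]
        elif m := re.match(r" match address (\d+)", line):
            src, dst = acls[m[1]]
            peers[current_peer] = (keys[current_peer], src, dst)
    return peers


def mesh_configs() -> dict[str, list[str]]:
    return {name: router_config(name) for name in ROUTERS}


def check_mesh(configs: dict[str, list[str]]) -> list[str]:
    """Pairwise checks: the same key on both ends, and crypto ACLs that are mirror
    images. Returns the list of problems; empty means the mesh is consistent."""
    problems = []
    parsed = {name: parse_peers(cfg) for name, cfg in configs.items()}
    for a, b in combinations(sorted(ROUTERS), 2):
        ip_a, ip_b = ROUTERS[a][0], ROUTERS[b][0]
        key_ab, src_ab, dst_ab = parsed[a][ip_b]
        key_ba, src_ba, dst_ba = parsed[b][ip_a]
        if key_ab != key_ba:
            problems.append(f"{a}<->{b}: pre-shared keys differ ({key_ab} vs {key_ba})")
        if (src_ab, dst_ab) != (dst_ba, src_ba):
            problems.append(f"{a}<->{b}: crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    print("\n".join(router_config("R7")))
    print("problems:", check_mesh(mesh_configs()))
```

Running the script prints R7's configuration in the order the deck enters it: the policy, lifetime and transform set once, then a key, an access list and a crypto map entry (sequence 10 and 20 under the single name VPNMAP) for each of R3 and R5, and finally the one crypto map command on the external interface. The read-back check is deliberately done on the emitted text rather than on the generator's own data so that a hand-edited config, the usual source of a key typo, is checked the same way.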