A Virtual Private Network (VPN) uses a shared network infrastructure (the Internet) to provide secure access between two networks, or to connect a remote user securely to their corporate network.
Here is how to configure a site-to-site VPN using a pre-shared key on Cisco routers running Cisco IOS.
Let's use an HQ-branch office network setup with the following parameters:
Authentication Method: Pre-Shared Key
Encryption Algorithm: 3DES
Hash Algorithm: SHA
HQ Router External IP: 172.10.10.100 (peer IP for the branch network)
HQ Internal Network: 172.11.1.0/24
Branch Router External IP: 10.1.1.100 (peer IP for the HQ network)
Branch Internal Network: 10.11.2.0/24
Configuring IKE Policies
Create an IKE Policy
From the global configuration mode, create a new IKE Policy.
VPN-HQ(config)# crypto isakmp policy 1
Set the Keep-Alive & Retry intervals
The default keep-alive time is 10 seconds and the retry interval when a keep-alive fails is 2 seconds. If you prefer different values, change them with the following command (it is a global configuration command, not part of the policy); otherwise this step can be skipped.
VPN-HQ(config)# crypto isakmp keepalive 15 retry 3
Specify the Encryption Algorithm
I'm using the 3DES encryption method here.
VPN-HQ(config-isakmp)# encryption 3des
Specify the HASH Algorithm
I'm using the SHA hashing algorithm here.
VPN-HQ(config-isakmp)# hash sha
Set the Authentication Method
We are using a pre-shared key for authentication here.
VPN-HQ(config-isakmp)# authentication pre-share
Set the Diffie-Hellman Group Identifier
We are using DH group 2 (1024-bit).
VPN-HQ(config-isakmp)# group 2
Specify the SA lifetime (seconds)
Set the lifetime of the security associations in seconds. I'll set it to 24 hours (86400 seconds) here.
VPN-HQ(config-isakmp)# lifetime 86400
Set Pre-shared Key
The authentication method used here is the pre-shared key. Set this previously agreed shared key from global configuration mode (don't exchange it over email; use your phone, letters or fax). I'll use a simple pre-shared key "0urVpN" here, but use a more complex key when configuring a production system.
VPN-HQ(config)# crypto isakmp key 0urVpN address 10.1.1.100
where 10.1.1.100 is the peer router's IP address and "0urVpN" is the pre-shared key.
Define Transformation Set
We combine the ESP-3DES transform and the ESP-SHA-HMAC transform into a transform set named 3DES-SHA-HMAC.
VPN-HQ(config)# crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
VPN-HQ(cfg-crypto-trans)# exit
Setup a Crypto ACL
This ACL defines the protected traffic that passes through the VPN tunnel. Customize the ACL as per your organisation's needs. Note that the wildcard masks must cover the whole subnets (0.0.0.255 for a /24); a wildcard of 0.0.0.0 matches a single host only.
VPN-HQ(config)# access-list 101 permit ip 172.11.1.0 0.0.0.255 10.11.2.0 0.0.0.255
Create an IPSec Map
Create an IPSec crypto map and assign it a sequence number.
VPN-HQ(config)# crypto map HQ-BR1-MAP 2 ipsec-isakmp
where 2 is the sequence number and HQ-BR1-MAP is the name of the map.
Set the Network traffic to be protected
Here, use the extended ACL created earlier to define the traffic that is protected and passed through the tunnel.
VPN-HQ(config-crypto-map)# match address 101
where 101 is the extended ACL.
Set the Peer Address
VPN-HQ(config-crypto-map)# set peer 10.1.1.100
Set the Transform Set
VPN-HQ(config-crypto-map)# set transform-set 3DES-SHA-HMAC
Set Perfect Forward Secrecy
VPN-HQ(config-crypto-map)# set pfs group 2
Apply the Crypto Map to the external Interface
VPN-HQ(config)# int fa0/0
VPN-HQ(config-if)# crypto map HQ-BR1-MAP
Allow inbound IPSec traffic from the peer on the external interface. The ACL only takes effect once it is applied inbound on that interface, so add entries for any other inbound traffic the router must accept before applying it.
VPN-HQ(config)# access-list 102 permit udp host 10.1.1.100 any eq isakmp
VPN-HQ(config)# access-list 102 permit esp host 10.1.1.100 any
VPN-HQ(config)# int fa0/0
VPN-HQ(config-if)# ip access-group 102 in
That completes the configuration on the Cisco router at the HQ. Repeat the procedure on the branch router, changing only:
1. The peer IP in the steps for setting the pre-shared key and setting the peer.
2. The crypto ACL for the protected networks.
3. The inbound ACL to allow incoming traffic from the peer.
To verify the configs, use the following show commands:
Display Crypto IKE Policy
VPN-HQ# show crypto isakmp policy
Display Crypto Transform Set
VPN-HQ# show crypto ipsec transform-set
Display Crypto Map entries
VPN-HQ# show crypto map
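Beyond the show commands, a quick offline audit of the running-config catches the mistakes readers of this article ran into (the 0.0.0.0 wildcard on the crypto ACL, a crypto map referencing a transform set that does not exist, a peer with no pre-shared key) and flags ISAKMP settings that are weak by current standards. This is an added example, not part of the original article or Cisco's tooling; the sample configuration is constructed from the HQ side described above, with the crypto ACL as the page first gave it.

```python
import ipaddress
import re

# Constructed sample: the HQ side of the configuration above, as it would
# appear in "show running-config", with the crypto ACL wildcard of 0.0.0.0.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0urVpN address 10.1.1.100
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
access-list 101 permit ip 172.11.1.0 0.0.0.0 10.11.2.0 0.0.0.0
crypto map HQ-BR1-MAP 2 ipsec-isakmp
 match address 101
 set peer 10.1.1.100
 set transform-set 3DES-SHA-HMAC
"""
# ISAKMP policy settings that are weak by current standards.
WEAK = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2"}


def audit(config):
    """Return a list of findings (strings) for a crypto-map based IPsec config."""
    f, findings = re.findall, []  # every pattern below is anchored at line start
    # Each "set peer" needs a "crypto isakmp key ... address <peer>" entry.
    keyed = set(f(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    for peer in sorted(set(f(r"^ set peer (\S+)", config, re.M)) - keyed):
        findings.append(f"no pre-shared key configured for peer {peer}")
    # The transform set a crypto map references must exist.
    tsets = set(f(r"^crypto ipsec transform-set (\S+)", config, re.M))
    for t in f(r"^ set transform-set (\S+)", config, re.M):
        if t not in tsets:
            findings.append(f"transform-set {t} is not defined")
    # Crypto ACL sanity: wildcard bits must be contiguous from the right and the
    # address aligned to them; 0.0.0.0 (one host) on an address ending in .0
    # almost certainly meant a whole network and will match nothing real.
    pat = r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)"
    for acl, s, sw, d, dw in f(pat, config, re.M):
        for addr, wc in ((s, sw), (d, dw)):
            a, w = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wc))
            if (w + 1) & w or a & w:
                findings.append(f"access-list {acl}: bad wildcard {wc} for {addr}")
            elif w == 0 and (a & 0xFF) == 0:
                findings.append(f"access-list {acl}: {addr} {wc} is one host, not a network")
    for line in f(r"^ (encryption \S+|hash \S+|group \d+)$", config, re.M):
        if line in WEAK:
            findings.append(f"isakmp policy uses weak setting '{line}'")
    return findings
```

Run audit() on the text of "show running-config" from either router; an empty list means the map, key, ACL and policy are consistent.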
This is a very good note on building a VPN. Very easy explanation.
Thanks man!!
What IOS do I require to make this configuration possible?
Excellent. Easy to understand for a first-timer like me. Thank you.
Your wildcard mask in your ACL is wrong. All traffic will be denied.
It should be 0.0.0.255, otherwise your ACL will not work.
Setup a Crypto ACL
This ACL defines the protected traffic that passes through the VPN tunnel. Customize the ACL as per your organisation needs.
VPN-HQ(config)# ip access-list 101 permit ip 172.11.1.0 0.0.0.0 10.11.2.0 0.0.0.0
Is the above access-list statement right? Packet Tracer is not accepting this.
The problem is the access-list: the wildcard of 0.0.0.0 is expecting an IP address of 172.11.1.0.
NOTE: zeros mean "I care" while ones mean "I do not care" in an access-list wildcard.