IPSec Tunnel Between Cisco Routers | Site to Site VPN Between Cisco Routers

Posted by January 2, 2024 in CCNA

In this article, we will discuss, how you can configure IPSec Tunnel between Cisco Routers at different locations. IPsec Tunnel allows you to communicate securely to the remote office over the Internet. All the traffic through the IPSec tunnel will be encrypted by the various Encryption and Hashing algorithms. You must need static routable IP addresses, to establish the IPSec connectivity. So, let’s get started!

Scenario – How to Configure IPSec VPN between Cisco Routers

Here, we have two different Cisco Routers at different locations. Router R1 connected with the ISP using public IP 1.1.1.1, and the LAN subnet is 192.168.1.0/24. On the other hand, Router R2 connected with the ISP using public IP 2.2.2.2 and the LAN subnet is 192.168.2.0/24. You must verify the connectivity between R1 and R2.

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/31/40 ms

ipsec-tunnel-between-cisco-routers

 

Requirements for IPSec VPN

As earlier discussed, we must have static routable IP addresses to establish an IPSec tunnel. Along with the IP addresses, we also have to configure ISAKMP Phase 1 and ISAKMP Phase 2 ( IPSec). Also, we need to provide a Pre-Shared Key during Phase1 Configuration. So, the summary of the requirements are:

  • Static Routeable IP address
  • Phase 1 configuration
  • Phase 2 configuration
  • Pre-Shared Key
  • Crypto Map and ACL Configuration

How to Configure IPSec VPN on Cisco Routers

First, we will configure all the configurations on Router1. After that, we will move on router two and configure all the required configuration.

Configuring the IPSec Tunnel on Cisco Router 1

Configuring the Phase 1 on the Cisco Router R1

I assumed that you have reachability to the Remote Network. Now, we will configure the Phase 1 Parameters on Router1. You need to access the global configuration mode of the Cisco Router and configure the below parameters. For ISAKMP Phase1, we will use the following parameters:

  • Encryption: 3des (It is used to encrypt the Phase1 traffic).
  • Hash: md5 ( md5 is a hashing algorithm. It authenticates our data using Hash)
  • Group: 2 (Diffie Hellman Group 2)
  • Authentication: In this example, we are using the pre-shared key as authentication)
  • Lifetime: 86400 ( Default lifetime for the Phase1)
R1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#crypto isakmp policy 1

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#hash md5

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2

R1(config-isakmp)#lifetime 86400

Now, we need to define a pre-shared key. Access the global configuration mode of the router and define the Pre-Shared key. I am using Gns3Network as a Pre-Shared Key.

  • Pre-Shared Key: Gns3Network
  • Remote Site Router IP Address: 2.2.2.2
R1(config)#crypto isakmp key Gns3Network address 2.2.2.2

Configuring the Phase 2 on the Cisco Router R1

Now, we need to configure the IPSec VPN Phase 2 Parameters. Here, you need to define the IPSec Protocol i.e. AH (Authentication Header) or ESP (Encapsulation Security Payload). Along with the Protocol, we also need to define the Encryption and Hashing algorithms. In this example, I am using the below parameters:

  • IPSec Protocol: ESP (Encapsulation Security Payload)
  • Encryption: 3DES
  • Hashing: md5
R1(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

Configuring the Extended ACL and Crypto MAP

Now, we need to configure the Extended ACL and Crypto MAP to match the traffic.

R1(config)#ip access-list extended IPSEC_List

R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

This ACL (Access Control List) will match the traffic of our Local LAN and we will use this ACL in Crypto MAP Configuration.

R1(cfg-crypto-trans)#crypto map CMAP 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

R1(config-crypto-map)#set peer 2.2.2.2

R1(config-crypto-map)#set transform-set TSET

R1(config-crypto-map)#match address IPSEC_List

Now, we need to apply this crypto Map to the Outgoing Interface.

R1(config)#interface FastEthernet 0/0

R1(config-if)#crypto map CMAP

Excluding the IPSec VPN Traffic from the NAT (Optional)

Now, we need to exclude the VPN Traffic from the NAT. NAT stands for Network Address Translation which is commonly used for providing Internet Connectivity to the Internal Hosts. If NAT is not configured in your environment, you can skip this step.

Recommended:  How to configure IPSec Tunnel between Palo Alto and SonicWall Firewall

Here, we have to create an extended ACL that denies only the IPSec traffic and permit Internet traffic.

R1(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any

Now, just configure the NAT using this extended List.

R1(config)#ip nat inside source list 100 interface FastEthernet 0/0 overload

*Jan 12 16:20:19.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

R1(config)#in FastEthernet0/0

R1(config-if)#ip nat outside

R1(config-if)#in FastEthernet1/0

R1(config-if)#ip nat inside

Configuring the IPSec Tunnel on Cisco Router 2

Now, we already described all the parameters used in the IPSec tunnel. We will configure all the configurations on the remote router R2.

Recommended:  TCP and UDP - Everything you need to know - 2023

Configuring the Phase 1 on the Cisco Router R2

R2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#crypto isakmp policy 1

R2(config-isakmp)# encryption 3des

R2(config-isakmp)# hash md5

R2(config-isakmp)# authentication pre-share

R2(config-isakmp)# group 2

R2(config-isakmp)# lifetime 86400
R2(config)#crypto isakmp key Gns3Network address 1.1.1.1

Phase 2 configuration on the Cisco Router R2

R2(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac

Configuring the Extended ACL and Crypto MAP

R2(cfg-crypto-trans)#ip access-list extended IPSEC_List

R2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config-ext-nacl)#crypto map CMAP 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.R2(config-crypto-map)#set peer 1.1.1.1

R2(config-crypto-map)#set transform-set TSET

R2(config-crypto-map)#match address IPSEC_List
R2(config)#interface FastEthernet 0/0

R2(config-if)#crypto map CMAP

*Jan 12 16:26:41.991: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Excluding the IPSec VPN Traffic from the NAT (Optional)

R2(config)#access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

R2(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 any

Now, just configure the NAT using this extended List.

R2(config)#ip nat inside source list 100 interface FastEthernet 0/0 overload

*Jan 12 16:20:19.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

R2(config)#in FastEthernet0/0

R2(config-if)#ip nat outside

R2(config-if)#in FastEthernet1/0

R2(config-if)#ip nat inside

Testing the Configuration of IPSec Tunnel

We have done the configuration on both the Cisco Routers. However, we need to initiate the traffic towards the remote networks to make the tunnel up and run. So, just initiate the traffic towards the remote subnet.

R1#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

.!!!!

The success rate is 80 percent (4/5), round-trip min/avg/max = 20/28/48 ms

The first packet is dropped due to the ARP request and response. However, no further drops after the ARP Packet.

Recommended:  [Solved] The peer is not responding to phase 1 ISAKMP requests

Analyzing IPSec Tunnel traffic using the Wireshark

As in Phase2 configuration, we chose IPSec ESP Protocol as well as some Encryption and Authentication. So, all the traffic towards the remote network will be encrypted and you will only find ESP Packets.

ipsec-tunnel-traffic-captured-using-wireshark

Related Articles

References

https://en.wikipedia.org/wiki/IPsec

Summary

Hey! In this article, we configured IPSec VPN on Cisco Routers. We discussed the requirements for the IPSec VPN. After, we configure Phase1 and Phase2 on Cisco Router R1. The same configuration is done on the Cisco Router R2. You must need the static routable IP address to establish an IPSec Tunnel between both the routers.

Hope you like this article! Please let us know your questions in the comment box below!

1 Comment

  1. Hello,

    Thank you for your awesome guideline. I followed and it worked like magic for me.

    I have a challenge doing configs using IPsec profiles.
    Once I have applied the IPsec profile to a tunnel interface, the tunnels go down and a new int (NVI0 ) is added.

    Could you please share insight on the configs, I am currently following the ENCOR OCG Chapter 16.

    Thanks.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *