Cisco Router - Configure Site to Site IPSEC VPN
1. Setup a policy for phase 1 of the tunnel (ISAKMP).
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr aes
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# crypto isakmp key SecretK3y address 1.1.1.2
2. Setup an ACL to define what traffic will be encrypted, and a 'Transform set' that will dictate the encryption and hashing for phase 2 (IPSEC).
R1(config)# ip access-list extended VPN-ACL
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)# crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
3. Create a 'Crypto map' that is used to apply the phase 2 settings to an interface.
R1(config)# crypto map VPN-C-MAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set VPN-TS
R1(config-crypto-map)# match address VPN-ACL
4. Apply that crypto map to an interface, (usually the Internet facing one).
R1(config-crypto-map)# interface Serial0/1/0
R1(config-if)# crypto map VPN-C-MAP
R1(config-if)# exit
5. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:
• Permit=Perform NAT
• Deny=Don't perform NAT
On this router (unlike the ASA's that I'm more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.
R1(config)# no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)# exit
6. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP
no access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
7. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!
show crypto isakmp sa
show crypto ipsec sa
1. Setup a policy for phase 1 of the tunnel (ISAKMP).
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr aes
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# crypto isakmp key SecretK3y address 1.1.1.2
2. Setup an ACL to define what traffic will be encrypted, and a 'Transform set' that will dictate the encryption and hashing for phase 2 (IPSEC).
R1(config)# ip access-list extended VPN-ACL
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)# crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
3. Create a 'Crypto map' that is used to apply the phase 2 settings to an interface.
R1(config)# crypto map VPN-C-MAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set VPN-TS
R1(config-crypto-map)# match address VPN-ACL
4. Apply that crypto map to an interface, (usually the Internet facing one).
R1(config-crypto-map)# interface Serial0/1/0
R1(config-if)# crypto map VPN-C-MAP
R1(config-if)# exit
5. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:
• Permit=Perform NAT
• Deny=Don't perform NAT
On this router (unlike the ASA's that I'm more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.
R1(config)# no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)# exit
6. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP
no access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
7. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!
show crypto isakmp sa
show crypto ipsec sa