In this post I will explain how to set up a site to site VPN on Cisco routers. First of all we need our network setup like this.
Once we have set up the network we need to assign IP address according to the dirgram. The next part will be to set up the VPN. This is done is 2 stages for first is Internet Security Association and Key Management Protocol (ISAKMP) and the second is IPSec.
To begin with we need to enable isakmp. This is done in globle configuration mode.
crypto isakmp enable
now we need to define an isakmp policy.
crypto isakmp policy 1
In the ISAKMP we need to define the following things.
1. Authentication type
2. encryption type
3. hash type
4. Diffie-Hellman key strength
5. Tunnel life time.
There are 3 types of encryption that we can use. DES, 3DES and AES. AES is the most secure encryption compared to DES and 3DES. The strongest key you can use is a 256-bit AES key where 3DES uses 128-bit keys. There are 2 types of hash that we can use MD5 and SHA. You can use any hashing as long as it’s the same on both sides. Next we need to select the Diffie-Hellman key strength. This is set in groups. Group 1 has a strength of 768-bits group 2 has a strength of 1024-bits and group 5 has a strength of 1536-bits. So our command would look like the below.
! crypto isakmp policy 1 authentication pre-share hash sha encryption aes 128 group 2 lifetime 86400 !
We need to make sure that the Policy matches on both sides or our VPN will not work. Next we need to define our pre-shared key and set the identity. The identity can be set as in IP address or as a host name. For this example we are using IP address.
! crypto isakmp identity address ! crypto isakmp key 0 VPNKEY address 98.188.188.210 !
We need to do the same on the other side but change the address to the address of R1. Now we can move on to the IPSec part. We first need to creat a transform set for the IPSec tunnel. This is the hash and encryption we are going to use. As before we will use AES 128 bit and SHA hashing.
! crypto ipsec transform-set VPNCON esp-aes 128 esp-sha-hmac !
Now we can set up the tunnel time. This is the life time for the tunnel before it tears it down and recreates the session.
! crypto ipsec security-association lifetime seconds 600 !
We now need to create an access list to match the traffic we went to uses the VPN for.
! ip access-list extended STS-VPN permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255 !
This access list will now permit the 172.16.10.x network to use the VPN while trying to access the 192.168.1.x network. We now need to create a crypto map that will set our policies all together
! crypto map VPN 100 ipsec-isakmp match address STS-VPN set peer 98.188.188.210 set transform-set VPNCON !
Now we have created the crypto map we need to apply it to the out-bound interface.
! interface FastEthernet 0/0 crypto map VPN !
This config has to match on the other side as well. The difference is in the access-list and the peer address. The access-list has to be mirrored on the other side so 192.168.1.0 then 172.168.10.0. Now when we try to access the 172.16.10.x network from R1and we should be able to get there.
Now lets chek the VPN on R2 using “show crypto ipsec sa”
We can see that we have 117 decrypted packets showing our VPN is working correctley.