IPSec VPN

Chapter Description

In this sample chapter from CCIE Routing and Switching v5.1 Foundations: Bridging the Gap Between CCNP and CCIE, learn how the Internet Security Association and Key Management Protocol (ISAKMP) and IPSec are essential to building and encrypting VPN tunnels.

Lab 13-2: Basic Site-to-Site IPSec VPN and NAT

Figure 13-2 Configuring Basic Site-to-Site IPSec VPN and NAT

Figure 13-2 illustrates the topology that will be used in the following lab.

Task 1

Reachability to the loopback interfaces of R1 and R3 should be provided using static routes based on the following policy:

  • R1 and R3 should be configured with a static default route pointing to R2.

  • R2 should be configured with two static routes: one for network 1.1.1.0/24 through R1, and the second for 3.3.3.0/24 through R3.

On R1:

R1(config)# ip route 0.0.0.0 0.0.0.0 12.1.1.2

On R3:

R3(config)# ip route 0.0.0.0 0.0.0.0 23.1.1.2

On R2:

R2(config)# ip route 1.1.1.0 255.255.255.0 12.1.1.1
R2(config)# ip route 3.3.3.0 255.255.255.0 23.1.1.3

Let’s test the configuration:

On R1:

R1# ping 3.3.3.3 source loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms

Task 2

Configure static network address translation (NAT) on R2 so that R1’s S1/2 IP address is seen on R3 as 23.1.1.1:

On R2:

R2(config)# interface Serial1/1
R2(config-if)# ip nat inside

R2(config)# interface Serial1/3
R2(config-if)# ip nat outside
R2(config-if)# exit

R2(config)# ip nat inside source static 12.1.1.1 23.1.1.1

Let’s verify the configuration:

On R2:

R2# show ip nat translations

Pro Inside global    Inside local       Outside local      Outside global
--- 23.1.1.1         12.1.1.1           ---                ---

Task 3

Configure a basic site-to-site IPSec VPN to protect traffic between hosts 1.1.1.1 and 3.3.3.3 using the policy shown in Table 13-2.

Table 13-2 Policy Guidelines for Configuring Task 3

ISAKMP Policy                      IPSec Policy
Authentication: Pre-shared         Encryption: ESP-3DES
Hash: MD5                          Hash: ESP-MD5-HMAC
DH Group: 2                        Proxy-ID/Crypto ACL: 1.1.1.1 ←→ 3.3.3.3
Encryption: 3DES
PSK: cisco

By now we have a step-by-step process for IPSec configuration that we can use:

  • Step 1. Configure ISAKMP using pre-shared authentication, MD5 hashing, DH group 2, and a PSK of “cisco” on both R1 and R3:

On R1:

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# exit

On R3:

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# hash md5
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# encryption 3des
R3(config-isakmp)# exit

  • Step 2. Configure the ISAKMP key and identify the peer:

On R1:

R1(config)# crypto isakmp key cisco address 23.1.1.3

On R3:

R3(config)# crypto isakmp key cisco address 23.1.1.1

  • Step 3. Configure the IPSec transform set to use DES for encryption and MD5 for hashing:

On R1 and R3:

Rx(config)# crypto ipsec transform-set TSET esp-des esp-md5-hmac
Rx(cfg-config-trans)# exit

  • Step 4. Define interesting traffic:

On R1:

R1(config)# access-list 100 permit ip host 1.1.1.1 host 3.3.3.3

On R3:

R3(config)# access-list 100 permit ip host 3.3.3.3 host 1.1.1.1

  • Step 5. Configure a crypto map and reference the peer, the crypto ACL, and the transform set configured in the previous steps:

On R1:

R1(config)# crypto map TST 10 ipsec-isakmp
R1(config-crypto-map)# set peer 23.1.1.3
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set transform-set TSET
R1(config-crypto-map)# exit

On R3:

R3(config)# crypto map TST 10 ipsec-isakmp

The peer IP address should be the translated IP address:

R3(config-crypto-map)# set peer 23.1.1.1
R3(config-crypto-map)# match address 100
R3(config-crypto-map)# set transform-set TSET
R3(config-crypto-map)# exit

  • Step 6. Apply the crypto map to the outside interface:

On R1:

R1(config)# interface Serial1/2
R1(config-if)# crypto map TST

On R3:

R3(config)# interface Serial1/2
R3(config-if)# crypto map TST
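The six steps above are easy to get subtly wrong on one side only, and with NAT in the path the most common slip is peering on the untranslated address. The following Python script is an added example, not code from the book or from Cisco: it parses the two routers' crypto configuration exactly as entered in this task (with R3's access-list entered on R3), plus R2's static NAT statement, and reports any inconsistency that would stop the tunnel from negotiating: a differing ISAKMP policy or transform set, crypto ACLs that are not mirror images, a PSK keyed to the wrong peer address, or a `set peer` that ignores the NAT translation. The endpoint addresses 12.1.1.1 and 23.1.1.3 are taken from the lab's static routes and NAT statement; the parser understands only the command forms used in this lab. It also lists the legacy primitives the lab policy relies on (DES, 3DES, MD5, DH group 2), which a production review would flag.

```python
import re

# Constructed from the lab's Task 3 commands (the R3 access-list is entered on R3).
R1_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set TSET esp-des esp-md5-hmac
access-list 100 permit ip host 1.1.1.1 host 3.3.3.3
crypto map TST 10 ipsec-isakmp
 set peer 23.1.1.3
 match address 100
 set transform-set TSET
"""
# R3 mirrors R1 and keys/peers on R1's *translated* address 23.1.1.1.
R3_CONFIG = (R1_CONFIG.replace("address 23.1.1.3", "address 23.1.1.1")
             .replace("host 1.1.1.1 host 3.3.3.3", "host 3.3.3.3 host 1.1.1.1")
             .replace("set peer 23.1.1.3", "set peer 23.1.1.1"))
R2_NAT = "ip nat inside source static 12.1.1.1 23.1.1.1"
# Tunnel endpoint addresses, taken from the lab's static routes and NAT statement.
R1_ADDR, R3_ADDR = "12.1.1.1", "23.1.1.3"

LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_static_nat(text):
    """'ip nat inside source static <local> <global>' lines -> {local: global}."""
    return dict(re.findall(r"ip nat inside source static (\S+) (\S+)", text))


def parse_config(text):
    """Extract the ISAKMP policy, PSKs, transform sets, crypto ACLs and crypto map."""
    cfg = {"isakmp": {}, "psk": {}, "tsets": {}, "acls": {}, "cmap": {}}
    block = None                                  # owner of the indented lines that follow
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0] != " ":                         # top-level command
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = "isakmp"
            elif w[:3] == ["crypto", "isakmp", "key"]:        # key <psk> address <peer>
                cfg["psk"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][w[3]] = tuple(w[4:])
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                cfg["acls"].setdefault(w[1], []).append((w[5], w[7]))  # host A host B
            elif w[:2] == ["crypto", "map"]:
                block = "cmap"
        elif block == "isakmp":                   # hash / authentication / group / encryption
            cfg["isakmp"][w[0]] = w[1]
        elif block == "cmap":                     # set peer / match address / set transform-set
            cfg["cmap"][{"peer": "peer", "address": "acl", "transform-set": "tset"}[w[1]]] = w[2]
    return cfg


def weak_algorithms(cfg):
    """Defensive review: the legacy primitives this policy relies on."""
    found = [v for v in cfg["isakmp"].values() if v in LEGACY]
    group = cfg["isakmp"].get("group", "")
    if group.isdigit() and int(group) < 14:
        found.append("dh-group-" + group)
    for algs in cfg["tsets"].values():
        found += [a for a in algs if a in LEGACY]
    return found


def mismatches(a, b, a_addr, b_addr, nat):
    """Cross-check two peers; an empty list means nothing here blocks negotiation."""
    out = [f"isakmp {k} differs" for k in ("authentication", "hash", "group", "encryption")
           if a["isakmp"].get(k) != b["isakmp"].get(k)]
    # Each side must point at the other's address as it appears *after* NAT.
    for side, m, want in (("a", a["cmap"], nat.get(b_addr, b_addr)),
                          ("b", b["cmap"], nat.get(a_addr, a_addr))):
        if m["peer"] != want:
            out.append(f"{side}: set peer {m['peer']}, expected {want}")
    ka, kb = a["psk"].get(a["cmap"]["peer"]), b["psk"].get(b["cmap"]["peer"])
    if ka is None or ka != kb:
        out.append("pre-shared key missing for the peer address or differs")
    if a["tsets"].get(a["cmap"]["tset"]) != b["tsets"].get(b["cmap"]["tset"]):
        out.append("transform sets differ")
    mirror = {(d, s) for s, d in b["acls"].get(b["cmap"]["acl"], [])}
    if set(a["acls"].get(a["cmap"]["acl"], [])) != mirror:
        out.append("crypto ACLs are not mirror images")
    return out


if __name__ == "__main__":
    r1, r3 = parse_config(R1_CONFIG), parse_config(R3_CONFIG)
    print("mismatches:", mismatches(r1, r3, R1_ADDR, R3_ADDR, parse_static_nat(R2_NAT)) or "none")
    print("legacy algorithms on R1:", weak_algorithms(r1))
```

Run as-is, the lab configuration produces no mismatches; change R3's `set peer` to 12.1.1.1 and the script reports both the wrong peer and that no PSK is keyed for that address, which is exactly the failure the "translated IP address" note in Step 5 is warning about.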

Let’s test the configuration:

On R1:

R1# ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 88/91/92 ms

R1# show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.1.1.3        12.1.1.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1# show crypto ipsec sa | include #pkts

    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0

R1# show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
 1001  IKE     MD5+3DES                  0        0        0 12.1.1.1
 2001  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2002  IPsec   DES+MD5                   4        0        0 12.1.1.1
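Reading these two outputs is the routine verification step for any crypto map tunnel, and the counters tell you more than "up or down". The following Python is an added example, not part of the book: it parses constructed copies of the `show crypto ipsec sa | include #pkts` and `show crypto engine connections active` output shown above and classifies the tunnel state from them: no IKE SA at all (phase 1 failed), SAs with no traffic (nothing matched the crypto ACL), one-way traffic (what a non-mirrored proxy ACL or a wrong peer address on the far side looks like), or healthy bidirectional flow. It also checks that the per-SA Encrypt/Decrypt columns add up to the encaps/decaps totals and extracts the algorithms actually negotiated so they can be compared against Table 13-2.

```python
import re

# Constructed sample: the "show crypto ipsec sa | include #pkts" lines from the lab.
SA_COUNTERS = """\
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
"""

# Constructed sample: the "show crypto engine connections active" table from the lab.
ENGINE_CONNECTIONS = """\
   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
 1001  IKE     MD5+3DES                  0        0        0 12.1.1.1
 2001  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2002  IPsec   DES+MD5                   4        0        0 12.1.1.1
"""


def parse_pkt_counters(text):
    """Map each '# pkts <name>: <n>' pair to {name: n}, e.g. {'encaps': 4, ...}."""
    return {name.strip(): int(n) for name, n in re.findall(r"# pkts ([\w. ]+?): (\d+)", text)}


def parse_engine_connections(text):
    """Parse the connection table into {conn_id: {...}}; the header row is skipped."""
    rows = {}
    for line in text.splitlines():
        w = line.split()
        if len(w) == 7 and w[0].isdigit():        # data rows start with a numeric ID
            rows[int(w[0])] = {"type": w[1], "algorithm": w[2], "encrypt": int(w[3]),
                               "decrypt": int(w[4]), "last_seq": int(w[5]), "ip": w[6]}
    return rows


def negotiated_algorithms(connections):
    """Algorithms actually in use per SA type, to compare against the intended policy."""
    out = {}
    for c in connections.values():
        out.setdefault(c["type"], set()).add(c["algorithm"])
    return out


def counters_consistent(counters, connections):
    """Per-SA Encrypt/Decrypt columns should sum to the encaps/decaps totals."""
    ipsec = [c for c in connections.values() if c["type"] == "IPsec"]
    return (sum(c["encrypt"] for c in ipsec) == counters.get("encaps", 0)
            and sum(c["decrypt"] for c in ipsec) == counters.get("decaps", 0))


def diagnose(counters, connections):
    """Classify tunnel state the way an engineer reads these counters by hand."""
    if not any(c["type"] == "IKE" for c in connections.values()):
        return "no-ike-sa"             # phase 1 never completed: policy, PSK or peer address
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "no-traffic"            # SAs exist but nothing matched the crypto ACL
    if dec == 0:
        return "outbound-only"         # we encrypt but never receive: far-side ACL or NAT
    if enc == 0:
        return "inbound-only"
    return "bidirectional"


if __name__ == "__main__":
    counters = parse_pkt_counters(SA_COUNTERS)
    conns = parse_engine_connections(ENGINE_CONNECTIONS)
    print("state:", diagnose(counters, conns))
    print("counters consistent:", counters_consistent(counters, conns))
    print("negotiated:", negotiated_algorithms(conns))
```

On the lab output this reports a bidirectional tunnel with consistent counters and shows that phase 2 negotiated DES+MD5, matching the transform set configured in Step 3 rather than the ESP-3DES listed in Table 13-2, which is the kind of policy drift the negotiated-algorithm check exists to catch.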

Erase the startup configuration of the routers and reload them before proceeding to the next lab.
