Friday, June 25, 2010

How to Configure Site-to-Site VPN in Cisco Routers


1. Create an Internet Key Exchange (IKE) policy. The policy used in our case is number 10 and it uses pre-shared key authentication. All of the policy parameters are entered in ISAKMP policy configuration mode:

Router(config)#crypto isakmp policy 10

Router(config-isakmp)#hash md5

Router(config-isakmp)#authentication pre-share

Router(config-isakmp)#encryption 3des

Router(config-isakmp)#group 2

Router(config-isakmp)#lifetime 28800

2. Set up the pre-shared key that will be used for the VPN:

Router(config)#crypto isakmp key 1q2w3e4r address X.X.X.X no-xauth

where,

1q2w3e4r is the shared key that you will use for the VPN; remember to set the same key on the other end.

X.X.X.X is the static public IP address of the other end.

3. Now we set the lifetime for the IPsec security associations:

Router(config)#crypto ipsec security-association lifetime seconds YYYYY

where YYYYY is the association’s lifetime in seconds. A commonly used value is 86400, which is one day.

4. Define the transform set that will be used for this VPN connection:

Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC

where,

SETNAME is the name of the transform set. You can choose any name you like.

BBBB and CCCCC are the transforms that make up the set. I recommend using “esp-3des esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Either of the two will do the job.

5. After defining all of the above, we need to create a crypto map that ties together the peer, the access-list describing traffic to the other site, and the transform set. The sequence number (10 here) comes before the ipsec-isakmp keyword:

Router(config)#crypto map MAPNAME 10 ipsec-isakmp

Router(config-crypto-map)#set peer X.X.X.X

Router(config-crypto-map)#set transform-set SETNAME

Router(config-crypto-map)#match address 123

where,

MAPNAME is a name of your choice for the crypto map

X.X.X.X is the static public IP address of the other end

SETNAME is the name of the transform set that we configured in step 4

123 is the number of the access-list that defines the VPN traffic (created in step 7)

6. Bind the crypto map to the interface that connects the router to the other end. This is entered in interface configuration mode for that interface:

Router(config-if)#crypto map MAPNAME

where MAPNAME is the name of the crypto map that we defined in step 5.

7. Configure an extended access-list that defines the traffic allowed to be sent through the VPN link:

Router(config)#access-list 123 permit ip X.X.X.X Y.Y.Y.Y A.A.A.A B.B.B.B

where,

123 is the access-list number

X.X.X.X Y.Y.Y.Y is the source network and wildcard mask of the traffic allowed to use the VPN link.

A.A.A.A B.B.B.B is the destination network and wildcard mask of the traffic that needs to pass through the VPN link.

8. Exclude the traffic matched by access-list 123 from the NAT access-list, so that VPN traffic is not translated before it is encrypted. These lines are entered inside the extended access-list used by NAT, and the deny must come before the permit:

Router(config-ext-nacl)#deny ip X.X.X.X Y.Y.Y.Y A.A.A.A B.B.B.B

Router(config-ext-nacl)#permit ip X.X.X.X Y.Y.Y.Y any

Now, repeat these steps on the other end, and remember to use the same key along with the same authentication settings and transform set.
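As an added example (it is not part of the original post), the following Python script renders the configuration from the steps above for both routers from one shared parameter set, so the key, IKE policy and transform set cannot drift apart between the two ends, mirrors the crypto access-list automatically, and checks that the two crypto access-lists are exact mirrors of each other. All addresses, interface names, the NAT access-list name NAT-ACL and the key are constructed placeholders.

```python
# Added example: render both ends of the site-to-site VPN from one shared
# parameter set. Every value below is a constructed placeholder.
SHARED = {"key": "REPLACE-WITH-STRONG-PSK", "policy": 10, "acl": 123,
          "map": "VPNMAP", "tset": "VPNSET", "transforms": "esp-3des esp-md5-hmac",
          "sa_lifetime": 86400, "nat_acl": "NAT-ACL"}
SITE_A = {"public_ip": "203.0.113.1", "lan": "10.1.0.0", "wild": "0.0.255.255",
          "iface": "GigabitEthernet0/0"}
SITE_B = {"public_ip": "198.51.100.1", "lan": "10.2.0.0", "wild": "0.0.255.255",
          "iface": "GigabitEthernet0/0"}


def render(local, remote, s=SHARED):
    """IOS CLI lines for `local` peering with `remote`; the crypto ACL is
    defined before the crypto map that references it."""
    src = f"{local['lan']} {local['wild']}"
    dst = f"{remote['lan']} {remote['wild']}"
    return [
        f"crypto isakmp policy {s['policy']}",
        " hash md5", " authentication pre-share", " encryption 3des",
        " group 2", " lifetime 28800",
        f"crypto isakmp key {s['key']} address {remote['public_ip']} no-xauth",
        f"crypto ipsec security-association lifetime seconds {s['sa_lifetime']}",
        f"crypto ipsec transform-set {s['tset']} {s['transforms']}",
        # step 7: interesting traffic, local LAN -> remote LAN
        f"access-list {s['acl']} permit ip {src} {dst}",
        # step 8: the same traffic is exempted from NAT (deny before permit)
        f"ip access-list extended {s['nat_acl']}",
        f" deny ip {src} {dst}",
        f" permit ip {src} any",
        f"crypto map {s['map']} 10 ipsec-isakmp",
        f" set peer {remote['public_ip']}",
        f" set transform-set {s['tset']}",
        f" match address {s['acl']}",
        f"interface {local['iface']}",
        f" crypto map {s['map']}",
    ]


def crypto_acl_mirrored(cfg_a, cfg_b, acl=SHARED["acl"]):
    """True when the two crypto ACLs are exact mirrors (source and destination
    swapped); a mismatch here is a classic reason phase 2 fails on one side."""
    def entry(cfg):
        line = next(ln for ln in cfg if ln.startswith(f"access-list {acl} permit ip "))
        src, src_wild, dst, dst_wild = line.split()[4:8]
        return src, src_wild, dst, dst_wild
    a, b = entry(cfg_a), entry(cfg_b)
    return a == (b[2], b[3], b[0], b[1])


if __name__ == "__main__":
    print("\n".join(render(SITE_A, SITE_B)))
```

Run it once per site (render(SITE_A, SITE_B) and render(SITE_B, SITE_A)) and paste each output into the matching router; crypto_acl_mirrored on the two outputs confirms that both ends agree on the interesting traffic.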


For troubleshooting purposes, you can use the following commands:

show crypto isakmp sa

show crypto ipsec sa

show crypto engine connections active

show crypto map
