Steps to configure an IPSEC site to site VPN on a Cisco IOS device (GNS3 Lab)

Just some short notes on basic IOS vpns using the topology below as an example. All the configuration examples are for the router Lefty. Grab the GNS3 .net file and initial configs [HERE] if you want to try.


VPN Topology

The following five steps need to be configured in order to create an IPSEC VPN on a Cisco IOS device.

Step – Description
Step 1. ISAKMP policy – Configure the parameters that will be used for the IKE phase 1 tunnel
Step 2. Transform Set – Configure the parameters that will be used for the IKE phase 2 tunnel (aka the IPSEC tunnel)
Step 3. ACL – Create an ACL to define what “interesting” traffic will be sent over the VPN
Step 4. Crypto Map – Tie the peer, the ACL and the transform set from the previous steps together in a crypto map
Step 5. Apply – Apply the crypto map to an interface


Step 1. – ISAKMP

Lefty#conf t
Lefty(config)#crypto isakmp enable
Lefty(config)#crypto isakmp policy 10
Lefty(config-isakmp)#authentication pre-share
Lefty(config-isakmp)#hash sha
Lefty(config-isakmp)#encryption aes 256
Lefty(config-isakmp)#group 5
Lefty(config-isakmp)#lifetime 3600
Lefty(config-isakmp)#exit
Lefty(config)#crypto isakmp key 0 SuperS3cure address 192.168.1.2
Lefty(config)#crypto isakmp keepalive 10 2 periodic
Lefty(config)#^Z

First we enter config mode and then enable ISAKMP (it is enabled by default, so this step usually isn’t needed). The policy number is quite important: when the router tries to negotiate an acceptable phase 1 policy it always starts with the policy closest to 1 and works up in order until a negotiation is successful (using 10 leaves some room for growth if needed).

Now we configure the authentication method. Acceptable options are pre-shared key, RSA-Sig and RSA-Encr. For simplicity we’ll use PSK for the moment. I’ll do another post soon to explain the other options.

Next is the hash method to be used. The options are MD5 and SHA-1 (SHA-1 is the default).

Now we configure the encryption algorithm we want to use. In order of strength: AES 256, AES 192, AES 128, 3DES, DES (DES is the default if nothing is explicitly configured).

Group <number> configures the modulus size of the Diffie-Hellman key exchange. (Group 5 isn’t supported on all versions of IOS!)

Group   Description
1       The 768-bit Diffie-Hellman group.
2       The 1024-bit Diffie-Hellman group.
5       The 1536-bit Diffie-Hellman group.

(Group 1 is the default)

Lifetime is the time in seconds that the Security Association (SA) stays valid before it has to be renegotiated. 3600 = 1 hour (86400, i.e. 1 day, is the default).

Since we configured pre-shared key authentication we need to configure the key for each peer, in global config mode.

To make dead peer detection (DPD) more obvious we configure it to send keepalives every 10s, retrying every 2s if a keepalive fails. The default is to send keepalives on demand rather than periodically as we have configured here.

Verify configuration with “show crypto isakmp policy”

Step 2. – Transform Set

Lefty#conf t
Lefty(config)#crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac
Lefty(cfg-crypto-trans)#mode tunnel
Lefty(cfg-crypto-trans)#^Z

We configure IPSEC tunnel mode using 256-bit AES encryption and SHA-1 HMAC for integrity.
The other available transforms are shown by the context help:

Lefty(config)#crypto ipsec transform-set MYTSETNAME ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth

Verify with “show crypto ipsec transform-set”

Step 3. – ACL

Lefty#conf t
Lefty(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

Straightforward extended ACL config to define the “interesting” traffic that will be secured via the VPN.

Step 4. – Crypto Map

Lefty#conf t
Lefty(config)#crypto map LEFTY_TO_RIGHTY 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Lefty(config-crypto-map)#set peer 192.168.1.2
Lefty(config-crypto-map)#match address 101
Lefty(config-crypto-map)#set transform-set MYTSETNAME
Lefty(config-crypto-map)#^Z

We configure the IP address (or hostname) of the peer at the opposite end of the tunnel, match the “interesting” traffic ACL with the match command, and finally set the transform set to be used.
Verify with “show crypto map”

Step 5. – Apply

Lefty#conf t
Lefty(config)#int fastEthernet 1/0
Lefty(config-if)#crypto map LEFTY_TO_RIGHTY
Lefty(config-if)#exit
Lefty(config)#ip route 10.2.2.0 255.255.255.0 192.168.1.2
Lefty(config)#^Z

Apply the configured crypto map to the outgoing interface. We need the static route so traffic for 10.2.2.0/24 is sent out of that interface towards the router at the other end of the VPN tunnel.
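As an added example (not part of the original post), here is the matching configuration for Righty, written the way it would appear in its running config. It assumes Righty’s outside interface is fastEthernet 1/0 with 192.168.1.2/24 and its LAN is 10.2.2.0/24; the ISAKMP policy, pre-shared key and transform set must match Lefty’s exactly, while the ACL, peer address and static route are the mirror image.

```cisco
! Added example: Righty's side of the tunnel (not from the original post).
! Assumptions: outside interface FastEthernet1/0 = 192.168.1.2/24, LAN 10.2.2.0/24.
!
! Step 1: phase 1 policy and PSK. Every attribute must match policy 10 on Lefty,
! and the key is the same string, bound to Lefty's outside address.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key 0 SuperS3cure address 192.168.1.1
crypto isakmp keepalive 10 2 periodic
!
! Step 2: phase 2 transform set, identical to Lefty's.
crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3: interesting traffic, the mirror of Lefty's ACL 101
! (source and destination swapped so both ends agree on what is protected).
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Step 4: crypto map pointing at Lefty's outside address.
crypto map RIGHTY_TO_LEFTY 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set MYTSETNAME
 match address 101
!
! Step 5: apply the map on the outside interface and route Lefty's LAN
! towards Lefty so the interesting traffic actually leaves through that interface.
interface FastEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 crypto map RIGHTY_TO_LEFTY
!
ip route 10.1.1.0 255.255.255.0 192.168.1.1
```

Once both sides are configured and the first interesting packet has been sent, “show crypto isakmp sa” on either router should list the peer in the QM_IDLE state.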

Testing/Verify

The easiest way to test is with an extended ping. Here we use the 10.1.1.1 (fa 1/1) interface on Lefty as the source to ping the 10.2.2.2 address on the Righty router.

Lefty#p
Protocol [ip]:
Target IP address: 10.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms

The ping matched the “interesting” traffic ACL, so it triggered the VPN setup (the first ping is lost while the tunnel is being built). We can verify with “show crypto engine connections active”

Lefty#show crypto engine connections active
Crypto Engine Connections

ID     Interface  Type   Algorithm   Encrypt  Decrypt  IP-Address
1      Fa0/0      IPsec  AES256+SHA  0        4        192.168.1.1
2      Fa0/0      IPsec  AES256+SHA  4        0        192.168.1.1
1001   Fa0/0      IKE    SHA+AES256  0        0        192.168.1.1

You can see we have one IKE connection and an IPSEC tunnel for each direction.

m00nie 🙂

Comments

  • It’s amazing….. I had this as a project at work and your five steps made it incredibly easy to understand and implement. Thank you

  • This is so simple the way you present it. Will this also work in the case where, say, Lefty has a static IP address, but Righty does not? Can I configure the step with the IP address of the peer using a wildcard value? Or do I have to use some other VPN configuration? I have a Cisco 2901 and a Cisco 800. Thanks so much.

  • Hi m00nie

    Very nice job. I have a question: in step 5 you apply “crypto map” to interface fastEthernet 0/0, but in your picture you only have interfaces f1/0 and f1/0. Is it a mistake?

    Thanks in advance

  • Hi Roberto

    Glad it was of some use 🙂 It was my typo so thanks for pointing it out. I’ve fixed it now.
    Cheers

    m00nie

  • Hi m00nie,

    Nicely presented the concept.
    Can you share your understanding about the inner communication(handshakes) happens in IKE phase1 and IKE phase2.

    Thanks in Advance

  • in case of nat:
    1.do not allow the vpn traffic out of the nat.
    2.allow all the rest from the lan
    3.activate the nat…..

    Lefty(config)#access-list 111 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
    Lefty(config)#access-list 111 permit ip 10.1.1.0 0.0.0.255 any
    Lefty(config)#ip nat inside source list 111 interface Dialer0 overload

    hope it will help.

  • ❓ I have tried this lab because the ones I created to learn site-to-site VPN were not working.

    I’m getting the same problem here. I’m using GNS3 and I opened the files supplied and entered the configuration shown here exactly. The phase 1 isakmp process never completes. Using wireshark, I never see an isakmp packet leave the 192.168.1.0 interface.

    debugs show only this when reapplying crypto map
    ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]

    Anyone else have this problem, or know how or why this might happen? (i can send configs but I’ve combed thru them for days and done it from scratch three times plus copying this lab.)

    Super stuck.

  • How do I make this work on a c2901 router…the crypto isakmp command is not recognized

  • Hi Elijah

    I’d guess it’s an image limitation. Probably best to check the Cisco feature navigator to check your image.
    Cheers

    m00nie

  • please tell me the protocol ip in testing and verifying section and how to get the value of average packet loss and jitter value….

  • Hi Pankaj

    I’m not too sure what you mean? “Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms” is just the output from the extended ping on the router.
    Cheers

    m00nie

  • Like the article, but I am not sure it works, if I just use:

    ip route 10.1.1.0 255.255.255.0 192.168.1.1
    access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

    on right, and the opposite on left, I can ping across it. Makes sense, I allowed access and created a static route, so what is the benefit of the VPN in this case?

  • hey m00nie, great job on the IPSEC VPN info.
    You’ve laid it out plain and simple. The concepts here are easy to understand and easy to remember.
    Thanks again mate, appreciate you time and efforts into this. Regards.

  • Hello m00nie

    Thank you for putting this together.

    I have tried this in the lab and it does not seem to work.

    Can you please upload the finished config for GNS3. that would be really help.
    many thanks
    Upen Desai

  • Configured as mentioned in scenario. connected two pc’s using VPC in gns3 and applied ip 10.1.1.1 with lefty and f0/0 10.1.1.254 and for righty viz.

    But the following shown , which ip must i mention there?

    Source address or interface: 10.1.1.1
    % Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)

  • Hello friends,

    I need to establish Ipsec tunnel for my client.
    I have 2 links primary and secondary at both side.
    Protocol would be BGP. How can i make a Ipsectunnel fail over when primary link fails. please help me with the scenario & config.

  • Hi there. I have got a problem. When I want to configure the VPN configuration on a router 3600, it does not accept the crypto command. How can I solve this problem? Thanks

  • Hi Sumon

    Give it a try? 🙂 You will need a static to get the tunnel built but after that you can run an IGP through the tunnel
    Cheers

    m00nie

  • Chief M00nie,

    Very good work here, I commend your effort. Apologies for stepping on your blog but, i do not think you need a static route, except you are using GNS routers to emulate the 2 PC’s connected to lefty and righty. If this is not the case, Any IGP configured on the two routers should provide you with end to end reach-ability. Once this is achieved, then you can apply your IPsec VPN configuration on both devices, and packets matched by the ACL “should” be encrypted as they pass through the lefty and righty link.

    My two cents.

  • Hi address-family

    The idea of the lab is that the internet is in between the two remote routers so an IGP wouldn’t really work 🙂
    Cheers

    m00nie

  • Hi, what is the IOS image and version used in this lab? I want to try it on GNS3 and this IOS image doesn’t work – (C3745-ADVENTERPRISEK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)

    thanks!

  • Hi Moonie ,

    I need a little help on my config. It doesnt WORK 🙁

    R2#sh crypto map
    Crypto Map “S2toS1” 10 ipsec-isakmp
    Peer = 192.168.1.1
    Extended IP access list 101
    access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    Current peer: 192.168.1.1
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    MYSETNAME,
    }
    Interfaces using crypto map S2toS1:
    FastEthernet0/0

    R2#

    R1#sh crypto map
    Crypto Map “S1toS2” 10 ipsec-isakmp
    Peer = 192.168.1.2
    Extended IP access list 101
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
    Current peer: 192.168.1.2
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    MYSETNAME,
    }
    Interfaces using crypto map S1toS2:
    FastEthernet0/0

    R1#

    R1 – Fa0/0 – Fa0/0 – R2

  • Thanks for making this lab. It was very helpful! I got it to work using the instructions, but when I ping from PC to PC I don’t see the tunnel form and I can still ping? When I ping from lefty using the PC’s address as the source. The tunnel forms and I can see the debug statements in the log. Why doesn’t the tunnel form when pinging from the PC?

  • Hi Fred

    I’m not too sure what you mean by the description you’ve given. How were you pinging from the router using the PC’s IP? What addresses have you used on each of the test hosts and can they ping their own gateways?
    Cheers

    m00nie

  • Hello, Thank you very much for providing us this useful solution. Would you please send me a solution for another scenario ? which is . one core router in HO 3 other routers in different branch and doing VPN on It. I would be very pleased if you email me this solution in my email : jeewan_acit@outlook.com… You can also send this soln to me on packet tracer. Thank you.

  • Hi Wajid

    Yes you’ll need to configure righty too. The config snippets are just an example and hopefully help you see what would be needed for righty 🙂
    Cheers

    m00nie

  • i was searching all over the internet for easy and well explained example of vpn and your post made it so easier to understand it ! thanks a lot !!!

  • Hi Larry

    I kept NAT away from the lab since it’s really just to show the IPSEC config as simply as possible 🙂
    Cheers

    m00nie

  • can somebody please verify the last step for me
    Step 5. – Apply
    Lefty#conf t
    Lefty(config)#int fastEthernet 1/0
    Lefty(config-if)#crypto map LEFTY_TO_RIGHTY
    Lefty(config)#ip route 10.2.2.0 255.255.255.0 192.168.1.2
    Lefty(config)#^Z

    Lefty(config)#ip route 10.2.2.0 255.255.255.0 192.168.1.2 im getting % Invalid input detected at ‘^’ marker.

  • Hi Charles

    It’s a little bit tough to say from the format of your post but it looks like you may already have the static route configured? What’s the output from show run | i ip route?
    Cheers

    m00nie

Leave a Reply