Thursday, March 2, 2017

Configuring Site to Site VPN

Configuring Site to Site VPN Tunnel

Routers that participate in a site-to-site VPN form two IKE tunnels: the IKE Phase 1 tunnel and the IKE Phase 2/IPsec tunnel.
For these tunnels to come up, the hashing, encryption, tunnel lifetime and the other parameters configured below must be set identically on both routers.

IKE Phase 1 Tunnel Negotiation (HAGLE: Hashing, Authentication, Group, Lifetime, Encryption):
Hashing: MD5, SHA-1
Authentication: PSK, RSA keys
Group (DH): 1, 2, 5
Lifetime: # seconds
Encryption: DES, 3DES, AES

IKE Phase 2 Tunnel Negotiation:
Transform set
Lifetime: # seconds
Encryption: DES, 3DES, AES

Configuring IKE Phase 1

1. Configure IKE Phase 1 on R1 and R2.

//R1
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#hash sha
R1(config-isakmp)#end

//R2
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#hash sha
R2(config-isakmp)#group 2
R2(config-isakmp)#encryption aes 128


2. Create the identity the router will present when communicating with the other router.

NOTE: Use the hostname if the IP address changes (say the ISP provides random IP addresses for security purposes); if it is static, you can use the IP address.

//R1
R1(config)#crypto isakmp identity address


//R2
R2(config)#crypto isakmp identity address

3. Create the pre-shared key that will be used to authenticate both routers:

//R1
R1(config)#crypto isakmp key 0 kisamokey address 23.0.0.2

//R2
R2(config)#crypto isakmp key 0 kisamokey address 192.168.1.1


IKE Phase 1 is now configured.


Configuring the IKE Phase 2 Tunnel/IPsec Tunnel:


1. Create a transform set on Router 1 and Router 2:

//R1
R1(config)#crypto ipsec transform-set KISAMOVPN esp-aes 128 esp-sha-hmac

//R2
R2(config)#crypto ipsec transform-set KISAMOVPN esp-aes 128 esp-sha-hmac

2. Configure the IKE Phase 2 tunnel (IPsec SA) lifetime on Router 1 and Router 2:

//R1
R1(config)#crypto ipsec security-association lifetime seconds 86400

//R2
R2(config)#crypto ipsec security-association lifetime seconds 86400


3. Create a mirrored ACL on Router 1 and Router 2 that defines the traffic to be sent encrypted and expected to arrive encrypted:

//R1
R1(config)#ip access-list extended S2S-VPN-TRAFFIC
R1(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#

//R2
R2(config)#ip access-list extended S2S-VPN-TRAFFIC
R2(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
R2(config-ext-nacl)#

4. Create a crypto map for the IKE Phase 2 tunnel/IPsec tunnel

//R1
R1(config)#crypto map S2S-VPN 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address S2S-VPN-TRAFFIC
R1(config-crypto-map)#set peer 23.0.0.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set KISAMOVPN

//R2
R2(config)#crypto map S2S-VPN 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#match address S2S-VPN-TRAFFIC
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set KISAMOVPN


5. Apply the crypto map to the respective interface

//R1
R1(config)# interface serial 0
R1(config-if)#crypto map S2S-VPN
R1(config-if)#exit

//R2
R2(config)# interface serial 1
R2(config-if)#crypto map S2S-VPN
R2(config-if)#exit

6. Verification commands

R2#show crypto map
R2#show crypto ipsec transform-set
R2#show crypto isakmp sa

R2#show crypto ipsec sa
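Because a mismatched HAGLE attribute, transform set, SA lifetime or non-mirrored crypto ACL is the usual reason these tunnels fail to negotiate, the script below, added here as an example and not part of the original post, parses constructed configuration text modelled on the R1/R2 commands above and reports every parameter the two peers disagree on. The sample configs, function names and the matching logic are this example's own assumptions, not IOS tooling.

```python
import re
from itertools import takewhile

# Constructed sample modelled on the R1 commands above (not a real device dump).
R1_CFG = """crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 86400
 encryption aes 128
 hash sha
crypto ipsec transform-set KISAMOVPN esp-aes 128 esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
# R2 is identical except that its crypto ACL is the mirror image of R1's.
R2_CFG = R1_CFG.replace("192.168.2.0 0.0.0.255 192.168.3.0", "192.168.3.0 0.0.0.255 192.168.2.0")

def section(cfg, header):
    """Indented child lines (split into words) of the first line starting with `header`."""
    lines = cfg.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln.startswith(header)), len(lines)) + 1
    return [ln.split() for ln in takewhile(lambda ln: ln.startswith(" "), lines[start:])]

def vpn_params(cfg):
    """Everything both peers must agree on: HAGLE attributes, transform set, IPsec SA lifetime."""
    params = {"phase1 " + w[0]: " ".join(w[1:]) for w in section(cfg, "crypto isakmp policy")}
    ts = re.search(r"crypto ipsec transform-set \S+ (.+)", cfg)
    lt = re.search(r"security-association lifetime seconds (\d+)", cfg)
    params["phase2 transform-set"] = ts.group(1).split() if ts else None
    params["phase2 lifetime"] = lt.group(1) if lt else None
    return params

def crypto_acl(cfg):
    """(src, src_wildcard, dst, dst_wildcard) for each 'permit ip' line of the crypto ACL."""
    return [tuple(w[2:6]) for w in section(cfg, "ip access-list extended") if w[:2] == ["permit", "ip"]]

def acls_mirrored(acl_a, acl_b):
    """Each permit on one side must appear with source and destination swapped on the other."""
    return sorted((d, dw, s, sw) for s, sw, d, dw in acl_a) == sorted(acl_b)

def check_peers(cfg_a, cfg_b):
    """Return mismatch descriptions; an empty list means both tunnels can be negotiated."""
    pa, pb = vpn_params(cfg_a), vpn_params(cfg_b)
    issues = [f"{k}: {pa.get(k)!r} vs {pb.get(k)!r}"
              for k in sorted(set(pa) | set(pb)) if pa.get(k) != pb.get(k)]
    if not acls_mirrored(crypto_acl(cfg_a), crypto_acl(cfg_b)):
        issues.append("crypto ACL: permit entries are not mirror images")
    return issues
```

Feed it the `crypto` and `ip access-list` sections from `show running-config` of each peer; any line it prints names the attribute to correct before the `show crypto isakmp sa` and `show crypto ipsec sa` checks above will show an established SA.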
