IPSec VPNs on Cisco Routers

In this tutorial we illustrate how to configure an IPSec VPN between two Cisco routers.

In this example we need to set up a tunnel between router A and router B and encrypt the traffic sent between workstations on the LAN segment at site A (30.1.1.0/24) and the database server (20.1.1.100) located on the Corporate HQ LAN. The two routers face each other across a WAN link on their serial interfaces: router A is 10.1.1.2 and router B is 10.1.1.1.

The first thing we need to do on both routers is define the IKE (ISAKMP) parameters. In this example we use 3DES encryption, a pre-shared secret and Diffie-Hellman Group 2 for the IKE exchange; perfect forward secrecy for the IPSec SAs themselves is enabled separately in the crypto map. The shared key will be "cisco". These choices reflect the age of the article: 3DES and DH Group 2 are deprecated today (AES and DH Group 14 or stronger are the current minimum), and a real deployment should use a long, random pre-shared key or certificate-based authentication rather than a guessable word.

First, on both routers, define the IKE policy:

SYNTAX                                                          DESCRIPTION
router A & B
conf t                                                          Enter global configuration mode
crypto isakmp policy 1                                          Defines IKE policy 1
encr 3des                                                       Configures the policy for 3DES encryption
authentication pre-share                                        Configures the policy to use pre-shared keys
group 2                                                         Configures the policy to use Diffie-Hellman Group 2

Next, we define the pre-shared key and the peer gateway address associated with it. Each router binds the key to the serial interface address of the other router (router A is 10.1.1.2, router B is 10.1.1.1), so the two commands are not identical:

SYNTAX                                                          DESCRIPTION
router A
conf t                                                          Enter global configuration mode
crypto isakmp key cisco address 10.1.1.1                        Defines pre-shared key (password) "cisco" for peer router B

router B
conf t                                                          Enter global configuration mode
crypto isakmp key cisco address 10.1.1.2                        Defines pre-shared key (password) "cisco" for peer router A

Next, we define the IPSec transform-set and the crypto map itself. The crypto map entry ties together the peer address, the transform-set, PFS and the crypto access-list (defined in the following step). Again, only the peer address differs between the two routers:

SYNTAX                                                          DESCRIPTION
router A
conf t                                                          Enter global configuration mode
crypto ipsec transform-set mytransform esp-3des esp-sha-hmac    Defines the IPSec protocol (ESP) and algorithms (3DES encryption, SHA-1 HMAC integrity) and names the set "mytransform"
crypto map RouterAtoB 10 ipsec-isakmp                           Creates entry 10 of crypto map "RouterAtoB", with SAs negotiated by IKE
set peer 10.1.1.1                                               Defines the serial IP address of router B as the peer address
set transform-set mytransform                                   Associates the transform-set just created with this crypto map entry
set pfs group2                                                  Configures perfect forward secrecy with a DH Group 2 exchange during IPSec SA negotiation
match address 110                                               Binds access-list 110 to this entry so that it selects the traffic to encrypt

router B
conf t                                                          Enter global configuration mode
crypto ipsec transform-set mytransform esp-3des esp-sha-hmac    Defines the IPSec protocol (ESP) and algorithms (3DES encryption, SHA-1 HMAC integrity) and names the set "mytransform"
crypto map RouterAtoB 10 ipsec-isakmp                           Creates entry 10 of crypto map "RouterAtoB", with SAs negotiated by IKE
set peer 10.1.1.2                                               Defines the serial IP address of router A as the peer address
set transform-set mytransform                                   Associates the transform-set just created with this crypto map entry
set pfs group2                                                  Configures perfect forward secrecy with a DH Group 2 exchange during IPSec SA negotiation
match address 110                                               Binds access-list 110 to this entry so that it selects the traffic to encrypt

We are almost finished! The next task is to define access-list 110, which specifies which IP packets the crypto map will encrypt. Since we want all traffic sent and received between the site A workstations (30.1.1.0/24) and the database server (20.1.1.100) to be encrypted, we define the access-list as follows:

SYNTAX                                                          DESCRIPTION
router A
conf t                                                          Enter global configuration mode
access-list 110 permit ip 30.1.1.0 0.0.0.255 host 20.1.1.100    Identifies traffic to be encrypted (site A LAN to the database server)

router B
conf t                                                          Enter global configuration mode
access-list 110 permit ip host 20.1.1.100 30.1.1.0 0.0.0.255    Identifies traffic to be encrypted (database server to the site A LAN)

Router B's access-list is the mirror image of router A's: its source is router A's destination and vice versa. The two lists must mirror each other exactly; if they do not (a single mistyped wildcard mask, such as 0.0.0.25 instead of 0.0.0.255, is enough), the proxy identities proposed by the two peers will not agree and the IPSec SA negotiation fails.

Since there is an implicit deny at the end of an access-list, any other traffic not matching the permit statement is not encrypted; it is simply forwarded normally, in the clear.

Next, we must make sure the crypto map is applied to the outbound interface of the router, on which the tunnel originates and terminates. Since both routers use their serial interface and the same crypto map name, the commands are the same on both routers:

SYNTAX                                                          DESCRIPTION
router A & B
conf t                                                          Enter global configuration mode
interface serial 0/0                                            Enter interface configuration mode
crypto map RouterAtoB                                           Applies the crypto map "RouterAtoB" to the interface

If you want to encrypt traffic over the Internet rather than over a dedicated WAN link (as in this illustration), the only real difference is that each router needs Internet connectivity and a route to the peer's gateway address, since the two routers will no longer be directly connected on the same WAN segment. Any firewall in the path must also pass IKE (UDP port 500, or UDP port 4500 when NAT traversal is in use) and ESP (IP protocol 50).

The last thing to do is to make sure the routes to and from the source and destination hosts exist; this can be done with either static routing or a routing protocol. Once traffic matching access-list 110 is sent, show crypto isakmp sa should list the peer in the QM_IDLE state and show crypto ipsec sa should show the packet encrypt and decrypt counters increasing.

Site Map / Legal / © Copyright 2006 enetworktutor.com
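The two details that most often break a pair like this are the ones in the key/peer step and the access-list step above: a key or `set peer` bound to the wrong address, and crypto access-lists that are not exact mirror images. The following is an added example, not code from the original tutorial, written in Python rather than IOS: an offline checker run against the two routers' saved configurations. It parses each crypto access-list into networks (a mistyped wildcard mask such as 0.0.0.25 surfaces as a non-contiguous netmask), verifies that each router's `set peer` and isakmp key address point at the interface on which the other router applies its crypto map, and flags 3DES, DH Group 2 and a short pre-shared key. The sample configurations are constructed from the tutorial's addresses; the /30 mask on the serial link, the `match address 110` binding and the 16-character key threshold are this example's own assumptions.

```python
import ipaddress

# Constructed sample configs using the tutorial's addressing (router A is 10.1.1.2,
# router B is 10.1.1.1 on the serial link).  The /30 mask and the 'match address 110'
# binding are assumptions the tutorial does not state.
ROUTER_A = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.1.1
crypto ipsec transform-set mytransform esp-3des esp-sha-hmac
crypto map RouterAtoB 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set mytransform
 set pfs group2
 match address 110
access-list 110 permit ip 30.1.1.0 0.0.0.255 host 20.1.1.100
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 crypto map RouterAtoB
"""
# Router B mirrors A, with the wildcard typo 0.0.0.25 (instead of 0.0.0.255)
# deliberately reproduced so the ACL check has something to catch.
ROUTER_B = (ROUTER_A.replace("10.1.1.1", "10.1.1.2", 2)  # key and set peer now point at A
            .replace("ip address 10.1.1.2", "ip address 10.1.1.1")
            .replace("30.1.1.0 0.0.0.255 host 20.1.1.100",
                     "host 20.1.1.100 30.1.1.0 0.0.0.25"))

# Not acceptable today: NIST SP 800-131A disallows 3DES; DH group 2 is 1024-bit MODP.
WEAK_TOKENS = {"3des": "3DES (use AES)", "esp-3des": "3DES (use esp-aes)",
               "group2": "DH group 2 (1024-bit MODP; use group 14 or higher)"}
MIN_PSK_LENGTH = 16  # this example's own threshold, not an IOS limit

def _endpoint(tokens):
    """Consume one ACL endpoint ('host X', 'any' or 'addr wildcard') as an IPv4Network.
    A non-contiguous wildcard (0.0.0.25 -> 255.255.255.230) raises NetmaskValueError."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.IPv4Network((first, str(netmask)), strict=False)

def crypto_acl(config, number):
    """Set of (src, dst) networks selected by the 'permit ip' lines of the ACL."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] == ["access-list", str(number), "permit", "ip"]:
            rest = tok[4:]
            pairs.add((_endpoint(rest), _endpoint(rest)))  # consumes src, then dst
    return pairs

def tunnel_endpoint(config):
    """Address of the interface the crypto map is applied to (None if none)."""
    addr = None
    for line in config.splitlines():
        if line.startswith("interface "):
            addr = None
        elif line.startswith(" ip address "):
            addr = line.split()[2]
        elif line.startswith(" crypto map "):
            return addr
    return None

def _first_field(config, prefix, index):
    for line in config.splitlines():
        if line.strip().startswith(prefix):
            return line.split()[index]
    return None

def check_pair(local, remote, acl_number=110):
    """Check 'local' against its peer 'remote'; an empty list means it passed."""
    findings = []
    peer = _first_field(local, "set peer", 2)
    key_addr = _first_field(local, "crypto isakmp key", 5)
    key = _first_field(local, "crypto isakmp key", 3)
    endpoint = tunnel_endpoint(remote)
    if peer != endpoint:
        findings.append(f"set peer {peer} but the peer terminates its crypto map on {endpoint}")
    if key_addr != peer:
        findings.append(f"isakmp key is bound to {key_addr} but set peer is {peer}")
    if key is not None and len(key) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key {key!r} is shorter than {MIN_PSK_LENGTH} characters")
    acls = {}
    for side, cfg in (("local", local), ("peer", remote)):
        try:
            acls[side] = crypto_acl(cfg, acl_number)
        except ValueError as exc:  # e.g. a mistyped, non-contiguous wildcard mask
            findings.append(f"ACL {acl_number} on {side}: {exc}")
    if len(acls) == 2:
        mirrored = {(dst, src) for src, dst in acls["peer"]}
        for src, dst in acls["local"] ^ mirrored:
            findings.append(f"ACL {acl_number}: {src} -> {dst} has no mirror entry on the peer")
    for line in local.splitlines():
        joined = " ".join(line.split()).replace("group 2", "group2")  # IKE 'group 2' is the same DH group
        findings += [f"'{line.strip()}': {WEAK_TOKENS[t]}" for t in joined.split() if t in WEAK_TOKENS]
    return findings
```

Calling check_pair(ROUTER_A, ROUTER_B) reports the 0.0.0.25 typo as an invalid netmask on the peer side, the five-character key, and the 3DES and DH Group 2 lines; after the wildcard is corrected to 0.0.0.255 the ACL findings disappear in both directions. On real routers the two inputs would be the saved output of show running-config from each peer.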