by Michael T. Durham
In part two of NetCertLabs' Cisco CCNA Security VPN lab series, we set up a site-to-site VPN connection where one side is
the corporate office with a static public IP address and the other side is a home office with a dynamic public IP address.
One important point about this design: a site-to-site VPN whose remote end has a dynamic public IP address can only be
brought up by the remote router, because only the remote router knows the Corp router's public IP address. Until the remote
side sends interesting traffic, the Corp router has no peer address to negotiate with.
This type of connection, like the one in Cisco IPSec VPN lab 1, behaves as an NBMA (Non-Broadcast Multi-Access) network:
the crypto-map tunnel carries only the unicast traffic matched by the crypto ACL and does not pass multicast, so you must
use static routes across it. Routing protocols such as RIP, EIGRP and OSPF will not work over this type of connection. If
your situation requires a dynamic routing protocol, you need a GRE tunnel protected by IPSec.
IPSec VPN tunnels can also be configured as GRE (Generic Routing Encapsulation) tunnels with IPSec encryption; GRE over
IPSec and SSL (Secure Sockets Layer) VPNs are the options usually recommended when sending sensitive data over the
Internet. GRE VPN tunnels will be covered in another document.
Cisco IOS includes IPSec support, beginning with early versions of IOS Version 12; however the commands have changed
during the evolution of IOS Version 12 point releases.
ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the
VPN tunnel. ISAKMP, usually referred to as IKE (Internet Key Exchange), is the negotiation protocol that lets two peers
agree on how to build an IPSec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
Cisco IOS lets you configure more than one ISAKMP policy per router, each identified by a priority number from 1 (most
preferred) to 10000 (least preferred). During Phase 1 the peers compare their policies and use the first pair that agrees on
encryption, hash, authentication method and Diffie-Hellman group, so you must design at least one policy that is acceptable
to every peer you will interoperate with. This lab uses a single policy with priority 10; if you add more, they are offered
in the order given by the priority numbers.
Phase 1 creates the first tunnel (the ISAKMP SA), which protects the later ISAKMP negotiation messages. Phase 2 negotiates
the IPSec security associations, one per direction, that protect the data. IPSec then encrypts the data with the negotiated
algorithms and provides confidentiality, authentication and anti-replay services.
NetCertLabs' goal is to provide you with the basic knowledge necessary to pass your desired exam or just help you get your
lab setup and working so you can learn each subject. Another one of NetCertLabs' goals is to provide you with CLEAR and
concise step-by-step instructions of KNOWN working configurations.
For a more in-depth study of IPSec VPN's, visit Cisco's website's Video Training Series at:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
Figure: lab topology. A DHCP server sits on the Corp LAN 192.168.0.0/24. Corp router: fa0/0 192.168.0.1, s0/0 208.51.24.8
(static public IP). Internet cloud. Home router: s0/0 dynamic IP, fa0/0 192.168.1.1, LAN 192.168.1.0/24. The VPN runs
between Corp and Home. Note that the configurations later in this document use 50.137.15.9 for Corp and 10.0.0.0/24 and
10.0.20.0/24 for the remote LANs.
This lab will show you how to set up and configure three Cisco routers to create a permanent, secure site-to-site VPN tunnel
over the Internet using the IP Security (IPSec) protocol: the Corp router, an Internet router standing in for the ISP, and
the remote Branch router (a fourth router, Home, is added in the multi-site section later). In this lab we assume that your
Ethernet and serial ports are already configured, that the Corp router has a static public IP address and that the remote
router obtains its public address dynamically.
Public IP addresses are used in the lab to give you a more realistic understanding of what happens where. Since your routers
in this lab are NOT connected to the Internet there will not be any IP address conflicts. Please make sure that your lab is
disconnected from any equipment that could provide Internet connectivity.
If you are interested in configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels
see the CCNA/CCNA Security Lab 3. NetCertLabs has several additional CCNA/CCNA Security labs for you to learn with on
our web site as well as many other labs to help you earn the certification you are seeking.
The following five steps are needed to create an IPSec VPN on a Cisco IOS device with a dynamic-IP peer:
Step 1. ISAKMP policy - configure the parameters used for the IKE Phase 1 tunnel.
Step 2. Transform set - configure the parameters used for the IKE Phase 2 tunnel (the IPSec tunnel).
Step 3. ACL - create an access list that defines the interesting traffic to be sent over the VPN.
Step 4. Crypto map - tie the previous parameters together (on the Corp side a dynamic crypto map, since the peer address is unknown).
Step 5. Apply - apply the crypto map to the public interface.
Step 1 starts by enabling ISAKMP and creating the policy (crypto isakmp enable, crypto isakmp policy 10, authentication
pre-share, hash sha, as shown in the Branch section and in the complete configurations at the end). Within the policy,
configure the encryption algorithm. In order of strength: AES-256, AES-192, AES-128, 3DES, DES. On the IOS releases this lab
was written for, 56-bit DES is the default if nothing is explicitly configured (check the default protection suite in
show crypto isakmp policy on your release). 3DES is used here to match the lab; prefer AES on any router that supports it.
Corp(config-isakmp)#encryption 3des
group <number> sets the modulus size of the Diffie-Hellman key exchange (group 5 is not supported on all versions of IOS):
Group   Description
1       The 768-bit Diffie-Hellman group.
2       The 1024-bit Diffie-Hellman group.
5       The 1536-bit Diffie-Hellman group.
Groups 1, 2 and 5 are all considered too weak today; where the IOS release supports it, use group 14 (2048-bit) or the
elliptic-curve groups 19 or 20 instead.
Corp(config-isakmp)#group 5
lifetime is the lifetime of the ISAKMP security association in seconds; 3600 is one hour, and 86400 (one day) is the default.
Corp(config-isakmp)#lifetime 3600
Since we configured pre-shared key authentication, we need to configure the key itself in global configuration mode. The 0
means the key is entered in clear text (it is also stored that way unless type 6 encryption has been enabled with
key config-key password-encryption).
Corp(config)#crypto isakmp key 0 K3y4vPnLab address 0.0.0.0 0.0.0.0
The pre-shared key is set to K3y4vPnLab and the remote peer address is given as the wildcard 0.0.0.0 0.0.0.0. This tells
the Corp router that the remote Branch router has a dynamic public IP address and makes it willing to negotiate a tunnel
with any peer that presents this key. The security consequence is that the key is all that identifies a spoke: anyone who
learns it can bring up a tunnel to Corp from any address, so choose a long random key, change it if a spoke router is lost
or compromised, and consider certificates instead of a shared key once the number of spokes grows.
To keep the VPN up and detect a dead peer when no traffic is passing, we use dead peer detection (DPD): ISAKMP sends a
keepalive every 10 seconds and retries every 2 seconds once a keepalive goes unanswered. The default is to send DPD messages
on demand (only when there is traffic to send and the peer has been silent) rather than periodically as configured here.
Not all versions of IOS support this command.
Corp(config)#crypto isakmp keepalive 10 2 periodic
Verify the configuration with show crypto isakmp policy (the values for priority 10 are those configured above; the default
protection suite shown is the one classic 12.x IOS prints, newer releases list a different default set):
Corp#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
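The policy matching rule is easy to get wrong when spokes run different IOS versions or when you harden the hub. The following Python script is an added example, not part of the lab or of Cisco's software: it models the IOS responder's policy selection (policies walked lowest priority number first; encryption, hash, authentication method and DH group must all match; lifetime is taken as the shorter of the two rather than treated as a match criterion; every router also carries the implicit default suite of DES/SHA/rsa-sig/group 1). The HARDENED_CORP policy set is an assumed stronger configuration, not one from the page, and shows how a hub can prefer AES-256 with group 14 while still accepting the lab's 3DES spoke.

```python
"""IKE Phase 1 policy matching, the rule behind 'crypto isakmp policy <n>'.

Added example (not from the lab): models how an IOS responder selects a
Phase 1 proposal so a policy set can be checked against a peer before it
is deployed. Assumptions: the responder walks its own policies lowest
priority number first and accepts the first whose encryption, hash,
authentication and DH group equal one of the initiator's offers; lifetime
is not a match criterion and the shorter value is used; every router also
carries the implicit default suite (DES, SHA, rsa-sig, group 1, 86400 s).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' block."""
    priority: int
    encryption: str   # des | 3des | aes | aes-192 | aes-256
    hash_alg: str     # md5 | sha | sha256 | sha384 | sha512
    auth: str         # pre-share | rsa-sig
    group: int        # Diffie-Hellman group number
    lifetime: int = 86400

    def suite(self) -> Tuple[str, str, str, int]:
        return (self.encryption, self.hash_alg, self.auth, self.group)


# The 'Default protection suite' every IOS router appends at priority 65535.
DEFAULT_SUITE = IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400)

# Policy 10 from the lab, identical on Corp and Branch.
LAB_POLICIES = [IsakmpPolicy(10, "3des", "sha", "pre-share", 5, 3600)]

# Assumed hardened Corp policy set (not on the page): prefer AES-256 with
# SHA-256 and DH group 14, but keep the lab's 3DES suite at a lower
# priority for spokes that cannot yet do better.
HARDENED_CORP = [
    IsakmpPolicy(10, "aes-256", "sha256", "pre-share", 14, 3600),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 5, 3600),
]


def negotiate(responder: List[IsakmpPolicy],
              initiator: List[IsakmpPolicy]) -> Tuple[IsakmpPolicy, IsakmpPolicy, int]:
    """Return (responder_policy, initiator_policy, agreed_lifetime).

    The implicit default suite is appended on both sides, so some match is
    always found; a match on the default suite is a failure in practice
    because rsa-sig needs certificates that a pre-shared-key lab lacks.
    """
    for rp in sorted(responder, key=lambda p: p.priority) + [DEFAULT_SUITE]:
        for ipol in sorted(initiator, key=lambda p: p.priority) + [DEFAULT_SUITE]:
            if rp.suite() == ipol.suite():
                return rp, ipol, min(rp.lifetime, ipol.lifetime)
    raise AssertionError("unreachable: the default suites always match")


def explain(responder: List[IsakmpPolicy], initiator: List[IsakmpPolicy]) -> str:
    """Human-readable verdict for one responder/initiator pair."""
    rp, ipol, life = negotiate(responder, initiator)
    if rp is DEFAULT_SUITE:
        return ("FAIL: only the implicit default suite matched "
                "(DES, SHA, rsa-sig, group 1); Phase 1 will not complete "
                "with pre-shared keys, and DES/group 1 are not acceptable anyway")
    verdict = "OK"
    if rp.encryption in ("des", "3des") or rp.group in (1, 2, 5) or rp.hash_alg == "md5":
        verdict = "OK (weak suite)"
    return (f"{verdict}: responder policy {rp.priority} <-> initiator policy "
            f"{ipol.priority}: {rp.encryption}/{rp.hash_alg}/{rp.auth}/group "
            f"{rp.group}, lifetime {life}s")


if __name__ == "__main__":
    print(explain(LAB_POLICIES, LAB_POLICIES))
    print(explain(HARDENED_CORP, LAB_POLICIES))
    # A spoke typo: 'group 2' instead of 'group 5' leaves no usable match.
    print(explain(HARDENED_CORP, [IsakmpPolicy(10, "3des", "sha", "pre-share", 2, 3600)]))
```

The third call shows the failure mode that a single mistyped attribute produces: both routers still "match" on the implicit default suite, so debug crypto isakmp reports attribute mismatches followed by an authentication failure rather than a clean "no policy" message.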
Step 3. ACL
This step creates an access list that defines the traffic the router should send through each VPN tunnel. In this example,
for the first VPN tunnel it is traffic from headquarters (192.168.0.0/24) to remote site 1 (10.0.0.0/24). Access lists that
define VPN traffic are also called crypto access lists or interesting-traffic access lists. The easiest way to remember
which address goes where is the phrase "me, them": "me" is the router you are working on and "them" is the router you are
connecting your VPN to. The remote router's crypto ACL must be the exact mirror image of this one, otherwise Phase 2 fails
with a proxy identity mismatch.
Corp(config)#ip access-list extended ACL_VPN_CORP_TO_BRANCH
Corp(config-ext-nacl)#remark Allow IP traffic over the CORP_TO_BRANCH VPN
Corp(config-ext-nacl)#permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Step 5. Apply
The final step is to apply our crypto map to the public interface of the headquarters router, which in this lab is
Serial0/0. In many cases this might instead be an Ethernet, serial or ATM (ADSL dialer) interface. Steps 2 and 4 (the
transform set and the dynamic crypto map that the static map refers to) use the commands shown in the complete Corp
configuration at the end of this document.
Corp(config)#int Serial 0/0
Corp(config-if)#crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP
After you enter the crypto map command, a syslog message confirms that ISAKMP has been turned on:
*Mar
Note that you can assign only one crypto map to an interface. At this point, we have completed the IPSec VPN configuration
on the Corp router.
We now move to the Branch router to complete the VPN configuration on the remote endpoint.
------------- Branch Router -------------
Our remote router connects to the Internet and is assigned a dynamic IP address which the ISP changes periodically. For the
most part the configuration is similar to that of the Corp router, with a few differences: the peer is named explicitly, so
a normal (static) crypto map is used instead of a dynamic one.
In the configuration below, IP address 50.137.15.9 represents the public IP address of our Corp router.
Step 1. ISAKMP
Branch(config)#crypto isakmp enable
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#hash sha
Branch(config-isakmp)#encryption 3des
Branch(config-isakmp)#group 5
Branch(config-isakmp)#lifetime 3600
Branch(config)#crypto isakmp key K3y4vPnLab address 50.137.15.9
Branch(config)#crypto isakmp keepalive 10 2 periodic
Step 3. ACL
Branch(config)#ip access-list extended ACL_VPN_BRANCH_TO_CORP
Branch(config-ext-nacl)#remark Allow IP traffic over the BRANCH_TO_CORP VPN
Branch(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Step 5. Apply
Branch(config)#int Serial 0/0
Branch(config-if)#crypto map BRANCH_TO_CORP_VPN
Branch#show crypto
ID    Interface    Encrypt  Decrypt
1     Serial0/0    0        0
2001  Serial0/0    0        5
2002  Serial0/0    9        0
You can see one IKE connection (ID 1) and one IPSec SA for each direction (2001 decrypts inbound packets, 2002 encrypts
outbound ones). The output above is from show crypto engine connections active with its other columns omitted.
Some other diagnostic tools are:
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 50.137.15.9 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 50.137.15.9
Desc: (none)
IKE SA: local 209.87.55.2/500 remote 50.137.15.9/500 Active
Capabilities:D connid:1 lifetime:00:41:18
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 5 drop 0 life (KB/Sec) 4565873/2479
Outbound: #pkts enc'ed 9 drop 6 life (KB/Sec) 4565872/2479
Branch#show crypto isakmp sa
dst              src              state
50.137.15.9      209.87.55.2      QM_IDLE
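To read these outputs mechanically, for example from a script that polls a fleet of spokes, the following Python is an added example (not from the lab or from Cisco): it parses show crypto isakmp sa and show crypto session detail text, classifies the ISAKMP main-mode state, and flags the counter patterns that indicate a half-working tunnel. The sample outputs are constructed copies of the lab output above, and the state descriptions are the standard IKEv1 main-mode meanings.

```python
"""Interpret IOS 'show crypto isakmp sa' and 'show crypto session detail' output.

Added example (not from the lab): parses the two command outputs and turns
them into findings so a stuck tunnel can be classified without reading the
debug stream. The samples are constructed from the lab output above; the
ISAKMP state meanings are the standard IKEv1 main-mode states.
"""
import re
from typing import Dict, List

# IKEv1 main-mode states in the order a Phase 1 negotiation passes through them.
ISAKMP_STATES = {
    "MM_NO_STATE": "SA created but the peer never answered: check reachability, UDP/500 and that a Phase 1 policy matches",
    "MM_SA_SETUP": "Phase 1 policy agreed, waiting for the Diffie-Hellman exchange",
    "MM_KEY_EXCH": "DH done but peer not authenticated: a wrong pre-shared key usually stalls here",
    "MM_KEY_AUTH": "peer authenticated, finishing Phase 1",
    "QM_IDLE": "Phase 1 complete and idle; IPsec (Phase 2) SAs can be negotiated",
}

SAMPLE_ISAKMP_SA = """\
dst             src             state
50.137.15.9     209.87.55.2     QM_IDLE
"""

SAMPLE_SESSION = """\
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 50.137.15.9 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 209.87.55.2/500 remote 50.137.15.9/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4565873/2479
        Outbound: #pkts enc'ed 9 drop 6 life (KB/Sec) 4565872/2479
"""

ISAKMP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", re.M)


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """One dict per ISAKMP SA row: dst, src, state (header line has no addresses)."""
    return [{"dst": d, "src": s, "state": st} for d, s, st in ISAKMP_RE.findall(text)]


def parse_session(text: str) -> Dict[str, object]:
    """Status, peer, IKE SA state and per-flow packet counters from 'show crypto session detail'."""
    def grab(pattern: str, conv=str, default=None):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else default
    return {
        "status": grab(r"Session status: (\S+)"),
        "peer": grab(r"Peer: (\S+) port"),
        "ike_state": grab(r"IKE SA: local \S+ remote \S+ (\S+)"),
        "active_sas": grab(r"Active SAs: (\d+)", int, 0),
        "dec": grab(r"#pkts dec'ed (\d+)", int, 0),
        "in_drop": grab(r"dec'ed \d+ drop (\d+)", int, 0),
        "enc": grab(r"#pkts enc'ed (\d+)", int, 0),
        "out_drop": grab(r"enc'ed \d+ drop (\d+)", int, 0),
    }


def assess(session: Dict[str, object], isakmp: List[Dict[str, str]]) -> List[str]:
    """Findings a NOC script would raise for one spoke."""
    findings = []
    for sa in isakmp:
        meaning = ISAKMP_STATES.get(sa["state"], "aggressive-mode or unknown state, inspect with debug crypto isakmp")
        findings.append(f"ISAKMP {sa['src']} -> {sa['dst']} {sa['state']}: {meaning}")
    if session["status"] != "UP-ACTIVE":
        findings.append(f"session status {session['status']}: no usable IPsec SA yet")
    if session["ike_state"] not in (None, "Active"):
        findings.append(f"IKE SA state {session['ike_state']}: Phase 1 not established")
    if session["active_sas"] % 2:
        findings.append("odd number of IPsec SAs: one direction is missing, check that the crypto ACLs mirror each other")
    if session["enc"] and not session["dec"]:
        findings.append("packets encrypted but none decrypted: one-way traffic, check the peer's crypto ACL, NAT exemption or return route")
    if session["out_drop"]:
        findings.append(f"{session['out_drop']} outbound packets dropped: normal for the packets that triggered negotiation, a growing count means a problem")
    return findings


if __name__ == "__main__":
    for line in assess(parse_session(SAMPLE_SESSION), parse_isakmp_sa(SAMPLE_ISAKMP_SA)):
        print(line)
```

On the lab output this reports QM_IDLE as a completed Phase 1 and the six outbound drops as the packets that were sent before the IPsec SAs existed; the same drop counter growing on a tunnel that has been up for a while is the signal to look at the crypto ACL and NAT configuration.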
The easiest way to clear SAs from a Cisco IOS router varies with the version, but one of these two will generally work
(clearing the ISAKMP SA also tears down the IPSec SAs built under it):
clear crypto isakmp
clear crypto sa
To see debugging output in IOS, you must turn on the debug as well as terminal monitoring, which sends log output to the
terminal you are logged in on (a console session sees it by default):
debug crypto verbose
debug crypto isakmp
debug crypto ipsec
terminal monitor
To disable debugging:
undebug all (may be abbreviated to u all)
terminal no monitor
And many more. Remember to type ? at the end of a command as you type it to see what other options exist. When you only
see <cr> by itself, there are no further keywords possible.
Figure: multi-site lab topology. Corp router: fa0/0 192.168.0.1 (Corp PC 192.168.0.100), s0/0 50.137.15.9. Internet router:
s0/0 toward Corp, s0/1 toward Branch, s0/2 toward Home. Branch router: s0/0 dynamic IP, fa0/0 10.0.0.1. Home router: s0/0
dynamic IP, fa0/0 10.0.20.1 (Home PC 10.0.20.100). VPN tunnels run from Branch and from Home to Corp.
Many times you may need to add more than one remote site that gets its IP address dynamically. This is easy to accomplish
with just a few additional commands on the Corp router.
------------- Corp Router -------------
First we need to add an access list for each additional remote network.
Corp(config)#ip access-list extended ACL_VPN_CORP_TO_HOME
Corp(config-ext-nacl)#remark Allow IP traffic over the CORP_TO_HOME VPN
Corp(config-ext-nacl)#permit ip 192.168.0.0 0.0.0.255 10.0.20.0 0.0.0.255
Then add an entry to the dynamic map for each additional location, with its own sequence number, the same transform set and
a match address line pointing at the new access list (the complete entry is shown in the Corp configuration at the end).
Corp(config)#crypto dynamic-map DYNAMIC_CORP_VPN 20
NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
This message is normal for a dynamic-map entry; it becomes usable once the match address line is entered. Remember also to
exempt the new network from NAT on the Corp router, otherwise traffic to 10.0.20.0/24 is translated before the crypto map
sees it and never matches the crypto ACL. The Home router is configured exactly like Branch, with its own crypto ACL and map:
Step 3. ACL
Home(config)#ip access-list extended ACL_VPN_HOME_TO_CORP
Home(config-ext-nacl)#remark Allow IP traffic over the CORP_TO_HOME VPN
Home(config-ext-nacl)#permit ip 10.0.20.0 0.0.0.255 192.168.0.0 0.0.0.255
Step 5. Apply
Home(config)#int Serial 0/0
Home(config-if)#crypto map HOME_TO_CORP_VPN
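Both the crypto ACL step and the multi-site extension above rest on two invariants that IOS does not check for you: each spoke's crypto ACL must mirror exactly one hub dynamic-map entry, and the NAT ACL on every router must deny VPN-bound traffic before its catch-all permit, because inside-to-outside NAT is applied before the crypto map. The following Python script is an added example (not from the lab or from Cisco) that checks both against running-config text. The CORP, BRANCH and HOME strings are constructed from the lab's listings; CORP reproduces the lab's NAT list, which lacks a deny for the Home network, and HOME has its deny deliberately placed after the permit to show that ordering failure.

```python
"""Crypto ACL mirror and NAT exemption checks for IOS crypto-map VPNs.

Added example, not from the lab. A spoke crypto ACL that does not mirror a
hub dynamic-map entry, or a NAT list whose catch-all permit precedes the
VPN deny (inside-to-outside NAT runs before the crypto map), leaves the
tunnel "up" but idle. Configs are constructed from the lab; CORP keeps the
lab's missing Home deny and HOME's deny is deliberately after the permit.
"""
import ipaddress
Net = ipaddress.IPv4Network

CORP = """\
crypto dynamic-map DYNAMIC_CORP_VPN 10
 match address ACL_VPN_CORP_TO_BRANCH
crypto dynamic-map DYNAMIC_CORP_VPN 20
 match address ACL_VPN_CORP_TO_HOME
ip nat inside source list 100 interface Serial0/0 overload
ip access-list extended ACL_VPN_CORP_TO_BRANCH
 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended ACL_VPN_CORP_TO_HOME
 permit ip 192.168.0.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""
BRANCH = """\
crypto map BRANCH_TO_CORP_VPN 10 ipsec-isakmp
 match address ACL_VPN_BRANCH_TO_CORP
ip nat inside source list 100 interface Serial0/0 overload
ip access-list extended ACL_VPN_BRANCH_TO_CORP
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
"""
HOME = """\
crypto map HOME_TO_CORP_VPN 10 ipsec-isakmp
 match address ACL_VPN_HOME_TO_CORP
ip nat inside source list 100 interface Serial0/0 overload
ip access-list extended ACL_VPN_HOME_TO_CORP
 permit ip 10.0.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.0.20.0 0.0.0.255 any
access-list 100 deny ip 10.0.20.0 0.0.0.255 192.168.0.0 0.0.0.255
"""


def take_addr(w: list, i: int) -> tuple:
    """Consume one ACL address operand: any | host A | A WILDCARD."""
    if w[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return Net(w[i + 1] + "/32"), i + 2
    return Net(f"{w[i]}/{w[i + 1]}"), i + 2  # ipaddress accepts IOS wildcard masks


def ace(w: list, i: int) -> tuple:
    """Parse 'permit|deny ip SRC DST' starting at w[i] into (action, src_net, dst_net)."""
    src, j = take_addr(w, i + 2)
    dst, _ = take_addr(w, j)
    return (w[i], src, dst)


def parse(config: str) -> dict:
    """ACLs, crypto/dynamic-map 'match address' bindings and the NAT list from config text."""
    acls, maps, nat_list, acl, cmap = {}, {}, None, None, None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            acl = cmap = None
        elif w[:3] == ["ip", "access-list", "extended"]:
            acl, cmap = w[3], None
            acls.setdefault(acl, [])
        elif w[0] == "access-list" and w[2] in ("permit", "deny"):
            acls.setdefault(w[1], []).append(ace(w, 2))
        elif w[0] in ("permit", "deny") and acl:
            acls[acl].append(ace(w, 0))
        elif w[:2] in (["crypto", "dynamic-map"], ["crypto", "map"]) and len(w) > 3 and w[3].isdigit():
            cmap, acl = f"{w[2]} {w[3]}", None  # "MAPNAME seq"
        elif w[:2] == ["match", "address"] and cmap:
            maps[cmap] = w[2]
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_list = w[5]
        elif w[0] not in ("remark", "set", "description"):
            acl = cmap = None  # any other top-level command ends the current block
    return {"acls": acls, "maps": maps, "nat_list": nat_list}


def mirrors(hub: dict, spoke: dict, spoke_acl: str) -> dict:
    """For each spoke crypto ACE, the hub map entry whose ACL holds the reversed ACE (or None)."""
    out = {}
    for action, src, dst in spoke["acls"][spoke_acl]:
        out[(action, src, dst)] = next((entry for entry, name in hub["maps"].items()
                                        if (action, dst, src) in hub["acls"].get(name, [])), None)
    return out


def nat_leaks(router: dict, crypto_acl: str) -> list:
    """Crypto ACEs the NAT list would translate: the first matching NAT ACE is a permit."""
    leaks = []
    for action, src, dst in router["acls"][crypto_acl]:
        for nat_action, nsrc, ndst in router["acls"].get(router["nat_list"], []):
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if nat_action == "permit":
                    leaks.append((action, src, dst))
                break  # first match decides; a deny means exempt from NAT
    return leaks
```

Calling nat_leaks(parse(CORP), "ACL_VPN_CORP_TO_HOME") returns the 192.168.0.0/24 to 10.0.20.0/24 flow, which is why the Corp NAT list needs a second deny for the Home network; nat_leaks(parse(HOME), "ACL_VPN_HOME_TO_CORP") returns the Home flow because the deny comes too late. The fix in both cases is a deny line that precedes the permit and exactly covers the crypto ACL's prefixes; mirrors(parse(CORP), parse(BRANCH), "ACL_VPN_BRANCH_TO_CORP") confirms which dynamic-map sequence a spoke will land on.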
Host       IP Address      Mask             Gateway
Corp PC    192.168.0.100   255.255.255.0    192.168.0.1
Branch PC  10.0.0.100      255.255.255.0    10.0.0.1
Home PC    10.0.20.100     255.255.255.0    10.0.20.1
Corp Router
!
hostname Corp
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key K3y4vPnLab address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC_CORP_VPN 10
 set security-association lifetime seconds 86400
 set transform-set MYTSETNAME
 match address ACL_VPN_CORP_TO_BRANCH
crypto dynamic-map DYNAMIC_CORP_VPN 20
 set security-association lifetime seconds 86400
 set transform-set MYTSETNAME
 match address ACL_VPN_CORP_TO_HOME
!
crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP 1 ipsec-isakmp dynamic DYNAMIC_CORP_VPN
!
! ip nat inside / ip nat outside mark the interfaces; the 'ip nat inside source'
! statement below translates nothing until they are present.
interface Serial0/0
 ip address 50.137.15.9 255.255.255.0
 ip nat outside
 serial restart-delay 0
 crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 50.137.15.1
!
ip nat inside source list 100 interface Serial0/0 overload
!
ip access-list extended ACL_VPN_CORP_TO_BRANCH
 remark Allow IP traffic over the CORP_TO_BRANCH VPN
 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended ACL_VPN_CORP_TO_HOME
 remark Allow IP traffic over the CORP_TO_HOME VPN
 permit ip 192.168.0.0 0.0.0.255 10.0.20.0 0.0.0.255
!
! Inside-to-outside NAT runs before the crypto map, so each VPN-bound flow must
! be denied (exempted) here before the catch-all permit. Without the second deny,
! Corp-to-Home traffic is translated and never matches ACL_VPN_CORP_TO_HOME.
access-list 100 remark Block NAT Service to VPN
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
Internet Router
!
hostname Internet
!
ip dhcp pool ISP-1
 network 209.87.55.0 255.255.255.0
 dns-server 4.2.2.2
!
ip dhcp pool ISP-2
 network 74.29.129.0 255.255.255.0
 dns-server 4.2.2.2
!
interface Serial0/0
 ip address 50.137.15.1 255.255.255.0
 serial restart-delay 0
 clock rate 128000
!
interface Serial0/1
 ip address 209.87.55.1 255.255.255.0
 serial restart-delay 0
 clock rate 128000
!
interface Serial0/2
 ip address 74.29.129.1 255.255.255.0
 serial restart-delay 0
 clock rate 128000
!
Branch Router
!
hostname Branch
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key K3y4vPnLab address 50.137.15.9
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
!
crypto map BRANCH_TO_CORP_VPN 10 ipsec-isakmp
 set peer 50.137.15.9
 set transform-set MYTSETNAME
 match address ACL_VPN_BRANCH_TO_CORP
!
interface Serial0/0
 ip address slarp retry 20
 serial restart-delay 0
 crypto map BRANCH_TO_CORP_VPN
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 209.87.55.1
!
ip nat inside source list 100 interface Serial0/0 overload
!
ip access-list extended ACL_VPN_BRANCH_TO_CORP
 remark Allow IP traffic over the BRANCH_TO_CORP VPN
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 remark Block NAT Service to VPN
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
Home Router
!
hostname Home
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key K3y4vPnLab address 50.137.15.9
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
!
crypto map HOME_TO_CORP_VPN 10 ipsec-isakmp
 set peer 50.137.15.9
 set transform-set MYTSETNAME
 match address ACL_VPN_HOME_TO_CORP
!
interface Serial0/0
 ip address slarp retry 20
 serial restart-delay 0
 crypto map HOME_TO_CORP_VPN
!
interface FastEthernet1/0
 ip address 10.0.20.1 255.255.255.0
 duplex auto
 speed auto
!
! Default route toward the Internet router. The original listing had none; the
! next hop 74.29.129.1 (the Internet router's Serial0/2) is assumed from the
! topology, since without a route to 50.137.15.9 Home can never start the tunnel.
ip route 0.0.0.0 0.0.0.0 74.29.129.1
!
ip access-list extended ACL_VPN_HOME_TO_CORP
 remark Allow IP traffic over the HOME_TO_CORP VPN
 permit ip 10.0.20.0 0.0.0.255 192.168.0.0 0.0.0.255
!