Learn how to configure IPSEC site to site vpn on cisco router using cisco Packet Tracer

Posted: March 24, 2017 in CCNP
Tags: , , ,
Learn how to configure IPSEC site to site vpn on cisco router using cisco Packet Tracer.As we all know IPsec provides secure transmission of sensetive data over unprotected networks like internet.So what actually IPsec does is it acts at the network layer which means its working in network layer of TCP/IP model and protecting sensitive data and authenticate IP packets only between participating IPsec devices like cisco routers. here in this IPSEC Example lab Router0 and Router1 is is participating in IPsec peers.So in this acitivity or in this lab i will configure these two routers to support a site to site IPsec VPN for traffic flowing from their respective LANs.

ipsec configuration

Step 1:configuration on Router0
Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 192.168.1.0
Router(config-router)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-router)#exit
Step 2. ISAKMP policy
In this section we will Configure and decide what parameters will be used for the IKE phase 1 tunnel

 

Router(config)#crypto isakmp policy 10
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes 256
Router(config-isakmp)#group 2
Router(config-isakmp)#lifetime 86400
Router(config-isakmp)#
Router(config-isakmp)#exit

 

Step 3. Transform Set
In this section we Configure and decide what parameters will eb used for the IKE phase 2 tunnel (aka the IPSEC tunnel)
Router(config)#crypto isakmp key redhat address 10.0.0.2
Router(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac

 

Step 4:ACL (Access Control List
Here in this step we will Create an ACL to define what “interesting” traffic will be sent over the VPN
Router(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Step 5. Cypto Map
Define and Configure using the previous parameters.

 

Router(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
 and a valid access list have been configured.
Router(config-crypto-map)#set peer 10.0.0.2
Router(config-crypto-map)#match address 101
Router(config-crypto-map)#set transform-set TSET
Router(config-crypto-map)#exit

 

Step 6. Apply – Apply the cypto map to an interface.

 

Router(config)#int fa0/0
Router(config-if)#crypto map CMAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#
Router(config-if)#do write
Building configuration...
[OK]
Router(config-if)#

Now repeat the above steps on Router1:

Configuration on Router1
Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 192.168.2.0
Router(config-router)#

 

Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#hash sha
Router(config-isakmp)#encryption aes 256
Router(config-isakmp)#group 2
Router(config-isakmp)#lifetime 86400
Router(config-isakmp)#exit

 

Router(config)#crypto isakmp key redhat address 10.0.0.1
Router(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac


Router(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255


Router(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
 and a valid access list have been configured.
Router(config-crypto-map)#set peer 10.0.0.1
Router(config-crypto-map)#match address 101
Router(config-crypto-map)#set transform-set TSET
Router(config-crypto-map)#exit
Router(config)#int fa0/0
Router(config-if)#crypto map CMAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do write
Building configuration...
[OK]
Router(config-if)#

 

Verification on Router0
Test and Verify IPSEC Configuration
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.0.0.2 10.0.0.1 QM_IDLE 1089 0 ACTIVE
Router# show crypto ipsec sa

interface: FastEthernet0/0
 Crypto map tag: CMAP, local addr 10.0.0.1

protected vrf: (none)
 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
 current_peer 10.0.0.2 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 0
 #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 0

local crypto endpt.: 10.0.0.1, remote crypto endpt.:10.0.0.2
 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
 current outbound spi: 0x34284297(875053719)

inbound esp sas:
 spi: 0x196C4D5C(426528092)
 transform: esp-aes esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2002, flow_id: FPGA:1, crypto map: CMAP
 sa timing: remaining key lifetime (k/sec): (4525504/3535)
 IV size: 16 bytes
 replay detection support: N
 Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x34284297(875053719)
 transform: esp-aes esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2003, flow_id: FPGA:1, crypto map: CMAP
 sa timing: remaining key lifetime (k/sec): (4525504/3535)
 IV size: 16 bytes
 replay detection support: N
 Status: ACTIVE

outbound ah sas:

outbound pcp sas:
Advertisements
Comments
  1. crezzy volume says:

    May i continue the classes ser

    Like

  2. crezzy volume says:

    Sir may i continue

    On 24 Mar 2017 11:33, “Learn Linux CCNA CEH CCNP IPv6 Windows” wrote:

    > satish tiwary posted: “Learn how to configure IPSEC site to site vpn on > cisco router using cisco Packet Tracer.As we all know IPsec provides secure > transmission of sensetive data over unprotected networks like internet.So > what actually IPsec does is it acts at the network layer” >

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s