Learn how to configure IPSEC site to site vpn on cisco router using cisco Packet Tracer.As we all know IPsec provides secure transmission of sensitive data over unprotected networks like internet.So what actually IPsec does is it acts at the network layer which means its working in network layer of TCP/IP model and protecting sensitive data and authenticate IP packets only between participating IPsec devices like cisco routers. here in this IPSEC Example lab Router0 and Router1 is is participating in IPsec peers.So in this activity or in this lab i will configure these two routers to support a site to site IPsec VPN for traffic flowing from their respective LANs.

While configuring this lab I consider that everyone who is going to configure this lab must know how to assign ip address on router interfaces and if you don’t you can read my articles on  How to assign ip address on Router interfaces..

Step 1:configuration on Router0

Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 192.168.1.0
Router(config-router)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-router)#exit

Step 2. ISAKMP policy
In this section we will Configure and decide what parameters will be used for the IKE phase 1 tunnel

 

Router(config)#crypto isakmp policy 10
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes 256
Router(config-isakmp)#group 2
Router(config-isakmp)#lifetime 86400
Router(config-isakmp)#
Router(config-isakmp)#exit

 

Step 3. Transform Set
In this section we Configure and decide what parameters will eb used for the IKE phase 2 tunnel (aka the IPSEC tunnel)

Router(config)#crypto isakmp key redhat address 10.0.0.2
Router(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac

 

Step 4:ACL (Access Control List
Here in this step we will Create an ACL to define what “interesting” traffic will be sent over the VPN

Router(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Step 5. Cypto Map
Define and Configure using the previous parameters.

 

Router(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
 and a valid access list have been configured.
Router(config-crypto-map)#set peer 10.0.0.2
Router(config-crypto-map)#match address 101
Router(config-crypto-map)#set transform-set TSET
Router(config-crypto-map)#exit

 

Step 6. Apply – Apply the cypto map to an interface.

 

Router(config)#int fa0/0
Router(config-if)#crypto map CMAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#
Router(config-if)#do write
Building configuration...
[OK]
Router(config-if)#

Now repeat the above steps on Router1:

Configuration on Router1

Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 192.168.2.0
Router(config-router)#

 

Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#hash sha
Router(config-isakmp)#encryption aes 256
Router(config-isakmp)#group 2
Router(config-isakmp)#lifetime 86400
Router(config-isakmp)#exit

 

Router(config)#crypto isakmp key redhat address 10.0.0.1
Router(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac


Router(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255


Router(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
 and a valid access list have been configured.

Router(config-crypto-map)#set peer 10.0.0.1
Router(config-crypto-map)#match address 101
Router(config-crypto-map)#set transform-set TSET
Router(config-crypto-map)#exit

Router(config)#int fa0/0
Router(config-if)#crypto map CMAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do write
Building configuration...
[OK]
Router(config-if)#

 

Verification on Router0
Test and Verify IPSEC Configuration

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.0.0.2 10.0.0.1 QM_IDLE 1089 0 ACTIVE

Router# show crypto ipsec sa

interface: FastEthernet0/0
 Crypto map tag: CMAP, local addr 10.0.0.1

protected vrf: (none)
 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
 current_peer 10.0.0.2 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 0
 #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 0

local crypto endpt.: 10.0.0.1, remote crypto endpt.:10.0.0.2
 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
 current outbound spi: 0x34284297(875053719)

inbound esp sas:
 spi: 0x196C4D5C(426528092)
 transform: esp-aes esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2002, flow_id: FPGA:1, crypto map: CMAP
 sa timing: remaining key lifetime (k/sec): (4525504/3535)
 IV size: 16 bytes
 replay detection support: N
 Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x34284297(875053719)
 transform: esp-aes esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2003, flow_id: FPGA:1, crypto map: CMAP
 sa timing: remaining key lifetime (k/sec): (4525504/3535)
 IV size: 16 bytes
 replay detection support: N
 Status: ACTIVE

outbound ah sas:

outbound pcp sas:








You can also Read:
How to Configure VPN on Cisco Router.