Hey is it possible for you to send me the configs on all routers.
Site-to-Site IPSEC VPN
Scenario:
Your network colleagues were very enthusiastic when you showed them that a GRE tunnel makes it possible to tunnel routing protocols across VPN connections, and after configuring the previous "GRE Tunnel Basic" lab (see our lab section) your colleagues now ask you to configure a basic IPSEC Site-to-Site VPN so they can configure encrypted GRE tunnels later.
Goal:
- All IP addresses have been preconfigured as specified in the topology picture.
- Router Godzilla and Nessie have a loopback interface:
Godzilla: Loopback0: 1.1.1.1 /24
Nessie: Loopback0: 3.3.3.3 /24
- Configure OSPF on all 3 routers and advertise the following networks:
192.168.12.0 /24
192.168.23.0 /24
1.1.1.0 /24
3.3.3.0 /24
- Ensure that Godzilla and Nessie can ping each other.
- Ensure you can ping 3.3.3.3 from Godzilla, sourced from its Loopback0 interface.
- We are going to configure an IPSEC connection between Router Godzilla and Nessie.
- Create an ISAKMP policy:
Authentication: pre-shared-key
Encryption: AES 256
Hashing: SHA
DH: Group 5
Lifetime: 3600
- Configure the pre-shared-key "VAULT" which you will use for the IPSEC connection.
- Configure the IPSEC transform-set:
Cipher: AES 256
ESP (Encapsulating Security Payload)
Hashing: SHA
- Change the IPSEC security association lifetime to 1800 seconds.
- You need to encrypt traffic from Router Godzilla's Loopback0 interface destined to Nessie's Loopback0 interface; create the correct access-list.
- Ensure you have a correct (mirrored) access-list on both routers.
- Create the correct crypto-map to finish the IPSEC configuration.
- Verify the IPSEC configuration; you can use the following show/debug commands:
show crypto ipsec transform-set
show crypto map
show crypto ipsec sa
debug crypto isakmp
- Try a ping from Router Godzilla's Loopback0 interface destined to Router Nessie's Loopback0 interface. If your configuration is correct, the traffic should be encrypted.
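The goals above, carried through as one complete configuration for all three routers. This is an added example, not the lab's published solution: the middle router's hostname (R2), its addresses (192.168.12.2 and 192.168.23.2), the interface names on Nessie and R2, and the policy number, ACL number and the names TS-VAULT / VAULT-MAP are assumptions, since the topology picture is not reproduced on this page. Godzilla's Fa0/0 (192.168.12.1) and Nessie's 192.168.23.3 come from the configs posted in the comments.

```cisco
! ===== Godzilla (Lo0 1.1.1.1/24) ===== added example, not the lab's own solution
hostname Godzilla
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ! point-to-point makes OSPF advertise the /24 instead of a /32 host route
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 no shutdown
!
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
! Phase 1 (ISAKMP / IKEv1). "hash sha" is the IOS default and is therefore
! omitted from "show running-config" even though the policy uses it.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
!
! The PSK is bound to the peer's tunnel endpoint (its Fa0/0), not its loopback.
crypto isakmp key VAULT address 192.168.23.3
!
! Phase 2 (IPsec): ESP with AES-256 + HMAC-SHA1, SA lifetime 1800 s.
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set TS-VAULT esp-aes 256 esp-sha-hmac
!
! Crypto ACL ("interesting traffic"): Godzilla's Lo0 subnet -> Nessie's Lo0 subnet.
! Nessie's ACL must be the exact mirror image or Phase 2 (quick mode) fails.
access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
!
crypto map VAULT-MAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set TS-VAULT
 match address 100
!
! The map goes on the physical interface the traffic leaves through, not on Lo0.
interface FastEthernet0/0
 crypto map VAULT-MAP
!
! ===== Nessie (Lo0 3.3.3.3/24): mirror image of Godzilla =====
hostname Nessie
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
router ospf 1
 network 3.3.3.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key VAULT address 192.168.12.1
!
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set TS-VAULT esp-aes 256 esp-sha-hmac
!
access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
!
crypto map VAULT-MAP 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set TS-VAULT
 match address 100
!
interface FastEthernet0/0
 crypto map VAULT-MAP
!
! ===== R2 (assumed name and addresses): transit router, OSPF only, no crypto =====
hostname R2
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
!
! Trigger and verify from Godzilla; the first echo may time out while IKE negotiates:
!   ping 3.3.3.3 source loopback0
!   show crypto isakmp sa      -> one entry, state QM_IDLE, status ACTIVE
!   show crypto ipsec sa       -> #pkts encaps / #pkts encrypt counters increasing
!   show access-lists 100      -> match count on the permit line
```

Two points matter for the check at the end. A plain `ping 3.3.3.3` from Godzilla is sourced from Fa0/0 (192.168.12.1), does not match the crypto ACL and goes in clear text; only a ping sourced from Loopback0 is "interesting traffic" and brings up the SAs, which is why `show crypto isakmp sa` stays empty until you send it. Also, the parameters this lab asks for (IKEv1, a short pre-shared key, DH group 5, SHA-1) are fine for an exercise but are not what you would deploy today: IKEv1 has been deprecated by the IETF, and current practice is IKEv2 with a larger DH group or ECDH, SHA-2 and AES-GCM.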
IOS:
c3640-jk9s-mz.124-16.bin
Topology:

Comments (6)
-
ReneMolenaar 2010-11-26 18:30:16
If I have the final configs I'll post them here.
-
gandikotas 2010-11-30 19:01:17
I finished configuring the routers but am still not able to see anything when I do a "show crypto isakmp sa".
-
ReneMolenaar 2010-11-30 21:40:40
Send something through the tunnel which is supposed to be encrypted.
show crypto isakmp sa should only show you the "active" traffic.
-
galen_kwan 2010-12-01 13:33:42
I just finished this lab today. I'd like to say thanks to Rene. This is what I came up with.
I assume the configuration of OSPF shouldn't be a problem, as that is not the main concern of this lab, so I won't include it here. Partial config of Godzilla:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key VAULT address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.23.3
set transform-set VPN
match address 101
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
Nessie config is similar to Godzilla.
Also, check the access list using "sho ip access-list" to see how many matches.
I guess the desired state should be QM_IDLE on "sho cry isa sa", and that is what I got as follows:
Godzilla#sho cry isa sa
dst             src             state       conn-id slot status
192.168.12.1    192.168.23.3    QM_IDLE           1    0 ACTIVE
Make sure it is not MM_NO_STATE, or make sure it's not empty (no entry).
Another good command to check the tunnel is "sho cry sess", as follows:
Godzilla#sho cry sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.23.3 port 500
IKE SA: local 192.168.12.1/500 remote 192.168.23.3/500 Active
IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 3.3.3.0/255.255.255.0
Active SAs: 2, origin: crypto map
I also notice that "ping 3.3.3.3 sourc lo0" is required from Godzilla to initiate the tunnel to bring it to QM_IDLE state. I'm not sure if that is the intention of the author.
Cheers.
-
Cato 2011-12-27 16:29:16
Current configuration : 1161 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Godzilla
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key VAULT address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set IPSEC ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.23.3
set transform-set IPSEC
match address 111
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 192.168.12.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
!
access-list 111 permit ip host 1.1.1.1 host 3.3.3.3
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end