Site-to-Site IPSEC VPN


Scenario:

Your network colleagues were very enthusiastic when you showed them that a GRE tunnel makes it possible to tunnel routing protocols across VPN connections, and after configuring the previous “GRE Tunnel Basic” lab (see our lab section) your colleagues now ask you to configure a basic IPSEC Site-to-Site VPN so they can configure encrypted GRE tunnels later.

Goal:

  • All IP addresses have been preconfigured as specified in the topology picture.
  • Router Godzilla and Nessie have a loopback interface:
    Godzilla: Loopback0: 1.1.1.1 /24
    Nessie: Loopback0: 3.3.3.3 /24
  • Configure OSPF on all 3 routers and advertise the following networks:
    192.168.12.0 /24
    192.168.23.0 /24
    1.1.1.0 /24
    3.3.3.0 /24
  • Ensure that Godzilla and Nessie can ping each other.
  • Ensure you can ping 3.3.3.3 from Godzilla, sourced from its Loopback0 interface.
  • We are going to configure an IPSEC connection between Router Godzilla and Nessie.
  • Create an ISAKMP policy:
    Authentication: pre-shared-key
    Encryption: AES 256
    Hashing: SHA
    DH: Group 5
    Lifetime: 3600
  • Configure the pre-shared-key “VAULT” which you will use for the IPSEC connection.
  • Configure the IPSEC transform-set:
    Cipher: AES 256
    ESP (Encapsulating Security Payload)
    Hashing: SHA
  • Change the IPSEC security association lifetime to 1800 seconds.
  • You need to encrypt traffic from Router Godzilla’s Loopback0 interface destined to Nessie’s Loopback0 interface; create the correct access-list for this traffic.
  • Ensure you have a correct access-list on both Routers.
  • Create the correct crypto-map to finish the IPSEC configuration.
  • Verify the IPSEC configuration; you can use the following show/debug commands:
    show crypto ipsec transform-set
    show crypto map
    show crypto ipsec sa
    debug crypto isakmp
  • Try a ping from Router Godzilla’s Loopback0 interface destined to Router Nessie’s Loopback0 interface; if your configuration is correct, this traffic should be encrypted.
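As an added example (not part of this lab page or its solution files), a small Python linter for the steps above: it reads each router's ISAKMP policy and crypto access-list out of `show run`-style text, fills in the IOS defaults that `show run` omits, and reports policy attributes that differ between the peers or crypto ACL entries that are not mirror images of each other. The function names and the two config snippets are constructed for this lab.

```python
# Lint two IOS site-to-site IPsec configs for the mismatches that keep this lab's
# tunnel down: ISAKMP policies that differ (phase 1 never reaches QM_IDLE) and
# crypto ACLs that are not mirror images (phase 2 rejects the proxy identities).
import ipaddress
import re
# IOS omits these ISAKMP defaults from 'show run', so a missing line means the default.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
ADDR = r"(?:host (\S+)|(\S+) (\S+))"  # one ACL address spec: 'host A' or 'A wildcard'

# Constructed sample snippets for this lab, not the page's own configuration files.
GODZILLA = """crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
"""
NESSIE = """crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 hash sha
 group 5
 lifetime 3600
ip access-list extended INT-TRAFFIC
 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
"""

def isakmp_policy(config):
    """Attributes of the first 'crypto isakmp policy' block, with IOS defaults filled in."""
    block = re.search(r"crypto isakmp policy \d+\n((?: .+\n?)+)", config)
    found = dict(line.split(None, 1) for line in block[1].splitlines()) if block else {}
    return {key: found.get(key, default) for key, default in DEFAULTS.items()}

def _net(host, addr, wild):
    """'host A' -> A/32; 'A wildcard' -> network (ipaddress reads a leading-zero mask as a hostmask)."""
    return ipaddress.ip_network(f"{host}/32" if host else f"{addr}/{wild}", strict=False)

def crypto_acl(config):
    """Set of (src, dst) networks from every 'permit ip' line, numbered or named ACL."""
    return {(_net(*m.groups()[:3]), _net(*m.groups()[3:]))
            for m in re.finditer(rf"permit ip {ADDR} {ADDR}", config)}

def check_peers(local, remote):
    """Mismatches between two peers; an empty list means phase 1 and phase 2 settings agree."""
    lp, rp = isakmp_policy(local), isakmp_policy(remote)
    problems = [f"isakmp {k}: {lp[k]} vs {rp[k]}" for k in DEFAULTS if lp[k] != rp[k]]
    mirrored = {(dst, src) for src, dst in crypto_acl(remote)}
    problems += [f"crypto ACL not mirrored: {s} -> {d}" for s, d in crypto_acl(local) ^ mirrored]
    return problems
```

Running `check_peers(GODZILLA, NESSIE)` on the two snippets returns an empty list; dropping Nessie's `lifetime` line or replacing its network ACL entry with `host` entries makes the corresponding mismatch show up.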

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

GRE Tunnel Basic

Video Solution:

Configuration Files



Written by René Molenaar - CCIE #41726

25 Comments

  1. I finished configuring the routers but am still not able to see anything when I do a “show crypto isakmp sa”.

  2. I just finished this lab today. I’d like to say thanks to Rene. This is what I came up with.
    I assume the configuration of OSPF shouldn’t be a problem, as that is not the main concern of this lab, so I won’t include it here. Partial config of Godzilla:

    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    lifetime 3600
    crypto isakmp key VAULT address 192.168.23.3
    !
    crypto ipsec security-association lifetime seconds 1800
    !
    crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
    !
    crypto map CMAP 1 ipsec-isakmp
    set peer 192.168.23.3
    set transform-set VPN
    match address 101
    !
    interface FastEthernet0/0
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    crypto map CMAP
    !
    access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

    Nessie config is similar to Godzilla.

    Also, check the access list using “sho ip access-list” to see how many matches it has.

    I guess the desired state should be QM_IDLE on “sho cry isa sa”, and that is what I got, as follows:

    Godzilla#sho cry isa sa
    dst src state conn-id slot status
    192.168.12.1 192.168.23.3 QM_IDLE 1 0 ACTIVE

    Make sure it is not MM_NO_STATE or empty (no entry).

    Another good command to check the tunnel is “sho cry sess”, as follows:
    Godzilla#sho cry sess
    Crypto session current status

    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 192.168.23.3 port 500
    IKE SA: local 192.168.12.1/500 remote 192.168.23.3/500 Active
    IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 3.3.3.0/255.255.255.0
    Active SAs: 2, origin: crypto map

    I also notice that “ping 3.3.3.3 sourc lo0” is required from Godzilla to initiate the tunnel to bring it to QM_IDLE state. I’m not sure if that is the intention of the author.

    Cheers.

  3. Current configuration : 1161 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Godzilla
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    memory-size iomem 5
    !
    ip cef
    !
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    lifetime 3600
    crypto isakmp key VAULT address 192.168.23.3
    !
    crypto ipsec security-association lifetime seconds 1800
    !
    crypto ipsec transform-set IPSEC ah-sha-hmac esp-aes 256 esp-sha-hmac
    !
    crypto map CMAP 1 ipsec-isakmp
    set peer 192.168.23.3
    set transform-set IPSEC
    match address 111
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    interface Loopback1
    ip address 11.11.11.11 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    crypto map CMAP
    !
    router ospf 1
    log-adjacency-changes
    network 1.1.1.1 0.0.0.0 area 0
    network 192.168.12.0 0.0.0.255 area 0
    !
    ip http server
    no ip http secure-server
    !
    access-list 111 permit ip host 1.1.1.1 host 3.3.3.3
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

  4. I’m wondering, Rene, in this lab wouldn’t the OSPF packets be visible (unencrypted) when traversing KingKong?

    1. Well, it depends… we use an access-list to select the traffic we want to encrypt. Just keep in mind that we can’t send routing protocols through an IPSEC tunnel by default. We need to configure a GRE tunnel first and then configure IPSEC to encrypt the GRE tunnel.

  5. Why is it necessary to add the loopbacks to OSPF? I’ve worked with ASA/PIX site to site VPNs and I never have to define how to get to the subnet that traffic should be encrypted for. The only route the ASA/PIX rely on is how to get to the peer IP address.

    1. This also depends. In this example router Godzilla and Nessie need to know how to reach each other’s loopback interface so we need routing. Another option would be to create a site-to-site VPN between Godzilla/Nessie and use a default route pointing to the tunnel interface or something.

  6. Having a bit of a problem with this config. Whenever it loads it runs into setup mode. Config reg is 0x2142; I tried changing it to 0x2102 and reloading, but it still won’t work.

    Any ideas?

  7. crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    lifetime 3600
    crypto isakmp key VAULT address 192.168.12.1 255.255.255.0 no-xauth
    !
    crypto ipsec security-association lifetime seconds 1800
    !
    crypto ipsec transform-set TRANS_SET esp-aes 256 esp-sha-hmac
    !
    ip access-list extended INT-TRAFFIC
    permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
    !
    crypto map CRYPTOMAP 10 ipsec-isakmp
    set peer 192.168.12.1
    set transform-set TRANS_SET
    match address INT-TRAFFIC
    !
    interface FastEthernet0/0
    crypto map CRYPTOMAP

  8. It works after configuring the command half-duplex on all interfaces. Is this normal?

  9. Hello,

    I have a question in regards to the crypto map configuration. I noticed in your solution the pfs group5 command is used. Is this a best practice configuration or is it a required option? From what I have been able to read, this provides another hashing each time a new security association occurs. Doesn’t this happen when the lifetimes of the isakmp policies and crypto map expires?

    I’m a little new to this, so forgive me if the question is trivial.

    Tedd

  10. Although I am logged in to the web site, I still see "You need to register to be able to download the GNS3 Topology File. (Registration is Free!)"
    Why is that?
    I am 100 percent sure that I am logged in.

  11. This might sound weird. In my GNS3 I’m running
    C3640-s-mz_120-7_t
    Somehow I can’t run the crypto command. Is this because of the platform?

  12. The final configuration files don’t have the full configuration. Can anyone provide me the final S2S configuration?

  13. Hey Rene, hope all is well, my friend. I am unable to see the network diagram or the startup configs. I know you are a busy man, but I was wondering if there was any chance you could update this for us. Thanks a lot for everything you do! I really appreciate it.
