Today's Tech Blog!

Monday, February 4, 2008

How to configure Site-to-Site IPsec VPN?

VPN stands for Virtual Private Network: an encrypted connection between private networks carried over a public network such as the internet. The basic form of IPsec VPN connects two fixed endpoints (site to site) across any shared network.

Basic steps for IPsec VPN configuration:

1- First define the ISAKMP policy.

For example:

  • Authentication
  • Hash
  • Encryption
  • Group

2- Establish the IPsec transform set.

For example:

  • Esp-des
  • Esp-md5-hmac
  • Esp-aes
  • Esp-sha-hmac

3- Configure the crypto access list.

For example:

  • Define the interesting traffic (the traffic to be protected)

4- Configure the crypto map.

The crypto map ties the previously defined parameters (peer, transform set and crypto access list) together.

5- Now apply the crypto map to the interface.

Once applied, the crypto map examines traffic leaving that interface and protects whatever matches the crypto access list.

Configuration on Router A

  • In global configuration mode

Router-A(config)#interface serial 1/0

(Configure serial interface on Router A)

Router-A(config-if)#ip address 20.1.1.10 255.0.0.0

(Assign IP address to serial interface on Router A)

Router-A(config-if)#exit

(Exit from Interface 1/0)

  • First define the IKE policy on Router A

Router-A(config)#crypto isakmp policy 10

(10 is the isakmp policy priority number)

Router-A(config-isakmp)#encryption des

(use des for encryption)

Router-A(config-isakmp)#hash md5

(use md5 for hashing)

Router-A(config-isakmp)#authentication pre-share

(use pre-shared key authentication)

Router-A(config-isakmp)#group 2

(use Diffie-Hellman group 2)

Router-A(config-isakmp)#exit

(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on router A.

Router-A(config)#crypto isakmp key office address 20.1.1.20

(Here the key is "office" and 20.1.1.20 is Router B's address)

  • Now create an access list to define only interesting traffic.

Router-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20

(100 is the access list number; 20.1.1.10 is the source address and 20.1.1.20 the destination address.)

  • Now create the transform-set for encryption and hashing.

Router-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(here the encryption is des and the hash is md5-hmac)

Router-A(config)#crypto map imap 10 ipsec-isakmp

(crypto map named imap, sequence number 10; ipsec-isakmp means the keys are negotiated by IKE)

Router-A(config-crypto-map)#match address 100

(apply the access list)

Router-A(config-crypto-map)#set transform-set ts2

(apply the transform set)

Router-A(config-crypto-map)#set peer 20.1.1.20

(Set remote peer address)

Router-A(config-crypto-map)#exit

(Exit from crypto map mode)

  • Now apply the crypto map to the Router A interface

Router-A(config)#interface serial 1/0

Router-A(config-if)#crypto map imap

(Apply crypto map on interface)

Router-A(config-if)#exit

(Exit from interface)

Configuration on Router B

  • In global configuration mode

Router-B(config)#interface serial 1/0

(Configure serial interface on Router B)

Router-B(config-if)#ip address 20.1.1.20 255.0.0.0

(Assign IP address to serial interface on Router B)

Router-B(config-if)#exit

(Exit from Interface 1/0)

  • First define the IKE policy on Router B

Router-B(config)#crypto isakmp policy 10

(10 is the isakmp policy priority number)

Router-B(config-isakmp)#encryption des

(use des for encryption)

Router-B(config-isakmp)#hash md5

(use md5 for hashing)

Router-B(config-isakmp)#authentication pre-share

(use pre-shared key authentication)

Router-B(config-isakmp)#group 2

(use Diffie-Hellman group 2)

Router-B(config-isakmp)#exit

(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on router B.

Router-B(config)#crypto isakmp key office address 20.1.1.10

(Here the key is "office" and 20.1.1.10 is Router A's address.)

  • Now create an access list to define only interesting traffic.

Router-B(config)#access-list 100 permit ip host 20.1.1.20 host 20.1.1.10

(100 is the access list number; 20.1.1.20 is the source address and 20.1.1.10 the destination address.)

  • Now create the transform-set for encryption and hashing.

Router-B(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(here the encryption is des and the hash is md5-hmac)

Router-B(config)#crypto map imap 10 ipsec-isakmp

(crypto map named imap, sequence number 10; ipsec-isakmp means the keys are negotiated by IKE)

Router-B(config-crypto-map)#match address 100

(apply the access list)

Router-B(config-crypto-map)#set transform-set ts2

(apply the transform set)

Router-B(config-crypto-map)#set peer 20.1.1.10

(Set remote peer address)

Router-B(config-crypto-map)#exit

(Exit from crypto map mode)

  • Now apply the crypto map to the Router B interface

Router-B(config)#interface serial 1/0

Router-B(config-if)#crypto map imap

(Apply crypto map on interface)

Router-B(config-if)#exit

(Exit from interface)
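The two configurations above only bring a tunnel up if they mirror each other exactly: the ISAKMP policies must agree, each router must hold the pre-shared key under the other's address, the transform sets must match, the crypto access lists must be reverse images of one another, each crypto map's peer must be the other router's interface address, and the map must actually be applied to an interface. As an added example (this is not code from the post), the Python script below parses the commands entered on Router A and Router B, performs those checks, and flags the algorithms the post uses (des, md5, Diffie-Hellman group 2, esp-des, esp-md5-hmac) as weak by current standards; esp-aes and esp-sha-hmac from the transform-set list above are the stronger choices. Assumptions: the configuration text is a constructed transcription of the post's commands, there is one crypto map entry per router, and attributes a policy does not set take the classic IOS defaults (des, sha, rsa-sig, group 1).

```python
# Added example, not from the post. Assumes one crypto map entry per router and
# classic IOS ISAKMP defaults (des / sha / rsa-sig / group 1) for unset attributes.

# Constructed transcription of Router A's commands from the post.
ROUTER_A = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key office address 20.1.1.20
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
crypto map imap 10 ipsec-isakmp
 match address 100
 set transform-set ts2
 set peer 20.1.1.20
access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
interface serial 1/0
 ip address 20.1.1.10 255.0.0.0
 crypto map imap
"""
# Router B is the mirror image of Router A: the two addresses swap roles.
ROUTER_B = (ROUTER_A.replace("20.1.1.10", "@").replace("20.1.1.20", "20.1.1.10")
            .replace("@", "20.1.1.20"))

POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_ISAKMP = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
               ("group", "1"), ("group", "2"), ("group", "5")}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_ios(text):
    """Extract the five IPsec building blocks the post configures into a dict."""
    cfg = {k: {} for k in ("policies", "keys", "acls", "transform_sets", "crypto_maps", "interfaces")}
    section = None                      # (kind, dict) for the current indented block
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw.startswith(" "):     # top-level command
            section = None
            if parts[:3] == ["crypto", "isakmp", "policy"]:
                section = ("policy", cfg["policies"].setdefault(int(parts[3]), {}))
            elif parts[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key K address PEER
                cfg["keys"][parts[5]] = parts[3]
            elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"][parts[3]] = frozenset(parts[4:])
            elif parts[:2] == ["crypto", "map"]:                # crypto map NAME SEQ ipsec-isakmp
                section = ("map", cfg["crypto_maps"].setdefault((parts[2], int(parts[3])), {}))
            elif parts[0] == "access-list":                     # access-list N permit ip host S host D
                cfg["acls"].setdefault(parts[1], []).append((parts[5], parts[7]))
            elif parts[0] == "interface":
                section = ("iface", cfg["interfaces"].setdefault("".join(parts[1:]), {}))
        elif section and section[0] == "policy":    # "encr" is how show running-config abbreviates it
            section[1]["encryption" if parts[0] == "encr" else parts[0]] = " ".join(parts[1:])
        elif section and section[0] == "map":       # match address / set transform-set / set peer
            key = {"address": "acl", "transform-set": "transform_set", "peer": "peer"}.get(parts[1])
            if key:
                section[1][key] = parts[2]
        elif section and section[0] == "iface":
            if parts[:2] == ["ip", "address"]:
                section[1]["ip"] = parts[2]
            elif parts[:2] == ["crypto", "map"]:
                section[1]["crypto_map"] = parts[2]
    return cfg


def _tunnel_side(cfg):
    """(interface address, crypto map entry) for the crypto map the router applies."""
    props = next((p for p in cfg["interfaces"].values() if "crypto_map" in p), {})
    entry = next((m for (n, _), m in cfg["crypto_maps"].items() if n == props.get("crypto_map")), None)
    return props.get("ip"), entry


def check_tunnel(a, b):
    """Return {'errors': [...], 'warnings': [...]} for the tunnel between configs a and b."""
    errors, warnings = [], []

    def effective(policy):              # fill unset attributes with the IOS defaults
        return {k: {**POLICY_DEFAULTS, **policy}[k] for k in POLICY_DEFAULTS}

    # Phase 1: the peers need at least one ISAKMP policy agreeing on all four attributes.
    if not any(effective(pa) == effective(pb) for pa in a["policies"].values() for pb in b["policies"].values()):
        errors.append("no ISAKMP policy matches between the peers")
    for side, cfg in (("A", a), ("B", b)):
        for prio, pol in cfg["policies"].items():
            warnings += [f"{side}: isakmp policy {prio} uses weak {k} {v}"
                         for k, v in effective(pol).items() if (k, v) in WEAK_ISAKMP]
        for name, algs in cfg["transform_sets"].items():
            warnings += [f"{side}: transform-set {name} uses weak {alg}" for alg in sorted(algs & WEAK_TRANSFORMS)]
    # Phase 2: peer addresses, pre-shared keys, transform sets and crypto ACLs must mirror each other.
    (ip_a, map_a), (ip_b, map_b) = _tunnel_side(a), _tunnel_side(b)
    if map_a is None or map_b is None:
        errors.append("crypto map is not applied to an interface on both routers")
        return {"errors": errors, "warnings": warnings}
    if map_a.get("peer") != ip_b or map_b.get("peer") != ip_a:
        errors.append("set peer does not point at the other router's interface address")
    if a["keys"].get(ip_b) is None or a["keys"].get(ip_b) != b["keys"].get(ip_a):
        errors.append("pre-shared key missing or different on the two peers")
    if a["transform_sets"].get(map_a.get("transform_set")) != b["transform_sets"].get(map_b.get("transform_set")):
        errors.append("transform-sets referenced by the crypto maps differ")
    acl_a, acl_b = a["acls"].get(map_a.get("acl"), []), b["acls"].get(map_b.get("acl"), [])
    if not acl_a or {(d, s) for s, d in acl_a} != set(acl_b):
        errors.append("crypto access lists are not mirror images of each other")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    report = check_tunnel(parse_ios(ROUTER_A), parse_ios(ROUTER_B))
    for kind in ("errors", "warnings"):
        for line in report[kind]:
            print(f"{kind[:-1].upper()}: {line}")
```

Run as-is, the post's configuration produces no errors and ten warnings (des, md5 and group 2 in the ISAKMP policy, esp-des and esp-md5-hmac in the transform set, on each router). Change one side's key, access list or transform set and the corresponding error appears, which is exactly the class of mistake that otherwise surfaces only as a tunnel that silently never comes up.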
