VPN stands for Virtual Private Network: a technique for creating an encrypted connection between private networks over a public network such as the internet. The basic form of IPsec VPN connects two sites (two endpoints) across any shared network.
Basic steps for IPsec VPN configuration:
1- First define the ISAKMP policy.
For example:
- Authentication
- Hash
- Encryption
- Group
2- Establish the IPsec transform set.
For example:
- esp-des
- esp-md5-hmac
- esp-aes
- esp-sha-hmac
3- Configure the crypto access list.
For example:
- Define the interesting traffic (the traffic that should be encrypted)
4- Configure the crypto map.
Used to tie together the previously defined parameters.
5- Now apply the crypto map to the interface.
Used to apply that policy to the traffic passing through the interface.
Configuration on Router A
- In global configuration mode
Router-A(config)#interface serial 1/0
(Configure serial interface on Router A)
Router-A(config-if)#ip address 20.1.1.10 255.0.0.0
(Assign IP address to serial interface on Router A)
Router-A(config-if)#exit
(Exit from Interface 1/0)
- First define the IKE policies on router A
Router-A(config)#crypto isakmp policy 10
(10 is isakmp policy number)
Router-A(config-isakmp)#encryption des
(enable encryption des)
Router-A(config-isakmp)#hash md5
(enable algorithm md5 for hashing)
Router-A(config-isakmp)#authentication pre-share
(enable Pre-shared method)
Router-A(config-isakmp)#group 2
(enable Diffie-Hellman group 2)
Router-A(config-isakmp)#exit
(Exit from crypto isakmp mode)
- The next step is to create a pre-shared key (password) on router A.
Router-A(config)#crypto isakmp key office address 20.1.1.20
(Here the key is "office" and 20.1.1.20 is router B's address)
- Now create an access list to define only the interesting traffic.
Router-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
(100 is the access list number, 20.1.1.10 is the source address and 20.1.1.20 is the destination address.)
- Now create the transform set for encryption and hashing.
Router-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
(here the encryption type is DES and the hashing technique is MD5-HMAC)
Router-A(config)#crypto map imap 10 ipsec-isakmp
(crypto map name imap)
Router-A(config-crypto-map)#match address 100
(apply the access list)
Router-A(config-crypto-map)#set transform-set ts2
(apply the transform set)
Router-A(config-crypto-map)#set peer 20.1.1.20
(set the remote peer address)
Router-A(config-crypto-map)#exit
(Exit from crypto map mode)
- Now apply the crypto map to the router A interface
Router-A(config)#interface serial 1/0
Router-A(config-if)#crypto map imap
(Apply crypto map on interface)
Router-A(config-if)#exit
(Exit from interface)
Configuration on Router B
- In global configuration mode
Router-B(config)#interface serial 1/0
(Configure serial interface on Router B)
Router-B(config-if)#ip address 20.1.1.20 255.0.0.0
(Assign IP address to serial interface on Router B)
Router-B(config-if)#exit
(Exit from Interface 1/0)
- First define the IKE policies on router B
Router-B(config)#crypto isakmp policy 10
(10 is isakmp policy number)
Router-B(config-isakmp)#encryption des
(enable encryption des)
Router-B(config-isakmp)#hash md5
(enable algorithm md5 for hashing)
Router-B(config-isakmp)#authentication pre-share
(enable Pre-shared method)
Router-B(config-isakmp)#group 2
(enable Diffie-Hellman group 2)
Router-B(config-isakmp)#exit
(Exit from crypto isakmp mode)
- The next step is to create a pre-shared key (password) on router B.
Router-B(config)#crypto isakmp key office address 20.1.1.10
(Here the key is "office" and 20.1.1.10 is router A's address.)
- Now create an access list to define only the interesting traffic.
Router-B(config)#access-list 100 permit ip host 20.1.1.20 host 20.1.1.10
(100 is the access list number, 20.1.1.20 is the source address and 20.1.1.10 is the destination address.)
- Now create the transform set for encryption and hashing.
Router-B(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
(here the encryption type is DES and the hashing technique is MD5-HMAC)
Router-B(config)#crypto map imap 10 ipsec-isakmp
(crypto map name imap)
Router-B(config-crypto-map)#match address 100
(apply the access list)
Router-B(config-crypto-map)#set transform-set ts2
(apply the transform set)
Router-B(config-crypto-map)#set peer 20.1.1.10
(set the remote peer address)
Router-B(config-crypto-map)#exit
(Exit from crypto map mode)
- Now apply the crypto map to the router B interface
Router-B(config)#interface serial 1/0
Router-B(config-if)#crypto map imap
(Apply crypto map on interface)
Router-B(config-if)#exit
(Exit from interface)
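As an added example that is not part of the original tutorial: a small Python audit that reads a running-config like Router A's above and reports the legacy choices it contains (DES, MD5, Diffie-Hellman group 2, a short pre-shared key), plus any crypto map peer that has no matching isakmp key entry. The weak-algorithm list and the 16-character key threshold are this example's own assumptions, and the sample config is constructed from the tutorial's commands.

```python
import re

# Constructed sample: Router A's crypto config from the tutorial, in running-config form.
ROUTER_A = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key office address 20.1.1.20
access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
crypto map imap 10 ipsec-isakmp
 match address 100
 set transform-set ts2
 set peer 20.1.1.20
"""

# Algorithms treated as legacy; assumption: this baseline (DES/3DES, MD5,
# DH groups 1/2/5) is the example's own choice, adjust it to local policy.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},
    "transform": {"esp-des", "esp-3des", "esp-md5-hmac"},
}
MIN_PSK_LEN = 16  # assumption: example minimum pre-shared key length

def audit_ipsec(config: str) -> list[str]:
    """Return findings for weak IKE/IPsec settings and unmatched peers."""
    findings = []
    # ISAKMP policy lines: encryption / hash / group
    for m in re.finditer(r"^\s*(encryption|hash|group)\s+(\S+)", config, re.M):
        if m.group(2).lower() in WEAK[m.group(1)]:
            findings.append(f"weak isakmp {m.group(1)}: {m.group(2)}")
    # Transform sets: every listed ESP algorithm is checked
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)(.*)$", config, re.M):
        for alg in m.group(2).split():
            if alg.lower() in WEAK["transform"]:
                findings.append(f"weak transform in {m.group(1)}: {alg}")
    # Pre-shared keys: record the peers and flag short keys
    key_peers = set()
    for m in re.finditer(r"^crypto isakmp key (\S+) address (\S+)", config, re.M):
        key_peers.add(m.group(2))
        if len(m.group(1)) < MIN_PSK_LEN:
            findings.append(f"short pre-shared key for peer {m.group(2)}")
    # Every crypto map peer needs a matching isakmp key entry
    for m in re.finditer(r"^\s*set peer (\S+)", config, re.M):
        if m.group(1) not in key_peers:
            findings.append(f"no isakmp key configured for peer {m.group(1)}")
    return findings
```

Running `audit_ipsec(ROUTER_A)` yields six findings for the tutorial's Router A configuration; the same function applied to Router B's configuration reports the same weaknesses, since the two sides mirror each other.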