A Site-to-Site VPN lets two routers exchange traffic over the Internet through an encrypted tunnel, and is the usual way to connect branch offices to a central office without dedicated lines. On Cisco routers it is built from the following protocols and algorithms:
- IPsec (Internet Protocol Security): the suite of protocols that secures traffic at the IP layer. Packets that match the tunnel policy are encrypted and authenticated by the sending router and are only decrypted by the router at the far end of the tunnel; the networks in between see only ciphertext.
- ISAKMP / IKE (Internet Security Association and Key Management Protocol / Internet Key Exchange): negotiates the security associations and session keys and authenticates the two peers, either with a pre-shared key or with public-key methods (RSA signatures backed by certificates, or RSA-encrypted nonces).
- MD5 and SHA: hash algorithms, not encryption. Used as HMACs, they let the receiver verify the integrity and origin of each packet. MD5 is obsolete; SHA (the Secure Hash Algorithm family, designed by the NSA and published by NIST) is the choice, but note that plain "sha" on IOS means SHA-1, which is itself deprecated in favour of SHA-256 and above.
- ESP (Encapsulating Security Payload): the IPsec protocol that carries the protected data. ESP wraps the original packet in a header and trailer; everything between them is encrypted, and an integrity check value covers the encrypted payload, so ESP provides confidentiality, integrity and data-origin authentication in one protocol. (AH, the other IPsec protocol, provides integrity without encryption and is rarely used.)
- DES, 3DES and AES: symmetric block ciphers with different key lengths. DES (56-bit key) is broken and 3DES is deprecated; AES, with 128, 192 or 256-bit keys, is both stronger and faster than either and is the only one of the three that should be configured today.
An IPsec Site-to-Site VPN goes through five stages:
- Interesting traffic: the router identifies traffic that its policy says must be protected (on IOS, traffic that matches the crypto access list).
- IKE Phase 1: the two routers authenticate each other and negotiate a protected ISAKMP security association (SA), the channel over which the rest of the negotiation takes place.
- IKE Phase 2: over that channel the routers negotiate the IPsec SAs, that is, the algorithms and keys that protect the data itself.
- Data transfer: matching traffic is encrypted and authenticated with IPsec between the two routers.
- Tunnel termination: the IPsec SAs are deleted when their lifetime expires (and renegotiated if interesting traffic continues) or when an administrator clears them.
To set up the IKE policy on the tunnel routers, first:
- Activate IKE on both routers:
IKE is enabled by default in Cisco IOS. If it has been turned off with "no crypto isakmp enable", re-enable it on both routers with:
Router(config)#crypto isakmp enable
Establishing the tunnel then means configuring, on both routers, the IKE Phase 1 policy, the pre-shared key, the IPsec transform set, the crypto access list and the crypto map, and finally binding the crypto map to an interface.
IKE Policy on the First Router:
An IKE (ISAKMP) policy sets the parameters of Phase 1. Configure the following items:
- A policy number, which sets the priority (lower numbers are tried first when several policies exist).
- The authentication method (here a pre-shared key).
- The encryption algorithm and its key length.
- The hashing algorithm.
- The Diffie-Hellman group used for the key exchange.
- The lifetime of the Phase 1 SA, in seconds.
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes 256
Router(config-isakmp)#hash sha
Router(config-isakmp)#group 5
Router(config-isakmp)#lifetime 3600
Router(config-isakmp)#end
IKE Policy on the Other Router:
Repeat the above steps for the other router in the tunnel, ensuring consistency in IKE Policy settings.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#encryption aes 256
Router2(config-isakmp)#hash sha
Router2(config-isakmp)#group 5
Router2(config-isakmp)#lifetime 3600
Router2(config-isakmp)#end
Note: the two routers do not need identical policy lists, but at least one policy on each side must agree on encryption, hash, authentication method and Diffie-Hellman group. The initiator offers its policies in priority order and the responder accepts the first one that matches one of its own; if only the lifetimes differ, the shorter value is used. "hash sha" selects SHA-1 and "group 5" a 1536-bit DH group, both of which are now considered weak; on IOS releases that support them, prefer "hash sha256" and "group 14" or higher.
Router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
Key Configuration for Authentication:
The IKE policy above selected pre-shared-key authentication, so the key itself must now be configured on both routers. Each router binds the key to the IP address of its peer at the far end of the tunnel, and the key value must be identical on both sides. The example below uses the key amir123; in practice use a long random secret, because the pre-shared key is what stops an attacker from impersonating a peer. Also note that IOS stores this key in cleartext in the running configuration unless type 6 encryption is turned on ("key config-key password-encrypt" followed by "password encryption aes"), so treat configuration backups as sensitive.
Router(config)#crypto isakmp key amir123 address 10.1.2.2
Router2(config)#crypto isakmp key amir123 address 10.1.1.1
IPSec Transform Set Configuration:
Configure IPSec Transform Set for IKE Phase 2, specifying security parameters such as encryption algorithm, integrity algorithm, and key length.
Router(config)#crypto ipsec transform-set myTransform esp-aes 256 esp-sha-hmac
Router(cfg-crypto-trans)#exit
This creates a transform set named myTransform that uses ESP with AES-256 for encryption and ESP with HMAC-SHA-1 (esp-sha-hmac) for integrity and authentication. The transform set defaults to tunnel mode, which is what a site-to-site VPN needs because the original IP header is encrypted along with the payload. On IOS releases that support it, esp-sha256-hmac is the stronger choice.
Router2(config)#crypto ipsec transform-set myTransform esp-aes 256 esp-sha-hmac
Router2(cfg-crypto-trans)#exit
Note: the peer must have a transform set with the same transforms; if none of the transforms proposed in Phase 2 match, the IPsec SA is not created even though Phase 1 succeeded.
Traffic Identification via Access List:
Identify the traffic to send through the tunnel with an extended access list (the crypto ACL). Traffic matched by a permit entry is encrypted; anything else leaves the interface in clear. The syntax is:
Router(config)#access-list 101 permit ip [SourceNetworkAddress] 0.0.0.255 [DestinationNetworkAddress] 0.0.0.255
The two crypto ACLs must be mirror images of each other: the source of one is the destination of the other. With 192.168.1.0/24 behind Router and 192.168.2.0/24 behind Router2:
Router(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router2(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Crypto Map Configuration:
The crypto map ties the pieces together: it applies the IPsec settings of the transform set (negotiated under the IKE policy) to the traffic selected by the access list, for a given peer.
A crypto map is defined with a name and a sequence number; entries with the same name form one map and are evaluated in ascending sequence order. The keyword ipsec-isakmp means IKE negotiates the keys (as opposed to ipsec-manual, where the keys are typed in by hand).
Router(config)#crypto map [Map-Name] [Sequence-Number] ipsec-isakmp
Router(config-crypto-map)#match address [Access-List-Number]
This selects the access list that defines the traffic to pass through the tunnel.
Router(config-crypto-map)#set peer [Destination-Router-IPAddress]
This sets the address of the router at the far end of the tunnel (the interface address its own crypto map is bound to).
Router(config-crypto-map)#set transform-set [Transform-Set-Name]
This selects the transform set defined in the previous step, myTransform here.
Router(config)#crypto map Tunnel-Sentral-to-Site 10 ipsec-isakmp
Router(config-crypto-map)#match address 101
Router(config-crypto-map)#set peer 10.1.2.2
Router(config-crypto-map)#set transform-set myTransform
Router2(config)#crypto map Tunnel-Site-to-Sentral 10 ipsec-isakmp
Router2(config-crypto-map)#match address 101
Router2(config-crypto-map)#set peer 10.1.1.1
Router2(config-crypto-map)#set transform-set myTransform
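As an added example (not part of the original tutorial and not Cisco code), the following Python script checks two router configurations against the rules stated in the sections above: a matching ISAKMP policy, the same pre-shared key bound to the peer's address, the same transform set, crypto ACLs that are mirror images, and set peer pointing at the interface that carries the other router's crypto map. It also warns about SHA-1 and Diffie-Hellman group 5. The two configurations are constructed from this tutorial's commands; the interface masks (255.255.255.0) are an assumption, and the parser only understands the commands used here.

```python
"""Added example, not from the tutorial or from Cisco: audit two IOS configurations for the
matching and mirroring rules a crypto-map site-to-site VPN depends on. The sample configs are
constructed from the tutorial's commands; interface masks are assumed (the tutorial only shows
the peer addresses). WEAK lists what Cisco's Next Generation Encryption guidance rejects."""
import re

WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}  # 'sha' = SHA-1

def sample_config(local_ip, peer_ip, local_lan, remote_lan, map_name):
    """Constructed running-config excerpt modelled on the tutorial (not real device output)."""
    return f"""\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
crypto isakmp key amir123 address {peer_ip}
crypto ipsec transform-set myTransform esp-aes 256 esp-sha-hmac
access-list 101 permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255
crypto map {map_name} 10 ipsec-isakmp
 match address 101
 set peer {peer_ip}
 set transform-set myTransform
interface Serial1/0
 ip address {local_ip} 255.255.255.0
 crypto map {map_name}
"""

ROUTER1_CFG = sample_config("10.1.1.1", "10.1.2.2", "192.168.1.0", "192.168.2.0", "Tunnel-Sentral-to-Site")
ROUTER2_CFG = sample_config("10.1.2.2", "10.1.1.1", "192.168.2.0", "192.168.1.0", "Tunnel-Site-to-Sentral")

TOP = [("policy", r"crypto isakmp policy (\d+)$"), ("psk", r"crypto isakmp key (\S+) address (\S+)$"),
       ("ts", r"crypto ipsec transform-set (\S+) (.+)$"), ("intf", r"interface (\S+)$"),
       ("acl", r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$"),
       ("map", r"crypto map (\S+) (\d+) ipsec-isakmp$")]   # one entry per map name, as in the tutorial
SUB = {"map": [("acl", r"match address (\d+)$"), ("peer", r"set peer (\S+)$"), ("ts", r"set transform-set (\S+)$")],
       "intf": [("ip", r"ip address (\S+) \S+$"), ("map", r"crypto map (\S+)$")]}

def parse_crypto_config(text):
    # -> {'policy': {seq: {attr: value}}, 'psk': {peer_ip: key}, 'ts': {name: transforms},
    #     'acl': {num: [(src, wc, dst, wc)]}, 'map': {name: {acl, peer, ts}}, 'intf': {name: {ip, map}}}
    cfg, block = {k: {} for k in ("policy", "psk", "ts", "acl", "map", "intf")}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                   # top-level command: closes any open block
            block = None
            for section, pat in TOP:
                if m := re.match(pat, line):
                    g = m.groups()
                    if section == "psk":
                        cfg["psk"][g[1]] = g[0]
                    elif section == "ts":
                        cfg["ts"][g[0]] = tuple(g[1].split())
                    elif section == "acl":
                        cfg["acl"].setdefault(g[0], []).append(g[1:])
                    else:                             # policy, map and interface open a block
                        cfg[section][g[0]], block = {}, (section, g[0])
                    break
        elif block and block[0] == "policy":          # 'show run' prints 'encr' for encryption
            attr, _, value = line.partition(" ")
            cfg["policy"][block[1]][{"encr": "encryption"}.get(attr, attr)] = value
        elif block:
            for key, pat in SUB[block[0]]:
                if m := re.match(pat, line):
                    cfg[block[0]][block[1]][key] = m.group(1)
    return cfg

def tunnel_endpoint(cfg):
    """(tunnel IP, crypto map name) taken from the interface the map is applied to."""
    for intf in cfg["intf"].values():
        if "map" in intf:
            return intf["ip"], intf["map"]
    raise ValueError("no interface carries a crypto map")

def check_pair(a, b):
    """Return (errors, warnings): errors stop the tunnel coming up, warnings flag weak algorithms."""
    errors, warnings = [], []
    if not any(pa == pb for pa in a["policy"].values() for pb in b["policy"].values()):
        errors.append("no ISAKMP policy has identical attributes on both routers")
    for label, cfg in (("A", a), ("B", b)):
        for seq, pol in cfg["policy"].items():
            for attr, weak in WEAK.items():
                if pol.get(attr) in weak:
                    warnings.append(f"{label}: ISAKMP policy {seq} uses weak {attr} '{pol[attr]}'")
    (ip_a, map_a), (ip_b, map_b) = tunnel_endpoint(a), tunnel_endpoint(b)
    if a["psk"].get(ip_b) is None or a["psk"].get(ip_b) != b["psk"].get(ip_a):
        errors.append("pre-shared key missing for the peer's tunnel address, or keys differ")
    ea, eb = a["map"][map_a], b["map"][map_b]
    if ea.get("peer") != ip_b or eb.get("peer") != ip_a:
        errors.append("'set peer' does not point at the interface carrying the peer's crypto map")
    if a["ts"].get(ea.get("ts")) != b["ts"].get(eb.get("ts")):
        errors.append("transform sets differ")
    acl_a = set(a["acl"].get(ea.get("acl"), []))      # crypto ACLs must be exact mirror images
    acl_b = {(d, dw, s, sw) for (s, sw, d, dw) in b["acl"].get(eb.get("acl"), [])}
    if not acl_a or acl_a != acl_b:
        errors.append("crypto ACLs are not mirror images of each other")
    return errors, warnings
```

Run against the two constructed configurations, check_pair returns no errors and four warnings (SHA-1 and group 5 on each router). Replacing the second router's access list with a copy of the first router's, instead of its mirror image, produces the single error "crypto ACLs are not mirror images of each other"; changing one character of the key on one side produces the pre-shared key error. Because the checks run on configuration text, the same script can be pointed at "show running-config" captures from real devices before the change window.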
Applying Crypto Map to Interfaces:
In the last stage, bind the crypto map to the interface that faces the peer on each router: the interface whose IP address the other router has configured with set peer. Only one crypto map can be applied to an interface, but the same map can be applied to several interfaces. Applying the first crypto map also turns ISAKMP on, as the log message shows.
Router(config)#interface serial 1/0
Router(config-if)#crypto map Tunnel-Sentral-to-Site
*Nov 12 20:50:18.346: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router2(config)#interface serial 1/0
Router2(config-if)#crypto map Tunnel-Site-to-Sentral
*Nov 12 20:53:26.514: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Verify Crypto Map Configuration:
Check that the crypto map carries the peer, the access list and the transform set you intended:
Router#show crypto map
Crypto Map "Tunnel-Sentral-to-Site" 10 ipsec-isakmp
Peer = 10.1.2.2
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Current peer: 10.1.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myTransform,
}
Interfaces using crypto map Tunnel-Sentral-to-Site:
Serial1/0
PFS (Y/N): N means perfect forward secrecy is off, so the Phase 2 keys are derived from the Phase 1 Diffie-Hellman secret. Enabling it with "set pfs group14" in the crypto map forces a fresh Diffie-Hellman exchange for every IPsec SA, so that a later compromise of the Phase 1 secret does not expose recorded traffic; the peer must be configured the same way.
Verify VPN Establishment:
show crypto ipsec sa lists the IPsec SAs for each crypto-map entry. Note that the output below, taken right after applying the crypto map, does not yet show an established tunnel: every packet counter is 0 and the outbound SPI is 0x0, which means no IPsec SA exists because no interesting traffic has triggered IKE. Generate some (ping a host in 192.168.2.0/24 from a host in 192.168.1.0/24, or use an extended ping from the router sourced from its LAN interface), then check "show crypto isakmp sa" for a Phase 1 SA in state QM_IDLE and run this command again: the SPI becomes non-zero and the encaps/decaps counters grow with every packet. If encaps grows but decaps stays at 0, the peer is not sending traffic back, which usually means its crypto ACL is not the mirror image of this one or its route to this LAN is wrong.
Router#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: Tunnel-Sentral-to-Site, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 10.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.2.2
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
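Reading this output by eye is error-prone, so here is an added example (not part of the tutorial and not Cisco code) that parses show crypto ipsec sa and classifies each crypto-map entry as no SA yet, up, one-way or erroring. NO_SA is the output above with the first router's identities; UP and ONE_WAY are the same text with constructed counter and SPI values.

```python
"""Added example, not from the tutorial or from Cisco: read 'show crypto ipsec sa' output and
say whether the IPsec SA exists and carries traffic in both directions. NO_SA is constructed
from the tutorial's output; UP and ONE_WAY are the same text with constructed counters and SPI."""
import re

NO_SA = """\
interface: Serial1/0
    Crypto map tag: Tunnel-Sentral-to-Site, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.1.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.2.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)
"""
# After interesting traffic has triggered IKE: non-zero SPI and counters (constructed values).
UP = (NO_SA.replace("#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
                    "#pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42")
           .replace("#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
                    "#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40")
           .replace("current outbound spi: 0x0(0)", "current outbound spi: 0x1F2E3D4C(523124044)"))
# SA up, but nothing comes back: the classic symptom of a peer ACL that is not a mirror image.
ONE_WAY = UP.replace("#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40",
                     "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

FIELDS = [  # (key, regex searched in every line that follows a 'Crypto map tag' line)
    ("local_ident", r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)"),
    ("remote_ident", r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
    ("peer", r"current_peer (\S+) port"),
    ("port", r"current_peer \S+ port (\d+)"),          # 4500 instead of 500 means NAT-T is in use
    ("encaps", r"#pkts encaps: (\d+)"),
    ("decaps", r"#pkts decaps: (\d+)"),
    ("send_errors", r"#send errors (\d+)"),
    ("recv_errors", r"#recv errors (\d+)"),
    ("outbound_spi", r"current outbound spi: 0x([0-9A-Fa-f]+)"),
]

def parse_ipsec_sa(text):
    """One dict per 'Crypto map tag' block; counters become int and the SPI is parsed from hex."""
    entries, cur, intf = [], None, None
    for line in text.splitlines():
        if m := re.match(r"interface: (\S+)", line):
            intf = m.group(1)
        elif m := re.search(r"Crypto map tag: (\S+), local addr (\S+)", line):
            cur = {"interface": intf, "map": m.group(1), "local_addr": m.group(2)}
            entries.append(cur)
        elif cur is not None:
            for key, pat in FIELDS:
                if m := re.search(pat, line):
                    v = m.group(1)
                    cur[key] = int(v, 16) if key == "outbound_spi" else (int(v) if v.isdigit() else v)
    return entries

def tunnel_state(entry):
    """'no-sa' (nothing negotiated yet), 'errors', 'one-way' (we send, peer never answers) or 'up'."""
    if not entry.get("outbound_spi"):
        return "no-sa"            # counters at 0 and SPI 0x0: IKE has not run; send interesting traffic
    if entry.get("send_errors") or entry.get("recv_errors"):
        return "errors"
    if entry.get("encaps") and entry.get("decaps"):
        return "up"
    return "one-way"

def diagnose(text):
    """(map name, peer, state) for every crypto-map entry in the command output."""
    return [(e["map"], e["peer"], tunnel_state(e)) for e in parse_ipsec_sa(text)]
```

diagnose(NO_SA) reports the tutorial's output as "no-sa", which is the state the page's capture is really in; after interesting traffic, the same parser reports "up", and a one-way count (encaps growing, decaps at 0) is flagged separately because it points at the peer's configuration rather than at this router.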
With these steps the Site-to-Site VPN between the two Cisco routers is configured; once interesting traffic has brought the SAs up, the growing encaps and decaps counters are the proof that it is carrying encrypted traffic in both directions.