Seattle, WA -- (SBWIRE) -- 10/11/2012 -- A site-to-site virtual private network (VPN) allows you to maintain a secure “always-on” connection between two physically separate sites using an existing non-secure network such as the public Internet. Traffic between the two sites is transmitted over an encrypted tunnel to prevent snooping or other types of data attacks.
This guide is based on chapter twelve in the book The Accidental Administrator®: Cisco Router Step-by-Step Configuration Guide, available in paperback and on Kindle. A companion video is available at http://youtu.be/rUns1Jbve0w
There are several protocols used in creating the VPN, including protocols used for a key exchange between the peers, those used to encrypt the tunnel, and hashing technologies which produce message digests. In this guide, you will use ISAKMP (Internet Security Association Key Management Protocol) for the key exchange, IPSEC (Internet Protocol Security) with AES (Advanced Encryption Standard) to secure the tunnel, and SHA (Secure Hash Algorithm) for hashing.
In order to use the following commands, you must have a security feature set associated with your router’s license. This document was written with two Cisco 871 routers running c870-advipservicesk9-mz.124-15.T6.bin. Use the show version command to determine whether your router has the security feature set installed.
Configuring a Site-to-Site VPN
The process of configuring a site-to-site VPN involves several steps.
1. Phase One—The key exchange
2. Phase Two—Encrypting the tunnel
3. Applying the crypto map to the outside interface
4. Creating an access list to identify the traffic flow
Phase One configuration involves configuring the key exchange. This process uses ISAKMP (Internet Security Association Key Management Protocol) to identify the hashing algorithm and authentication method. It is also one of two places where you must identify the peer at the opposite end of the tunnel.
Referring to the network diagram included with this guide, this is the phase one configuration on router01:
router01(config)#crypto isakmp policy 10
router01(config-isakmp)#hash sha
router01(config-isakmp)#authentication pre-share
router01(config-isakmp)#crypto isakmp key vpnkey address 192.168.1.12
In the above configuration, crypto isakmp policy 10 invokes cryptographic services using ISAKMP. The number 10 creates the policy for the ISAKMP protection suite and sets its priority relative to other policies. Hash sha configures Secure Hash Algorithm as the hashing algorithm. Authentication pre-share tells the router to use a shared password for authentication, which is configured in the next line. Key vpnkey tells the router to use vpnkey as the password, which must match the key on the remote router. Address 192.168.1.12 identifies the remote router’s outside address.
Phase Two configuration involves configuring the encrypted tunnel. In Phase Two configuration, you create and name a transform set which identifies the encrypting protocols used to create the secure tunnel. You must also create a crypto map in which you identify the peer at the opposite end of the tunnel, specify the transform-set to be used, and specify which access control list will identify permitted traffic flows.
Referring to the network diagram included with this guide, this is the phase two and crypto map configuration on router01:
router01(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
router01(cfg-crypto-trans)#crypto map vpnset 10 ipsec-isakmp
router01(config-crypto-map)#set peer 192.168.1.12
router01(config-crypto-map)#set transform-set vpnset
router01(config-crypto-map)#match address 100
In the above configuration, crypto ipsec transform-set vpnset esp-aes esp-sha-hmac invokes cryptographic services using IPSEC. It creates a transform-set, a grouping of configuration parameters, called vpnset. This transform set will use ESP (Encapsulating Security Payload) with AES (Advanced Encryption Standard) and SHA.
The crypto map must be applied to the outside interface of each router.
Referring to the network diagram and assuming that router01 is a Cisco 871 router, these are the commands to apply the crypto map:
router01(config)#interface fastethernet4
router01(config-if)#crypto map vpnset
You must also create an access-list to identify and permit traffic to flow through the tunnel from the inside network on the local router to the inside network on the remote router.
Still referring to the network diagram, this is the access-list configuration for router01:
router01(config)#access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
Finally, you must configure a default route. Here is the default route configuration for a fictional default route (an actual default route can be used, if one exists):
router01(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
The same settings must be configured on router02, except that the IP addresses must be reversed. In other words, router02's peer is 192.168.1.11 and the source/destination addresses in the access-list must be reversed.
You can use the following commands when troubleshooting VPN connections:
- show crypto isakmp sa, which displays the current ISAKMP security associations. You must have an ISAKMP security association before you can have an IPSEC security association.
- show crypto ipsec sa, which displays the current IPSEC security associations.
- debug crypto isakmp, which allows you to observe phase one ISAKMP negotiations.
- debug crypto ipsec, which allows you to observe phase two IPSEC negotiations.
Things to watch for when troubleshooting a site-to-site VPN include:
- Do the usual physical layer stuff making sure that everything is plugged in and turned on
- Audit your configurations for typos
- Make sure the settings on each end of the VPN mirror each other (except, obviously, for IP addresses). This is probably the second most common problem I see with VPN configs after typos.
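The mirrored router02 configuration described earlier, written out beside router01, together with a check that the settings on the two ends match, as an added example that is not from the book or the page. Both configs are constructed from the page's values; parse_vpn and check_mirror are hypothetical helper names.

```python
import re

# Constructed sample configs using the page's values: router01 as the page shows it,
# router02 as the mirrored configuration the text describes but does not print.
ROUTER01 = """
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address 192.168.1.12
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.1.12
 set transform-set vpnset
 match address 100
access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
"""
ROUTER02 = """
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address 192.168.1.11
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.1.11
 set transform-set vpnset
 match address 100
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
"""

def parse_vpn(config):
    # Pull out the fields that must agree (or mirror) between the two peers.
    f = {}
    f["psk"], f["key_peer"] = re.search(r"crypto isakmp key (\S+) address (\S+)", config).groups()
    f["hash"] = re.search(r"^\s*hash (\S+)", config, re.M).group(1)
    f["auth"] = re.search(r"^\s*authentication (\S+)", config, re.M).group(1)
    f["transforms"] = re.search(r"crypto ipsec transform-set \S+ (.+)", config).group(1).split()
    f["map_peer"] = re.search(r"set peer (\S+)", config).group(1)
    acl = re.search(r"match address (\d+)", config).group(1)
    f["acl_src"], f["acl_dst"] = re.search(rf"access-list {acl} permit ip (\S+ \S+) (\S+ \S+)", config).groups()
    return f

def check_mirror(cfg_a, cfg_b):
    # Return a list of mismatches; an empty list means the two ends mirror correctly.
    a, b = parse_vpn(cfg_a), parse_vpn(cfg_b)
    problems = [f"{k} differs: {a[k]!r} vs {b[k]!r}"
                for k in ("psk", "hash", "auth", "transforms") if a[k] != b[k]]
    for side in (a, b):  # the isakmp key's peer and the crypto map's peer must agree
        if side["key_peer"] != side["map_peer"]:
            problems.append(f"key peer {side['key_peer']} != set peer {side['map_peer']}")
    if (a["acl_src"], a["acl_dst"]) != (b["acl_dst"], b["acl_src"]):
        problems.append("access-list source/destination are not reversed across peers")
    return problems
```

Running check_mirror against the output of show running-config from both routers catches the mismatched-settings problem before you reach for debug crypto isakmp.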
Much of the documentation you read about configuring VPNs makes the process seem almost overwhelming. When you break it down to the basic steps, however, you can see that it’s not that difficult. One of the advantages of this type of VPN is that you can pick and choose the various encryption and hashing technologies to use with your VPN.
Excerpted from The Accidental Administrator®: Cisco Router Step-by-Step Configuration Guide by Don R. Crawley. Paperback: 358 pages, ISBN-13: 978-0983660729. Kindle ASIN: B009MT1VS0.
About the Author: Don R. Crawley
Don R. Crawley is author of The Accidental Administrator® series of books for IT professionals including The Accidental Administrator®: Cisco Router Step-by-Step Configuration Guide and President of soundtraining.net, a Seattle, Washington-based IT training firm. He is a veteran IT guy with over 35 years’ experience in technology for the workplace. He holds multiple certifications on Microsoft, Cisco, and Linux products.
Don can be reached at: