How to configure an IPsec site-to-site VPN (Virtual Private Network) on Cisco routers using GNS3 in seven simple steps

Step 1: Create the topology shown in the figure below.

Step 2: Configure the routers and hosts with the IP addresses given in the topology.


In Router HO global config mode,

HO(config)#interface fastethernet 2/0
HO(config-if)#ip address 192.168.1.1 255.255.255.0
HO(config-if)#no shutdown
HO(config-if)#exit

HO(config)#interface serial 1/0
HO(config-if)#ip address 20.0.0.1 255.0.0.0
HO(config-if)#clock rate 64000
HO(config-if)#encapsulation ppp
HO(config-if)#no shutdown
HO(config-if)#exit


In Router ISP1 global config mode,

ISP1(config)#interface serial1/0
ISP1(config-if)#ip address 20.0.0.2 255.0.0.0
ISP1(config-if)#encapsulation ppp
ISP1(config-if)#clock rate 64000
ISP1(config-if)#no shutdown
ISP1(config-if)#exit

ISP1(config)#interface serial1/1
ISP1(config-if)#ip address 30.0.0.1 255.0.0.0
ISP1(config-if)#encapsulation ppp
ISP1(config-if)#clock rate 64000
ISP1(config-if)#no shutdown
ISP1(config-if)#exit


In Router ISP2 global config mode,

ISP2(config)#interface serial 1/0
ISP2(config-if)#ip address 30.0.0.2 255.0.0.0
ISP2(config-if)#encapsulation ppp
ISP2(config-if)#clock rate 64000
ISP2(config-if)#no shutdown
ISP2(config-if)#exit

ISP2(config)#interface serial 1/1
ISP2(config-if)#ip address 40.0.0.1 255.0.0.0
ISP2(config-if)#encapsulation ppp
ISP2(config-if)#clock rate 64000
ISP2(config-if)#no shutdown
ISP2(config-if)#exit


In Router BO global config mode,

BO(config)#interface fastethernet2/0
BO(config-if)#ip address 192.168.2.1 255.255.255.0
BO(config-if)#no shutdown
BO(config-if)#exit

BO(config)#interface serial1/0
BO(config-if)#ip address 40.0.0.2 255.0.0.0
BO(config-if)#clock rate 64000
BO(config-if)#encapsulation ppp
BO(config-if)#no shutdown
BO(config-if)#exit

Qemu1 (host in the HO LAN)

tc@box:~$ sudo su
root@box:~# ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up
root@box:~# route add default gw 192.168.1.1

Qemu2 (host in the BO LAN)

tc@box:~$ sudo su
root@box:~# ifconfig eth0 192.168.2.10 netmask 255.255.255.0 up
root@box:~# route add default gw 192.168.2.1



Step 3: Configure the ISP1 and ISP2 routers with any routing protocol. I am going to use RIP.

ISP1(config)#router rip
ISP1(config-router)#network 20.0.0.0
ISP1(config-router)#network 30.0.0.0
ISP1(config-router)#exit

ISP2(config)#router rip
ISP2(config-router)#network 30.0.0.0
ISP2(config-router)#network 40.0.0.0
ISP2(config-router)#exit

Because HO and BO do not take part in RIP, ISP1 and ISP2 only learn the transit networks and remain isolated from the HO and BO LANs, so the lab behaves like a real site-to-site topology across a provider network. In a real deployment the ISP can use any routing protocol.


Step 4: Configure the HO and BO routers with the VPN configuration.

In Router HO global config mode,

HO(config)#crypto isakmp enable
HO(config)#crypto isakmp policy 10
HO(config-isakmp)#authentication pre-share
HO(config-isakmp)#hash md5
HO(config-isakmp)#encryption des
HO(config-isakmp)#group 2
HO(config-isakmp)#lifetime 3600
HO(config-isakmp)#exit


HO(config)#crypto isakmp key security address 40.0.0.2 255.0.0.0
HO(config)#crypto ipsec transform-set hoset esp-des esp-md5-hmac
HO(cfg-crypto-trans)#exit


HO(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255


HO(config)#crypto map homap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
HO(config-crypto-map)#set peer 40.0.0.2
HO(config-crypto-map)#set transform-set hoset
HO(config-crypto-map)#match address 101
HO(config-crypto-map)#exit


HO(config)#interface serial 1/0
HO(config-if)#crypto map homap
HO(config-if)#exit


In Router BO global config mode,


BO(config)#crypto isakmp enable
BO(config)#crypto isakmp policy 10
BO(config-isakmp)#authentication pre-share
BO(config-isakmp)#hash md5
BO(config-isakmp)#encryption des
BO(config-isakmp)#group 2
BO(config-isakmp)#lifetime 3600
BO(config-isakmp)#exit


BO(config)#crypto isakmp key security address 20.0.0.1 255.0.0.0
BO(config)#crypto ipsec transform-set boset esp-des esp-md5-hmac
BO(cfg-crypto-trans)#exit


BO(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255


BO(config)#crypto map bomap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
BO(config-crypto-map)#set peer 20.0.0.1
BO(config-crypto-map)#set transform-set boset
BO(config-crypto-map)#match address 101
BO(config-crypto-map)#exit


BO(config)#interface serial 1/0
BO(config-if)#crypto map bomap
BO(config-if)#exit
BO(config)#
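The most common reason a site-to-site tunnel never comes up is that the two sides disagree on one of the values above. As an added example that is not part of this tutorial, the Python script below parses constructed excerpts of the HO and BO configurations from this step and reports any ISAKMP policy, transform-set, peer-address or crypto-ACL mismatch (the two crypto ACLs must be mirror images of each other).

```python
import re
# Constructed excerpts of the tutorial's HO and BO configs, trimmed to the lines that must agree.
HO_CFG = """crypto isakmp policy 10
 hash md5
 encryption des
 group 2
crypto ipsec transform-set hoset esp-des esp-md5-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map homap 10 ipsec-isakmp
 set peer 40.0.0.2
interface serial 1/0
 ip address 20.0.0.1 255.0.0.0"""
BO_CFG = """crypto isakmp policy 10
 hash md5
 encryption des
 group 2
crypto ipsec transform-set boset esp-des esp-md5-hmac
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map bomap 10 ipsec-isakmp
 set peer 20.0.0.1
interface serial 1/0
 ip address 40.0.0.2 255.0.0.0"""

def parse(cfg):
    # Pull out the peering-relevant fields of one router's configuration.
    def first(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    acl = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return {
        "ike": tuple(first(rf"^ {k} (\S+)") for k in ("hash", "encryption", "group")),
        "transform": tuple(first(r"^crypto ipsec transform-set \S+ (.+)$").split()),
        "peer": first(r"^ set peer (\S+)"),
        "local": first(r"^ ip address (\S+)"),
        "acl": acl.groups() if acl else None,  # (src, src-wildcard, dst, dst-wildcard)
    }

def check_mirror(a, b):
    # Return the mismatches that would keep the two sides from forming a tunnel.
    problems = []
    if a["ike"] != b["ike"]:
        problems.append(f"ISAKMP policy differs: {a['ike']} vs {b['ike']}")
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ")
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("set peer does not point at the other side's serial address")
    # The crypto ACL on one side must be the other side's with source and destination swapped.
    if b["acl"] and a["acl"] != b["acl"][2:] + b["acl"][:2]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Running `check_mirror(parse(HO_CFG), parse(BO_CFG))` on the tutorial's values returns an empty list; change one side's hash or ACL and the corresponding mismatch is reported.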


Step 5: Configure a default static route on HO and BO that forwards all traffic to the Internet Service Provider router. The HO router's peer address, 40.0.0.2, is a public IP address: once HO forwards a packet to 20.0.0.2, it is the ISP's responsibility to carry it to 40.0.0.2. The same applies to the BO router.


HO(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2

BO(config)#ip route 0.0.0.0 0.0.0.0 40.0.0.1


Step 6: Enable debugging on the HO and BO routers in privileged mode to watch the VPN negotiation.


In privileged mode on the HO and BO routers:

HO#debug crypto ipsec
Crypto IPSEC debugging is on

HO#debug crypto isakmp
Crypto ISAKMP debugging is on


BO#debug crypto ipsec
Crypto IPSEC debugging is on

BO#debug crypto isakmp
Crypto ISAKMP debugging is on


Step 7: Now go to the host in the 192.168.1.0/24 network and ping 192.168.2.10 in the 192.168.2.0/24 network, then look at the HO and BO router consoles to see what happens during the ping.


root@box:~# ping 192.168.2.10

Troubleshooting commands:



HO#show crypto isakmp ?
  key      Show ISAKMP preshared keys
  policy   Show ISAKMP protection suite policy
  profile  Show ISAKMP profiles
  sa       Show ISAKMP Security Associations

HO#show crypto isakmp key
HO#show crypto isakmp policy
HO#show crypto isakmp profile
HO#show crypto isakmp sa

HO#show crypto ipsec ?
  profile               Show ipsec profile information
  sa                    IPSEC SA table
  security-association  Show parameters for IPSec security associations
  transform-set         Crypto transform sets

HO#show crypto ?
  ca           Show certification authority policy
  dynamic-map  Crypto map templates
  engine       Show crypto engine info
  identity     Show crypto identity list
  ipsec        Show IPSEC policy
  isakmp       Show ISAKMP Security Associations
  key          Show long term public keys
  map          Crypto maps
  mib          Show Crypto-related MIB Parameters
  optional     Optional Encryption Status
  sockets      Secure Socket Information

HO#debug crypto ?
  ber      decode ASN.1 BER data
  engine   Crypto Engine Debug
  ipsec    IPSEC processing
  isakmp   ISAKMP Key Management
  mib      IPSEC Management Transactions
  pki      PKI Client
  socket   Crypto Secure Socket Debug
  verbose  verbose decode

