How to configure a simple site-to-site VPN on Cisco routers using GNS3
In this post we are going to see how to configure a simple site-to-site IPsec VPN between Cisco routers in GNS3, from the Head Office (HO) router to the Branch Office (BO) router, with one Qemu Linux host behind each router.
Step 1: Create this topology (the diagram is not reproduced here):
Qemu1 (192.168.1.10) connects to HO fastethernet 2/0 (192.168.1.1/24); HO serial 1/0 (20.0.0.1) connects to ISP serial 1/0 (20.0.0.2); ISP serial 1/1 (30.0.0.1) connects to BO serial 1/0 (30.0.0.2); BO fastethernet 2/0 (192.168.2.1/24) connects to Qemu2 (192.168.2.10).
Step 2: Configure IP addresses on the routers and hosts as shown in the topology.
In HO Router Global config mode,
HO(config)#interface fastethernet 2/0
HO(config-if)#ip address 192.168.1.1 255.255.255.0
HO(config-if)#no shutdown
HO(config-if)#exit
HO(config)#interface serial 1/0
HO(config-if)#ip address 20.0.0.1 255.0.0.0
HO(config-if)#clock rate 64000
HO(config-if)#encapsulation ppp
HO(config-if)#no shutdown
HO(config-if)#exit
In ISP Router Global config mode,
ISP(config)#interface serial1/0
ISP(config-if)#ip address 20.0.0.2 255.0.0.0
ISP(config-if)#encapsulation ppp
ISP(config-if)#clock rate 64000
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface serial 1/1
ISP(config-if)#ip address 30.0.0.1 255.0.0.0
ISP(config-if)#encapsulation ppp
ISP(config-if)#clock rate 64000
ISP(config-if)#no shutdown
ISP(config-if)#exit
In BO Router Global config mode,
BO(config)#interface serial 1/0
BO(config-if)#ip address 30.0.0.2 255.0.0.0
BO(config-if)#encapsulation ppp
BO(config-if)#clock rate 64000
BO(config-if)#no shutdown
BO(config-if)#exit
BO(config)#interface fastethernet2/0
BO(config-if)#ip address 192.168.2.1 255.255.255.0
BO(config-if)#no shutdown
BO(config-if)#exit
On the Qemu1 host (Linux shell):
tc@box:~$ sudo su
root@box:~# ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up
root@box:~# route add default gw 192.168.1.1
On the Qemu2 host (Linux shell):
tc@box:~$ sudo su
root@box:~# ifconfig eth0 192.168.2.10 netmask 255.255.255.0 up
root@box:~# route add default gw 192.168.2.1
Step 3: Configure the VPN on the Head Office and Branch Office routers. The ISAKMP policy below (DES, MD5, DH group 2, pre-shared key "security") is the minimum needed to get a lab tunnel up; it must not be used in production, because 56-bit DES and MD5 are broken, a 1024-bit DH group is too small, and the 255.0.0.0 mask on the crypto isakmp key lets any peer in 30.0.0.0/8 or 20.0.0.0/8 use the same key. Every phase 1 and phase 2 parameter must match on both routers or the tunnel will not come up.
In Router HO global config mode,
HO(config)#crypto isakmp enable
HO(config)#crypto isakmp policy 10
HO(config-isakmp)#authentication pre-share
HO(config-isakmp)#hash md5
HO(config-isakmp)#encryption des
HO(config-isakmp)#group 2
HO(config-isakmp)#lifetime 3600
HO(config-isakmp)#exit
HO(config)#crypto isakmp key security address 30.0.0.2 255.0.0.0
HO(config)#crypto ipsec transform-set hoset esp-des esp-md5-hmac
HO(cfg-crypto-trans)#exit
HO(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
HO(config)#crypto map homap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
HO(config-crypto-map)#set peer 30.0.0.2
HO(config-crypto-map)#set transform-set hoset
HO(config-crypto-map)#match address 101
HO(config-crypto-map)#exit
HO(config)#interface serial 1/0
HO(config-if)#crypto map homap
HO(config-if)#exit
In Router BO global config mode,
BO(config)#crypto isakmp enable
BO(config)#crypto isakmp policy 10
BO(config-isakmp)#authentication pre-share
BO(config-isakmp)#hash md5
BO(config-isakmp)#encryption des
BO(config-isakmp)#group 2
BO(config-isakmp)#lifetime 3600
BO(config-isakmp)#exit
BO(config)#crypto isakmp key security address 20.0.0.1 255.0.0.0
BO(config)#crypto ipsec transform-set boset esp-des esp-md5-hmac
BO(cfg-crypto-trans)#exit
BO(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
BO(config)#crypto map bomap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
BO(config-crypto-map)#set peer 20.0.0.1
BO(config-crypto-map)#set transform-set boset
BO(config-crypto-map)#match address 101
BO(config-crypto-map)#exit
BO(config)#interface serial 1/0
BO(config-if)#crypto map bomap
BO(config-if)#exit
Step 4: Configure a default static route on both the HO and BO routers to forward all packets to the ISP router.
In global config mode,
HO(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
BO(config)#ip route 0.0.0.0 0.0.0.0 30.0.0.1
Now the HO and BO routers forward all non-local packets to the ISP router, which is responsible for routing them to their destination. The ISP router only ever sees the encrypted ESP packets between 20.0.0.1 and 30.0.0.2; it needs no route to 192.168.1.0/24 or 192.168.2.0/24.
Step 5: Enable debugging for IPsec and ISAKMP on both routers; this shows the VPN negotiation as it happens.
In privileged mode on the HO and BO routers:
HO#debug crypto ipsec
Crypto IPSEC debugging is on
HO#debug crypto isakmp
Crypto ISAKMP debugging is on
BO#debug crypto ipsec
Crypto IPSEC debugging is on
BO#debug crypto isakmp
Crypto ISAKMP debugging is on
Step 6: Ping host 192.168.2.10 from 192.168.1.10 (Qemu1).
root@box:~# ping 192.168.2.10
The first one or two packets may be lost while IKE phase 1 and phase 2 negotiate; after that you get replies from 192.168.2.10, and the debug output on both routers shows the ISAKMP and IPsec security associations being built. Traffic that does not match access-list 101 (for example a ping from Qemu1 to 30.0.0.2) is routed in clear text and never triggers the tunnel.
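The Step 3 configuration as a practitioner would harden it for anything beyond a lab, added here as an example; it is not part of the original post. It keeps the same topology, peer addresses, access-list numbers and crypto-map names and only changes the cryptographic choices: AES-256 instead of DES, SHA-256 instead of MD5, DH group 14 instead of group 2, a host mask on the pre-shared key so it matches only the real peer, a long random PSK (the value shown is a placeholder you must replace, identical on both routers) and perfect forward secrecy on the IPsec SA. The sha256, esp-sha256-hmac and group 14 keywords need a reasonably recent IOS image; if your GNS3 image rejects them, hash sha and esp-sha-hmac are the next-best widely supported choices. The lines starting with ! are IOS comments.

```cisco
! --- HO router (global config mode) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
exit
! host mask: only the real BO peer 30.0.0.2 may use this key
! PLACEHOLDER key - replace with a long random value, identical on both routers
crypto isakmp key Replace-With-A-Long-Random-PSK address 30.0.0.2 255.255.255.255
crypto ipsec transform-set hoset esp-aes 256 esp-sha256-hmac
 mode tunnel
exit
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map homap 10 ipsec-isakmp
 set peer 30.0.0.2
 set transform-set hoset
 set pfs group14
 match address 101
exit
interface serial 1/0
 crypto map homap
exit
!
! --- BO router (global config mode): mirror image of HO ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
exit
crypto isakmp key Replace-With-A-Long-Random-PSK address 20.0.0.1 255.255.255.255
crypto ipsec transform-set boset esp-aes 256 esp-sha256-hmac
 mode tunnel
exit
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map bomap 10 ipsec-isakmp
 set peer 20.0.0.1
 set transform-set boset
 set pfs group14
 match address 101
exit
interface serial 1/0
 crypto map bomap
exit
```

After the first ping has triggered negotiation, show crypto isakmp sa should list the peer in state QM_IDLE, and the #pkts encaps and #pkts decaps counters in show crypto ipsec sa should rise with every further ping; if phase 1 never reaches QM_IDLE, compare the policy 10 parameters on both routers line by line, since a single mismatch is enough to stop it. For a new deployment, IKEv2 with certificate authentication is the better starting point, but it uses a different configuration model than the crypto map used in this post.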
Troubleshooting commands:
HO#show crypto isakmp ?
key Show ISAKMP preshared keys
policy Show ISAKMP protection suite policy
profile Show ISAKMP profiles
sa Show ISAKMP Security Associations
HO#show crypto isakmp key
HO#show crypto isakmp policy
HO#show crypto isakmp profile
HO#show crypto isakmp sa
HO#show crypto ipsec ?
profile Show ipsec profile information
sa IPSEC SA table
security-association Show parameters for IPSec security associations
transform-set Crypto transform sets
HO#show crypto ?
ca Show certification authority policy
dynamic-map Crypto map templates
engine Show crypto engine info
identity Show crypto identity list
ipsec Show IPSEC policy
isakmp Show ISAKMP Security Associations
key Show long term public keys
map Crypto maps
mib Show Crypto-related MIB Parameters
optional Optional Encryption Status
sockets Secure Socket Information
HO#debug crypto ?
ber decode ASN.1 BER data
engine Crypto Engine Debug
ipsec IPSEC processing
isakmp ISAKMP Key Management
mib IPSEC Management Transactions
pki PKI Client
socket Crypto Secure Socket Debug
verbose verbose decode
Related post: Configure VPN between branch routers (Branch to Branch Site-to-Site VPN)
Comments:
hi, I have tried your example but the ping does not work. It stops at HO. Any ideas!
by the way, I am using packet tracer
Try in GNS3...
Thanks for configuration. It works good.
What router version are you using in the tutorial?
i am using c7200 in gns3...
with the IOS c3725
I have completed all the instructions but ping did not work please help
thanks brother good luck in life