How to configure an IPsec Site-to-Site VPN (Virtual Private Network) on Cisco routers using GNS3 in seven simple steps
Step 1: Create a topology like this.
Step 2: Configure the routers and hosts with the IP addresses given in the topology.
In Router HO global config mode,
HO(config)#interface fastethernet 2/0
HO(config-if)#ip address 192.168.1.1 255.255.255.0
HO(config-if)#no shutdown
HO(config-if)#exit
HO(config)#interface serial 1/0
HO(config-if)#ip address 20.0.0.1 255.0.0.0
HO(config-if)#clock rate 64000
HO(config-if)#encapsulation ppp
HO(config-if)#no shutdown
HO(config-if)#exit
In Router ISP1 global config mode,
ISP1(config)#interface serial1/0
ISP1(config-if)#ip address 20.0.0.2 255.0.0.0
ISP1(config-if)#encapsulation ppp
ISP1(config-if)#clock rate 64000
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
ISP1(config)#interface serial1/1
ISP1(config-if)#ip address 30.0.0.1 255.0.0.0
ISP1(config-if)#encapsulation ppp
ISP1(config-if)#clock rate 64000
ISP1(config-if)#no shutdown
ISP1(config-if)#exit
In Router ISP2 global config mode,
ISP2(config)#interface serial 1/0
ISP2(config-if)#ip address 30.0.0.2 255.0.0.0
ISP2(config-if)#encapsulation ppp
ISP2(config-if)#clock rate 64000
ISP2(config-if)#no shutdown
ISP2(config-if)#exit
ISP2(config)#interface serial 1/1
ISP2(config-if)#ip address 40.0.0.1 255.0.0.0
ISP2(config-if)#encapsulation ppp
ISP2(config-if)#clock rate 64000
ISP2(config-if)#no shutdown
ISP2(config-if)#exit
In Router BO global config mode,
BO(config)#interface fastethernet2/0
BO(config-if)#ip address 192.168.2.1 255.255.255.0
BO(config-if)#no shutdown
BO(config-if)#exit
BO(config)#interface serial1/0
BO(config-if)#ip address 40.0.0.2 255.0.0.0
BO(config-if)#clock rate 64000
BO(config-if)#encapsulation ppp
BO(config-if)#no shutdown
BO(config-if)#exit
Qemu1 (the host in the 192.168.1.0/24 network)
tc@box:~$ sudo su
root@box:~# ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up
root@box:~# route add default gw 192.168.1.1
Qemu2 (the host in the 192.168.2.0/24 network)
tc@box:~$ sudo su
root@box:~# ifconfig eth0 192.168.2.10 netmask 255.255.255.0 up
root@box:~# route add default gw 192.168.2.1
Step 3: Configure the ISP1 and ISP2 routers with any routing protocol. I am going to use RIP.
ISP1(config)#router rip
ISP1(config-router)#network 20.0.0.0
ISP1(config-router)#network 30.0.0.0
ISP1(config-router)#exit
ISP2(config)#router rip
ISP2(config-router)#network 30.0.0.0
ISP2(config-router)#network 40.0.0.0
ISP2(config-router)#exit
HO and BO do not take part in RIP; they only use the default routes added in Step 5. This keeps ISP1 and ISP2 independent of the HO and BO routers, so the lab behaves like a real site-to-site deployment in which the provider network is opaque to the customer routers. In practice the ISP can use any routing protocol.
Step 4: Configure the HO and BO routers with the VPN configuration. (DES and MD5 are chosen here for the lab only; on production equipment use AES and SHA-2, and give the pre-shared key a host mask of 255.255.255.255 so it applies only to the intended peer.)
In Router HO global config mode,
HO(config)#crypto isakmp enable
HO(config)#crypto isakmp policy 10
HO(config-isakmp)#authentication pre-share
HO(config-isakmp)#hash md5
HO(config-isakmp)#encryption des
HO(config-isakmp)#group 2
HO(config-isakmp)#lifetime 3600
HO(config-isakmp)#exit
HO(config)#crypto isakmp key security address 40.0.0.2 255.0.0.0
HO(config)#crypto ipsec transform-set hoset esp-des esp-md5-hmac
HO(cfg-crypto-trans)#exit
HO(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
HO(config)#crypto map homap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
HO(config-crypto-map)#set peer 40.0.0.2
HO(config-crypto-map)#set transform-set hoset
HO(config-crypto-map)#match address 101
HO(config-crypto-map)#exit
HO(config)#interface serial 1/0
HO(config-if)#crypto map homap
HO(config-if)#exit
In Router BO global config mode,
BO(config)#crypto isakmp enable
BO(config)#crypto isakmp policy 10
BO(config-isakmp)#authentication pre-share
BO(config-isakmp)#hash md5
BO(config-isakmp)#encryption des
BO(config-isakmp)#group 2
BO(config-isakmp)#lifetime 3600
BO(config-isakmp)#exit
BO(config)#crypto isakmp key security address 20.0.0.1 255.0.0.0
BO(config)#crypto ipsec transform-set boset esp-des esp-md5-hmac
BO(cfg-crypto-trans)#exit
BO(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
BO(config)#crypto map bomap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
BO(config-crypto-map)#set peer 20.0.0.1
BO(config-crypto-map)#set transform-set boset
BO(config-crypto-map)#match address 101
BO(config-crypto-map)#exit
BO(config)#interface serial 1/0
BO(config-if)#crypto map bomap
BO(config-if)#exit
BO(config)#
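Before reading through debug output it helps to confirm that the two halves of the Step 4 configuration mirror each other. The Python below is an added example, not code from the original post: it takes the relevant HO and BO lines as constructed samples (BO is derived from HO by swapping the peer address, names and ACL direction, exactly as in the steps above) and reports the mismatches that stop Phase 1 or Phase 2 from completing, plus the broad 255.0.0.0 mask on the pre-shared key.

```python
# Constructed sample: the lines from Step 4 that must agree between the two peers (HO side).
HO = """crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption des
 group 2
crypto isakmp key security address 40.0.0.2 255.0.0.0
crypto ipsec transform-set hoset esp-des esp-md5-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map homap 10 ipsec-isakmp
 set peer 40.0.0.2
 match address 101"""
BO = (HO.replace("40.0.0.2", "20.0.0.1").replace("hoset", "boset").replace("homap", "bomap")
        .replace("192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0"))

def parse(cfg):
    """Pull out the settings that must agree between two crypto-map peers."""
    p = {"policy": {}}
    for w in filter(None, (line.split() for line in cfg.splitlines())):
        if w[0] in ("authentication", "hash", "encryption", "group"):
            p["policy"][w[0]] = w[1]                 # ISAKMP (Phase 1) proposal
        elif w[:3] == ["crypto", "isakmp", "key"]:
            p["key"], p["key_mask"] = w[3], w[6]     # pre-shared key and peer mask
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform"] = tuple(w[4:])            # IPsec (Phase 2) proposal
        elif w[0] == "access-list":
            p["acl"] = (w[4], w[6])                  # (source net, destination net)
        elif w[:2] == ["set", "peer"]:
            p["peer"] = w[2]
    return p

def check(local, remote, remote_wan):
    """Return findings that would stop Phase 1 or Phase 2, plus a key-scope warning."""
    l, r = parse(local), parse(remote)
    issues = []
    if l["policy"] != r["policy"]:
        issues.append("ISAKMP policy differs: %s vs %s" % (l["policy"], r["policy"]))
    if l["key"] != r["key"]:
        issues.append("pre-shared keys differ")
    if l["transform"] != r["transform"]:
        issues.append("transform sets differ: %s vs %s" % (l["transform"], r["transform"]))
    if l["peer"] != remote_wan:
        issues.append("set peer %s is not the remote WAN address %s" % (l["peer"], remote_wan))
    if l["acl"] != r["acl"][::-1]:
        issues.append("crypto ACL %s is not the mirror of the peer's %s" % (l["acl"], r["acl"]))
    if l["key_mask"] != "255.255.255.255":
        issues.append("key mask %s matches more than one peer; use 255.255.255.255" % l["key_mask"])
    return issues
for finding in check(HO, BO, "40.0.0.2") + check(BO, HO, "20.0.0.1"):
    print(finding)   # with the post's settings only the broad key mask is reported
```

Run it against the two running-configs whenever a tunnel refuses to come up; a policy or transform-set mismatch found here is the same failure that otherwise shows up only as retransmits in the debug output.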
Step 5: Configure a default static route on HO and BO that forwards all packets to the Internet Service Provider router. The peer address for the HO router is 40.0.0.2, a public IP address; once HO forwards a packet to 20.0.0.2, it is the ISP's responsibility to carry it to 40.0.0.2. The same applies to the BO router.
HO(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
BO(config)#ip route 0.0.0.0 0.0.0.0 40.0.0.1
Step 6: Now enable debugging on the HO and BO routers in privileged mode to watch the VPN negotiation.
In privileged mode on the HO and BO routers:
HO#debug crypto ipsec
Crypto IPSEC debugging is on
HO#debug crypto isakmp
Crypto ISAKMP debugging is on
BO#debug crypto ipsec
Crypto IPSEC debugging is on
BO#debug crypto isakmp
Crypto ISAKMP debugging is on
Step 7: Now go to the host in the 192.168.1.0/24 network and ping 192.168.2.10 in the 192.168.2.0/24 network, then look at the HO and BO routers to see what happens during the ping. The first ping usually times out while the ISAKMP and IPsec security associations are being negotiated; later pings succeed once the tunnel is up.
root@box:~# ping 192.168.2.10
Troubleshooting commands:
HO#show crypto isakmp ?
key Show ISAKMP preshared keys
policy Show ISAKMP protection suite policy
profile Show ISAKMP profiles
sa Show ISAKMP Security Associations
HO#show crypto isakmp key
HO#show crypto isakmp policy
HO#show crypto isakmp profile
HO#show crypto isakmp sa
HO#show crypto ipsec ?
profile Show ipsec profile information
sa IPSEC SA table
security-association Show parameters for IPSec security associations
transform-set Crypto transform sets
HO#show crypto ?
ca Show certification authority policy
dynamic-map Crypto map templates
engine Show crypto engine info
identity Show crypto identity list
ipsec Show IPSEC policy
isakmp Show ISAKMP Security Associations
key Show long term public keys
map Crypto maps
mib Show Crypto-related MIB Parameters
optional Optional Encryption Status
sockets Secure Socket Information
HO#debug crypto ?
ber decode ASN.1 BER data
engine Crypto Engine Debug
ipsec IPSEC processing
isakmp ISAKMP Key Management
mib IPSEC Management Transactions
pki PKI Client
socket Crypto Secure Socket Debug
verbose verbose decode
Thanks brother, nice work.