2/27/2019 Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers

(http://www.firewall.cx)

FIREWALL.CX TEAM NEWS ALTERNATIVE MENU RECOMMENDED SITES FORUM CONTACT US - FEEDBACK
(/MEET-THE-TEAM.HTML) (/NEWS.HTML) (/SITE-MAP.HTML) (/RECOMMENDED-SITES.HTML) (/FORUMS.HTML) (/CONTACT-US.HTML)

(/) (/networking-topics.html) (/cisco-technical-knowledgebase.html)

HOME NETWORKING CISCO

(/microsoft-knowledgebase.html) (/linux-knowledgebase-tutorials.html) (/general-topics-reviews.html)

MICROSOFT LINUX MORE CONTENT

(/vpn.html) (/downloads.html)
VPN DOWNLOADS

THURSDAY, 28 FEBRUARY 2019

search...

HOT DOWNLOADS
(https://clixtrac.com/goto/?265874) (http://www.acunetix.com/web-vul
DEAL WITH scanner/?
BANDWIDTH SPIKES utm_source=firewall.cx&utm_camp

FREE NETWORK
SECURITY SCANNER

(/component/banners/click/1.html)

(http://www.acunetix.com/web-
CONFIGURING SITE TO SITE IPSEC VPN TUNNEL BETWEEN CISCO vulnerability-scanner/?

ROUTERS utm_source=firewall.cx&utm_campaign=sec
WRITTEN BY ADMINISTRATOR. POSTED IN CISCO ROUTERS - CONFIGURING CISCO ROUTERS (/CISCO-TECHNICAL-KNOWLEDGEBASE/CISCO-
ROUTERS.HTML)
FREE HYPER-V &
Rating 4.46 (140 Votes)
VMWARE BACKUP
Like 484 f Share Tweet Share Save

Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and video between two sites (e.g offices or
branches). The VPN tunnel is created over the Internet public network and encrypted using a number of advanced encryption algorithms to
provide confidentiality of the data transmitted between the two sites.

This article will show how to setup and configure two Cisco routers to create a permanent secure site-to-site VPN tunnel over the Internet,
using the IP Security (IPSec) protocol (/networking-topics/protocols/127-ip-security-protocol.html). In this article we assume both Cisco
routers have a static public IP address. Readers interested in configuring support for dynamic public IP address endpoint routers can (https://clixtrac.com/goto/?
refer to our Configuring Site to Site IPSec VPN with Dynamic IP Endpoint Cisco Routers (/cisco-technical-knowledgebase/cisco- 210273)
routers/936-cisco-router-ipsec-vpn-dynamic-endpoint.html) article.

IPSec VPN tunnels can also be configured using GRE (Generic Routing Encapsulation) Tunnels with IPsec. GRE tunnels greatly simply the RECOMMENDED
configuration and administration of VPN tunnels and are covered in our Configuring Point-to-Point GRE VPN Tunnels (/cisco-technical- DOWNLOADS
knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html) article. Lastly, DMVPNs – a new VPN trend that provide major flexibility and
almost no administration overhead can also be examined by reading our Understanding Cisco Dynamic Multipoint VPN (DMVPN) (/cisco- Web Vulnerability Scanner
technical-knowledgebase/cisco-services-tech/896-cisco-dmvpn-intro.html), Dynamic Multipoint VPN (DMVPN) Deployment Models & (http://www.acunetix.com/web-
Architectures (/cisco-technical-knowledgebase/cisco-services-tech/908-cisco-dmvpn-models.html) and Configuring Cisco Dynamic vulnerability-scanner/?
Multipoint VPN (DMVPN) - Hub, Spokes , mGRE Protection and Routing - DMVPN Configuration (/cisco-technical-knowledgebase/cisco- utm_source=firewall.cx&utm_campaign=s
routers/901-cisco-router-dmvpn-configuration.html)articles. Network Management -
Monitor & Alert
ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. (http://clixtrac.com/goto/?
ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec 225994)
security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2. Free Hyper-V & VMware
Backup
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html 1/5
 Phase 1 creates the first tunnel, which protects later ISAKMP
2/27/2019 negotiation Site
Configuring messages.
to SitePhase 2 creates
IPSec the tunnel
VPN Tunnel that protects
Between data.Routers
Cisco IPSec (http://clixtrac.com/goto/?
then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services. 210270)
Free Network Security Scan
IPSEC VPN REQUIREMENTS (http://www.acunetix.com/web-
vulnerability-scanner/?
To help make this an easy-to-follow exercise, we have split it into two steps that are required to get the Site-to-Site IPSec VPN Tunnel to utm_source=firewall.cx&utm_campaign=s
work. SD-WAN Networks &
Security
These steps are:
(https://www.catonetworks.com/solutions/s
(1) Configure ISAKMP (ISAKMP Phase 1) global-sd-wan-as-a-
service/?
(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP) utm_source=firewallcx)
Bandwidth Monitor
Our example setup is between two branches of a small company, these are Site 1 and Site 2. Both the branch routers connect to the
(http://clixtrac.com/goto/?
Internet and have a static IP Address assigned by their ISP as shown on the diagram:
235210)

BANDWIDTH MONITOR

(http://clixtrac.com/goto/?
235160)

Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to securely
connect both LAN networks and allow full communication between them, without any restrictions. NETWORK AND
SERVER MONITORING
CONFIGURE ISAKMP (IKE) - (ISAKMP PHASE 1)
IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA)
relationship with the peer.

To begin, we’ll start working on the Site 1 router (R1).

First step is to configure an ISAKMP Phase 1 policy:

(https://clixtrac.com/goto/?
R1(config)# crypto isakmp policy 1 265873)
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share JOIN US: (http://www.linkedin.com/groups?
(https://www.facebook.com/fi
(http://twitter.com/firewa
(http://feeds.feedb
R1(config-isakmp)# group 2 home=&gid=1037867)
R1(config-isakmp)# lifetime 86400
SECURE SD-WAN

The above commands define the following (in listed order):

3DES - The encryption method to be used for Phase 1.

MD5 - The hashing algorithm
Pre-share - Use Pre-shared key as the authentication method
Group 2 - Diffie-Hellman group to be used
86400 – Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. Value set is the default (http://www.catonetworks.com/solutions/secu
value. global-sd-wan-as-a-service/?
utm_source=firewallcx)
We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five
different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send
all five policies and use the first match that is accepted by both ends. FACEBOOK - LIKE US!
Next we are going to define a pre shared key for authentication with our peer (R2 router) by using the following command:
Firewal…
R1(config)# crypto isakmp key firewallcx address 1.1.1.2 Like Page

The peer’s pre shared key is set to firewallcx and its public IP Address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2
(1.1.1.2), this pre shared key will be used. CISCO PRESS REVIEW
PARTNER
CONFIGURE IPSEC - 4 SIMPLE STEPS
To configure IPSec we need to setup the following in order:

Create extended ACL (/site-news/316-firewall-

ciscopress.html)
Create IPSec Transform
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html 2/5
2/27/2019 Create Crypto Map Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers Notify me of new articles

Apply crypto map to the public interface Name

Let us examine each of the above steps. E-mail

STEP 1: CREATING EXTENDED ACL Subscribe

Next step is to create an access-list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would
be traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access-lists that define VPN traffic are sometimes called crypto
access-list or interesting traffic access-list. CISCO MENU

CISCO ROUTERS
R1(config)# ip access-list extended VPN-TRAFFIC
(/cisco-technical-
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
knowledgebase/cisco-
routers.html)
STEP 2: CREATE IPSEC TRANSFORM (ISAKMP PHASE 2 POLICY) CISCO SWITCHES

Next step is to create the transform set used to protect our data. We’ve named this TS: (/cisco-technical-
knowledgebase/cisco-
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac switches.html)

CISCO DATA CENTER

The above command defines the following: (/cisco-technical-
knowledgebase/cisco-data-
- ESP-3DES - Encryption method
center.html)
- MD5 - Hashing algorithm
CISCO VOIP/CCME -
CALLMANAGER
STEP 3: CREATE CRYPTO MAP (/cisco-technical-
The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together: knowledgebase/cisco-
voice.html)
R1(config)# crypto map CMAP 10 ipsec-isakmp CISCO FIREWALLS
R1(config-crypto-map)# set peer 1.1.1.2
(/cisco-technical-
R1(config-crypto-map)# set transform-set TS
knowledgebase/cisco-
R1(config-crypto-map)# match address VPN-TRAFFIC
firewalls.html)
CISCO WIRELESS
We’ve named our crypto map CMAP. The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is
only one peer declared in this crypto map (1.1.1.2), it is possible to have multiple peers within a given crypto map. (/cisco-technical-
knowledgebase/cisco-
wireless.html)
STEP 4: APPLY CRYPTO MAP TO THE PUBLIC INTERFACE
CISCO SERVICES &
The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1. TECHNOLOGIES
(/cisco-technical-
R1(config)# interface FastEthernet0/1 knowledgebase/cisco-
R1(config- if)# crypto map CMAP services-tech.html)
CISCO AUTHORS & CCIE
Note that you can assign only one crypto map to an interface.
INTERVIEWS

As soon as we apply crypto map on the interface, we receive a message from the router that confirms isakmp is on: “ISAKMP is ON”. (/cisco-technical-
knowledgebase/ccie-
At this point, we have completed the IPSec VPN configuration on the Site 1 router. experts.html)
CISCO DATA CENTER USER
We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, with the only difference being
GROUP
the peer IP Addresses and access lists:
(/cisco-technical-
R2(config)# crypto isakmp policy 1 knowledgebase/cisco-
R2(config-isakmp)# encr 3des datacenter-user-group.html)
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
POPULAR CISCO
ARTICLES
R2(config-isakmp)# lifetime 86400
DMVPN Configuration (/cisco-
R2(config)# crypto isakmp key firewallcx address 1.1.1.1 technical-
R2(config)# ip access-list extended VPN-TRAFFIC knowledgebase/cisco-
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 routers/901-cisco-router-
dmvpn-configuration.html)
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac Cisco IP SLA (/cisco-technical-
R2(config)# crypto map CMAP 10 ipsec-isakmp knowledgebase/cisco-
R2(config-crypto-map)# set peer 1.1.1.1 routers/813-cisco-router-ipsla-
R2(config-crypto-map)# set transform-set TS basic.html)
R2(config-crypto-map)# match address VPN-TRAFFIC VLAN Security (/cisco-
technical-
R2(config)# interface FastEthernet0/1 knowledgebase/cisco-
R2(config- if)# crypto map CMAP switches/818-cisco-switches-
vlan-security.html)
4507R-E Installation (/cisco-
NETWORK ADDRESS TRANSLATION (NAT) AND IPSEC VPN TUNNELS technical-
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html 3/5
 Network Address Translation (/networking-topics/network-address-translation-nat.html)
2/27/2019 Configuring Site to Site IPSec(NAT) is mostTunnel
VPN likely toBetween
be configured
Ciscoto Routers
provide knowledgebase/cisco-
Internet access to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the router not to perform NAT switches/948-cisco-switches-
(deny NAT) on packets destined to the remote VPN network(s). 4507re-ws-x45-sup7l-e-
installation.html)
This is easily done by inserting a deny statement at the beginning of the NAT access lists as shown below: CallManager Express Intro
(/cisco-technical-
For Site 1’s router:
knowledgebase/cisco-
voice/371-cisco-ccme-part-
R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload
1.html)
R1(config)# access-list 100 remark -=[Define NAT Service]=-
Secure CME - SRTP & TLS
R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
(/cisco-technical-
R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
knowledgebase/cisco-
R1(config)# access-list 100 remark
voice/956-cisco-voice-cme-
secure-voip.html)
And Site 2’s router: Cisco Password Crack (/cisco-
technical-
R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload knowledgebase/cisco-
R2(config)# access-list 100 remark -=[Define NAT Service]=- routers/358-cisco-type7-
R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 password-crack.html)
R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any Site-to-Site VPN (/cisco-
R2(config)# access-list 100 remark technical-
knowledgebase/cisco-
routers/867-cisco-router-site-
ESTABLISHING AND VERIFYING THE IPSEC VPN TUNNEL to-site-ipsec-vpn.html)
At this point, we’ve completed our configuration and the VPN Tunnel is ready to be brought up. To initiate the VPN Tunnel, we need to
force one packet to traverse the VPN and this can be achieved by pinging from one router to another:
POPULAR LINUX
ARTICLES
R1# ping 20.20.20.1 source fastethernet0/0
Type escape sequence to abort. Linux Init & RunLevels (/linux-
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds: knowledgebase-tutorials/linux-
Packet sent with a source address of 10.10.10.1 administration/845-linux-
.!!!! administration-runlevels.html)
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms Linux Groups & Users (/linux-
knowledgebase-tutorials/linux-
administration/842-linux-
The first icmp echo (/networking-topics/protocols/icmp-protocol/152-icmp-echo-ping.html) (ping) received a timeout, but the rest received a groups-user-accounts.html)
reply, as expected. The time required to bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first ping to Linux Performance Monitoring
timeout. (/linux-knowledgebase-
tutorials/linux-
To verify the VPN Tunnel, use the show crypto session command: administration/837-linux-
system-resource-
R1# show crypto session monitoring.html)
Crypto session current status Linux Vim Editor (/linux-
Interface: FastEthernet0/1 knowledgebase-tutorials/linux-
Session status: UP-ACTIVE administration/836-linux-
Peer: 1.1.1.2 port 500 vi.html)
IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active Linux Samba (/linux-
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0 knowledgebase-
Active SAs: 2, origin: crypto map tutorials/system-and-network-
services/848-linux-services-

Back to Cisco Routers Section (/cisco-technical-knowledgebase/cisco-routers.html) samba.html)

Linux DHCP Server (/linux-
Like 484 f Share Tweet Share Save knowledgebase-
tutorials/system-and-network-
services/849-linux-services-

ARTICLES TO READ NEXT: dhcp-server.html)

Linux Bind DNS (/general-
topics-reviews/linuxunix-
CISCO ROUTER BASICS (/CISCO- CISCO TYPE 7 PASSWORD DECRYPT / HOW TO FIX CISCO CONFIGURATION related/829-linux-bind-
TECHNICAL- DECODER / CRACKER TOOL PROFESSIONAL (CCP) 'JAVA... introduction.html)
KNOWLEDGEBASE/CISCO- (/GENERAL-TOPICS-REVIEWS/CISCO- (/CISCO-TECHNICAL- Linux File & Folder
ROUTERS/250-CISCO-ROUTER- CRACKER.HTML) KNOWLEDGEBASE/CISCO-
Permissions (/general-topics-
BASICS.HTML) ROUTERS/981-CISCO-
CONFIGURATION-PROFESSIONAL- reviews/linuxunix-
JAVA-ERRORS.HTML) related/introduction-to-
linux/299-linux-file-folder-
permissions.html)
Linux OpenMosix (/general-
topics-reviews/linuxunix-
related/openmosix-linux-
supercomputer.html)
Linux Network Config (/linux-
knowledgebase-tutorials/linux-
administration/851-linux-
services-tcpip.html)

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html 4/5
2/27/2019 Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers RSS SUBSCRIPTION
Subscribe to Firewall.cx RSS
Feed by Email
(http://feedburner.google.com/fb/a/mailverify?
uri=firewallcx&loc=en_US)

CCENT/CCNA CISCO ROUTERS VPN SECURITY CISCO HELP WINDOWS 2012 LINUX
ROUTER BASICS (/CISCO- SSL WEBVPN UNDERSTAND DMVPN VPN CLIENT WINDOWS 8 NEW FEATURES FILE PERMISSIONS
TECHNICAL- SECURING ROUTERS GRE/IPSEC VPN CLIENT WINDOWS 7 LICENSING WEBMIN
KNOWLEDGEBASE/CISCO- POLICY BASED ROUTING CONFIGURATION CCP DISPLAY PROBLEM HYPER-V / VDI GROUPS - USERS
ROUTERS/250-CISCO- ROUTER ON-A-STICK SITE-TO-SITE IPSEC VPN CISCO SUPPORT APP. INSTALL HYPER-V SAMBA SETUP
ROUTER-BASICS.HTML) IPSEC MODES
SUBNETTING
OSI MODEL
IP PROTOCOL

FIREWALL.CX TEAM NEWS ALTERNATIVE MENU RECOMMENDED SITES FORUM CONTACT US - FEEDBACK
(/MEET-THE-TEAM.HTML) (/NEWS.HTML) (/SITE-MAP.HTML) (/RECOMMENDED-SITES.HTML) (/FORUMS.HTML) (/CONTACT-US.HTML)
© Copyright 2000-2018 Firewall.cx - All Rights Reserved
Information and images contained on this site is copyrighted material.

Firewall.cx - Cisco Networking, VPN - IPSec, Security, Cisco Switching, Cisco Routers, Cisco VoIP - CallManager Express, Windows Server, Virtualization, Hyper-V, Web Security, Linux Administration

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html 5/5