What is a VPN?
A Virtual Private Network is a type of connection that links remote users to their central office over the internet. An IPsec VPN is a virtual tunnel through your public ISP network. VPN connections are encrypted, so the traffic stays private while it crosses the public network.
How to set up a VPN on Cisco:
Here we shall see a site-to-site VPN CLI configuration on GNS3. It is not so much about the commands as about how the pieces fit together. I shall divide the configuration into a few parts to make it easier to understand, i.e.
1. Define ISAKMP policy and transform set:
ISAKMP is the protocol that lets the key exchange happen automatically, so there is no need to configure the VPN keys manually. In this step we define the authentication type, encryption type, hash and lifetime, and define which session keys are used.
2. Create an ACL:
Define the interesting traffic using an access control list. This ACL is not for permitting or denying IP addresses; it only says which traffic gets encrypted.
3. Set up a crypto map and assign it to an interface:
In this step we tie all the pieces together so that they can be applied to an interface.
For the site-to-site VPN configuration I have created the following lab in GNS3. In it, US and Pakistan are our end-site routers and the ISP cloud represents the internet cloud, but don't be misled by the cloud symbol: it is a simple router running a 7200-series IOS. I changed the router symbol via GNS3 > Edit > Symbol Manager to give my topology a real-environment look. The complete configurations are given below.
US site config:
US(config)#int s1/0
US(config-if)#ip address 50.0.0.1 255.255.255.0
US(config-if)#no shut
US(config)#int loop 1
US(config-if)#ip address 10.1.1.1 255.255.255.0
US(config)#router rip
US(config-router)#version 2
US(config-router)#network 10.1.1.0
US(config-router)#network 50.0.0.0
US(config-router)#no auto-summary
Step-1:
US(config)#crypto isakmp policy 7
US(config-isakmp)#authentication pre-share
US(config-isakmp)#encryption aes 128
US(config-isakmp)#group 2
US(config-isakmp)#hash sha
US(config-isakmp)#lifetime 100
US(config-isakmp)#ex
US(config)#crypto isakmp key 0 vpnkey address 192.168.1.1 no-xauth
US(config)#crypto ipsec transform-set vpntrans esp-aes 128 esp-sha-hmac
The ISAKMP lifetime is in seconds, and the key 0 form stores the pre-shared key in clear text in the configuration; both routers must be given the same key string.
Step-2:
US(config)#ip access-list extended vpn-acl
US(config-ext-nacl)#permit ip 50.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
Step-3:
US(config)#crypto map vpn-map 10 ipsec-isakmp
US(config-crypto-map)#set peer 192.168.1.1
US(config-crypto-map)#match address vpn-acl
US(config-crypto-map)#set transform-set vpntrans
US(config)#int s1/0
US(config-if)#crypto map vpn-map
ISP configuration:
ISP#conf t
ISP(config)#int s1/0
ISP(config-if)#ip add 50.0.0.2 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#ex
ISP(config)#int s1/1
ISP(config-if)#ip add 192.168.1.2 255.255.255.0
ISP(config-if)#no shut
ISP(config)#router rip
ISP(config-router)#version 2
ISP(config-router)#network 50.0.0.0
ISP(config-router)#network 192.168.1.0
ISP(config-router)#no auto-summary
Pakistan site config:
The interface addressing and RIP for the Pakistan router are not shown here; from the US and ISP configs above, its Serial1/0 must carry 192.168.1.1 255.255.255.0 (the address the US side peers with) and it must advertise the 172.16.0.0/16 network that the crypto ACL refers to.
Step-1:
Pakistan#conf t
Pakistan(config)#crypto isakmp policy 7
Pakistan(config-isakmp)#authentication pre-share
Pakistan(config-isakmp)#encryption aes 128
Pakistan(config-isakmp)#group 2
Pakistan(config-isakmp)#hash sha
Pakistan(config-isakmp)#lifetime 100
Pakistan(config-isakmp)#ex
Pakistan(config)#crypto isakmp key 0 vpnkey address 50.0.0.1 no-xauth
Pakistan(config)#crypto ipsec transform-set vpntrans esp-aes 128 esp-sha-hmac
Pakistan(cfg-crypto-trans)#ex
Step-2:
Pakistan(config)#ip access-list extended vpn-acl
Pakistan(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 50.0.0.0 0.0.0.255
Pakistan(config-ext-nacl)#ex
Step-3:
Pakistan(config)#crypto map vpn-map 10 ipsec-isakmp
Pakistan(config-crypto-map)#set peer 50.0.0.1
Pakistan(config-crypto-map)#set transform-set vpntrans
Pakistan(config-crypto-map)#match address vpn-acl
Pakistan(config)#interface Serial1/0
Pakistan(config-if)#crypto map vpn-map
Site-to-site VPN verification commands:
show crypto isakmp sa
show crypto ipsec sa
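Before running the verification commands above, it helps to confirm that the two sides actually mirror each other, since a mismatched ISAKMP policy, transform set, peer address or non-mirrored crypto ACL is the usual reason no SA ever appears. The following Python script is an added example, not part of the original post: it parses constructed excerpts of the two site configs above (filling in the IOS defaults for the hash and the AES key size, which the Pakistan side leaves implicit) and reports any mismatch.

```python
import re
# Constructed excerpts of the article's two site configs (lab values only); Pakistan keeps
# the article's quirks: no "hash" line and "esp-aes" with no key size, both IOS defaults.
US_CFG = """crypto isakmp policy 7
 authentication pre-share
 encryption aes 128
 group 2
 hash sha
crypto ipsec transform-set vpntrans esp-aes 128 esp-sha-hmac
ip access-list extended vpn-acl
 permit ip 50.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
crypto map vpn-map 10 ipsec-isakmp
 set peer 192.168.1.1
interface Serial1/0
 ip address 50.0.0.1 255.255.255.0"""
PK_CFG = """crypto isakmp policy 7
 authentication pre-share
 encryption aes 128
 group 2
crypto ipsec transform-set vpntrans esp-aes esp-sha-hmac
ip access-list extended vpn-acl
 permit ip 172.16.0.0 0.0.255.255 50.0.0.0 0.0.0.255
crypto map vpn-map 10 ipsec-isakmp
 set peer 50.0.0.1
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0"""

def grab(cfg, pat, default=None):
    m = re.search(pat, cfg, re.M)
    return m.group(1).strip() if m else default

def parse_site(cfg):  # VPN-relevant fields of one router, IOS defaults filled in where a line is absent
    policy = tuple(grab(cfg, rf"^ {k} (.+)$", d) for k, d in
                   (("authentication", "rsa-sig"), ("encryption", "des"), ("group", "1"), ("hash", "sha")))
    return {
        "policy": policy,
        "ts": grab(cfg, r"^crypto ipsec transform-set \S+ (.+)$", "").replace("esp-aes esp", "esp-aes 128 esp"),
        "acl": set(re.findall(r"^ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)),
        "peer": grab(cfg, r"^ set peer (\S+)"),
        "wan_ip": grab(cfg, r"^ ip address (\S+)"),  # assumes the excerpt holds only the WAN interface
    }

def check_pair(a, b):  # mismatches between the two sites; an empty list means the tunnel can negotiate
    checks = [
        (a["policy"] != b["policy"], "isakmp policy (authentication/encryption/group/hash) differs"),
        (a["ts"] != b["ts"], "transform-set differs"),
        (a["peer"] != b["wan_ip"] or b["peer"] != a["wan_ip"], "set peer is not the far side's WAN address"),
        (a["acl"] != {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}, "crypto ACLs are not mirror images"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running check_pair(parse_site(US_CFG), parse_site(PK_CFG)) on the excerpts above returns an empty list; the ISAKMP lifetime is deliberately not compared, because IOS negotiates down to the shorter of the two values.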