Lan-to-Lan IPSEC VPN between two Cisco Routers
With IPSEC VPNs, businesses can connect remote office LANs together over the Internet with the strong encryption and security offered by the IPSEC protocol. IPSEC is an IETF security standard; it is essentially a suite of several protocols that offer secure communication over insecure paths. It is therefore ideal for securely connecting distant LAN networks over the insecure Internet.
There are two types of IPSEC VPNs: Lan-to-Lan (or site-to-site) encrypted VPN and Remote Access VPN. The first is used extensively to securely connect distant office networks; the second allows remote users/teleworkers to access resources on a central site network. In this post we briefly describe a Lan-to-Lan IPSEC VPN and provide a full configuration example with two Cisco IOS Routers using IPSEC.
We could use a private WAN network with Frame Relay or MPLS connections, but that would make the cost very high. Instead, with an IPSEC VPN we can use cheap Internet connectivity (secured by IPSEC) for communication between our remote sites.
We will be using the example diagram (Fig 1.1) for the configuration scenario. Generally, there are two Phases for an IPSEC VPN:
- Phase 1: In this Phase we configure an ISAKMP policy. This policy establishes an initial secure channel over which further communication will follow. It defines how the IPSEC peers will authenticate each other and which security protocols will be used.
- Phase 2: In this Phase we configure a crypto map and crypto transform sets. In general, Phase 2 deals with traffic management of the actual data communication between sites. The transform sets configured here define which authentication and encryption protocols will be used on the data traffic.
There is a software VPN Configuration Tool which generates a fully working Router configuration for site-to-site VPN between Cisco Routers; it can be very handy in situations requiring the configuration of different Cisco VPN scenarios.
Fig 1.1 - IPSEC LAN to LAN Communication
For manual site-to-site VPN configuration, check out the following examples.
Let’s see the complete configurations for router1 and router2 below:
Configuration for Router1
router1#show run
Building configuration…
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-A
!
boot-start-marker
boot-end-marker
!
!
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key testkey1234 address 200.0.0.1
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
set peer 200.0.0.1
set transform-set aes-sha-transform
match address acl_vpn
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
ip nat outside
crypto map aesmap
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
Configuration for Router2
router2#show run
Building configuration…
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-B
!
boot-start-marker
boot-end-marker
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key testkey1234 address 100.0.0.1
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set aes-sha-transform
match address acl_vpn
!
interface FastEthernet0/0
ip address 200.0.0.1 255.255.255.0
ip nat outside
!-- Apply crypto map to the outside interface.
crypto map aesmap
!
interface FastEthernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
!
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
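As an added consistency check (my own script, not part of the post's configurations), the following Python code parses excerpts of the two router configurations above and verifies the three things that most often break a site-to-site tunnel: the pre-shared keys for the peer match on both sides, the crypto ACLs mirror each other, and the NAT ACL denies the LAN-to-LAN traffic before its "permit ... any" line (otherwise the traffic is PATed and never matches the crypto ACL). The configuration strings are constructed from the post; the function names are assumptions of this example.

```python
# Constructed excerpt of Router1's config from the post: only the lines that
# matter for the tunnel and the NAT exemption, indented as in "show run".
ROUTER_A = """\
crypto isakmp key testkey1234 address 200.0.0.1
crypto map aesmap 10 ipsec-isakmp
 set peer 200.0.0.1
 match address acl_vpn
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip access-list extended acl_nat
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Router2 is the mirror image: swap the peer address and the two LAN prefixes.
ROUTER_B = (ROUTER_A.replace("200.0.0.1", "100.0.0.1").replace("192.168.1.0", "X")
            .replace("192.168.2.0", "192.168.1.0").replace("X", "192.168.2.0"))

def parse(cfg):
    d, acl = {"keys": {}, "acl": {}}, None   # peer address -> PSK, ACL name -> entries
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "isakmp", "key"]:
            d["keys"][t[5]] = t[3]
        elif t[:2] == ["set", "peer"]:
            d["peer"] = t[2]
        elif t[:2] == ["match", "address"]:
            d["vpn_acl"] = t[2]                          # ACL selecting traffic to encrypt
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            d["nat_acl"] = t[5]                          # ACL feeding PAT overload
        elif t[:2] == ["ip", "access-list"]:
            acl = d["acl"].setdefault(t[3], [])
        elif t and t[0] in ("permit", "deny"):           # (action, source, destination)
            acl.append((t[0], f"{t[2]} {t[3]}", "any" if t[4] == "any" else f"{t[4]} {t[5]}"))
    return d

def check_pair(cfg_a, cfg_b):
    """Mismatches between two site-to-site peers; an empty list means consistent."""
    a, b, issues = parse(cfg_a), parse(cfg_b), []
    if a["keys"].get(a["peer"]) != b["keys"].get(b["peer"]):
        issues.append("pre-shared keys for the peer differ or are missing")
    for x, y in ((a, b), (b, a)):                        # check both directions
        for action, src, dst in x["acl"][x["vpn_acl"]]:
            if (action, dst, src) not in y["acl"][y["vpn_acl"]]:
                issues.append(f"crypto ACL entry {src} -> {dst} is not mirrored on the peer")
            # IOS stops at the first matching entry, so the deny must precede "permit ... any"
            hit = next((e[0] for e in x["acl"][x["nat_acl"]] if e[1] == src and e[2] in (dst, "any")), None)
            if hit != "deny":
                issues.append(f"NAT not exempted for {src} -> {dst}: VPN traffic would be PATed")
    return issues
```

The parser only understands the "src wildcard dst wildcard" and "src wildcard any" ACL forms used in the post, which is enough to catch a mistyped key or a NAT exemption placed after the permit line.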