4 Steps to Set Up a Cisco IPSec VPN

After completing these 4 easy-to-follow steps, you will have your secure VPN tunnel up and running.


VPN Tunnel

If you are new to computer networking, a VPN can be thought of as a secure tunnel that runs across the internet from one location to another. It lets you build a protected path through the internet so that the data you transfer remains private and, more importantly, remains safe.


Yes… It’s possible to configure an IPSec (IP Security) site-to-site VPN in only 4 key steps. It may sound a little far-fetched, but in the next few minutes I will walk you through configuring a fully functional IPSec VPN from scratch. At every step I will show you the commands needed to make it happen, with a brief explanation of what each command does so that you understand what is going on at each stage. Let’s jump right in.

Before we get going, here is a little checklist of the things you need to know, and the things you need to decide to help you along the way.

What You Need To Know:

  1. Public IP addresses for both ends
  2. Private IP addresses and IP address Ranges for both ends
  3. Interface on your router that connects you to the internet

What You Need to Provide:

  1. Pre-Shared Key (a shared password; you can make this up)
  2. Transform Set name (you can make this up too)

Before I list the steps, I must warn you that initial VPN setup can sometimes be a pain. However, once it connects successfully it really is a breeze. It also helps a lot if you, the network engineer setting it up, have access to both devices (for example when the VPN connects two remote sites that are both within your organization).

IPSec VPN configuration can be divided into two main parts, Phase 1 and Phase 2. Phase 1 consists of setting up ISAKMP, and Phase 2 involves setting up IPSec, ACLs and crypto maps. Let’s begin, shall we?

For our example we shall use the details below on our router:

  1. Private LAN network – 192.168.1.0
  2. Private LAN network of remote site – 192.168.2.0
  3. Public IP of remote side – 41.77.7.42
  4. Pre-Shared Key – OPTIMUS
  5. Crypto Map – CMAP
  6. Transform Set – BUMBLE-BEE

PHASE-1 STEPS

STEP -1: ISAKMP PHASE-1

IKE (Internet Key Exchange) allows us to establish SAs (Security Associations) between the two routers on either side of our IPSec VPN. To set this up we use the following commands.

R1(config)# crypto isakmp policy 1
~The policy number can be any number of your choice

R1(config-isakmp)# encr 3des
~The encryption method selected here is 3des. (we can use des, 3des or )

R1(config-isakmp)# hash md5
~Hashing algorithm chosen is md5

R1(config-isakmp)# authentication pre-share
~Here we are defining that we will use a pre-shared key for this VPN

R1(config-isakmp)# group 2
~We are selecting Diffie-Hellman group 2

R1(config-isakmp)# lifetime 86400
~This is the lifetime of the session key, in seconds

Next we are defining the pre-shared key that our 2 sites (routers) will use to authenticate each other.

R1(config)# crypto isakmp key OPTIMUS address 41.77.7.42
~Our pre-shared key here is ‘OPTIMUS’ and the public IP of the other router is 41.77.7.42

PHASE-2 STEPS

STEP-2: ACLs

We now create the access list that tells the router which traffic is meant to flow through the IPSec VPN.

R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
~Matches only traffic flowing from our local network to the remote site’s local network

STEP-3: IPSEC

The next thing we need to do is define the transform set which will be used to protect our data as it is sent across the tunnel. Use the following command for this.

R1(config)# crypto ipsec transform-set BUMBLE-BEE esp-3des esp-md5-hmac
~The Transform Set name is ‘BUMBLE-BEE’. Encryption method is ‘ESP-3DES’ & Hashing Algorithm is ‘MD5’

Up next we create our crypto map and tie it to our ISAKMP and IPSec configurations.

R1(config)# crypto map CMAP 10 ipsec-isakmp
~Our crypto map name is ‘CMAP’

R1(config-crypto-map)# set peer 41.77.7.42
~We set our peer IP to the public IP address of the other router

R1(config-crypto-map)# set transform-set BUMBLE-BEE
~We specify the Transform Set name to match the one created above

R1(config-crypto-map)# match address VPN-TRAFFIC
~We specify which access list the IPSec VPN will use to match traffic meant for our other router

Here we apply the crypto map to the outgoing interface of the router (the interface facing our remote site).

R1(config)# interface FastEthernet0/1
~Outgoing interface
R1(config-if)# crypto map CMAP
~Crypto map previously created

STEP-4: NAT & VPN TUNNELS

This last set of commands is only needed if you have users on your LAN who need internet access. We must explicitly tell the router that traffic destined for the internet must not be pushed through the VPN; only traffic destined for our remote site goes through the VPN.

R1(config)# ip nat inside source list 100 interface FastEthernet0/1 overload
~Our NAT statement, telling the router to translate traffic destined for the internet to our public IP address

R1(config)# access-list 100 remark [Define NAT Service]
~a description of what this access list is meant to do

R1(config)# access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
~First we exclude traffic destined for our remote site from NAT; the permit that follows covers all other traffic on our LAN

R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any
~Next we allow any traffic from our LAN


The above ACL excludes traffic towards our remote site from NAT and then allows all other traffic to be translated and routed to the internet. Keep in mind that access lists are processed from top to bottom, so the deny must come before the permit. Also remember that we have a separate access list specifically for the traffic heading to our remote site. This means that our VPN traffic is safe.
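To see why the order of the two NAT entries matters, here is a small added Python model of how IOS evaluates these access lists; it is my own illustration, not code from the post or from Cisco. It applies the NAT access list first, because IOS translates inside-to-outside traffic before it checks the crypto map, and then tests the (possibly translated) packet against VPN-TRAFFIC. R1’s own public address is not given in the post, so 203.0.113.1 is an assumed placeholder, and the internet destination 198.51.100.7 is a constructed sample.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # IOS "any"
LOCAL_LAN = ("192.168.1.0", "0.0.0.255")       # post's local LAN
REMOTE_LAN = ("192.168.2.0", "0.0.0.255")      # post's remote LAN
LOCAL_PUBLIC_IP = "203.0.113.1"                # assumed placeholder; the post does not give R1's public IP

# Step 4 NAT access list in the order the post gives it: deny VPN-bound traffic, then permit the rest
NAT_ACL_100 = [("deny", LOCAL_LAN, REMOTE_LAN), ("permit", LOCAL_LAN, ANY)]
# Step 2 interesting-traffic access list
VPN_TRAFFIC = [("permit", LOCAL_LAN, REMOTE_LAN)]


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported here")
    return ipaddress.ip_network((addr, 32 - wc.bit_length()), strict=False)


def first_match(acl, src, dst):
    """Top-to-bottom evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if s in wildcard_to_network(*src_spec) and d in wildcard_to_network(*dst_spec):
            return action
    return "deny"


def outbound_path(src, dst, nat_acl=NAT_ACL_100, vpn_acl=VPN_TRAFFIC):
    """What happens to a packet leaving the LAN: 'ipsec' (encrypted to the remote site),
    'nat' (translated and sent to the internet in the clear) or 'clear' (neither).
    IOS translates inside-to-outside traffic before it evaluates the crypto map, so a
    packet the NAT ACL permits reaches the crypto map with the public IP as its source."""
    translated = first_match(nat_acl, src, dst) == "permit"
    if translated:
        src = LOCAL_PUBLIC_IP
    if first_match(vpn_acl, src, dst) == "permit":
        return "ipsec"
    return "nat" if translated else "clear"


if __name__ == "__main__":
    for dst in ("192.168.2.10", "198.51.100.7"):      # remote LAN host, constructed internet host
        print(f"192.168.1.10 -> {dst}: {outbound_path('192.168.1.10', dst)}")
    # Same packet with the two NAT entries swapped: it is translated first and never matches VPN-TRAFFIC
    swapped = list(reversed(NAT_ACL_100))
    print("with permit before deny:", outbound_path("192.168.1.10", "192.168.2.10", nat_acl=swapped))
```

With the entries in the post’s order, a packet for the remote LAN is left untranslated and matches VPN-TRAFFIC; with the permit first, the same packet is translated to the public IP, no longer matches VPN-TRAFFIC, and leaves for the internet unencrypted, which is exactly the symptom of a tunnel that never comes up.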

TEST YOUR VPN

The last thing we do is test our VPN by running a ping across to the remote site.

R1# ping 192.168.2.1 source FastEthernet0/0
~The source keyword ensures that we are pinging from the interface designated for the LAN

R1# show crypto session
~Will show you the current status of the Crypto session

To Conclude

Now we repeat the steps on the other end of the VPN, this time swapping the IP addresses so that they point at the public IP address and the LAN address range of our initial router. For a more detailed example, click here to view how I learned to configure my first-ever VPN. With a little practice and a few tries at it, you will become a pro at creating secure tunnel connections over the internet.
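Since the second router’s configuration is the first one’s mirror image, here is an added Python helper (my own illustration, not the author’s or Cisco’s code) that generates the four-step configuration for both ends from a description of each site and checks that the two sides actually point at each other. It keeps the post’s parameters (3DES, MD5, DH group 2, OPTIMUS, BUMBLE-BEE, CMAP). R1’s public address 203.0.113.1 and the remote router’s interface names are assumed placeholders, since the post gives neither.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Site:
    hostname: str
    lan: str        # private LAN in CIDR form
    public_ip: str  # address on the internet-facing interface
    wan_if: str     # interface that gets the crypto map and the NAT overload
    lan_if: str     # interface used as the ping source when testing


# Parameters that must be identical on both ends, taken from the post
PSK = "OPTIMUS"
TRANSFORM_SET = "BUMBLE-BEE"
CRYPTO_MAP = "CMAP"

# Constructed site descriptions. 203.0.113.1 is an assumed placeholder for R1's
# public address, and R2's interface names are assumed; the post gives neither.
R1 = Site("R1", "192.168.1.0/24", "203.0.113.1", "FastEthernet0/1", "FastEthernet0/0")
R2 = Site("R2", "192.168.2.0/24", "41.77.7.42", "FastEthernet0/1", "FastEthernet0/0")


def wildcard(cidr):
    """Cisco wildcard mask for a CIDR network (the inverse of its subnet mask)."""
    return str(ip_network(cidr).hostmask)


def acl_pair(cidr):
    """'network wildcard' as it appears in an IOS access-list entry."""
    net = ip_network(cidr)
    return f"{net.network_address} {wildcard(cidr)}"


def build_config(local, remote):
    """IOS commands for one router, following the post's four steps."""
    here, there = acl_pair(local.lan), acl_pair(remote.lan)
    return [
        # Step 1: ISAKMP policy and the pre-shared key for the peer
        "crypto isakmp policy 1",
        " encr 3des",
        " hash md5",
        " authentication pre-share",
        " group 2",
        " lifetime 86400",
        f"crypto isakmp key {PSK} address {remote.public_ip}",
        # Step 2: interesting traffic, local LAN to remote LAN
        "ip access-list extended VPN-TRAFFIC",
        f" permit ip {here} {there}",
        # Step 3: transform set and crypto map, applied to the outgoing interface
        f"crypto ipsec transform-set {TRANSFORM_SET} esp-3des esp-md5-hmac",
        f"crypto map {CRYPTO_MAP} 10 ipsec-isakmp",
        f" set peer {remote.public_ip}",
        f" set transform-set {TRANSFORM_SET}",
        " match address VPN-TRAFFIC",
        f"interface {local.wan_if}",
        f" crypto map {CRYPTO_MAP}",
        # Step 4: NAT overload, with VPN-bound traffic excluded before the permit
        f"ip nat inside source list 100 interface {local.wan_if} overload",
        "access-list 100 remark Define NAT Service",
        f"access-list 100 deny ip {here} {there}",
        f"access-list 100 permit ip {here} any",
    ]


def build_both(a, b):
    """Configurations for both ends; each side is built pointing at the other."""
    return {a.hostname: build_config(a, b), b.hostname: build_config(b, a)}


def _interesting_traffic(cfg):
    line = next(l for l in cfg if l.startswith(" permit ip "))
    src, src_wc, dst, dst_wc = line.split()[2:]
    return (src, src_wc), (dst, dst_wc)


def _isakmp_peer(cfg):
    line = next(l for l in cfg if l.startswith("crypto isakmp key "))
    return line.split()[-1]


def peers_consistent(cfg_a, cfg_b, public_a, public_b):
    """True when the two configs mirror each other: each side keys for the other's
    public IP and each side's VPN-TRAFFIC entry is the reverse of the other's."""
    a_src, a_dst = _interesting_traffic(cfg_a)
    b_src, b_dst = _interesting_traffic(cfg_b)
    return (a_src == b_dst and a_dst == b_src
            and _isakmp_peer(cfg_a) == public_b and _isakmp_peer(cfg_b) == public_a)


if __name__ == "__main__":
    configs = build_both(R1, R2)
    for host, cfg in configs.items():
        print(f"! ---- {host} ----")
        print("\n".join(cfg))
    print("mirrored:", peers_consistent(configs["R1"], configs["R2"], R1.public_ip, R2.public_ip))
```

The generator only emits what the post’s four steps cover; anything else the routers need (addressing, routing, NAT inside/outside roles) is left to the reader. The `peers_consistent` check catches the most common copy-and-paste mistake when mirroring by hand: pasting the first router’s access list or peer address onto the second unchanged.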


About The Author

William is a Network Engineer working in the Financial Sector as an Infrastructure and Network Administrator. Passionate about technology, he also runs a company providing a range of tech services for small, medium, and large organizations. William leverages 9 years of experience in the tech industry and has a passion for entrepreneurship with the goal of providing quality products and services to his customers. He also believes in sharing knowledge to grow the industry and help others. He maintains a blog as well as publishes ebooks to share what he has learned in his life and career. William Holds a Bachelors Degree in Computer Science (BSc) and a Huawei HCIA Certification in Routing and Switching.