Setting Up an IPSEC VPN - VPN between a
remote site and a corporate office using Cisco
routers
The Main office has a 2620 router (called mainrtr) with 3 ethernet interfaces. One interface is
used for the internal network (IP address 172.23.10.1/16) and one is used to connect to the
Internet through a DSL service (IP address
207.194.10.198/24). The remote site has a 1751 router
(called remotertr) with 2 ethernet interfaces. One interface
connects to the internal network (IP address 172.25.10.1/16)
and the other connects to the Internet via DSL (IP address
207.194.10.199/24). Both routers are loaded with the latest
version of the IP plus IPSEC 56 IOS image.
The first step is to set up the IKE policies on the routers.
The IKE policy states the kind of encryption and hash to use
and the type of authentication that will be implemented.
The parameters need to be the same at either end of the VPN.
On the central office router:
mainrtr(config)# crypto isakmp policy 1
mainrtr(config-isakmp)# encryption des
mainrtr(config-isakmp)# hash sha
mainrtr(config-isakmp)# authentication pre-share
mainrtr(config-isakmp)# lifetime 86400
mainrtr(config-isakmp)# end
On the remote site router you would use the exact same
commands. Lines 2 and 3 are used to set the encryption and
hash types. DES encryption and SHA hash algorithm are the
defaults, so those lines could be omitted. Line 4 specifies
that the key used is pre-shared, that is, no certificate
authority (CA) is used. Line 5 states how long the SA is
valid for in seconds (in this case a SA is valid for 1 day).
The next step is to set up the keys that are being used.
Since the keys are pre-shared, you just configure them on the
router itself. Using a CA to issue keys is more complex, but
it is also more secure. To set the pre-shared keys, use the
following commands.
On the central office router:
mainrtr(config)# crypto isakmp identity address
mainrtr(config)# crypto isakmp key key123 address 207.194.10.199
On the remote site router:
remotertr (config)# crypto isakmp identity address
remotertr (config)# crypto isakmp key key123 address 207.194.10.198
The first line indicates the ISAKMP identity the router will
use. The address keyword specifies that the IP address will
be used as the name. The second line states that the key to
be used is 'key123', and the identity of the remote peer (in
the case of mainrtr the remote peer is 207.194.10.199, or
remotertr).
Now the actual IPSEC tunnel needs to be set up. This
involves setting up a crypto access list and defining the
transform sets. Once you have the access list and transforms
in place you can configure the IPSEC tunnel mode.
On the central office router:
mainrtr(config)# access-list 110 permit ip host 207.194.10.198
host 207.194.10.199
This configures access list 110 to encrypt all IP traffic
between the two routers. On the remote site router you
would configure the access list as a mirror image of the
one on the central office router.
On the remote site router:
remotertr (config)# access-list 110 permit ip host 207.194.10.199
host 207.194.10.198
To set up the transform set and configure tunnel mode,
use the following commands.
On the central office router:
mainrtr(config)# crypto ipsec transform-set ts1 ah-sha-hmac esp-des
mainrtr(cfg-ctypto-trans)# mode tunnel
mainrtr(cfg-ctypto-trans)# exit
Line 1 configures the AH transform, the ESP encryption
transform and names the transform set 'ts1'. The same
commands are entered on the remote site router to set up
its transform set. Now a crypto map needs to be created
to define the endpoints of the tunnel.
On the central office router:
mainrtr(config)# cypto map map1 10 ipsec-isakmp
mainrtr(cfg-ctypto-map)# match address 110
mainrtr(cfg-ctypto-map)# set peer 207.194.10.199
mainrtr(cfg-ctypto-map)# set transform-set ts1
mainrtr(cfg-ctypto-map)# exit
The first line defines an IPSEC crypto map called 'map1' and
sets a sequence number of 10. Line 2 applies the access
list we created above to the crypto map. Line 3 defines the
remote peer that can be forwarded IPSEC encrypted traffic,
and line 4 applies the transform set created above to the
crypto map. To set up the crypto map on the remote site
router, you want to set up compatible parameters.
On the remote site router:
remotertr(config)# cypto map map1 10 ipsec-isakmp
remotertr (cfg-ctypto-map)# match address 110
remotertr (cfg-ctypto-map)# set peer 207.194.10.198
remotertr (cfg-ctypto-map)# set transform-set ts1
remotertr (cfg-ctypto-map)# exit
To get it all to work, the crypto map needs to be applied
to an interface on the router.
On the central office router:
mainrtr(config)# interface ethernet 2
mainrtr(config-if)# cypto map map1
mainrtr(config-if)# exit
On the remote site router:
remotertr(config)# interface ethernet 2
remotertr(config-if)# cypto map map1
remotertr(config-if)# exit
You should now have a working IPSEC tunnel between the two
routers. To get traffic to flow between the two networks,
you would need to set up network address translation (NAT)
to resolve the IP addresses of hosts on the internal
network to that of the connected router's external interface.
Next week's newsletter will discuss the procedure to set up
NAT on the central office router used in this example.