Configuring a site-to-site VPN between two Cisco routers
A site-to-site Virtual Private Network (VPN) lets you maintain a secure, always-on connection between two physically separate locations across an untrusted network such as the public Internet. Traffic between the two sites passes through an encrypted tunnel, which protects it from eavesdropping and other attacks on the data in transit.
This configuration requires an IOS software image that supports encryption. The image used in the examples is C870-advipservicesk9-mz.124-15.T6.bin.
Several protocols are involved in building the VPN: protocols for exchanging keys between the peers, encryption protocols for the tunnel itself, and hashing algorithms that produce the message digests used for integrity checking.
VPN Protocols
IPSec: Internet Protocol Security (IPSec) is a suite of protocols used to secure IP communications. IPSec provides for the exchange of encryption keys and the creation of tunnels. You can think of IPSec as a framework for implementing security measures; when you build an IPSec VPN, you choose from a variety of security technologies to implement the tunnel.
ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a means of authenticating the parties to a secure communication. It typically uses the Internet Key Exchange (IKE), but other technologies can also be used. Either public keys or a pre-shared key are used to authenticate the parties to the communication.
MD5: Message-Digest Algorithm 5 (MD5) is a widely used but now insecure cryptographic hash function that produces a 128-bit hash value. A cryptographic hash function takes an arbitrary block of data and returns a fixed-size bit string, the hash value, derived from the original data. The hashing procedure is designed so that any change to the data changes the hash value. The hash value is also called the message digest.
SHA: Secure Hash Algorithm (SHA) is a set of cryptographic hash functions developed by the National Security Agency (NSA). The three SHA algorithms are structured differently and are called SHA-0, SHA-1 and SHA-2. SHA-1 is a commonly used hashing algorithm that produces a 160-bit hash value.
ESP: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite; it provides origin authenticity, integrity and confidentiality for packets. ESP also supports encryption-only and authentication-only configurations, but encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP packet header. This difference makes ESP the preferred choice in configurations that use Network Address Translation. ESP operates directly on top of IP, using IP protocol number 50.
DES: Data Encryption Standard (DES) offers 56-bit encryption. It is no longer a secure protocol, because its short key length makes it vulnerable to brute-force attacks.
3DES: Triple DES was developed to overcome the limitations and weaknesses of DES by using three different 56-bit DES keys in an encrypt, decrypt, encrypt operation, for a total key length of 168 bits. With 3DES, the data is first encrypted with one 56-bit key, then decrypted with a second 56-bit key, and the output is then encrypted with a third 56-bit key.
AES: Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It is available in several key sizes and is generally considered about six times faster than 3DES.
HMAC: The keyed-hash message authentication code (HMAC) is a type of Message Authentication Code (MAC). HMAC is computed using a specific algorithm that combines a cryptographic hash function with a secret key.
Configuring a Site-to-site VPN
Configuring a site-to-site VPN involves several steps:
Phase One configuration covers the key exchange. This process uses the ISAKMP protocol together with a hash algorithm and an authentication method for identification. It is one of two places where you must identify the peer at the opposite end of the tunnel. In this example we chose SHA as the hash algorithm because of its robust nature, including its 160-bit digest. The key vpnkey must be identical on both ends of the tunnel. The address "192.168.16.105" is the outside interface of the router at the other end of the tunnel.
Example of phase one configuration:
Tukwila(config)#crypto isakmp policy 10
Tukwila(config-isakmp)#hash sha
Tukwila(config-isakmp)#authentication pre-share
Tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105
Phase Two configuration covers the encrypted tunnel itself. In phase two you build and name a transform set that identifies the encryption protocols used to create the secure tunnel. You must also build a crypto map, in which you identify the peer at the opposite end of the tunnel, specify the transform set to be used, and specify which access control list will identify the permitted traffic. In this example we chose AES because of its greater security and better performance. The statement "set peer 192.168.16.105" identifies the outside interface of the router at the other end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters specified in the transform set vpnset for this tunnel. The statement "match address 100" tells the router to use access-list 100, defined later, to identify the traffic that goes through the tunnel.
Example of phase two configuration:
Tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
Tukwila(cfg-crypto-trans)#exit
Tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Tukwila(config-crypto-map)#set peer 192.168.16.105
Tukwila(config-crypto-map)#set transform-set vpnset
Tukwila(config-crypto-map)#match address 100
The crypto map must be applied to the outside interface (in this example, interface FastEthernet 4):
Tukwila(config)#int f4
Tukwila(config-if)#crypto map vpnset
You must explicitly permit, with an access list, the traffic from the router's inside LAN through the tunnel to the other router's inside LAN (in this example, Tukwila's inside LAN address is 10.10.10.0/24 and the other router's inside LAN address is 10.20.0.0/24):
Tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
(For more information about the syntax of access control lists, see the companion article on creating and managing access control lists on a Cisco router.)
You also need a default gateway (also known as the "gateway of last resort"). In this example the default gateway is 192.168.16.1:
Tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1
Verifying the VPN
The following two commands can be used to verify VPN connections:
Router#show crypto ipsec sa
This command displays the settings used by the current security associations (SAs).
Router#show crypto isakmp sa
This command displays the current IKE security associations.
Troubleshooting VPN Connections
After confirming physical connectivity, audit both ends of the VPN connection to make sure they mirror each other.
Use debugging to analyze VPN connection problems:
Router#debug crypto isakmp
This command lets you monitor the Phase 1 ISAKMP negotiations.
Router#debug crypto ipsec
This command lets you see the Phase 2 IPSec negotiations.
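The audit of both tunnel ends described above can be scripted. The following Python is an added example, not code from the original article: it renders both ends of the tunnel configured above from one template and checks that they mirror each other (phase 1 policy, pre-shared key, transform set, peer addresses against the other side's outside address, and mirrored crypto ACLs). Tukwila's own outside address 192.168.16.25 and the remote router's configuration are constructed assumptions for the example.

```python
def side_config(wan, peer, local_lan, remote_lan):
    """One end of the tunnel; the two ends differ only in these four arguments."""
    return f"""
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address {peer}
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer {peer}
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address {wan} 255.255.255.0
 crypto map vpnset
access-list 100 permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255
"""

# Constructed addresses: Tukwila's own WAN address is assumed; the article gives only its peer's.
TUKWILA = side_config("192.168.16.25", "192.168.16.105", "10.10.10.0", "10.20.0.0")
REMOTE = side_config("192.168.16.105", "192.168.16.25", "10.20.0.0", "10.10.10.0")

def parse_vpn(cfg):
    """Pull the phase 1, phase 2, crypto map and ACL settings out of one router's config."""
    v = {"policy": set(), "acl": {}}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] in ("hash", "authentication", "encryption", "group"):
            v["policy"].add(" ".join(t))                     # ISAKMP policy attributes
        elif t[:3] == ["crypto", "isakmp", "key"]:
            v["psk"], v["psk_peer"] = t[3], t[5]             # key and the peer it is bound to
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            v["transforms"] = set(t[4:])                     # e.g. esp-aes esp-sha-hmac
        elif t[:2] in (["set", "peer"], ["match", "address"], ["ip", "address"]):
            v[" ".join(t[:2])] = t[2]                        # crypto map peer, ACL id, WAN address
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            v["acl"][t[1]] = (tuple(t[4:6]), tuple(t[6:8]))  # (source, destination) pair
    return v

def audit(cfg_a, cfg_b):
    """Return the mismatches between the two ends; an empty list means they mirror."""
    a, b = parse_vpn(cfg_a), parse_vpn(cfg_b)
    issues = [f"{k} differs" for k in ("policy", "psk", "transforms") if a[k] != b[k]]
    for me, other, name in ((a, b, "A"), (b, a, "B")):
        if (me["set peer"], me["psk_peer"]) != (other["ip address"],) * 2:
            issues.append(f"{name}: set peer and isakmp key address must be {other['ip address']}")
    acl_a, acl_b = a["acl"].get(a["match address"]), b["acl"].get(b["match address"])
    if not acl_a or not acl_b or acl_a != (acl_b[1], acl_b[0]):
        issues.append("crypto ACLs are not mirror images of each other")
    return issues
```

Running audit(TUKWILA, REMOTE) returns an empty list for the matching pair; changing the hash, a peer address or one side's ACL produces a named mismatch before the debug commands above are needed.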
Copyright (c) 2008 Don R. Crawley