Skip to content

Cisco IPSec Site-to-Site Configuration

December 18, 2011

Prerequisites: IPSec basics

Configuring IPSec site-to-site VPNs on a Cisco router at a basic level isn’t all that complex but it does require a few steps which can get muddied together. An IOS feature set capable of running encryption and VPN tunnels is required. In the ISR line this includes Advanced Security and up. For ISR G2 models, a universal image with a security feature set is needed.

Phase 1

ISAKMP Phase 1 needs to be configured. One Phase 1 tunnel is created per site-to-site VPN. The configuration is pretty straight forward and largely be templated for each configuration.

Router1# configure terminal
Router1(config)# crypto isakmp policy 1
Router1(config-isakmp)# authentication pre-share
Router1(config-isakmp)# hash sha
Router1(config-isakmp)# encryption aes 128
Router1(config-isakmp)# group 2
Router1(config-isakmp)# lifetime 86400
Router1(config-isakmp)# exit
Router1(config)# crypto isakmp key p4ssw0rd  address

The other side of the VPN tunnel needs to be configured with identical commands except for the last line. The address specified is the peer address or the IP the other end of the tunnel is terminated. In this example, Router2’s IP address is used. On Router2, Router1’s external IP address is used:

Router2# configure terminal
Router2(config)# crypto isakmp policy 1
Router2(config-isakmp)# authentication pre-share
Router2(config-isakmp)# hash sha
Router2(config-isakmp)# encryption aes 128
Router2(config-isakmp)# group 2
Router2(config-isakmp)# lifetime 86400
Router2(config-isakmp)# exit
Router2(config)# crypto isakmp key p4ssw0rd  address

If you are confused, here is the breakdown on what each command does:

crypto isakmp policy 1 Sets up a new ISAKMP configuration with the policy priority of 1. When an ISAKMP tunnel is brought up, it tries to find a matching configuration with the peer. It tries the configurations order based on the policy priority with 1 being the first.
authentication pre-share States the key is pre-shared and doesn’t use certificates.
hash sha Specifies SHA-1 should be the integrity algorithm used.
encryption aes 128 Sets the encryption algorithm used to protect the sessoin.
group 2 States DH group 2 (1024 bit) should be used to generate the shared secret.
lifetime 86400 How long the tunnel should stay up for in seconds.

The key must match on both systems as this is the pre-shared key which will allow the Phase 1 tunnel to be instantiated.

Phase 2

Phase 2’s configuration is a little more complex than Phase 1’s. Here is Router1’s Phase 2 configuration:

Router1# configure terminal
Router1(config)# crypto ipsec transform-set SETNAME esp-aes esp-sha
Router1(cfg-crypto-trans)# exit
Router1(config)# access-list 101 permit ip
Router1(config)# crypto map ROUTER1_ROUTER2 10 ipsec-isakmp
Router1(config-crypto-map)# set peer
Router1(config-crypto-map)# match address 101
Router1(config-crypto-map)# set transform-set SETNAME

Router2# configure terminal
Router2(config)# crypto ipsec transform-set SETNAME esp-aes esp-sha
Router2(cfg-crypto-trans)# exit
Router2(config)# access-list 101 permit ip
Router2(config)# crypto map ROUTER1_ROUTER2 10 ipsec-isakmp
Router2(config-crypto-map)# set peer
Router2(config-crypto-map)# match address 101
Router2(config-crypto-map)# set transform-set SETNAME

crypto ipsec transform-set SETNAME esp-aes esp-sha Creates a new IPSec tunnel encryption configuration named SETNAME.
access-list 101 permit ip This access list will be used to match traffic which should be encrypted in the VPN tunnel.
crypto map ROUTER1_ROUTER2 10 ipsec-isakmp Creates a new crypto map named ROUTER1_ROUTER2. The last argument indicates this will be an IPSec connection.
set peer Specifies the IP of the other side of the connection.
match address 101 Associates an access-list with the crypto map. This is the rule which indicates what traffic should traverse the tunnel.
set transform-set SETNAME Associates one or more transform sets to a crypto map.

The last step in this configuration is to assign the crypto map to an interface.

Router1(config)# interface FastEthernet 0/0
Router1(config-if)# crypto map ROUTER1_ROUTER2

If debugging is turned on you will see it is now when ISAKMP is enabled. Do a similar configuration on the other side of the connection and run a ping from an internal address to an internal address on the other side. In this example, ping the subnet from the subnet or visa versa. Make sure routes exist on both routers for this connectivity. The first ping will fail while the VPN tunnel is established but pings after should work.

The connection can also be validated by running a show command:

Router1# show crypto engine connections active
If no entries are shown the connection isn’t established. A successful VPN connection will show three lines.


From → Tutorial

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s