How to configure IPSEC encryption with the Cisco IOS (site to site VPN tunneling)

The OSPF dynamic routing protocol is probably the most popular LAN routing protocol today. OSPF can scale to the largest LANs but can also start out small. While OSPF can be complex to configure, its basic configuration isn’t difficult. Let’s learn how to configure OSPF in the Cisco IOS.

What do you need to know about OSPF?

IPSEC VPN Configuration in the Cisco IOS is not an easy task. For even experienced IT Pros, if you have never configured a Cisco IOS VPN, attempting to configure it can be frustrating and complex. In this article, we will look at a working Cisco IOS IPSEC VPN configuration and dissect the important parts to help you understand this very useful configuration.

What is an IPSEC VPN?

IPSec (or IP Security) offers methods to authenticate and encrypt IP traffic as if traverses a network. By doing this, that traffic can remain secure in transit. VPN (or virtual private networks) are created when network traffic is tunneled through another network. In our case, we are using IPSec to encrypt the VPN tunnel.

A site to site VPN tunnel is just a VPN tunnel that is, usually, permanently connected and used to connect two networks through another network (usually through the Internet). The Cisco router IOS can be used to create a site to site VPN tunnel using IPSec. You could connect a Cisco IOS router to another router, a Cisco PIX, Cisco ASA, or other brand of router/firewall. You should note that the IPSEC/FW edition of the Cisco IOS is required to perform the VPN (crypto) commands shown below.

Our Sample IPSec VPN Configuration in the Cisco IOS

Here is a sample Cisco IOS site to site VPN configuration using IPSEC for encryption:

interface E0/0ip address 192.168.1.254 255.255.255.0

interface Fa3/0ip address 2.2.2.2 255.255.255.0

crypto isakmp policy 1 encryption 3desauthentication pre-share crypto isakmp key secretpassword address 1.1.1.1 crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 crypto map Cryptomap1 10 ipsec-isakmp set peer 1.1.1.1 set transform-set mytransformset match address 101

interface Fa3/0 crypto map Cryptomap1

Now, let’s examine this configuration with the goal of helping you to understand it, be able to implement it, and troubleshoot it.

Our Sample IPSec VPN Configuration in the Cisco IOS – Explained

Let’s start from the top of the configuration and go down.

1. The crypto policy– used to define what the ISAKMP security settings will be between these two peers. In our example, we set the policy to use IPSEC (with the 3des encryption) and the authentication is set to pre-shared.

2. The crypto key – used as the pre-shared key between the two routers forming the IPSec VPN

3. The ipsec transform-set – used to set the IPSec encryption settings between the two routers forming the IPSec VPN

4. The Access-list – the ACL is very important as it defines what traffic is and is not encrypted between the two routers. If the traffic is not permitted in the ACL, that traffic is not encrypted.

5. Creating the crypto-map – the crypto-map is what brings the policy, key, transform-set, and access-list all together. You define the name of the crypto-map and that name is then used to apply the crypto-map to the interface.

6. The crypto map command – you will notice on the Fa3/0 interface the crypto map {cryptomap1} statement. This is the last statement that should be added to the configuration. This is where the VPN tunnel is actually applied. Applying this enables the tunnel. Notice how the crypto map has a name (which we named “Cryptomap1”). Crypto-maps can have many line numbers. Notice the “10” above, that shows that we are configuring line 10 of the crypto-map. From there, you could add lines 20, 30, and so on.

When the router boots up, the VPN is down. The encrypted tunnel is formed when the first packet is sent that matches the ACL.

The router that this router is connecting to, on the other side of the tunnel, would have all the same settings except the IP addressing would be reversed.

Also, don’t forget to allow the following into your Access-list or firewall, coming into your router, from the Internet. access-list 150 permit udp host 1.1.1.1 any eq isakmp access-list 150 permit esp host 1.1.1.1 any

You can use the show crypto command to view your crypto maps.

For more information on configuring Cisco IOS VPNs and crypto-maps, see the official Cisco documentation.

In Summary

In this article, we learned what an IPSec site-to-site VPN is and we showed a working configuration. From there we dissected that configuration, line by line, to help you understand it. IPSec VPNs are critical connections for most businesses today. Undoubtedly, you will come across a Cisco IOS VPN configuration at some point. Being able to quickly comprehend and troubleshoot these complex configuration just might save your day!

To learn more about Cisco networking, consider the Train Signal CCNA Video Training package!