Archive for November, 2008



Number of CCIE Certified in the World

Thursday 13 November 2008 @ 7:04 am

For all those wondering how many total CCIE certified engineers exist in the world, the latest number we know is 18084 (as of 10/10/2008). It is amazing that 89% of those (16019) are Routing and Switching CCIEs with the second choice being the Security CCIE (1828). All the numbers by certification track are shown below:
  

Certification Track            Number of CCIEs worldwide
Routing and Switching CCIEs    16019
Security CCIEs                 1828
Service Provider CCIEs         1006
Voice CCIEs                    822
Storage Networking CCIEs       139




Lan-to-Lan IPSEC VPN between two Cisco Routers

Monday 10 November 2008 @ 4:49 am

We have two types of IPSEC VPNs: Lan-to-Lan (or site-to-site) encrypted VPN and Remote Access VPN. The first one is extensively used to securely connect distant office networks and the second one for allowing remote users/teleworkers to access resources on a central site network. In this post we will describe briefly a Lan-to-Lan IPSEC VPN and provide a full configuration example with two Cisco IOS Routers using IPSEC.

With IPSEC VPNs, businesses can connect remote office LANs together over the Internet with the strong encryption and security offered by the IPSEC protocol suite. IPSEC is an IETF security standard: a suite of protocols that provide secure communication over insecure paths, which makes it ideal for securely connecting distant LANs over the untrusted Internet. The alternative, a private WAN with Frame Relay or MPLS connections, is far more expensive. With an IPSEC VPN we can instead use cheap Internet connectivity, secured by IPSEC, for communication between our remote sites.

[Diagram: Lan-to-Lan IPSEC VPN between two Cisco routers]

We will be using the example diagram above for the configuration scenario. Generally, there are two Phases for IPSEC VPN:

  • Phase 1: In this phase we configure an ISAKMP policy. The policy establishes an initial secure channel (the IKE SA) over which the rest of the negotiation takes place; it defines how the IPSEC peers authenticate each other and which encryption and hashing algorithms protect that channel.
  • Phase 2: In this phase we configure a crypto map and crypto transform sets. Phase 2 deals with the actual data traffic between the sites: the transform sets define which authentication and encryption protocols are applied to the data, and the crypto map ties together the transform set, the remote peer and the access list that selects the traffic to protect.

There is a software VPN Configuration Tool which generates a fully working Router configuration (in text format) for site-to-site VPN between Cisco Routers (or even between ASA/PIX Firewalls and Cisco Routers) which can be very handy in many situations requiring the configuration of different Cisco VPN scenarios. For manual site-to-site VPN config check out the following examples.

Let’s see the complete configurations for ROUTER-A and ROUTER-B below:

Configuration for Cisco ROUTER-A:

ROUTER-A#show run
Building configuration...

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-A
!
boot-start-marker
boot-end-marker
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!-- Define the Internet Key Exchange (IKE) policy.
!-- Hash and Diffie-Hellman group are not set here, so the IOS defaults (SHA-1, group 1) apply.
crypto isakmp policy 10
 !-- Use 256-bit AES as the encryption algorithm within the IKE policy.
 encr aes 256
 !-- Use pre-shared key authentication.
 authentication pre-share
!-- The shared secret for the remote peer (must be identical on ROUTER-B).
crypto isakmp key testkey1234 address 200.0.0.1
!
!-- Define the IPSec transform set (ESP with AES-256 and SHA-1 HMAC).
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
!-- Define crypto map entry "aesmap" that uses IKE to establish the security associations (SA).
crypto map aesmap 10 ipsec-isakmp
 !-- Remote IPSec peer.
 set peer 200.0.0.1
 !-- Transform sets allowed for this crypto map entry.
 set transform-set aes-sha-transform
 !-- Access list that selects the traffic to be protected by IPSec.
 match address acl_vpn
!
interface FastEthernet0/0
 ip address 100.0.0.1 255.255.255.0
 ip nat outside
 !-- Apply the crypto map to the outside interface.
 crypto map aesmap
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
 !-- Exclude the protected (VPN) traffic from NAT; this deny must precede the permit.
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
!-- Access list that defines the traffic protected by IPSec (mirrored on ROUTER-B).
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

Configuration for Cisco ROUTER-B:

ROUTER-B#show run
Building configuration...

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-B
!
boot-start-marker
boot-end-marker
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!-- Define the Internet Key Exchange (IKE) policy.
!-- Hash and Diffie-Hellman group are not set here, so the IOS defaults (SHA-1, group 1) apply.
crypto isakmp policy 10
 !-- Use 256-bit AES as the encryption algorithm within the IKE policy.
 encr aes 256
 !-- Use pre-shared key authentication.
 authentication pre-share
!-- The shared secret for the remote peer (must be identical on ROUTER-A).
crypto isakmp key testkey1234 address 100.0.0.1
!
!-- Define the IPSec transform set (ESP with AES-256 and SHA-1 HMAC).
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
!-- Define crypto map entry "aesmap" that uses IKE to establish the security associations (SA).
crypto map aesmap 10 ipsec-isakmp
 !-- Remote IPSec peer.
 set peer 100.0.0.1
 !-- Transform sets allowed for this crypto map entry.
 set transform-set aes-sha-transform
 !-- Access list that selects the traffic to be protected by IPSec.
 match address acl_vpn
!
interface FastEthernet0/0
 ip address 200.0.0.1 255.255.255.0
 ip nat outside
 !-- Apply the crypto map to the outside interface.
 crypto map aesmap
!
interface FastEthernet0/1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
!
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
 !-- Exclude the protected (VPN) traffic from NAT; this deny must precede the permit.
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
!-- Access list that defines the traffic protected by IPSec (mirrored on ROUTER-A).
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end
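Most site-to-site tunnels that fail to come up do so because the two sides were edited by hand and no longer agree: the peer address is not the other router's outside address, the pre-shared keys differ, the transform sets differ, the crypto ACLs are not exact mirrors, or the NAT exemption deny is missing so the traffic is translated before it can match the crypto ACL. The script below is an added example, not code from the post or from Cisco: it parses the crypto, interface and NAT lines of both configurations above (trimmed to the commands the checker understands; ROUTER-B is derived from ROUTER-A by swapping addresses) and cross-checks the Phase 1 and Phase 2 parameters that must match. A constructed second copy of ROUTER-B with the NAT-exemption deny left out shows the failure the check is meant to catch.

```python
from ipaddress import IPv4Network

# Constructed sample input: ROUTER-A from the post, trimmed to the crypto, interface and NAT lines.
ROUTER_A = """\
crypto isakmp key testkey1234 address 200.0.0.1
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer 200.0.0.1
 set transform-set aes-sha-transform
 match address acl_vpn
interface FastEthernet0/0
 ip address 100.0.0.1 255.255.255.0
 crypto map aesmap
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip access-list extended acl_nat
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# ROUTER-B is the mirror image: swap the two LANs and the two public addresses.
ROUTER_B = (ROUTER_A.replace("192.168.1.0", "@").replace("192.168.2.0", "192.168.1.0").replace("@", "192.168.2.0")
            .replace("200.0.0.1", "@").replace("100.0.0.1", "200.0.0.1").replace("@", "100.0.0.1"))
# Constructed failure case: ROUTER-B with the NAT-exemption deny entry left out.
ROUTER_B_NO_EXEMPT = ROUTER_B.replace(" deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255\n", "")

def _nets(tokens):
    """Turn the source/destination part of an IOS ACL entry into two IPv4Network objects."""
    out, i = [], 0
    while len(out) < 2:
        if tokens[i] == "any":
            out.append(IPv4Network("0.0.0.0/0")); i += 1
        else:  # 'address wildcard' form; ipaddress accepts a host mask in place of a prefix
            out.append(IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)); i += 2
    return tuple(out)

def parse_config(text):
    """Extract the VPN-relevant pieces of an IOS running-config into a dict."""
    cfg = {"keys": {}, "tsets": {}, "maps": {}, "ifaces": {}, "acls": {}, "nat_acl": None}
    section = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command: close the previous section
            section = None
            if t[:3] == ["crypto", "isakmp", "key"]:
                cfg["keys"][t[5]] = t[3]  # pre-shared key indexed by peer address
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][t[3]] = tuple(t[4:])
            elif t[:2] == ["crypto", "map"]:
                section = ("map", t[2]); cfg["maps"][t[2]] = {}
            elif t[0] == "interface":
                section = ("iface", t[1]); cfg["ifaces"][t[1]] = {}
            elif t[:2] == ["ip", "access-list"]:
                section = ("acl", t[3]); cfg["acls"][t[3]] = []
            elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
                cfg["nat_acl"] = t[5]
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "map":  # 'set peer X' / 'set transform-set X' / 'match address X'
            cfg["maps"][name][t[1]] = t[2]
        elif kind == "iface" and t[:2] in (["ip", "address"], ["crypto", "map"]):
            cfg["ifaces"][name][t[1]] = t[2]
        elif kind == "acl":
            cfg["acls"][name].append((t[0], _nets(t[2:])))
    return cfg

def vpn_side(cfg):
    """Collapse a parsed config into the parameters that must agree with the peer."""
    iface = next(v for v in cfg["ifaces"].values() if "map" in v)
    cmap = cfg["maps"][iface["map"]]
    return {"ip": iface["address"], "peer": cmap["peer"], "key": cfg["keys"].get(cmap["peer"]),
            "tset": cfg["tsets"].get(cmap["transform-set"]),
            "acl": cfg["acls"].get(cmap["address"], []), "nat": cfg["acls"].get(cfg["nat_acl"], [])}

def cross_check(text_a, text_b):
    """Return a list of mismatches between two site-to-site peers; an empty list means consistent."""
    sides = {"A": vpn_side(parse_config(text_a)), "B": vpn_side(parse_config(text_b))}
    problems = []
    for ln, rn in (("A", "B"), ("B", "A")):
        s, r = sides[ln], sides[rn]
        if s["peer"] != r["ip"]:  # Phase 1: the peer must be the other side's outside address
            problems.append(f"{ln}: set peer {s['peer']} is not {rn}'s outside address {r['ip']}")
        for action, (src, dst) in s["acl"]:
            if action != "permit": continue
            # Phase 2: the crypto ACL must be mirrored on the peer or the SA proposal is rejected
            if ("permit", (dst, src)) not in r["acl"]:
                problems.append(f"{ln}: crypto ACL {src}->{dst} has no mirror entry on {rn}")
            # NAT exemption: the first NAT ACL entry covering the protected traffic must be a deny,
            # otherwise the packet is translated before it can match the crypto ACL
            hit = next((act for act, (ns, nd) in s["nat"] if src.subnet_of(ns) and dst.subnet_of(nd)), None)
            if hit != "deny":
                problems.append(f"{ln}: {src}->{dst} is NATed before encryption (NAT ACL match: {hit})")
    a, b = sides["A"], sides["B"]
    if a["key"] is None or a["key"] != b["key"]:
        problems.append("pre-shared keys are missing or differ between the two peers")
    if a["tset"] != b["tset"]:
        problems.append(f"transform sets differ: {a['tset']} vs {b['tset']}")
    return problems
```

Calling cross_check(ROUTER_A, ROUTER_B) on the post's configurations returns an empty list; cross_check(ROUTER_A, ROUTER_B_NO_EXEMPT) reports that ROUTER-B's 192.168.2.0/24 to 192.168.1.0/24 traffic would be NATed before encryption. The parser only understands the commands used in this post (named extended ACLs with "any" or address/wildcard pairs); the ISAKMP policy itself is not compared, so a hash or DH-group mismatch still has to be checked by hand.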




Blocking peer-to-peer using Cisco IOS NBAR

Tuesday 4 November 2008 @ 9:06 am

Cisco IOS Routers support application traffic classification using the Network Based Application Recognition (NBAR) feature. This brings application intelligence to the Layer 3 router device, putting more value into your network infrastructure. NBAR is usually used for classifying mission critical applications in order to apply Quality of Service and bandwidth guarantees in the network.

Another useful implementation of NBAR is to identify and block peer-to-peer file sharing applications which are difficult to restrict by just Access Control Lists. These applications are intelligent enough to use different communication ports in order to bypass firewalls and ACL restrictions. With NBAR, you can identify them on the application layer which is much more effective.

The protocols/applications supported by NBAR depend on the IOS version you are running. If your current IOS version does not support a specific application or protocol, you can download extra PDLM (Packet Description Language Module) files from Cisco, which add support for additional applications and protocols. These PDLM files are stored in the router flash and loaded with router(config)# ip nbar pdlm flash://pdlm-name
To see which NBAR protocols are supported in your current IOS, use the command match protocol ? (under the class-map command) and check the options that appear.

Let's see an example configuration below:

! Assume the following peer-to-peer applications are not supported by the running
! IOS and that we have downloaded the appropriate PDLMs to flash.

Router(config)# ip nbar pdlm flash://kazaa2.pdlm
Router(config)# ip nbar pdlm flash://bittorrent.pdlm
Router(config)# ip nbar pdlm flash://gnutella.pdlm
Router(config)# ip nbar pdlm flash://eDonkey.pdlm

! Configure a class-map that identifies the traffic (match-any: a packet matching
! any one of the listed protocols belongs to the class).

Router(config)# class-map match-any peer-to-peer
Router(config-cmap)# match protocol gnutella
Router(config-cmap)# match protocol kazaa2
Router(config-cmap)# match protocol napster
Router(config-cmap)# match protocol fasttrack
Router(config-cmap)# match protocol novadigm
Router(config-cmap)# match protocol edonkey
Router(config-cmap)# match protocol bittorrent

! Apply an action to the classified traffic using a policy-map.

Router(config)# policy-map drop-peer-to-peer
Router(config-pmap)# class peer-to-peer
Router(config-pmap-c)# drop

! Apply the policy inbound on the interface facing the internal LAN.

Router(config)# interface FastEthernet0/0
Router(config-if)# ip nbar protocol-discovery
Router(config-if)# service-policy input drop-peer-to-peer
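A match protocol line for a keyword the running IOS does not know is rejected at the CLI, so before pushing the class-map above it is worth checking the wanted protocols against the output of match protocol ? and loading a PDLM for each one that is missing. The script below is an added example, not code from the post or from Cisco: it takes a pasted match protocol ? listing (a constructed, shortened sample here; the real listing is much longer) and the protocol list from the post, reports which protocols need a PDLM, and emits the configuration with one ip nbar pdlm line per missing protocol. The assumption that a PDLM file is named after its protocol keyword (bittorrent.pdlm) follows the post's example and is not guaranteed for every module.

```python
# Constructed sample of the listing 'match protocol ?' prints on some IOS image
# (keyword, then description). It deliberately lacks the four protocols the post
# loads from PDLM files.
MATCH_PROTOCOL_HELP = """\
  dns           Domain Name Server lookup
  fasttrack     FastTrack traffic (KaZaA, Morpheus, Grokster)
  ftp           File Transfer Protocol
  http          World Wide Web traffic
  napster       Napster traffic
  novadigm      Novadigm EDM
"""

# The protocols the post's class-map wants to block, in the post's order.
WANTED = ["gnutella", "kazaa2", "napster", "fasttrack", "novadigm", "edonkey", "bittorrent"]

def supported_protocols(help_text):
    """Return the set of protocol keywords (first column) from a 'match protocol ?' listing."""
    return {line.split()[0] for line in help_text.splitlines() if line.strip()}

def missing_protocols(wanted, help_text):
    """Protocols the image does not know; each needs a PDLM before 'match protocol' accepts it."""
    known = supported_protocols(help_text)
    return [p for p in wanted if p not in known]

def build_p2p_policy(wanted, help_text, iface="FastEthernet0/0"):
    """Emit the post's NBAR drop configuration, preceded by a PDLM load for each missing protocol."""
    # Assumption (not guaranteed by Cisco): the PDLM file is named after the protocol keyword.
    lines = [f"ip nbar pdlm flash://{p}.pdlm" for p in missing_protocols(wanted, help_text)]
    lines += ["class-map match-any peer-to-peer"] + [f" match protocol {p}" for p in wanted]
    lines += ["policy-map drop-peer-to-peer", " class peer-to-peer", "  drop",
              f"interface {iface}", " ip nbar protocol-discovery",
              " service-policy input drop-peer-to-peer"]
    return "\n".join(lines)
```

With the sample listing, missing_protocols(WANTED, MATCH_PROTOCOL_HELP) returns gnutella, kazaa2, edonkey and bittorrent, and build_p2p_policy(WANTED, MATCH_PROTOCOL_HELP) starts with the four ip nbar pdlm lines before the class-map. Paste the real match protocol ? output from your router in place of the sample to check your own image.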



