There are two types of IPSEC VPNs: Lan-to-Lan (or site-to-site) encrypted VPNs and Remote Access VPNs. The first is widely used to securely connect distant office networks, and the second to allow remote users/teleworkers to reach resources on a central site network. In this post we briefly describe a Lan-to-Lan IPSEC VPN and provide a full configuration example with two Cisco IOS Routers using IPSEC.
With IPSEC VPNs, businesses can connect remote office LANs together over the Internet with the strong encryption and security offered by the IPSEC protocol. IPSEC is an IETF security standard. It is basically a suite of several protocols that offer secure communication over insecure paths, which makes it ideal for securely connecting distant LAN networks over the insecure Internet. We could instead use a private WAN with Frame Relay or MPLS connections, but that would be far more expensive. With an IPSEC VPN we can use cheap Internet connectivity (secured by IPSEC) for communication between our remote sites.

We will be using the example diagram above for the configuration scenario. Generally, there are two Phases for IPSEC VPN:
- Phase 1: In this Phase we configure an ISAKMP policy. This policy establishes an initial secure channel (the IKE security association) over which the rest of the negotiation takes place. It defines how the IPSEC peers authenticate each other (pre-shared keys in our example) and which encryption and hash algorithms protect that negotiation.
- Phase 2: In this Phase we configure a crypto map and crypto transform sets. Phase 2 deals with the protection of the actual data traffic between the sites. The transform set defines which encryption and authentication protocols are applied to the data traffic, and the crypto map ties together the remote peer, the transform set and the access list that selects the traffic to be encrypted.
There is also a software VPN Configuration Tool which generates a fully working Router configuration (in text format) for site-to-site VPN between Cisco Routers (or between ASA/PIX Firewalls and Cisco Routers); it can be very handy when different Cisco VPN scenarios need to be configured. For manual site-to-site VPN configuration, check out the following examples.
Let’s see the complete configurations for ROUTER-A and ROUTER-B below:
Configuration for Cisco ROUTER-A:
ROUTER-A#show run
Building configuration…
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-A
!
boot-start-marker
boot-end-marker
!
!
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!-- Define Internet Key Exchange (IKE) policy.
crypto isakmp policy 10
!-- Specify the 256-bit AES as the
!-- encryption algorithm within an IKE policy.
encr aes 256
!-- Specify that pre-shared key authentication is used.
authentication pre-share
!-- No hash or group is set, so the IOS defaults apply
!-- (SHA-1 hash and Diffie-Hellman group 1); both sides must match.
!-- Specify the shared secret.
crypto isakmp key testkey1234 address 200.0.0.1
!
!
!-- Define the IPSec transform set.
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
!-- Define crypto map entry name "aesmap" that will use
!-- IKE to establish the security associations (SA).
crypto map aesmap 10 ipsec-isakmp
!-- Specify remote IPSec peer.
set peer 200.0.0.1
!-- Specify which transform sets
!-- are allowed for this crypto map entry.
set transform-set aes-sha-transform
!-- Name the access list that determines which traffic
!-- should be protected by IPSec.
match address acl_vpn
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
ip nat outside
!-- Apply crypto map to the outside interface.
crypto map aesmap
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
!-- Exclude protected traffic from being NAT'ed.
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!-- Access list that defines traffic protected by IPSec.
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
Configuration for Cisco ROUTER-B:
ROUTER-B#show run
Building configuration…
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-B
!
boot-start-marker
boot-end-marker
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!-- Define Internet Key Exchange (IKE) policy.
crypto isakmp policy 10
!-- Specify the 256-bit AES as the
!-- encryption algorithm within an IKE policy.
encr aes 256
!-- Specify that pre-shared key authentication is used.
authentication pre-share
!-- Specify the shared secret.
crypto isakmp key testkey1234 address 100.0.0.1
!
!
!-- Define the IPSec transform set.
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
!-- Define crypto map entry name "aesmap" that will use
!-- IKE to establish the security associations (SA).
crypto map aesmap 10 ipsec-isakmp
!-- Specify remote IPSec peer.
set peer 100.0.0.1
!-- Specify which transform sets
!-- are allowed for this crypto map entry.
set transform-set aes-sha-transform
!-- Name the access list that determines which traffic
!-- should be protected by IPSec.
match address acl_vpn
!
interface FastEthernet0/0
ip address 200.0.0.1 255.255.255.0
ip nat outside
!-- Apply crypto map to the outside interface.
crypto map aesmap
!
interface FastEthernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
!-- Exclude protected traffic from being NAT'ed.
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
!-- Access list that defines traffic protected by IPSec.
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
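Most Lan-to-Lan tunnel failures come down to the two ends disagreeing on something: the pre-shared key is bound to the wrong peer address, the ISAKMP policies or transform sets differ, or the two crypto access lists are not mirror images of each other (the point made again in the comments below). The script that follows is an added example written for this post, not part of the original article or of any Cisco tool: it parses the crypto-relevant lines of the ROUTER-A and ROUTER-B configurations above (embedded here as constructed sample text, in the same unindented form the post shows) and reports every Phase 1 / Phase 2 mismatch between the two ends. The parser only understands the commands that appear in these configurations.

```python
import ipaddress


def _addr(w, i):
    """Consume one ACL address spec at w[i] ('any', 'host X' or 'X wildcard'); return (network, next index)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] == "host" or w[i + 1] == "0.0.0.0":
        host = w[i + 1] if w[i] == "host" else w[i]
        return ipaddress.ip_network(host + "/32"), i + 2
    # ipaddress accepts a Cisco wildcard (host mask) after the slash, e.g. 192.168.1.0/0.0.0.255
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}"), i + 2


def parse_ios(text):
    """Pull the crypto-relevant pieces out of an IOS running-config; top-level commands open blocks."""
    cfg = {"isakmp": {}, "psk": {}, "tsets": {}, "map": {}, "ifaces": {}, "acls": {}}
    block = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            block = cfg["isakmp"]
        elif w[:3] == ["crypto", "isakmp", "key"]:            # crypto isakmp key <key> address <peer>
            cfg["psk"][w[5]] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            block = cfg["map"]
            block["name"] = w[2]
        elif w[0] == "interface":
            block = cfg["ifaces"].setdefault(w[1], {})
        elif w[:2] == ["ip", "access-list"]:
            block = cfg["acls"].setdefault(w[3], [])
        elif isinstance(block, list):                         # inside an access list
            if w[0] in ("permit", "deny"):
                src, i = _addr(w, 2)
                dst, _ = _addr(w, i)
                block.append((w[0], w[1], str(src), str(dst)))
        elif isinstance(block, dict):                         # isakmp policy, crypto map or interface
            if w[0] in ("encr", "hash", "group", "authentication"):
                block[w[0]] = " ".join(w[1:])
            elif w[0] == "set":                               # set peer / set transform-set
                block[w[1]] = w[2]
            elif w[:2] == ["match", "address"]:
                block["acl"] = w[2]
            elif w[:2] == ["ip", "address"]:
                block["ip"] = w[2]
            elif w[:2] == ["crypto", "map"]:                  # crypto map applied to an interface
                block["map"] = w[2]
    return cfg


def check_tunnel(a, b):
    """Compare both ends of a Lan-to-Lan tunnel; returns a list of mismatches (empty when consistent)."""
    problems = []
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        my_ip = next((i["ip"] for i in me["ifaces"].values() if i.get("map") == me["map"].get("name")), None)
        if my_ip is None:
            problems.append(f"{tag}: crypto map is not applied to any interface")
            continue
        if peer["map"].get("peer") != my_ip:
            problems.append(f"{tag}: the other side's 'set peer' does not point at {my_ip}")
        if my_ip not in peer["psk"]:
            problems.append(f"{tag}: the other side has no 'crypto isakmp key ... address {my_ip}'")
    if sorted(a["psk"].values()) != sorted(b["psk"].values()):
        problems.append("pre-shared keys differ")
    if a["isakmp"] != b["isakmp"]:
        problems.append("Phase 1: ISAKMP policy parameters differ")
    if a["tsets"].get(a["map"].get("transform-set")) != b["tsets"].get(b["map"].get("transform-set")):
        problems.append("Phase 2: transform sets differ")
    acl_a = sorted(a["acls"].get(a["map"].get("acl"), []))
    # the remote crypto ACL must be the local one with source and destination swapped
    acl_b = sorted((act, proto, dst, src) for act, proto, src, dst in b["acls"].get(b["map"].get("acl"), []))
    if acl_a != acl_b:
        problems.append("Phase 2: crypto ACLs are not mirror images of each other")
    return problems


# Constructed sample input: the crypto-relevant lines of ROUTER-A from the post.
ROUTER_A = """\
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key testkey1234 address 200.0.0.1
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
set peer 200.0.0.1
set transform-set aes-sha-transform
match address acl_vpn
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
crypto map aesmap
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# ROUTER-B is ROUTER-A with the public addresses swapped, its own LAN address, and the mirrored ACL.
ROUTER_B = (ROUTER_A.replace("200.0.0.1", "TMP").replace("100.0.0.1", "200.0.0.1").replace("TMP", "100.0.0.1")
            .replace("192.168.1.254", "192.168.2.254")
            .replace("permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
                     "permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"))
# A deliberately broken variant: one side uses 'permit ip any any' as its crypto ACL.
ROUTER_B_ANY = ROUTER_B.replace("permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255", "permit ip any any")

if __name__ == "__main__":
    print(check_tunnel(parse_ios(ROUTER_A), parse_ios(ROUTER_B)))        # []
    print(check_tunnel(parse_ios(ROUTER_A), parse_ios(ROUTER_B_ANY)))    # non-mirrored crypto ACL reported
```

The check is deliberately strict about the crypto ACLs: a `permit ip any any` on one side is not a mirror of a subnet-to-subnet entry on the other, and a mismatch there shows up as a Phase 2 proxy identity failure in `debug crypto isakmp` rather than as a clear configuration error.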
Hey, I was looking around for a while searching for Vpn In Providing Site To Site Security and I happened upon this site and your post regarding Lan IPSEC VPN between two Cisco Routers | CiscoTips, I will definitely this to my Vpn In Providing Site To Site Security bookmarks!
Hi,
I have set up a site-to-site IPsec tunnel, but it only works if I set my acl_vpn to permit ip any any.
If I set it to permit ip x.x.x.x 0.0.0.255 x.x.x.x 0.0.0.255 as I should, I get the error "No peer struct to get peer description" and it does not work.
Do you have any idea why this is?
regards,
Steve
You must have identical but mirrored access lists on the two end IPsec routers. If on the first router you have "permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255" then on the second router you must have "permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255".
Make sure also that you reference the correct acl name inside your crypto map.
Hi, thanks for the response. I have the correct ACL in the crypto map and they are mirrored, but I still get the error "No peer struct to get peer description". It only works when I set the ACL to permit ip any any; it works fine then, but it should work with the ACL as in the example and it doesn't.
Don’t know what I’m missing.
regards,
steve
Steve,
Can you please post the part of your configuration related to the ipsec vpn? I need to see it in order to help you.
Thanks
Router-A
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router A
!
boot-start-marker
boot-end-marker
resource policy
!
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
no ip dhcp use vrf connected
ip vrf vpn
ip cef
no ip ips deny-action ips-interface
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address 80.x.x.x
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 80.x.x.x
set transform-set 3DES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
!
interface FastEthernet0/0
description connected to Internet
ip address 81.x.x.x 255.255.255.248
duplex auto
speed auto
crypto map VPN-Map-1
!
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
ip default-gateway 81.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 81.x.x.x
!
!
ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
WITH THIS LINE IT DOES NOT WORK
permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
WITH THIS LINE IT WORKS
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp host 80.x.x.x any eq isakmp
permit esp host 80.x.x.x any
permit udp host 80.x.x.x any eq non500-isakmp
permit ahp host 80.x.x.x any
!
control-plane
!
Router-B
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router B
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
ip tcp synwait-time 10
no ip ips deny-action ips-interface
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 81.x.x.x
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 81.x.x.x
set transform-set 3DES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
interface FastEthernet0/0
description connected to Internet
ip address 80.x.x.x 255.255.255.224
ip virtual-reassembly
speed auto
full-duplex
crypto map VPN-Map-1
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 172.16.10.1 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
!
ip default-gateway 80.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 80.x.x.x
ip route 172.16.10.2 255.255.255.255 FastEthernet0/1
!
ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
WITH THIS LINE IT DOES NOT WORK
permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
WITH THIS LINE IT WORKS
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp host 81.X.X.X any eq isakmp
permit esp host 81.x.x.x any
permit udp host 81.x.x.x any eq non500-isakmp
permit ahp host 81.x.x.x any
!
logging trap debugging
control-plane
!
scheduler allocate 4000 1000
end
The only strange thing in your configuration is the static route on Router-B which points to an internal host:
ip route 172.16.10.2 255.255.255.255 FastEthernet0/1
The above is not required. Other than that everything else looks ok. When you say it does not work what do you mean? The tunnel does not come up? The traffic does not pass through the tunnel? How do you test if it works or not? Using just ping? Try to send actual traffic from one subnet to the other and not just pinging. Let me know how it goes.
Thanks for the reply.
First of all, the static route can be removed, that I know, but it should not interfere with the config, right?
The tunnel does not come up it stays down.
And I get the error which I can’t find the answer to
“No peer struct to get peer description”
So there is not even a chance to check traffic or ping because the tunnel stays down.
It only works for me when I put in permit ip any any.
So that is what I can't figure out. Why does it only work with the permit ip any any and not with the rule intended for this ACL?
regards,
Steve
Can you send us a debug output? Use "debug crypto isakmp" and then clear the VPN tunnel using:
clear crypto isakmp sa
clear crypto ipsec sa
Then send over the debug output.
Ok Blogadmin thanks very much for the time and support.
I figured out what the problem was. When configured as it should be, with the correct ACL for the crypto map, the VPN stayed down until I generated traffic from the source behind the VPN router. In my case the VPN came up without errors when I generated traffic from 172.16.10.2. So all along the reason the VPN stayed down was that there was no traffic.
Thanks again,
Steve
I would like to know if someone has already configured a VPN with two balanced links. How can I configure it if the interfaces are FastEthernet? I can't configure multilink, so I'll have two IP addresses, and I need one IP address to configure the VPN peer.
There should not be any problem configuring the VPN if the two interfaces are FastEthernet.
I have followed this guide as well as several others and set up both my routers according to them, but for some reason I cannot see any connection when I do show crypto isakmp sa. I have tried sending traffic from PCs connected to the LAN interfaces but nothing ever comes up. I have the map set on the correct interface and do get the message that ISAKMP is on, but neither side shows anything.
This is the config for the above mentioned question:
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp pool LANClients
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip audit po max-events 100
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key cisco123 address aaa.bbb.ccc.ddd
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer aaa.bbb.ccc.ddd
set transform-set aes-sha-transform
match address acl_vpn
!
interface Ethernet0/0
description connected to Internet
ip address ddd.ccc.bbb.aaa 255.255.255.224
ip nat outside
half-duplex
crypto map aesmap
!
interface Ethernet0/1
description connected to EthernetLAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
half-duplex
!
router rip
version 2
passive-interface Ethernet0/0
network 192.168.2.0
no auto-summary
!
ip nat pool POOL1 ddd.ccc.bbb.aaa ddd.ccc.bbb.aaa prefix-length 30
ip nat inside source list 1 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
ip access-list extended acl_nat
deny ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.141.0.0 0.0.255.255

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_B
!
boot-start-marker
boot-end-marker
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp excluded-address 10.141.185.1 10.141.185.99
ip dhcp excluded-address 10.141.185.150 10.141.185.255
!
ip dhcp pool Clients
network 10.141.185.0 255.255.255.0
default-router 10.141.185.1
!
ip audit po max-events 100
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key cisco123 address ddd.ccc.bbb.aaa
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer ddd.ccc.bbb.aaa
set transform-set aes-sha-transform
match address acl_vpn
!
interface Ethernet0/0
description connected to Internet
ip address aaa.bbb.ccc.ddd 255.255.255.192
ip nat outside
half-duplex
crypto map aesmap
!
interface Ethernet0/1
description connected to EthernetLAN
ip address 10.141.185.1 255.255.255.0
ip nat inside
half-duplex
!
ip nat pool POOL1 aaa.bbb.ccc.ddd aaa.bbb.ccc.ddd prefix-length 30
ip nat inside source list 1 interface Ethernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
ip access-list extended acl_nat
deny ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 10.141.185.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 1 permit 10.141.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
!
My friend you have not followed exactly the configuration as shown on my post. You must exclude the vpn traffic from nat.
ip nat inside source list acl_nat interface Ethernet0/0 overload
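Why the NAT exemption matters is a question of IOS order of operations: for a packet going from the inside to the outside interface, NAT is applied before the crypto map is consulted, so a source address that has already been translated to the outside interface address no longer matches the crypto ACL and the packet leaves in cleartext instead of triggering the tunnel. The following is an added example written for this thread, not code from the post or from Cisco: it models that ordering for the reader's two NAT lists above (the plain `access-list 1` without a deny, and the `acl_nat` that denies the VPN traffic first). The outside address 203.0.113.1 is a constructed documentation-range placeholder for the reader's ddd.ccc.bbb.aaa.

```python
import ipaddress

# Constructed sample values: the reader's LAN subnets and a placeholder outside address.
OUTSIDE_IP = "203.0.113.1"
ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard(addr, mask):
    """Cisco 'address wildcard' pair to a network (ipaddress accepts a host mask after the slash)."""
    return ipaddress.ip_network(f"{addr}/{mask}")


# access-list 1 permit 192.168.0.0 0.0.255.255 / permit 10.141.0.0 0.0.255.255
# A standard ACL only looks at the source, so the destination side is 'any'. No deny for VPN traffic.
NAT_LIST_1 = [("permit", wildcard("192.168.0.0", "0.0.255.255"), ANY),
              ("permit", wildcard("10.141.0.0", "0.0.255.255"), ANY)]

# ip access-list extended acl_nat: exclude the VPN traffic first, then permit everything else.
ACL_NAT = [("deny", wildcard("192.168.2.0", "0.0.0.255"), wildcard("10.141.185.0", "0.0.0.255")),
           ("permit", wildcard("192.168.2.0", "0.0.0.255"), ANY)]

# ip access-list extended acl_vpn: the interesting traffic referenced by the crypto map.
ACL_VPN = [("permit", wildcard("192.168.2.0", "0.0.0.255"), wildcard("10.141.185.0", "0.0.0.255"))]


def acl_action(acl, src, dst):
    """First-match evaluation of an access list, with the implicit deny at the end."""
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def outbound_path(src, dst, nat_acl, crypto_acl, outside_ip=OUTSIDE_IP):
    """Model the inside-to-outside order of operations on IOS: the NAT list is evaluated first
    and, if it permits the packet, PAT overload rewrites the source to the outside interface
    address; only then is the crypto map's ACL checked against the (possibly translated) packet.
    Returns (source address on the wire, 'encrypted' or 'cleartext')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_action(nat_acl, src, dst) == "permit":
        src = ipaddress.ip_address(outside_ip)
    verdict = "encrypted" if acl_action(crypto_acl, src, dst) == "permit" else "cleartext"
    return str(src), verdict


if __name__ == "__main__":
    # VPN traffic with the reader's original NAT list: translated first, so it never matches acl_vpn.
    print(outbound_path("192.168.2.10", "10.141.185.20", NAT_LIST_1, ACL_VPN))
    # The same packet with acl_nat: the deny keeps the real source, and the packet is encrypted.
    print(outbound_path("192.168.2.10", "10.141.185.20", ACL_NAT, ACL_VPN))
    # Ordinary Internet traffic is still translated and sent in the clear.
    print(outbound_path("192.168.2.10", "198.51.100.9", ACL_NAT, ACL_VPN))
```

The `encrypted` verdict is also the event that brings the tunnel up in the first place: as the earlier commenter found, an IKE negotiation is only started when a packet matching the crypto ACL arrives, so with the deny missing from the NAT list no packet ever qualifies and `show crypto isakmp sa` stays empty.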
Admin,
Thanks for the quick reply.
I would like to say I am brand new to Cisco IOS so please forgive my stupidity (past or future).
I added the entry on both routers and still have no activity.
The command show crypto isakmp sa still shows blank. I've tried sending ping packets to initiate traffic but no luck. Is there anything else I have to do on the routers themselves?
Man, many many thanks. I was confused as to how to go about allowing an IPsec tunnel while using NAT, since IPsec traffic can't be NATted. I've read other blogs but couldn't get my head around it,
but your description & config made it a breeze.. GOD BLESS