
Lan-to-Lan IPSEC VPN Between Cisco Routers – Configuration Example

Written By Harris Andrea

We have two types of IPSEC VPNs: Lan-to-Lan (or site-to-site) encrypted VPN and Remote Access VPN.

The first one is extensively used to securely connect distant office networks and the second one for allowing remote users/teleworkers to access resources on a central site network.

In this post we will describe briefly a Lan-to-Lan IPSEC VPN and provide a full configuration example with two Cisco IOS Routers using IPSEC. Have in mind also that site-to-site IPSEC VPN can also be configured on Cisco ASA firewalls as I have described here.

With IPSEC VPNs, businesses can connect together remote office LANs over the Internet with the strong encryption and security offered by the IPSEC protocol.

IPSEC is an IETF security standard. It is basically a suite of several protocols that offer secure communication over insecure paths.

It is therefore ideal for securely connecting distant LAN networks over the insecure Internet. We could instead use a private WAN with Frame Relay or MPLS connections, but that would make the cost very high. Another modern option, of course, is SD-WAN technology, which again uses the public Internet for reduced cost.

Instead, with IPSEC VPN we can use cheap Internet connectivity (secured by IPSEC) for communication between our remote sites.

Table of Contents

  • Network Diagram
  • Configuration Example
    • Configuration of Cisco ROUTER-A:
    • Configuration of Cisco ROUTER-B:

Network Diagram

[Diagram: LAN-to-LAN IPSEC VPN between two Cisco routers; ROUTER-A (LAN 192.168.1.0/24, WAN 100.0.0.1) and ROUTER-B (LAN 192.168.2.0/24, WAN 200.0.0.1) connected over the Internet]

We will be using the example diagram above for the configuration scenario. Generally, there are two Phases for IPSEC VPN:

  • Phase 1: In this Phase we configure an ISAKMP policy. This policy establishes an initial secure channel over which further communication will follow. It defines how the IPSEC peers will authenticate each other (in this example with a pre-shared key) and what security protocols will be used.
  • Phase 2: In this Phase we configure a crypto map and crypto transform sets. In general, Phase 2 deals with the protection of the actual data communication between sites. The transform sets configured here define what authentication and encryption protocols will be used on the data traffic, and the access list referenced by the crypto map defines which traffic is protected.

Configuration Example

For IPSEC site-to-site VPN configuration check out the following example. One important point to keep in mind is NAT configuration.

In most real networks, the border router which connects the site to the Internet is used also for terminating the IPSEC VPN tunnel.

This border router must also perform NAT in order to provide access to the private LAN IP addresses to the Internet.

However, IPSEC does not work with NAT on the same router: NAT is applied before encryption, so the translated packets would no longer match the crypto access list. Therefore, we need to create a NAT exemption rule for the traffic going from Site1 to Site2 (and vice versa) in order to disable NAT for the traffic which is going to pass through the IPSEC tunnel.

Let’s see the complete configurations for ROUTER-A and ROUTER-B below:

Configuration of Cisco ROUTER-A:

ROUTER-A#show run
Building configuration...

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-A
!
boot-start-marker
boot-end-marker
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!-- Define Internet Key Exchange (IKE) policy.

crypto isakmp policy 10

!-- Specify the 256-bit AES as the
!-- encryption algorithm within an IKE policy.

encr aes 256

!-- Specify that pre-shared key authentication is used.

authentication pre-share

!-- Specify the shared secret.

crypto isakmp key testkey1234 address 200.0.0.1
!
!-- Define the IPSec transform set.

crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
!-- Define crypto map entry name "aesmap" that will use
!-- IKE to establish the security associations (SA).

crypto map aesmap 10 ipsec-isakmp

!-- Specify remote IPSec peer.

set peer 200.0.0.1

!-- Specify which transform sets
!-- are allowed for this crypto map entry.

set transform-set aes-sha-transform

!-- Name the access list that determines which traffic
!-- should be protected by IPSec.

match address acl_vpn
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
ip nat outside

!-- Apply crypto map to the outside interface.
crypto map aesmap
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat

!-- Exclude protected traffic from being NAT'ed.

deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any

!-- Access list that defines traffic protected by IPSec.

ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end

Configuration of Cisco ROUTER-B:

ROUTER-B#show run
Building configuration...

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-B
!
boot-start-marker
boot-end-marker
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!-- Define Internet Key Exchange (IKE) policy.

crypto isakmp policy 10

!-- Specify the 256-bit AES as the
!-- encryption algorithm within an IKE policy.

encr aes 256

!-- Specify that pre-shared key authentication is used.

authentication pre-share

!-- Specify the shared secret.

crypto isakmp key testkey1234 address 100.0.0.1
!
!-- Define the IPSec transform set.

crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
!-- Define crypto map entry name "aesmap" that will use
!-- IKE to establish the security associations (SA).

crypto map aesmap 10 ipsec-isakmp

!-- Specify remote IPSec peer.

set peer 100.0.0.1

!-- Specify which transform sets
!-- are allowed for this crypto map entry.

set transform-set aes-sha-transform

!-- Name the access list that determines which traffic
!-- should be protected by IPSec.

match address acl_vpn
!
interface FastEthernet0/0
ip address 200.0.0.1 255.255.255.0
ip nat outside

!-- Apply crypto map to the outside interface.
crypto map aesmap
!
interface FastEthernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
!
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat

!-- Exclude protected traffic from being NAT'ed.

deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any

!-- Access list that defines traffic protected by IPSec.

ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
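The two things that most often break this setup are the ones the configs above are careful about: the Phase 2 crypto ACLs on the two routers must be exact mirror images, and the NAT ACL must deny the VPN pair before it permits anything. The following Python script is an added example, not part of the original post and not a Cisco tool; it parses a stripped-down copy of ROUTER-A (constructed from the addressing above), derives ROUTER-B as its mirror, and reports mismatched peers, ISAKMP key addresses, non-mirrored crypto ACL entries and missing NAT exemptions. The parser understands only the handful of commands the checks need and assumes the flat `show run` layout shown above (blocks ended by `!` or by the next top-level command); it is not a general IOS parser.

```python
"""Consistency checks for a pair of Cisco IOS site-to-site IPsec configs.
Added example; ROUTER_A below is constructed from the post's addressing and
trimmed to the lines the checks need, and ROUTER_B is derived as its mirror."""
import re

ROUTER_A = """
crypto isakmp key testkey1234 address 200.0.0.1
crypto map aesmap 10 ipsec-isakmp
set peer 200.0.0.1
match address acl_vpn
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
crypto map aesmap
!
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip access-list extended acl_nat
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
"""

def swap(text, pairs):
    """Exchange each (x, y) pair in text, so ROUTER_B becomes the mirror of ROUTER_A."""
    table = {}
    for x, y in pairs:
        table[x], table[y] = y, x
    return re.sub("|".join(map(re.escape, table)), lambda m: table[m.group(0)], text)

ROUTER_B = swap(ROUTER_A, [("100.0.0.1", "200.0.0.1"), ("192.168.1.", "192.168.2.")])

ANY = ("0.0.0.0", "255.255.255.255")

def _addr(t, i):
    """One ACL address spec at t[i] (any | host A | A WILDCARD) -> ((addr, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse(text):
    """Pull out only what the checks need: crypto map, ISAKMP key, ACLs, outside interface."""
    cfg = {"acls": {}, "peer": None, "crypto_acl": None, "nat_acl": None,
           "outside_ip": None, "key": None, "key_addr": None}
    block = None  # ("acl", name) | ("map",) | ("intf", ip_address)
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            block = None
        elif t[:3] == ["ip", "access-list", "extended"]:
            block, cfg["acls"][t[3]] = ("acl", t[3]), []
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            block = ("map",)
        elif t[0] == "interface":
            block = ("intf", None)
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["key"], cfg["key_addr"] = t[3], t[5]
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = t[5]
        elif block and block[0] == "acl" and t[0] in ("permit", "deny"):
            src, i = _addr(t, 2)
            cfg["acls"][block[1]].append((t[0], src, _addr(t, i)[0]))
        elif block == ("map",) and t[:2] == ["set", "peer"]:
            cfg["peer"] = t[2]
        elif block == ("map",) and t[:2] == ["match", "address"]:
            cfg["crypto_acl"] = t[2]
        elif block and block[0] == "intf" and t[:2] == ["ip", "address"]:
            block = ("intf", t[2])
        elif block and block[0] == "intf" and t[:2] == ["crypto", "map"]:
            cfg["outside_ip"] = block[1]  # the interface carrying the crypto map is the outside
    return cfg

def check_pair(a_text, b_text):
    """Return a list of problems; an empty list means the two sides are consistent."""
    a, b = parse(a_text), parse(b_text)
    problems = []
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    for name, x, y in (("A", a, b), ("B", b, a)):
        if x["peer"] != y["outside_ip"]:
            problems.append(f"{name}: peer {x['peer']} is not the other side's outside address {y['outside_ip']}")
        if x["key_addr"] != x["peer"]:
            problems.append(f"{name}: isakmp key address {x['key_addr']} differs from peer {x['peer']}")
        nat = x["acls"].get(x["nat_acl"], [])
        first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
        for _, src, dst in [e for e in x["acls"].get(x["crypto_acl"], []) if e[0] == "permit"]:
            # Phase 2 proxy identities must be mirror images on the two peers.
            if ("permit", dst, src) not in y["acls"].get(y["crypto_acl"], []):
                problems.append(f"{name}: crypto ACL entry {src[0]} -> {dst[0]} has no mirrored entry on the other side")
            # Conservative NAT-exemption rule: an exact deny for the VPN pair must sit
            # ahead of every permit in the NAT ACL, otherwise NAT rewrites it first.
            if ("deny", src, dst) not in nat[:first_permit]:
                problems.append(f"{name}: VPN traffic {src[0]} -> {dst[0]} is not exempted from NAT in {x['nat_acl']}")
    return problems

if __name__ == "__main__":
    for p in check_pair(ROUTER_A, ROUTER_B) or ["OK: both sides are consistent"]:
        print(p)
```

Run as-is it reports that both sides are consistent; remove the `deny` line from one NAT ACL, or change one `set peer`, and it names the side and the entry. The NAT rule is deliberately strict: it wants an exact `deny` for the VPN pair ahead of the first `permit`, which is how the post's acl_nat is written, so a NAT ACL that exempts the traffic through a broader deny or a later ordering is flagged for manual review rather than silently accepted.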


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Daniel Craig says

    August 23, 2009 at 7:59 am

    Hey, I was looking around for a while searching for VPN in providing site-to-site security and I happened upon this site and your post regarding Lan IPSEC VPN between two Cisco Routers | CiscoTips. I will definitely add this to my VPN site-to-site security bookmarks!

  2. Steve says

    November 12, 2009 at 6:01 pm

    Hi,

    I have set up a site-to-site IPsec tunnel, but it only works if I set my acl_vpn to permit ip any any.
    If I set it to permit ip x.x.x.x 0.0.0.255 x.x.x.x 0.0.0.255 as I should, I get the error "No peer struct to get peer description" and it does not work.
    Do you have any idea why this is?

    regards,
    Steve

  3. BlogAdmin says

    November 13, 2009 at 6:14 am

    You must have identical but mirrored access lists on the two end ipsec routers. If on the first router you have “permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255” then on the second router you must have “permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255”.

    Make sure also that you reference the correct acl name inside your crypto map.

  4. Steve says

    November 13, 2009 at 8:39 am

    Hi, thanks for the response. I have the correct ACL in the crypto map and they are mirrored, but still I get the error "No peer struct to get peer description". It only works when I set the ACL to permit ip any any; it works fine then, but it should work with the ACL as in the example and it doesn't.
    Don’t know what I’m missing.

    regards,

    steve

  5. BlogAdmin says

    November 13, 2009 at 10:31 am

    Steve,

    Can you please post the part of your configuration related to the ipsec vpn? I need to see it in order to help you.

    Thanks

  6. Steve says

    November 15, 2009 at 4:52 pm

    Router-A

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Router A
    !
    boot-start-marker
    boot-end-marker
    resource policy
    !
    no aaa new-model
    memory-size iomem 15
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip subnet-zero
    no ip dhcp use vrf connected
    ip vrf vpn
    ip cef
    no ip ips deny-action ips-interface
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ********** address 80.x.x.x
    crypto isakmp invalid-spi-recovery
    !
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
    crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
    !
    crypto map VPN-Map-1 10 ipsec-isakmp
    set peer 80.x.x.x
    set transform-set 3DES-SHA-compression
    set pfs group2
    match address Crypto-list
    !
    !
    !
    !
    interface FastEthernet0/0
    description connected to Internet
    ip address 81.x.x.x 255.255.255.248
    duplex auto
    speed auto
    crypto map VPN-Map-1
    !
    !
    interface FastEthernet0/1
    description connected to EthernetLAN
    ip address 10.10.10.1 255.255.255.0
    duplex auto
    speed auto
    !
    ip default-gateway 81.x.x.x
    ip classless
    ip route 0.0.0.0 0.0.0.0 81.x.x.x
    !
    !
    ip http server
    no ip http secure-server
    !
    ip access-list extended Crypto-list
    !-- WITH THIS LINE IT DOES NOT WORK
    permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
    !-- WITH THIS LINE IT WORKS
    permit ip any any

    ip access-list extended Internet-inbound-ACL
    permit udp host 80.x.x.x any eq isakmp
    permit esp host 80.x.x.x any
    permit udp host 80.x.x.x any eq non500-isakmp
    permit ahp host 80.x.x.x any
    !
    control-plane
    !

    Router-B

    version 12.4
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname router B
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    no ip dhcp use vrf connected
    !
    ip tcp synwait-time 10
    no ip ips deny-action ips-interface
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ******** address 81.x.x.x
    crypto isakmp invalid-spi-recovery
    !
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
    crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
    !
    crypto map VPN-Map-1 10 ipsec-isakmp
    set peer 81.x.x.x
    set transform-set 3DES-SHA-compression
    set pfs group2
    match address Crypto-list
    !
    !
    !
    interface FastEthernet0/0
    description connected to Internet
    ip address 80.x.x.x 255.255.255.224
    ip virtual-reassembly
    speed auto
    full-duplex
    crypto map VPN-Map-1
    !
    interface FastEthernet0/1
    description connected to EthernetLAN
    ip address 172.16.10.1 255.255.255.0
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    !
    ip default-gateway 80.x.x.x
    ip classless
    ip route 0.0.0.0 0.0.0.0 80.x.x.x
    ip route 172.16.10.2 255.255.255.255 FastEthernet0/1
    !
    ip http server
    no ip http secure-server
    !
    ip access-list extended Crypto-list

    !-- WITH THIS LINE IT DOES NOT WORK
    permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
    !-- WITH THIS LINE IT WORKS
    permit ip any any

    ip access-list extended Internet-inbound-ACL
    permit udp host 81.X.X.X any eq isakmp
    permit esp host 81.x.x.x any
    permit udp host 81.x.x.x any eq non500-isakmp
    permit ahp host 81.x.x.x any
    !
    logging trap debugging

    control-plane

    !
    scheduler allocate 4000 1000
    end

  7. BlogAdmin says

    November 16, 2009 at 1:59 am

    The only strange thing on your configuration is the static route on RouterB which points to an internal host:
    ip route 172.16.10.2 255.255.255.255 FastEthernet0/1
    The above is not required. Other than that everything else looks ok. When you say it does not work what do you mean? The tunnel does not come up? The traffic does not pass through the tunnel? How do you test if it works or not? Using just ping? Try to send actual traffic from one subnet to the other and not just pinging. Let me know how it goes.

  8. Steve says

    November 16, 2009 at 5:32 am

    Thanks for the reply.

    First of all, the static route can be removed, that I know, but it should not interfere with the config, right?

    The tunnel does not come up it stays down.
    And I get the error which I can’t find the answer to
    “No peer struct to get peer description”

    So there is not even a chance to check traffic or ping because the tunnel stays down.
    It only works for me when I put in permit ip any any.

    So that is what I can't figure out. Why does it only work with the permit ip any any and not with the rule intended for this ACL?

    regards,

    Steve

  9. BlogAdmin says

    November 16, 2009 at 6:20 am

    Can you send us a debug output? Use "debug crypto isakmp" and then clear the VPN tunnel using:
    clear crypto isakmp sa
    clear crypto ipsec sa
    Then send over the debug output.

  10. Steve says

    November 16, 2009 at 6:54 am

    Ok Blogadmin thanks very much for the time and support.

    I figured out what the problem was. When configured as it should be, with the correct ACL for the crypto map, the VPN stayed down until I generated traffic from the source behind the VPN router. In my case the VPN came up without errors when I generated traffic from 172.16.10.2. So all along the reason the VPN stayed down was that there was no traffic.

    thanks again,

    Steve

  11. Aline says

    January 12, 2011 at 1:07 pm

    I would like to know if someone has already configured a VPN with two balanced links. How can I configure it if the interfaces are FastEthernet, because I can't configure multilink and I'll have two IP addresses, and I need one IP address to configure the VPN peer.

  12. Dave says

    May 30, 2011 at 5:51 am

    There should not be any problem configuring the VPN if the two interfaces are FastEthernet.

  13. Kunal says

    August 10, 2011 at 1:18 am

    I have followed this guide as well as several others and set up both my routers according to them, but for some reason I cannot see any connection when I do show crypto isakmp sa. I have tried sending traffic from PCs connected to the LAN interfaces but nothing ever comes up. I have the map set on the correct interface and do get the message that ISAKMP is on, but neither side shows anything.

  14. Kunal says

    August 10, 2011 at 1:51 am

    This is the config for the above mentioned question:

    version 12.3
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Router_A
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 10
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    ip dhcp pool LANClients
    network 192.168.2.0 255.255.255.0
    default-router 192.168.2.1
    !
    ip audit po max-events 100
    !
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    crypto isakmp key cisco123 address aaa.bbb.ccc.ddd
    !
    crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
    !
    crypto map aesmap 10 ipsec-isakmp
    set peer aaa.bbb.ccc.ddd
    set transform-set aes-sha-transform
    match address acl_vpn
    !
    interface Ethernet0/0
    description connected to Internet
    ip address ddd.ccc.bbb.aaa 255.255.255.224
    ip nat outside
    half-duplex
    crypto map aesmap
    !
    interface Ethernet0/1
    description connected to EthernetLAN
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    half-duplex
    !
    router rip
    version 2
    passive-interface Ethernet0/0
    network 192.168.2.0
    no auto-summary
    !
    ip nat pool POOL1 ddd.ccc.bbb.aaa ddd.ccc.bbb.aaa prefix-length 30
    ip nat inside source list 1 interface Ethernet0/0 overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    !
    ip access-list extended acl_nat
    deny ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended acl_vpn
    permit ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
    access-list 1 permit 192.168.0.0 0.0.255.255
    access-list 1 permit 10.141.0.0 0.0.255.255

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router_B
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 10
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    ip dhcp excluded-address 10.141.185.1 10.141.185.99
    ip dhcp excluded-address 10.141.185.150 10.141.185.255
    !
    ip dhcp pool Clients
    network 10.141.185.0 255.255.255.0
    default-router 10.141.185.1
    !
    ip audit po max-events 100
    !
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    crypto isakmp key cisco123 address ddd.ccc.bbb.aaa
    !
    crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
    !
    crypto map aesmap 10 ipsec-isakmp
    set peer ddd.ccc.bbb.aaa
    set transform-set aes-sha-transform
    match address acl_vpn
    !
    interface Ethernet0/0
    description connected to Internet
    ip address aaa.bbb.ccc.ddd 255.255.255.192
    ip nat outside
    half-duplex
    crypto map aesmap
    !
    interface Ethernet0/1
    description connected to EthernetLAN
    ip address 10.141.185.1 255.255.255.0
    ip nat inside
    half-duplex
    !
    ip nat pool POOL1 aaa.bbb.ccc.ddd aaa.bbb.ccc.ddd prefix-length 30
    ip nat inside source list 1 interface Ethernet0/0 overload
    ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    !
    ip access-list extended acl_nat
    deny ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 10.141.185.0 0.0.0.255 any
    ip access-list extended acl_vpn
    permit ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 1 permit 10.141.0.0 0.0.255.255
    access-list 1 permit 192.168.0.0 0.0.255.255
    !

  15. Blog Admin says

    August 10, 2011 at 6:49 pm

    My friend you have not followed exactly the configuration as shown on my post. You must exclude the vpn traffic from nat.

    ip nat inside source list acl_nat interface Ethernet0/0 overload

  16. Kunal says

    August 13, 2011 at 4:21 am

    Admin,

    Thanks for the quick reply.

    I would like to say I am brand new to Cisco IOS so please forgive my stupidity (past or future).

    I added the entry on both routers and still have no activity.
    The command show crypto isakmp sa still shows blank. I've tried sending ping packets to initiate traffic but no luck. Is there anything else I have to do on the routers themselves?

  17. SamAwatif says

    September 15, 2011 at 7:26 pm

    Man, many many thanks. I was confused as to how to go about allowing an IPsec tunnel while using NAT, since IPsec traffic can't be NATted. I've read other blogs but couldn't get my head around it :-( but your description & config made it a breeze. GOD BLESS :-)

  18. Gagan says

    February 25, 2013 at 8:13 am

    I'm very new to Cisco. Can you help me on this? I have to configure a site-to-site VPN with 2 Cisco routers. Router A uses an ADSL Internet connection (dynamic IP address; the ADSL modem LAN port is connected to fe0 in bridge mode). Router A's internal subnet 172.16.1.0/24 is connected on fe1. Router B uses a broadband (RJ45) Internet connection (dynamic IP address) connected on fe0. Router B's internal subnet 192.168.1.0/24 is connected on fe1. Both routers have NAT overload enabled.
    Thanks

  19. Blog Admin says

    February 25, 2013 at 9:22 am

    Gagan,

    Although it's not officially supported to have an IPsec VPN between two dynamic-IP peers, see the following link which might help you.

    https://supportforums.cisco.com/thread/343363

  20. Tim says

    December 20, 2013 at 4:16 am

    Hi, I followed the instructions. Once I got UP-IDLE; once I cleared the session the status went from negotiating to DOWN and I keep getting: No peer struct to get peer description

    can you please shed some light?

  21. Blog Admin says

    December 20, 2013 at 5:31 am

    Tim,
    This might have to do with your VPN ACL which is applied in the crypto map. The two VPN ACLs on the two sites must be exact mirrors of each other.

    Post the config here to take a look.

    Harris

  22. Tim says

    December 20, 2013 at 5:41 am

    Hi Harris,

    Thanks for the quick reply, even Cisco TAC wouldn't have responded so fast :)
    I'm sure your way works well, but after going back and forth all day, I chose a different path and it does not require a NAT/ACL.

    Created a tunnel interface and defined a static route using the tunnel0 interface.

    I'll try your method on my other two routers in my LAB, so I can get both methods working for my own knowledge.

    based on this Cisco doc.

  23. Blog Admin says

    December 20, 2013 at 9:02 am

    Yeah, using the VTI with IPSEC is a good option as well (VTIs are very flexible also)….good luck

    Harris

  24. J B says

    October 16, 2015 at 3:28 pm

    !-- add another site to ROUTER-A (assumes you use the same interface w/multiple vpns)
    !-- this additional site (ROUTER-C) has a WAN IP 300.0.0.1 LAN IP 192.168.3.0/24
    !-- (note: you can use a new key if you wish)
    crypto isakmp key testkey1234 address 300.0.0.1

    !-- add to the crypto map
    set peer 300.0.0.1

    !-- add to acl_nat
    deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

    !-- add to acl_vpn
    permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

    !-- ROUTER-C comments nearly identical to ROUTER-B
    !-- Change IP addresses on interfaces for WAN and LAN
    !-- WAN IP 300.0.0.1 LAN IP 192.168.3.0/24
    !-- change deny and permit statements for acl_nat and acl_vpn
    !-- instead of 192.168.2.0 use 192.168.3.0
    !-- if you did change the pre-authentication key on Router-A,
    !-- you'll need to ensure it's the same on Router-C, see below:
    !-- crypto isakmp key testkey1234 address 100.0.0.1
