Configuring Dynamic Point-to-Point IPsec VTI Tunnels

Here’s the topology that I’m going to use to configure a dynamic point-to-point IPsec VTI VPN tunnel. R1 is the Hub router and R2 is the Spoke router.

[Topology diagram: R1 (Hub) and R2 (Spoke)]

1. First step, create an isakmp policy on both routers as follows:

Hub(config)#crypto isakmp policy 100
Hub(config-isakmp)#encryption aes 128
Hub(config-isakmp)#authentication pre-share
Hub(config-isakmp)#hash sha
Hub(config-isakmp)#group 2
Hub(config-isakmp)#lifetime 86400
Hub(config-isakmp)#exit
Hub(config)#


Spoke(config)#crypto isakmp policy 100
Spoke(config-isakmp)#encryption aes 128
Spoke(config-isakmp)#authentication pre-share
Spoke(config-isakmp)#hash sha
Spoke(config-isakmp)#group 2
Spoke(config-isakmp)#lifetime 86400
Spoke(config-isakmp)#exit
Spoke(config)#


2. Create a keyring containing the pre-shared key on the Hub. On the Spoke, specify the pre-shared key directly for the Hub's address.

Hub(config)#crypto keyring KEYRING
Hub(conf-keyring)#pre-shared-key address 192.168.1.2 key 0 cisco
Hub(conf-keyring)#exit
Hub(config)#


Spoke(config)#crypto isakmp key 0 cisco address 192.168.1.1


3. Next, create an IPsec transform set on both routers.

Hub(config)#crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
Hub(cfg-crypto-trans)#mode tunnel
Hub(cfg-crypto-trans)#exit
Hub(config)#


Spoke(config)#crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
Spoke(cfg-crypto-trans)#mode tunnel
Spoke(cfg-crypto-trans)#exit
Spoke(config)#


4. Create an IPsec profile on both routers that references the transform set created in step 3.

Hub(config)#crypto ipsec profile VTI
Hub(ipsec-profile)#set transform-set TRANS
Hub(ipsec-profile)#set pfs group2
Hub(ipsec-profile)#set security-association lifetime seconds 86400
Hub(ipsec-profile)#exit
Hub(config)#


Spoke(config)#crypto ipsec profile VTI
Spoke(ipsec-profile)#set transform-set TRANS
Spoke(ipsec-profile)#set pfs group2
Spoke(ipsec-profile)#set security-association lifetime seconds 86400
Spoke(ipsec-profile)#exit


5. Now create a Virtual Template interface on the Hub router; the Hub clones a tunnel interface from this template for each Spoke as its VPN session is established.

Hub(config)#interface virtual-template 10 type tunnel
Hub(config-if)#ip unnumbered fa0/0
Hub(config-if)#tunnel mode ipsec ipv4
Hub(config-if)#tunnel protection ipsec profile VTI
Hub(config-if)#exit
Hub(config)#


6. Create the tunnel interface on the Spoke router, pointing it at the Hub's address.

Spoke(config)#int tunnel 0
Spoke(config-if)#ip unnumbered fa0/0
Spoke(config-if)#tunnel source fa0/0
Spoke(config-if)#tunnel destination 192.168.1.1
Spoke(config-if)#tunnel mode ipsec ipv4
Spoke(config-if)#tunnel protection ipsec profile VTI
Spoke(config-if)#exit
Spoke(config)#


7. Finally, create an ISAKMP profile on the Hub router that matches the Spoke's address, binds the keyring, and selects the virtual template.

Hub(config)#crypto isakmp profile ISAKMP
Hub(conf-isa-prof)#match identity address 192.168.1.2 255.255.255.255
Hub(conf-isa-prof)#keyring KEYRING
Hub(conf-isa-prof)#virtual-template 10
Hub(conf-isa-prof)#exit
Hub(config)#


Now verify the session on both routers using the show crypto session command.

[Screenshot: verification-1 (show crypto session output)]

[Screenshot: verification-2 (show crypto session output)]

If Session status shows UP-IDLE, clear the session with the clear crypto session command, ping between the two ends to bring the tunnel up, and then check the status again.
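A consistency and crypto-strength check over the two configurations built in the steps above, as an added example that is not part of the original post. HUB_CONFIG and SPOKE_CONFIG are constructed from the page's own commands (prompts stripped, interface names expanded); the 20-character PSK threshold is an assumed policy value. The audit confirms that the ISAKMP policies agree and that the peer addresses on each side line up, and it flags what a reviewer would raise before this lab config went anywhere near production: the `key 0` pre-shared key stored in plaintext, DH group 2 (1024-bit MODP) for both IKE and PFS, and `hash sha`, which on IOS means SHA-1.

```python
"""Audit a Hub/Spoke IOS IPsec VTI configuration (added example, not the post's code)."""
import re

MIN_PSK_LEN = 20  # assumed policy threshold, not from the page
WEAK_DH = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}
WEAK_CIPHERS = {"des", "3des"}
# Parameters both peers must offer identically; lifetime is negotiated, not matched.
NEGOTIATED = ("encryption", "hash", "authentication", "group")

# Constructed from the page's CLI transcript.
HUB_CONFIG = """
crypto isakmp policy 100
 encryption aes 128
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
crypto keyring KEYRING
 pre-shared-key address 192.168.1.2 key 0 cisco
crypto isakmp profile ISAKMP
 match identity address 192.168.1.2 255.255.255.255
 keyring KEYRING
 virtual-template 10
crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI
 set transform-set TRANS
 set pfs group2
 set security-association lifetime seconds 86400
interface Virtual-Template10 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""

SPOKE_CONFIG = """
crypto isakmp policy 100
 encryption aes 128
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
crypto isakmp key 0 cisco address 192.168.1.1
crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI
 set transform-set TRANS
 set pfs group2
 set security-association lifetime seconds 86400
interface Tunnel0
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""


def parse_isakmp_policy(config):
    """Return {parameter: value} for the first 'crypto isakmp policy' block."""
    policy, in_block = {}, False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_block = True
        elif in_block and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policy[key] = value
        elif in_block:
            break  # first non-indented line ends the block
    return policy


def parse_psk(config):
    """Return (peer_address, key_type, key) from a keyring entry or a global isakmp key."""
    m = re.search(r"pre-shared-key address (\S+) key (\d) (\S+)", config)
    if m:
        return m.group(1), m.group(2), m.group(3)
    m = re.search(r"crypto isakmp key (\d) (\S+) address (\S+)", config)
    return (m.group(3), m.group(1), m.group(2)) if m else None


def first(pattern, config):
    """First capture group of a line-anchored regex, or None."""
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1) if m else None


def audit(hub, spoke):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    hp, sp = parse_isakmp_policy(hub), parse_isakmp_policy(spoke)
    for name in NEGOTIATED:  # a mismatch here means IKE phase 1 never completes
        if hp.get(name) != sp.get(name):
            findings.append(f"ISAKMP {name} mismatch: hub={hp.get(name)} spoke={sp.get(name)}")
    hub_psk, spoke_psk = parse_psk(hub), parse_psk(spoke)
    if hub_psk[2] != spoke_psk[2]:
        findings.append("pre-shared keys differ between hub and spoke")
    for side, (_peer, ktype, key) in (("hub", hub_psk), ("spoke", spoke_psk)):
        if ktype == "0":  # 'key 0' = unencrypted in the running-config
            findings.append(f"{side}: PSK stored as 'key 0' (plaintext in the config)")
        if len(key) < MIN_PSK_LEN:
            findings.append(f"{side}: PSK shorter than {MIN_PSK_LEN} characters")
    for side, cfg, pol in (("hub", hub, hp), ("spoke", spoke, sp)):
        if pol.get("group") in WEAK_DH:
            findings.append(f"{side}: ISAKMP DH group {pol['group']} ({WEAK_DH[pol['group']]})")
        if pol.get("hash") == "sha":
            findings.append(f"{side}: ISAKMP hash 'sha' is SHA-1")
        if pol.get("encryption", "").split(" ")[0] in WEAK_CIPHERS:
            findings.append(f"{side}: ISAKMP encryption {pol['encryption']} is weak")
        pfs = first(r"^ set pfs group(\d+)", cfg)
        if pfs in WEAK_DH:
            findings.append(f"{side}: IPsec PFS group {pfs} ({WEAK_DH[pfs]})")
    # Peer addresses referenced on each side must agree with each other.
    if hub_psk[0] != first(r"^ match identity address (\S+)", hub):
        findings.append("hub: keyring peer address differs from ISAKMP profile match identity")
    if spoke_psk[0] != first(r"^ tunnel destination (\S+)", spoke):
        findings.append("spoke: isakmp key peer address differs from tunnel destination")
    return findings


if __name__ == "__main__":
    for finding in audit(HUB_CONFIG, SPOKE_CONFIG):
        print("-", finding)
```

Run as-is it reports ten findings, all on the strength side (plaintext and short PSK, DH group 2 for IKE and PFS, SHA-1 on both routers) and none on consistency, which is exactly the state of the lab: it comes up, but the parameters are the ones to raise before reuse. Changing one side's `group 2` to `group 14` turns the output into a phase-1 mismatch finding, which is the symptom to look for when show crypto session never reaches UP-ACTIVE.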

Here’s the running-config of the routers: Running-config’s
