Configuring a static IPsec VTI tunnel

Here’s the topology I’m going to use to configure a static IPsec VTI (virtual tunnel interface) tunnel between two Cisco IOS routers, R1 and R2. Unlike a crypto-map design, a VTI has no crypto ACL: whatever is routed out the tunnel interface is encrypted.

Topology: R1 fa0/0 (192.168.1.1) <-> R2 fa0/0 (192.168.1.2), with a Tunnel0 interface on each router sourced from fa0/0.

1. First, create an ISAKMP (IKEv1 phase 1) policy on both routers. The policy below uses AES-128, pre-shared-key authentication, SHA-1 hashing and Diffie-Hellman group 2 (1024-bit MODP). These are lab values: for production, prefer hash sha256 and group 14 or higher, since SHA-1 and 1024-bit DH are legacy settings.

R1(config)#crypto isakmp policy 100
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#


R2(config)#crypto isakmp policy 100
R2(config-isakmp)#encryption aes 128
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash sha
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#exit
R2(config)#


2. Specify the pre-shared key for the peer on both routers. The 0 means the key is typed in cleartext, and cisco is a lab value; a production key should be long and random, and type-6 key encryption (key config-key password-encrypt plus password encryption aes) keeps it out of the running-config in the clear.

R1(config)#crypto isakmp key 0 cisco address 192.168.1.2


R2(config)#crypto isakmp key 0 cisco address 192.168.1.1


3. Next, create an IPsec transform set on both routers (ESP with AES-128 for encryption and HMAC-SHA-1 for integrity). An IPsec VTI only supports tunnel mode, so leave the mode at tunnel:

R1(config)#crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#


R2(config)#crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#


4. Create an IPsec profile on both routers that references the transform set from step 3. The profile also enables PFS (a fresh Diffie-Hellman exchange for every IPsec SA, here again group 2) and sets the IPsec SA lifetime:

R1(config)#crypto ipsec profile VTI
R1(ipsec-profile)#set transform-set TRANS
R1(ipsec-profile)#set pfs group2
R1(ipsec-profile)#set security-association lifetime seconds 86400
R1(ipsec-profile)#exit
R1(config)#


R2(config)#crypto ipsec profile VTI
R2(ipsec-profile)#set transform-set TRANS
R2(ipsec-profile)#set pfs group2
R2(ipsec-profile)#set security-association lifetime seconds 86400
R2(ipsec-profile)#exit
R2(config)#


5. Create and configure the virtual tunnel interfaces on both routers. ip unnumbered borrows the fa0/0 address for the tunnel, tunnel mode ipsec ipv4 makes the interface a native IPsec VTI (no GRE encapsulation), and tunnel protection binds the IPsec profile to it:

R1(config)#int tunnel 0
R1(config-if)#ip unnumbered fa0/0
R1(config-if)#tunnel source fa0/0
R1(config-if)#tunnel destination 192.168.1.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile VTI
R1(config-if)#exit
R1(config)#


R2(config)#int tunnel 0
R2(config-if)#ip unnumbered fa0/0
R2(config-if)#tunnel source fa0/0
R2(config-if)#tunnel destination 192.168.1.1
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel protection ipsec profile VTI
R2(config-if)#exit
R2(config)#

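Because the phase 1 and phase 2 parameters above are the ones most often left at lab values, here is an added Python example (not part of the original post and not a Cisco tool) that parses a running-config and flags legacy IKEv1/IPsec settings: Diffie-Hellman groups below 2048-bit, SHA-1/MD5 hashing, DES/3DES, a cleartext or short pre-shared key, and SHA-1 in the transform set. The R1 configuration it checks is constructed from the commands in steps 1 to 4; the hardened counterpart, its placeholder type-6 ciphertext and the 20-character key threshold are assumptions for illustration.

```python
"""Audit an IOS IKEv1/IPsec VTI configuration for legacy crypto parameters."""
import re

# Constructed sample: R1's commands from the post, laid out as a running-config.
R1_CONFIG = """\
crypto isakmp policy 100
 encryption aes 128
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
crypto isakmp key 0 cisco address 192.168.1.2
!
crypto ipsec transform-set TRANS esp-aes 128 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set TRANS
 set pfs group2
 set security-association lifetime seconds 86400
"""

# Constructed hardened counterpart: SHA-256, DH group 14, AES-GCM, type-6 stored key.
# The type-6 ciphertext is a placeholder, not a real encrypted key.
HARDENED_CONFIG = """\
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 hash sha256
 group 14
crypto isakmp key 6 dXGZ_FhRe_c_bAYEXAMPLEONLY address 192.168.1.2
!
crypto ipsec transform-set TRANS esp-gcm 256
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set TRANS
 set pfs group14
"""

WEAK_DH = {"1", "2", "5"}                 # 768/1024/1536-bit MODP groups
WEAK_HASH = {"md5", "sha"}                # IOS 'sha' means SHA-1
WEAK_ENC = {"des", "3des"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
MIN_PSK_LEN = 20                          # assumed policy threshold for a cleartext PSK

def parse_sections(config):
    """Split a running-config into (header, [indented body lines]) blocks."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections

def audit_vti_config(config):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for header, body in parse_sections(config):
        if header.startswith("crypto isakmp policy"):
            hash_alg = "sha"  # IOS omits defaults from the config; the IKEv1 default hash is SHA-1
            for line in body:
                w = line.split()
                if w[0] in ("encr", "encryption") and w[1] in WEAK_ENC:
                    findings.append(f"{header}: {w[1]} encryption is legacy; use aes")
                elif w[0] == "hash":
                    hash_alg = w[1]
                elif w[0] == "group" and w[1] in WEAK_DH:
                    findings.append(f"{header}: DH group {w[1]} is under 2048-bit; use group 14 or higher")
            if hash_alg in WEAK_HASH:
                findings.append(f"{header}: hash {hash_alg} is SHA-1/MD5; use sha256")
        elif header.startswith("crypto isakmp key"):
            m = re.match(r"crypto isakmp key (?:(\d) )?(\S+) (?:address|hostname) (\S+)", header)
            if m and m.group(1) in (None, "0"):  # type 0 or untyped: key sits in the config in the clear
                kind, key, peer = m.groups()
                findings.append(f"PSK for {peer} is stored in cleartext; enable type-6 key encryption")
                if len(key) < MIN_PSK_LEN:
                    findings.append(f"PSK for {peer} is only {len(key)} chars; use a random key of {MIN_PSK_LEN}+")
        elif header.startswith("crypto ipsec transform-set"):
            name, *algs = header.split()[3:]
            for tok in algs:
                if tok in WEAK_ESP:
                    findings.append(f"transform-set {name}: {tok} is legacy; use esp-sha256-hmac or esp-gcm")
        elif header.startswith("crypto ipsec profile"):
            for line in body:
                m = re.match(r"set pfs group(\d+)", line)
                if m and m.group(1) in WEAK_DH:
                    findings.append(f"{header}: PFS group {m.group(1)} is under 2048-bit; use group14 or higher")
    return findings

if __name__ == "__main__":
    print(*audit_vti_config(R1_CONFIG), sep="\n")
    print("hardened findings:", audit_vti_config(HARDENED_CONFIG))
```

Run against the post's R1 configuration the audit reports six findings (DH group 2 for IKE and PFS, SHA-1 in both phases, and a short cleartext PSK); against the hardened counterpart it reports none. Paste the output of show running-config into R1_CONFIG to audit a real router.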

Now verify the session on either router with the show crypto session command.


If Session status: shows UP-IDLE, the IKE SA is up but no IPsec SAs have been negotiated yet. Clear the session with the clear crypto session command, ping across the tunnel so that traffic triggers the IPsec SA negotiation, and check the status again; it should now read UP-ACTIVE.
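Here is an added Python example (not from the original post) that reads show crypto session output, explains each status and decides which sessions need the clear-and-ping treatment. The two output samples are constructed to match the tunnel above, once in UP-IDLE and once after traffic has crossed; the status meanings follow the IOS documentation for the command.

```python
"""Parse `show crypto session` output and pick the sessions that need a kick."""
import re

# Constructed output from R1 before any traffic has crossed the tunnel.
BEFORE_PING = """\
Crypto session current status

Interface: Tunnel0
Session status: UP-IDLE
Peer: 192.168.1.2 port 500
  IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
"""

# Constructed output from R1 after a ping has triggered the IPsec SAs.
AFTER_PING = BEFORE_PING.replace("UP-IDLE", "UP-ACTIVE").replace("Active SAs: 0", "Active SAs: 2")

STATUS_MEANING = {
    "UP-ACTIVE": "IKE SA and IPsec SAs are established",
    "UP-IDLE": "IKE SA is up but no IPsec SAs exist yet",
    "UP-NO-IKE": "IPsec SAs exist but the IKE SA is gone",
    "DOWN-NEGOTIATING": "IKE SA is still being negotiated",
    "DOWN": "no SAs at all",
}

def parse_crypto_sessions(output):
    """Return one dict per 'Interface:' block with status, peer and active SA count."""
    sessions, cur = [], None
    for line in output.splitlines():
        if m := re.match(r"Interface: (\S+)", line):
            cur = {"interface": m.group(1), "status": None, "peer": None, "active_sas": 0}
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Session status: (\S+)", line):
            cur["status"] = m.group(1)
        elif m := re.match(r"Peer: (\S+)", line):
            cur["peer"] = m.group(1)
        elif m := re.search(r"Active SAs: (\d+)", line):
            cur["active_sas"] += int(m.group(1))
    return sessions

def explain(output):
    """Map each interface to a one-line explanation of its session state."""
    return {s["interface"]: STATUS_MEANING.get(s["status"], "unknown status " + str(s["status"]))
            for s in parse_crypto_sessions(output)}

def remediation(output):
    """IOS commands to run for sessions stuck in UP-IDLE (clear, then send traffic)."""
    cmds = []
    for s in parse_crypto_sessions(output):
        if s["status"] == "UP-IDLE":
            cmds.append(f"clear crypto session remote {s['peer']}")
            cmds.append(f"ping {s['peer']}")
    return cmds

if __name__ == "__main__":
    print(explain(BEFORE_PING), remediation(BEFORE_PING))
    print(explain(AFTER_PING), remediation(AFTER_PING))
```

For the UP-IDLE sample the script proposes clearing the session to 192.168.1.2 and pinging it; for the UP-ACTIVE sample it proposes nothing, which is the state you want to see after step 5.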

Here’s the running-config of both routers: Running-configs
