Site-to-site VPN configuration using crypto maps

Here’s the topology that I’m going to use to demonstrate a site-to-site VPN configuration between two routers using crypto maps. The LAN behind R1 is 10.1.1.0/24, the LAN behind R2 is 11.1.1.0/24, and the two routers peer with each other over 192.168.1.1 (R1) and 192.168.1.2 (R2).

[Figure: topology diagram]

1. Configure a crypto isakmp policy on both routers

The policy is the IKE phase 1 (ISAKMP) proposal. The same encryption, hash, authentication method and DH group must exist in a policy on both peers or phase 1 never comes up.

R1(config)#crypto isakmp policy 100
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit

Repeat the same policy on R2.

Note that hash sha is SHA-1 and group 2 is 1024-bit Diffie-Hellman. They are used here because the lab routers accept them; on a production link prefer hash sha256 and group 14 or higher (and the matching set pfs group in step 6).

2. Specify the type of identification and the pre-shared key to be used

The key is bound to the peer's address, so each router names the other router's WAN address. The 0 means the key that follows is typed in clear text; use a long random secret rather than cisco outside a lab.

R1(config)#crypto isakmp identity address
R1(config)#crypto isakmp key 0 cisco address 192.168.1.2

R2(config)#crypto isakmp identity address
R2(config)#crypto isakmp key 0 cisco address 192.168.1.1

3. Create an ipsec transform set

The transform set is the IKE phase 2 (IPsec) proposal: ESP with AES-128 for confidentiality and SHA-1 HMAC for integrity, in tunnel mode (tunnel is the default, so the mode command only makes it explicit).

R1(config)#crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

Repeat the same transform set on R2.

4. Define the lifetime of the security association

This is the global default lifetime for the IPsec (phase 2) SAs; it is independent of the phase 1 lifetime set in the isakmp policy.

R1(config)#crypto ipsec security-association lifetime seconds 86400

R2(config)#crypto ipsec security-association lifetime seconds 86400

5. Define mirrored access-lists on both routers for interesting traffic

The ACL selects the traffic that will be encrypted. R2's entry is the mirror image of R1's (source and destination swapped); if the two do not mirror each other, the proxy identities offered during phase 2 will not match and the tunnel will fail to establish.

R1(config)#ip access-list extended 100
R1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255
R1(config-ext-nacl)#exit

R2(config)#ip access-list extended 100
R2(config-ext-nacl)#permit ip 11.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
R2(config-ext-nacl)#exit

6. Define a crypto map as shown below

The crypto map ties the pieces together: the peer, the transform set and the crypto ACL. set pfs makes every phase 2 rekey perform a fresh Diffie-Hellman exchange instead of deriving the new keys from the phase 1 secret.

R1(config)#crypto map CRYPTO 100 ipsec-isakmp
R1(config-crypto-map)#set transform-set VPN
R1(config-crypto-map)#set peer 192.168.1.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit

R2(config)#crypto map CRYPTO 100 ipsec-isakmp
R2(config-crypto-map)#set transform-set VPN
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#exit

7. Apply the crypto map to the serial interface

Apply the map to the WAN interface facing the peer, the one whose address the other router has as its set peer. Nothing is encrypted until the map is bound to an interface.

R1(config)#int serial 1/0
R1(config-if)#crypto map CRYPTO
R1(config-if)#exit

R2(config)#int serial 1/0
R2(config-if)#crypto map CRYPTO
R2(config-if)#exit
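Most crypto-map failures come from the two sides not mirroring each other (a typo in a peer address, an ACL copied instead of reversed, a map never applied). The script below is an added example, my own Python and not part of the original post: it retypes R1's commands from steps 1 to 7 as plain config text, derives R2's mirror image, and checks that the two configs agree where they must agree and mirror where they must mirror. It also flags the settings a reviewer would push back on. The Serial1/0 addresses 192.168.1.1 (R1) and 192.168.1.2 (R2) are an assumption taken from the set peer lines; the post does not print them. Only the line formats used on this page are understood.

```python
"""Consistency check for the R1/R2 crypto-map configs on this page (added
example, not from the original post). The interface addresses 192.168.1.1
(R1) and 192.168.1.2 (R2) are assumed from the set peer lines; the post
does not print them."""
import re

# R1's commands from the tutorial, retyped as plain config (prompts removed).
R1_CONFIG = """\
crypto isakmp policy 100
 encryption aes 128
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
crypto isakmp identity address
crypto isakmp key 0 cisco address 192.168.1.2
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 86400
ip access-list extended 100
 permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255
crypto map CRYPTO 100 ipsec-isakmp
 set transform-set VPN
 set peer 192.168.1.2
 set pfs group2
 match address 100
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 crypto map CRYPTO
"""
# R2 is the mirror image: WAN addresses swapped, crypto ACL reversed.
R2_CONFIG = (R1_CONFIG.replace("192.168.1.1", "SELF")
             .replace("192.168.1.2", "192.168.1.1").replace("SELF", "192.168.1.2")
             .replace("permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255",
                      "permit ip 11.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255"))


def parse(cfg):
    """Pull out the fields that must match, or mirror, between the peers."""
    def one(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    acl = re.search(r"^ permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M)
    return {
        "enc": one(r"^ encryption (.+)$"),
        "hash": one(r"^ hash (\S+)$"),
        "group": one(r"^ group (\S+)$"),
        "auth": one(r"^ authentication (\S+)$"),
        "key": one(r"^crypto isakmp key \d (\S+) address"),
        "key_peer": one(r"^crypto isakmp key \d \S+ address (\S+)$"),
        "tset": one(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer": one(r"^ set peer (\S+)$"),
        "pfs": one(r"^ set pfs (\S+)$"),
        "acl": acl.groups() if acl else None,
        "local": one(r"^ ip address (\S+) \S+$"),
        "applied": one(r"^ crypto map (\S+)$") is not None,  # interface-level line only
    }


def check_pair(a, b):
    """Return a list of mismatches; an empty list means the peers agree."""
    problems = []
    for f in ("enc", "hash", "group", "auth", "key", "tset", "pfs"):
        if a[f] != b[f]:
            problems.append("%s differs: %r vs %r" % (f, a[f], b[f]))
    # Each side's peer must be the other side's address, and the pre-shared
    # key must be bound to that same peer address.
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("set peer does not point at the other router")
    if a["key_peer"] != a["peer"] or b["key_peer"] != b["peer"]:
        problems.append("isakmp key address does not match set peer")
    # Crypto ACLs must be mirror images: R2's entry is R1's with src/dst swapped.
    if a["acl"] and b["acl"] and a["acl"] != b["acl"][2:] + b["acl"][:2]:
        problems.append("crypto ACLs are not mirrored")
    for name, side in (("R1", a), ("R2", b)):
        if not side["applied"]:
            problems.append(name + ": crypto map is not applied to an interface")
    return problems


def weak_settings(p):
    """Flag values that negotiate fine but that a reviewer would reject."""
    warnings = []
    if p["hash"] in ("md5", "sha"):            # 'hash sha' is SHA-1 on IOS
        warnings.append("hash %s: prefer sha256" % p["hash"])
    if p["group"] in ("1", "2", "5"):           # DH of 1536 bits or less
        warnings.append("group %s: prefer group 14 or higher" % p["group"])
    if p["pfs"] in ("group1", "group2", "group5"):
        warnings.append("set pfs %s: same concern as the policy group" % p["pfs"])
    if p["key"] is not None and len(p["key"]) < 16:
        warnings.append("pre-shared key is short; use a long random secret")
    return warnings


if __name__ == "__main__":
    r1, r2 = parse(R1_CONFIG), parse(R2_CONFIG)
    for line in check_pair(r1, r2) or ["peers are consistent"]:
        print(line)
    for line in weak_settings(r1):
        print("warn:", line)
```

Run as is, it reports the two sides consistent and prints four warnings for the lab values (SHA-1, DH group 2 in the policy and in PFS, and the short key). Paste a real pair of show running-config extracts into the two strings to use it on your own routers; the regexes only cover the command forms this page uses, so extend them if your config has more than one policy, transform set or ACL entry.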

Finally, to check that packets are being encrypted, ping from a host in 10.1.1.0/24 to a host in 11.1.1.0/24 (a ping sourced from the router's own WAN address does not match ACL 100 and goes out in clear text). Then use show crypto isakmp sa to confirm that the phase 1 SA with the peer is in state QM_IDLE, and show crypto ipsec sa to confirm that the #pkts encaps/encrypt and #pkts decaps/decrypt counters increase with each ping.
