This post will cover the creation of an IPSec tunnel between two Cisco routers. If you’ve ever done one of these on an ASA firewall for instance, you will notice right off the bat that the concept and the commands are similar, so you should have no problem working through this material and setting up a Cisco router IPSec vpn tunnel.
Major Required Parts
There are a few bullet-point items you need to complete to setup a Cisco router IPSec vpn. Those are:
- ISAKMP Policy (IPSec Phase 1)
- Transform Set (IPSec Phase 2)
- ACL for VPN Traffic
- Crypto Map
- NAT Exempt
Each of these sections will be outlined here as far as what I am using in the lab, then, you can watch the video lab to see it in action.
ISAKMP Policy (IPSec Phase 1)
First off is the ISAKMP Policy. This is where we set some basic details about the type of encryption and authentication that will be used in the tunnel. Nothing too detailed here, just some basic options that you will need to make sure match the other router or firewall on the other end of the vpn connection:
crypto isakmp policy 10 hash sha authentication pre-share group 2 lifetime 86400 crypto isakmp key TheRoutingTable address 126.96.36.199
Again, you will want to make sure to use this same thing on the other end of the connection, while making sure to change the IP in the isakmp key statement for instance.
Transform Set (IPSec Phase 2)
Next is the IPSEC Phase 2 section which is the transform set. This includes more settings regarding the encryption of the tunnel, same as before too: make sure the settings match on both end of the tunnel.
crypto ipsec transform-set TheRoutingTable esp-sha512-hmac esp-3des mode tunnel
Obviously with this section, and frankly the others too, there are a lot of options you can pick based on the specific needs of your setup that you are working with.
ACL for VPN Traffic
Nothing special here, simply create a straight forward ACL that permits traffic between the two subnets, hosts, or both that you want to be able to traverse the tunnel. I am simply doing one /24 network to the other, but you could make this specific such as a tunnel between just two hosts.
ip access-list extended TUNNEL-TRAFFIC permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
This is where we begin to tie everything together, with the crypto map. This is a two step process – create the crypto map and then apply it to your outside interface. We will need to know the ACL and transform-set names we used earlier as well as the peer address. Then we can get this section knocked out:
crypto map TheRoutingTable-VPN 10 ipsec-isakmp match address TUNNEL-TRAFFIC set peer 188.8.131.52 set transform-set TheRoutingTable
Now the the transform set is created, we just need to apply it to the outside interface of our router:
Edge_Router_1(config)#int e0/0 Edge_Router_1(config-if)#crypto map TheRoutingTable-VPN
NAT Exempt (or not!)
At this point you are close and might even be working. The key here though if you want to confirm your needed NAT settings for your specific project. In my case, with this being a basic test lab, I left NAT out of the lab altogether. The goal here though is that you might want (or might NOT want) to exempt the vpn traffic from being NAT’ed and allow these devices to communicate with each other using private IP addresses. In the case of the environment where I work, you may run into cases where you do have to NAT, because you and the person on the remote end of the vpn tunnel both use the same IP subnet. In this case, you would either NAT your traffic to a different subnet or the other end of the tunnel would have this done. That was my reason for leaving NAT out of this test. There are so many ways this may need to be done, you will just want to examine the requirements of your specific network.
As always, if there are any questions leave them below! To recap what I just covered, here is the video of these commands and configuration in action.