SlideShare ist ein Scribd-Unternehmen logo

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS

NetProtocol Xpert
NetProtocol Xpert

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS

Ingenieurwesen
1 von 18
www.netprotocolxpert.in
 Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and video between two sites (e.g offices or branches). The VPN tunnel is created over the Internet public network and encrypted using a number of advanced encryption algorithms to provide confidentiality of the data transmitted between the two sites.  ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
 Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IPSec then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services. IPSECVPN REQUIREMENTS  To help make this an easy-to-follow exercise, we have split it into two steps that are required to get the Site-to-Site IPSecVPNTunnel to work. These steps are:  (1) Configure ISAKMP (ISAKMP Phase 1)  (2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
 Our example setup is between two branches of a small company, these are Site 1 and Site 2. Both the branch routers connect to the Internet and have a static IPAddress assigned by their ISP as shown on the diagram:  Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.
 IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.  To begin, we’ll start working on the Site 1 router (R1).  First step is to configure an ISAKMP Phase 1 policy: R1(config)# crypto isakmp policy 1 R1(config-isakmp)# encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 2 R1(config-isakmp)# lifetime 86400
 The Previous slide define the following (in listed order): 3DES -The encryption method to be used for Phase 1. MD5 -The hashing algorithm Pre-share - Use Pre-shared key as the authentication method Group 2 - Diffie-Hellman group to be used 86400 – Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. Value set is the default value.  We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.
 Next we are going to define a pre shared key for authentication with our peer (R2 router) by using the following command:  R1(config)# crypto isakmp key NPX address 1.1.1.2  The peer’s pre shared key is set to NPX and its public IP Address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2 (1.1.1.2), this pre shared key will be used.
 To configure IPSec we need to setup the following in order:  Create extended ACL  Create IPSecTransform  Create Crypto Map  Apply crypto map to the public interface
CREATING EXTENDEDACL  Next step is to create an access-list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would be traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access-lists that define VPN traffic are sometimes called crypto access-list or interesting traffic access-list. R1(config)# ip access-list extendedVPN-TRAFFIC R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
CREATE IPSECTRANSFORM (ISAKMP PHASE 2 POLICY)  Next step is to create the transform set used to protect our data.We’ve named this TS: R1(config)# crypto ipsec transform-set TS esp-3des esp- md5-hmac The above command defines the following:  ESP-3DES - Encryption method  MD5 - Hashing algorithm
CREATE CRYPTO MAP  The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together: R1(config)# crypto map CMAP 10 ipsec-isakmp R1(config-crypto-map)# set peer 1.1.1.2 R1(config-crypto-map)# set transform-set TS R1(config-crypto-map)# match addressVPN-TRAFFIC  We’ve named our crypto map CMAP. The ipsec- isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is only one peer declared in this crypto map (1.1.1.2), it is possible to have multiple peers within a given crypto map.
APPLY CRYPTO MAPTOTHE PUBLIC INTERFACE  The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1. R1(config)# interface FastEthernet0/1 R1(config- if)# crypto map CMAP  Note that you can assign only one crypto map to an interface.  As soon as we apply crypto map on the interface, we receive a message from the router that confirms isakmp is on: “ISAKMP is ON”.
 We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, with the only difference being the peer IP Addresses and access lists: R2(config)# crypto isakmp policy 1 R2(config-isakmp)# encr 3des R2(config-isakmp)# hash md5 R2(config-isakmp)# authentication pre-share R2(config-isakmp)# group 2 R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key NPX address 1.1.1.1 R2(config)# ip access-list extended VPN-TRAFFIC R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 R2(config)# crypto ipsec transform-set TS esp-3des esp- md5-hmac R2(config)# crypto map CMAP 10 ipsec-isakmp R2(config-crypto-map)# set peer 1.1.1.1 R2(config-crypto-map)# set transform-set TS R2(config-crypto-map)# match address VPN-TRAFFIC R2(config)# interface FastEthernet0/1 R2(config- if)# crypto map CMAP
NETWORK ADDRESS TRANSLATION (NAT) AND IPSEC VPNTUNNELS  Network Address Translation (NAT) is most likely to be configured to provide Internet access to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the router not to perform NAT (deny NAT) on packets destined to the remote VPN network(s).  This is easily done by inserting a deny statement at the beginning of the NAT access list
Router1: R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
Router2: R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any
BRINGING UP ANDVERIFYINGTHEVPNTUNNEL  At this point, we’ve completed our configuration and theVPNTunnel is ready to be brought up. To initiate the VPNTunnel, we need to force one packet to traverse the VPN and this can be achieved by pinging from one router to another  Ping- R1# ping 20.20.20.1 source fastethernet0/0  To verify theVPNTunnel- R1# show crypto session

Empfohlen

Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
Firewall
FirewallFirewall
FirewallSaurabh Chauhan
 
Ip addressing
Ip addressingIp addressing
Ip addressingsid1322
 
Ip Addressing
Ip AddressingIp Addressing
Ip Addressingvssnsarma
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
CCNA Network Devices
CCNA Network DevicesCCNA Network Devices
CCNA Network DevicesDsunte Wilson
 
OSPF Configuration
OSPF Configuration OSPF Configuration
OSPF Configuration NetProtocol Xpert
 
802.1x
802.1x802.1x
802.1xakruthi k
 

Empfohlen

Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
Firewall
FirewallFirewall
FirewallSaurabh Chauhan
 
Ip addressing
Ip addressingIp addressing
Ip addressingsid1322
 
Ip Addressing
Ip AddressingIp Addressing
Ip Addressingvssnsarma
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
CCNA Network Devices
CCNA Network DevicesCCNA Network Devices
CCNA Network DevicesDsunte Wilson
 
OSPF Configuration
OSPF Configuration OSPF Configuration
OSPF Configuration NetProtocol Xpert
 
802.1x
802.1x802.1x
802.1xakruthi k
 
Ipv4 ppt
Ipv4 pptIpv4 ppt
Ipv4 pptSonal Chandel
 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)Joud Khattab
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewallsCastleforce
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1VISHNU N
 
BGP Weight Manipulation with Route Map
BGP Weight Manipulation with Route MapBGP Weight Manipulation with Route Map
BGP Weight Manipulation with Route MapNetProtocol Xpert
 
Bridge
BridgeBridge
BridgeMadhushree Ghosh
 
The Transport Layer
The Transport LayerThe Transport Layer
The Transport Layeradil raja
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]Summit Bisht
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA ImplementationAhmad El Tawil
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.pptEdgardo Scrimaglia
 
Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Jisc
 
Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Alan Mark
 
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)Kruti Niranjan
 
CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01Irsandi Hasan
 
Ccnp presentation [Day 1-3] Class
Ccnp presentation [Day 1-3] ClassCcnp presentation [Day 1-3] Class
Ccnp presentation [Day 1-3] ClassSagarR24
 
CCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsCCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsEng. Emad Al-Atoum
 
Overview of TCP IP
Overview of TCP IPOverview of TCP IP
Overview of TCP IPuniversity of education,Lahore
 
Network administration and Management
Network administration and ManagementNetwork administration and Management
Network administration and ManagementBry Cunal
 
MPLS
MPLSMPLS
MPLSElyes Naouar
 
How BGP Works
How BGP WorksHow BGP Works
How BGP WorksThousandEyes
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)Joud Khattab
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewallsCastleforce
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1VISHNU N
 
BGP Weight Manipulation with Route Map
BGP Weight Manipulation with Route MapBGP Weight Manipulation with Route Map
BGP Weight Manipulation with Route MapNetProtocol Xpert
 
The Transport Layer
The Transport LayerThe Transport Layer
The Transport Layeradil raja
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]Summit Bisht
 
Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Jisc
 
Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Alan Mark
 
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)Kruti Niranjan
 
CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01Irsandi Hasan
 
Ccnp presentation [Day 1-3] Class
Ccnp presentation [Day 1-3] ClassCcnp presentation [Day 1-3] Class
Ccnp presentation [Day 1-3] ClassSagarR24
 
CCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsCCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsEng. Emad Al-Atoum
 
Network administration and Management
Network administration and ManagementNetwork administration and Management
Network administration and ManagementBry Cunal
 

Was ist angesagt? (20)

Ipv4 ppt
Ipv4 pptIpv4 ppt
Ipv4 ppt
 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1
 
BGP Weight Manipulation with Route Map
BGP Weight Manipulation with Route MapBGP Weight Manipulation with Route Map
BGP Weight Manipulation with Route Map
 
Bridge
BridgeBridge
Bridge
 
The Transport Layer
The Transport LayerThe Transport Layer
The Transport Layer
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
 
Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44
 
Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)
 
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)
TCP & UDP ( Transmission Control Protocol and User Datagram Protocol)
 
CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01
 
Ccnp presentation [Day 1-3] Class
Ccnp presentation [Day 1-3] ClassCcnp presentation [Day 1-3] Class
Ccnp presentation [Day 1-3] Class
 
CCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsCCNA - Routing & Switching Commands
CCNA - Routing & Switching Commands
 
Overview of TCP IP
Overview of TCP IPOverview of TCP IP
Overview of TCP IP
 
Network administration and Management
Network administration and ManagementNetwork administration and Management
Network administration and Management
 
MPLS
MPLSMPLS
MPLS
 
How BGP Works
How BGP WorksHow BGP Works
How BGP Works
 

Andere mochten auch

IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASAОсновные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASACisco Russia
 
Site to Site VPN Using TMG Firewall. University Final Presentation.
Site to Site VPN Using TMG Firewall. University Final Presentation.Site to Site VPN Using TMG Firewall. University Final Presentation.
Site to Site VPN Using TMG Firewall. University Final Presentation.Muhammad Farooq Hussain
 
Ubuntu SSL VPN
Ubuntu SSL VPNUbuntu SSL VPN
Ubuntu SSL VPNsharetech
 
Site to Site VPN CISCO ASA
Site to Site VPN CISCO ASASite to Site VPN CISCO ASA
Site to Site VPN CISCO ASARahul E
 
Network Service in OpenStack Cloud, by Yaohui Jin
Network Service in OpenStack Cloud, by Yaohui JinNetwork Service in OpenStack Cloud, by Yaohui Jin
Network Service in OpenStack Cloud, by Yaohui JinHui Cheng
 
Cyberoam SSL VPN
Cyberoam SSL VPNCyberoam SSL VPN
Cyberoam SSL VPNAjay Nawani
 
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718guest75224e4
 
my presentation on vpn
my presentation on vpnmy presentation on vpn
my presentation on vpnjadeja dhanraj
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsMustafa Khaleel
 
Troubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNsTroubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNsThousandEyes
 
SSL VPN from your android phone
SSL VPN from your android phoneSSL VPN from your android phone
SSL VPN from your android phonesharetech
 
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wikiIp sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wikiHuy Eav
 
Fortigate Hand Book
Fortigate Hand BookFortigate Hand Book
Fortigate Hand BookYusuf Usmani
 

Andere mochten auch (20)

IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
IPSec VPN Basics
IPSec VPN BasicsIPSec VPN Basics
IPSec VPN Basics
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASAОсновные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
Основные понятия и аспекты построения отказоустойчивых Site-to-Site VPN на ASA
 
Site to Site VPN Using TMG Firewall. University Final Presentation.
Site to Site VPN Using TMG Firewall. University Final Presentation.Site to Site VPN Using TMG Firewall. University Final Presentation.
Site to Site VPN Using TMG Firewall. University Final Presentation.
 
Ubuntu SSL VPN
Ubuntu SSL VPNUbuntu SSL VPN
Ubuntu SSL VPN
 
Vpn 3
Vpn 3Vpn 3
Vpn 3
 
Site to Site VPN CISCO ASA
Site to Site VPN CISCO ASASite to Site VPN CISCO ASA
Site to Site VPN CISCO ASA
 
Network Service in OpenStack Cloud, by Yaohui Jin
Network Service in OpenStack Cloud, by Yaohui JinNetwork Service in OpenStack Cloud, by Yaohui Jin
Network Service in OpenStack Cloud, by Yaohui Jin
 
Cyberoam SSL VPN
Cyberoam SSL VPNCyberoam SSL VPN
Cyberoam SSL VPN
 
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
Forti Gate Ssl Vpn User Guide 01 30007 0348 20080718
 
my presentation on vpn
my presentation on vpnmy presentation on vpn
my presentation on vpn
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnels
 
Troubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNsTroubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNs
 
VSS_Final
VSS_FinalVSS_Final
VSS_Final
 
Spring Ldap
Spring LdapSpring Ldap
Spring Ldap
 
SSL VPN from your android phone
SSL VPN from your android phoneSSL VPN from your android phone
SSL VPN from your android phone
 
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wikiIp sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
 
Fortigate Hand Book
Fortigate Hand BookFortigate Hand Book
Fortigate Hand Book
 

Ähnlich wie SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS

I psec tunnel vs transport mode
I psec tunnel vs transport modeI psec tunnel vs transport mode
I psec tunnel vs transport modeIT Tech
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersConfiguring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersphosika sithisane
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationdborsan
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pixangelitoh11
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Netwax Lab
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Báo cáo thực tập athena trần trọng thái
Báo cáo thực tập athena trần trọng tháiBáo cáo thực tập athena trần trọng thái
Báo cáo thực tập athena trần trọng tháitran thai
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseHarris Andrea
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands OverviewMuhammed Niyas
 
Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01slavenvvv
 
Cisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA ConfigurationCisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA ConfigurationHamed Moghaddam
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network securityThanawan Tuamyim
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).pptDeep Rajan
 

Ähnlich wie SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS (20)

I psec tunnel vs transport mode
I psec tunnel vs transport modeI psec tunnel vs transport mode
I psec tunnel vs transport mode
 
Lan to lan vpn
Lan to lan vpnLan to lan vpn
Lan to lan vpn
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Server
 
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersConfiguring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configuration
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Báo cáo thực tập athena trần trọng thái
Báo cáo thực tập athena trần trọng tháiBáo cáo thực tập athena trần trọng thái
Báo cáo thực tập athena trần trọng thái
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
 
IPSec VPN
IPSec VPNIPSec VPN
IPSec VPN
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands Overview
 
Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01
 
Cisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA ConfigurationCisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA Configuration
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).ppt
 
Day 11 eigrp
Day 11 eigrpDay 11 eigrp
Day 11 eigrp
 

Mehr von NetProtocol Xpert

Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationNetProtocol Xpert
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)NetProtocol Xpert
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data planeNetProtocol Xpert
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPNetProtocol Xpert
 
Avoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandAvoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandNetProtocol Xpert
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesNetProtocol Xpert
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)NetProtocol Xpert
 
OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)NetProtocol Xpert
 

Mehr von NetProtocol Xpert (20)

Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & Mitigation
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
 
IP Source Guard
IP Source Guard IP Source Guard
IP Source Guard
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
 
Password Recovery
Password RecoveryPassword Recovery
Password Recovery
 
Application & Data Center
Application & Data CenterApplication & Data Center
Application & Data Center
 
Cisco ISR 4351 Router
Cisco ISR 4351 RouterCisco ISR 4351 Router
Cisco ISR 4351 Router
 
Cisco ASR 1001-X Router
Cisco ASR 1001-X RouterCisco ASR 1001-X Router
Cisco ASR 1001-X Router
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data plane
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAP
 
Avoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandAvoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a command
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and Switches
 
Private VLANs
Private VLANsPrivate VLANs
Private VLANs
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)
 
OTV Configuration
OTV ConfigurationOTV Configuration
OTV Configuration
 
Cisco OTV 
Cisco OTV Cisco OTV 
Cisco OTV 
 
OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)
 

Kürzlich hochgeladen

Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 

Kürzlich hochgeladen (20)

Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS

  • 2.  Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and video between two sites (e.g offices or branches). The VPN tunnel is created over the Internet public network and encrypted using a number of advanced encryption algorithms to provide confidentiality of the data transmitted between the two sites.  ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
  • 3.  Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IPSec then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services. IPSECVPN REQUIREMENTS  To help make this an easy-to-follow exercise, we have split it into two steps that are required to get the Site-to-Site IPSecVPNTunnel to work. These steps are:  (1) Configure ISAKMP (ISAKMP Phase 1)  (2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
  • 4.  Our example setup is between two branches of a small company, these are Site 1 and Site 2. Both the branch routers connect to the Internet and have a static IPAddress assigned by their ISP as shown on the diagram:  Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.
  • 5.  IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.  To begin, we’ll start working on the Site 1 router (R1).  First step is to configure an ISAKMP Phase 1 policy: R1(config)# crypto isakmp policy 1 R1(config-isakmp)# encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 2 R1(config-isakmp)# lifetime 86400
  • 6.  The Previous slide define the following (in listed order): 3DES -The encryption method to be used for Phase 1. MD5 -The hashing algorithm Pre-share - Use Pre-shared key as the authentication method Group 2 - Diffie-Hellman group to be used 86400 – Session key lifetime. Expressed in either kilobytes (after x-amount of traffic, change the key) or seconds. Value set is the default value.  We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.
  • 7.  Next we are going to define a pre shared key for authentication with our peer (R2 router) by using the following command:  R1(config)# crypto isakmp key NPX address 1.1.1.2  The peer’s pre shared key is set to NPX and its public IP Address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2 (1.1.1.2), this pre shared key will be used.
  • 8.  To configure IPSec we need to setup the following in order:  Create extended ACL  Create IPSecTransform  Create Crypto Map  Apply crypto map to the public interface
  • 9. CREATING EXTENDEDACL  Next step is to create an access-list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would be traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access-lists that define VPN traffic are sometimes called crypto access-list or interesting traffic access-list. R1(config)# ip access-list extendedVPN-TRAFFIC R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  • 10. CREATE IPSECTRANSFORM (ISAKMP PHASE 2 POLICY)  Next step is to create the transform set used to protect our data.We’ve named this TS: R1(config)# crypto ipsec transform-set TS esp-3des esp- md5-hmac The above command defines the following:  ESP-3DES - Encryption method  MD5 - Hashing algorithm
  • 11. CREATE CRYPTO MAP  The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together: R1(config)# crypto map CMAP 10 ipsec-isakmp R1(config-crypto-map)# set peer 1.1.1.2 R1(config-crypto-map)# set transform-set TS R1(config-crypto-map)# match addressVPN-TRAFFIC  We’ve named our crypto map CMAP. The ipsec- isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is only one peer declared in this crypto map (1.1.1.2), it is possible to have multiple peers within a given crypto map.
  • 12. APPLY CRYPTO MAPTOTHE PUBLIC INTERFACE  The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1. R1(config)# interface FastEthernet0/1 R1(config- if)# crypto map CMAP  Note that you can assign only one crypto map to an interface.  As soon as we apply crypto map on the interface, we receive a message from the router that confirms isakmp is on: “ISAKMP is ON”.
  • 13.  We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, with the only difference being the peer IP Addresses and access lists: R2(config)# crypto isakmp policy 1 R2(config-isakmp)# encr 3des R2(config-isakmp)# hash md5 R2(config-isakmp)# authentication pre-share R2(config-isakmp)# group 2 R2(config-isakmp)# lifetime 86400
  • 14. R2(config)# crypto isakmp key NPX address 1.1.1.1 R2(config)# ip access-list extended VPN-TRAFFIC R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 R2(config)# crypto ipsec transform-set TS esp-3des esp- md5-hmac R2(config)# crypto map CMAP 10 ipsec-isakmp R2(config-crypto-map)# set peer 1.1.1.1 R2(config-crypto-map)# set transform-set TS R2(config-crypto-map)# match address VPN-TRAFFIC R2(config)# interface FastEthernet0/1 R2(config- if)# crypto map CMAP
  • 15. NETWORK ADDRESS TRANSLATION (NAT) AND IPSEC VPNTUNNELS  Network Address Translation (NAT) is most likely to be configured to provide Internet access to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the router not to perform NAT (deny NAT) on packets destined to the remote VPN network(s).  This is easily done by inserting a deny statement at the beginning of the NAT access list
  • 16. Router1: R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
  • 17. Router2: R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any
  • 18. BRINGING UP ANDVERIFYINGTHEVPNTUNNEL  At this point, we’ve completed our configuration and theVPNTunnel is ready to be brought up. To initiate the VPNTunnel, we need to force one packet to traverse the VPN and this can be achieved by pinging from one router to another  Ping- R1# ping 20.20.20.1 source fastethernet0/0  To verify theVPNTunnel- R1# show crypto session