Quick presentation on the steps to build out a mesh site to site network using a cisco 2911

1. CIS 264
Dan Morrill
Highline Community College

2.  A static IP address on the EXTERNAL interface of your
router
 Needs to be in the 192.168.203.X range for this class (all
examples will use this IP range)
 Cisco 2911
 Access to the router as exec
 Patience
 Remember to check your work before you commit the
changes
 Remember Write MEM
 A backup of your router configuration before doing this
 Just in case bad things happen to good people

3.  http://www.routergeek.net/general/how-to-configure-
site-to-site-vpn-in-cisco-routers/ provides good step
by step in case you need it
 http://samcaldwell.net/index.php/technical-
articles/3-how-to-articles/83-cisco-vpn-part-i provides
good background support for setting up a site to site
VPN in a Cisco router
 http://www.fredshack.com/docs/vpnios.html
somewhat convoluted but workable – use as a backup
resource in case something goes wrong

4.  Create an IKE (Internet Key Exchange) policy for your
router
1. Router(config)#crypto isakmp policy 9
2. Router(config-isakmp)#hash md5
3. Router(config-isakmp)#authentication pre-share

5.  Router(config)#crypto isakmp key VPNKEY address
192.168.203.25
 Where the VPNKEY is the shared key that you will use
for the VPN, and remember to set the same key on the
other end
 VPNKEY = keyR7ToR5 to help with the naming
convention
 192.168.203.25 the static public IP address of the
other end

6.  Router(config)#crypto ipsec security-association
lifetime seconds YYYYY
 where YYYYY is the associations lifetime in seconds. It is
usually used as 86400, which is one day.

7.  Router(config)#access-list AAA permit ip
SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK
DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
 Access-list AAA permit ip 192.168.203.25 0.0.0.255
192.168.203.26 0.0.0.255
 Where 203.26 is the Active Directory server or other
computer on the network that will pass data back
and forth between racks in the VPN
 Where WIL.DCA.RDM.ASK = wild card mask of the
network, the reverse subnet for a flat “C” network

8.  Define the transformations set that will be used for the
VPN connection
 Router(config)#crypto ipsec transform-set
SETNAME AAAA BBBB
 Where SETNAME is the name of the transformations
set. You can choose any name you like. Naming is
important to keep track of the transforms
 BBBB and CCCCC is the transformation set. I
recommend the use of “esp-3des esp-md5-hmac”.

9.  Router(config)#crypto map MAPNAME PRIORITY ipsec-
isakmp
 Router(config-crypto-map)#set peer 192.168.203.25
 Router(config-crypto-map)#set transform-set SETNAME
 Router(config-crypto-map)#match address AAA
 Where MAPNAME is a name of your choice to the crypto-map
 PRIORITY is the priority of this map over other maps to the
same destination. If this is your only crypto-map give it any
number, for example 10.
 192.168.203.25 the static public IP address of the other end
 SETNAME is the name of the transformations set that we
configured in step 5
 AAA is the number of the access-list that we created to define
the traffic in step 4

10.  Router(config-if)#crypto map MAPNAME
 where MAPNAME is the name of the crypto-map that
we defined in step 6.
 Now, repeat these steps on the other end, and
remember to use the same key along with the same
authentication and transform set.

11.  Repeat steps 2, 4, 5, 6, 7 for each VPN you want to set
up for each connection point
 R3, R4, R5, R6, R7 in all you will have 5 VPN
connections in your router configuration
 Remember to skip step 3
 This is step 3, this is a global configuration that will work
on all VPN’s connected to the router
 Router(config)#crypto ipsec security-association
lifetime seconds YYYYY

12.  show crypto isakmp sa
 show crypto ipsec sa
 show crypto engine connections active
 and show crypto map
 All those should show what you entered
 Then write mem
 Then do a show run to see if everything took after write
mem