Site to Site VPN CLI configuration on GNS3:


What is a VPN?
A Virtual Private Network is a type of connection that connects remote users to their central office over the internet. An IPsec VPN is a virtual tunnel through your public ISP network. VPNs are encrypted, secure connections.
How to set up a VPN on Cisco:
Here we shall see the site to site VPN CLI configuration on GNS3; there are not that many commands.
I shall divide these configurations into a few parts to make them easy to understand, i.e.
1. Define ISAKMP policy and transform set:
ISAKMP is the protocol that allows the key exchange to happen automatically, so there is no need to configure the session keys manually. In this step we define the authentication type, encryption type, hash and lifetime, and the transform set, i.e. which algorithms the session keys are used with.
2. Create an ACL:
Define the interesting traffic using an access control list. This ACL is not for permitting or denying IP addresses; it only says which traffic is encrypted.
3. Set up a crypto map and assign it to an interface:
In this step we tie all the pieces together so that we can apply them to an interface.

For the site to site VPN configuration I have created the following lab in GNS3. In it, US and Pakistan are our end-site routers and the ISP cloud represents the internet; don't be confused by the cloud symbol, it is a plain router running a 7200 series IOS. I changed the router symbol from GNS3 > Edit > Symbol manager to give the topology a more realistic look. The complete configurations are given below.

US site config:

US(config)#int s1/0
US(config-if)#ip address 50.0.0.1 255.255.255.0
US(config-if)#no shut
US(config)#int loop 1
US(config-if)#ip address 10.1.1.1 255.255.255.0
US(config)#router rip
US(config-router)#version 2
US(config-router)#network 10.1.1.0
US(config-router)#network 50.0.0.0
US(config-router)#no auto-summary


Step-1:
US(config)#crypto isakmp policy 7
US(config-isakmp)#authentication pre-share
US(config-isakmp)#encryption aes 128
US(config-isakmp)#group 2
US(config-isakmp)#hash sha
US(config-isakmp)#lifetime 100
US(config-isakmp)#ex
US(config)#crypto isakmp key 0 vpnkey address 192.168.1.1 no-xauth
 
US(config)#crypto ipsec transform-set vpntrans esp-aes 128 esp-sha-hmac

Step-2

US(config)#ip access-list extended vpn-acl
US(config-ext-nacl)#permit ip 50.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255

Step-3

US(config)#crypto map vpn-map 10 ipsec-isakmp
US(config-crypto-map)#set peer 192.168.1.1
US(config-crypto-map)#match address vpn-acl
US(config-crypto-map)#set transform-set vpntrans
 
US(config)#int s1/0
US(config-if)#crypto map vpn-map

ISP configuration:

ISP#conf t
ISP(config)#int s1/0
ISP(config-if)#ip add 50.0.0.2 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#ex
ISP(config)#int s1/1
ISP(config-if)#ip add 192.168.1.2 255.255.255.0
ISP(config-if)#no shut
ISP(config)#router rip
ISP(config-router)#version 2
ISP(config-router)#network 50.0.0.0
ISP(config-router)#network 192.168.1.0
ISP(config-router)#no auto-summary

Pakistan site config:

Step-1:
Pakistan#conf t
Pakistan(config)#crypto isakmp policy 7
Pakistan(config-isakmp)#authentication pre-share
Pakistan(config-isakmp)#encryption aes 128
Pakistan(config-isakmp)#group 2
Pakistan(config-isakmp)#lifetime 100
Pakistan(config-isakmp)#ex
Pakistan(config)#crypto isakmp key 0 vpnkey address 50.0.0.1 no-xauth
Pakistan(config)#crypto ipsec transform-set vpntrans esp-aes 128 esp-sha-hmac

Step-2

Pakistan(config)#ip access-list extended vpn-acl
Pakistan(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 50.0.0.0 0.0.0.255
Pakistan(config-ext-nacl)#ex

Step-3

Pakistan(config)#crypto map vpn-map 10 ipsec-isakmp
Pakistan(config-crypto-map)#set peer 50.0.0.1
Pakistan(config-crypto-map)#set transform-set vpntrans
Pakistan(config-crypto-map)#match address vpn-acl
Pakistan(config)#interface Serial1/0
Pakistan(config-if)#crypto map vpn-map

Site to site VPN verification commands:

show crypto isakmp sa

show crypto ipsec sa
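As an added example (not from the original post or from Cisco), a small Python checker for the mistake several commenters ran into: it parses the pasted console transcripts of both sites, fills in the IOS defaults for any ISAKMP parameter a side omits (so a missing `hash sha` is not a mismatch), normalises a bare `esp-aes` to `esp-aes 128`, and verifies that each side's interesting-traffic ACL line is the mirror image of the other's. The prompt regex and the default table are assumptions based on standard IOS behaviour; the sample transcripts are constructed from the Step-1 and Step-2 commands above.

```python
import re
PROMPT = re.compile(r"^[\w-]+\s*(\([\w-]+\))?#\s*")  # console prompt, e.g. 'US(config-isakmp)#'
# IOS fills in these defaults when a 'crypto isakmp policy' omits a parameter, so a
# side that leaves out 'hash sha' still matches a peer that states it explicitly.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha",
            "group": "1", "lifetime": "86400"}
def commands(transcript):  # commands of a pasted console session, prompts removed
    return [c for c in (PROMPT.sub("", ln.strip()) for ln in transcript.splitlines()) if c]

def isakmp_policy(transcript):  # phase-1 parameters as negotiated, defaults filled in
    policy, in_block = dict(DEFAULTS), False
    for cmd in commands(transcript):
        key, _, value = cmd.partition(" ")
        if cmd.startswith("crypto isakmp policy"):
            in_block = True
        elif in_block and key in policy:
            policy[key] = value.strip()
        else:
            in_block = False  # 'ex' or any non-policy command ends the block
    return policy

def transform_set(transcript):  # phase-2 transforms; a bare 'esp-aes' means 'esp-aes 128'
    sets = [c.split(None, 4)[4] for c in commands(transcript) if c.startswith("crypto ipsec transform-set")]
    return re.sub(r"\besp-aes\b(?! \d)", "esp-aes 128", " ".join(sets[0].split())) if sets else None

def crypto_acl(transcript):  # (src, src-wc, dst, dst-wc) tuples of the interesting-traffic ACL
    hits = (re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", c) for c in commands(transcript))
    return [m.groups() for m in hits if m]

def check_peers(a, b):  # mismatches that keep the tunnel down; empty list when the sites agree
    pa, pb = isakmp_policy(a), isakmp_policy(b)
    problems = [f"isakmp {k}: {pa[k]!r} vs {pb[k]!r}" for k in pa
                if k != "lifetime" and pa[k] != pb[k]]  # peers settle on the shorter lifetime
    if transform_set(a) != transform_set(b):
        problems.append(f"transform-set: {transform_set(a)!r} vs {transform_set(b)!r}")
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in crypto_acl(b)}  # peer's ACL, src/dst swapped
    problems += [f"acl entry {e} has no mirror on peer" for e in crypto_acl(a) if e not in mirrored]
    return problems
# Constructed sample: the two sites' Step-1 and Step-2 commands from this post, as pasted.
US_CFG = """US(config)#crypto isakmp policy 7
US(config-isakmp)#authentication pre-share
US(config-isakmp)#encryption aes 128
US(config-isakmp)#hash sha
US(config)#crypto ipsec transform-set vpntrans esp-aes 128 esp-sha-hmac
US(config-ext-nacl)# permit ip 50.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255"""
PK_CFG = """Pakistan(config)#crypto isakmp policy 7
Pakistan(config-isakmp)# authentication pre-share
Pakistan(config-isakmp)#encryption aes 128
Pakistan(config)#crypto ipsec transform-set vpntrans esp-aes  esp-sha-hmac
Pakistan(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 50.0.0.0 0.0.0.255"""
```

`check_peers(US_CFG, PK_CFG)` returns an empty list for the lab above; run it against your own two transcripts before reaching for `show crypto isakmp sa`.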

27 comments:

  1. It's really a nice job...! I only have a doubt. In this case, what are the loopback interfaces for? Needed for what? Are they necessary? Why? What is their function in this scenario?

    Thank you,

    David

  2. Loopbacks are just representing your internal LAN users at these sites... I am using loopbacks here just for testing purposes.

  3. This comment has been removed by a blog administrator.

  4. Nice job my friend.
    The Pakistan router is missing the se 1/0 config, the RIP config and its advertised networks, and all the loopback networks.

  5. Great job, but how did you configure the ISP cloud?
    Replies
    1. Add a router and configure it.
  6. ...With serial interfaces I mean, I only manage to put my computer's interfaces on it.

  7. Hi, thank you for sharing this with us.
    I just noticed that there are configurations not listed in the Pakistan router:
    hash sha
    crypto isakmp key 0 vpnkey address 50.0.0.1 no-xauth

  8. Hey, nice job!!!
    I have noticed that you missed some other configs in the Pakistan router:
    encryption aes 128

    Replies
    1. Yes, that is added now. Thank you.
  9. Dear sir,
    I am very extremely happy to see this site; I think that it looks so good.
    Thank you
    Sincerely
    sothea

  10. This comment has been removed by the author.

  11. I'm trying to configure NAT + a VPN tunnel in the same router, so what extra configuration do I need to do?
    Do I need to create a tunnel interface?

  12. Yes, you configure both on the same router... first configure NAT and then create the VPN tunnel...

  13. Thanks for sharing,
    but I have a question: how can we test the security/encryption?

    I have built the topology and config more or less like yours, and "show crypto ipsec sa" confirms that the packets have been encrypted/decrypted.
    But when I tried to do telnet, the telnet message could still be read with Wireshark...

  14. Hi bro... please, I need your help in my project a bit...

    I am just configuring my VPN IPsec but it shows

    R7#show crypto map
    Crypto Map "pakistan" 1 ipsec-isakmp
    WARNING: This crypto map is in an incomplete state!
    (missing peer or access-list definitions)
    Peer = 192.168.0.2
    Extended IP access list pakistan
    Security association lifetime: 4608000 kilobytes/86400 seconds
    PFS (Y/N): Y
    DH group: group1
    Transform sets={
    fawad,
    }
    Interfaces using crypto map pakistan:
    FastEthernet1/1

    FastEthernet2/0

  15. The GRE tunnel can't be created as the US blocks all VPN tunnels from Pakistan due to terrorism.

  16. How did you configure 2 routers to connect 1 cloud in GNS3?

  17. Hi, thanks. But how can I connect two routers to the cloud?

  18. For people asking about the cloud connection. Ignore the cloud, just place ISP router in between the US and Pakistan and configure it as shown. The cloud is a bit misleading as it is just hiding the ISP router in the diagram.

  19. I have done all the same procedure... All is well but the main purpose is not achieved... As you showed at the end, ISAKMP SAs are shown. But when I did the same procedure, no security associations are found... Let me paste my running config for both....


    US#show run
    US#show running-config
    Building configuration...

    Current configuration : 1627 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname US
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    no ip domain lookup
    ip domain name lab.local
    !
    crypto isakmp policy 1
    crypto isakmp key VPNKEY address 192.168.1.1 no-xauth
    !
    !
    crypto ipsec transform-set VPNTRANS esp-aes 256
    !
    crypto map VPN-MAP 10 ipsec-isakmp
    set peer 192.168.1.1
    set transform-set VPNTRANS
    match address VPN-ACL
    !
    !
    !
    !
    interface Loopback1
    ip address 10.1.1.1 255.255.255.0
    !
    interface Serial0/0
    ip address 50.0.0.1 255.255.255.0
    serial restart-delay 0
    crypto map VPN-MAP
    !
    interface Serial0/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial0/2
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial0/3
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Ethernet1/0
    ip address 9.9.9.2 255.255.255.0
    half-duplex
    !
    interface Ethernet1/1
    no ip address
    shutdown
    half-duplex
    !
    interface Ethernet1/2
    no ip address
    shutdown
    half-duplex
    !
    interface Ethernet1/3
    no ip address
    shutdown
    half-duplex
    !
    router rip
    version 2
    network 9.0.0.0
    network 10.0.0.0
    network 50.0.0.0
    no auto-summary
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    ip access-list extended VPN-ACL
    permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
    !
    !
    !
    control-plane
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login
    !
    !
    end



    PK#show runn
    PK#show running-config
    Building configuration...

    Current configuration : 1749 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname PK
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    no ip domain lookup
    ip domain name lab.local
    !
    crypto isakmp policy 1
    crypto isakmp key VPNKEY address 50.0.0.1 no-xauth
    !
    !
    crypto ipsec transform-set VPNTRANS esp-aes 256
    !

  20. Nice work!!!!!!!!!!!!
    But I have some doubt.... RIP is configured everywhere and the network is reachable through RIP, then why do we need to configure VPN?

  21. I have a question: if RIP was not configured, would the two routers be able to reach each other through VPN?
