CONFIGURING A SITE-TO-SITE VPN BETWEEN TWO CISCO ROUTERS

October 29th, 2009

Copyright (c) 2008 Don R. Crawley

A site-to-site virtual private network (VPN) allows you to maintain a secure "always-on" connection between two physically separate sites using an existing non-secure network such as the public Internet. Traffic between the two sites is transmitted over an encrypted tunnel to prevent snooping or other types of data attacks.

This configuration requires an IOS software image that supports cryptography. The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.

There are several protocols used in creating the VPN, including protocols used for the key exchange between the peers, those used to encrypt the tunnel, and hashing technologies that produce message digests.

VPN Protocols

IPSec: Internet Protocol Security (IPSec) is a suite of protocols that are used to secure IP communications. IPSec involves both key exchanges and tunnel encryption. You can think of IPSec as a framework for implementing security. When creating an IPSec VPN, you can choose from a variety of security technologies to implement the tunnel.

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a means for authenticating the peers in a secure communication. It typically uses Internet Key Exchange (IKE), but other technologies can also be used. Public keys or a pre-shared key are used to authenticate the parties to the communication.

MD5: Message-Digest algorithm 5 (MD5) is a widely used, but partially insecure, cryptographic hash function with a 128-bit hash value. A cryptographic hash function is a way of taking an arbitrary block of data and returning a fixed-size bit string, the hash value, based on the original block of data. The hashing process is designed so that a change to the data will also change the hash value. The hash value is also called the message digest.

SHA: Secure Hash Algorithm (SHA) is a set of cryptographic hash functions designed by the National Security Agency (NSA). The three SHA algorithms are structured differently and are known as SHA-0, SHA-1, and SHA-2. SHA-1 is a commonly used hashing algorithm with a standard key length of 160 bits.

ESP: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality protection of packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP packet header. This difference makes ESP preferred for use in a Network Address Translation configuration. ESP operates directly on top of IP, using IP protocol number 50.

DES: The Data Encryption Standard (DES) provides 56-bit encryption. It is no longer considered a secure protocol because the short key length makes it vulnerable to brute-force attacks.

3DES: Triple DES was designed to overcome the limitations and weaknesses of DES by using three different 56-bit keys in an encrypting, decrypting, and re-encrypting operation. 3DES keys are 168 bits in length. When using 3DES, the data is first encrypted with one 56-bit key, then decrypted with a different 56-bit key, and the output of that is then re-encrypted with a third 56-bit key.

AES: The Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It is available in varying key lengths and is generally considered to be about six times faster than 3DES.

HMAC: The Hashing Message Authentication Code (HMAC) is a type of message authentication code (MAC). HMAC is calculated using a specific algorithm that combines a cryptographic hash function with a secret key.

Configuring a Site-to-Site VPN

The process of configuring a site-to-site VPN involves several steps:

Phase One configuration involves configuring the key exchange. This process uses ISAKMP to identify the hashing algorithm and authentication method. It is also one of two places where you must identify the peer at the opposite end of the tunnel. In this example, we chose SHA as the hashing algorithm due to its more robust nature, including its 160-bit key. The key "vpnkey" must be identical on both ends of the tunnel. The address "192.168.16.105" is the outside interface of the router at the opposite end of the tunnel.

Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105

Phase Two configuration involves configuring the encrypted tunnel. In Phase Two configuration, you create and name a transform set that identifies the encrypting protocols used to create the secure tunnel. You must also create a crypto map in which you identify the peer at the opposite end of the tunnel, specify the transform-set to be used, and specify which access control list will identify the permitted traffic flows. In this example, we chose AES due to its heightened security and enhanced performance. The statement "set peer 192.168.16.25" identifies the outside interface of the router at the opposite end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters specified in the transform-set vpnset for this tunnel. The "match address 100" statement associates the tunnel with access-list 100, which will be defined later.

Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100

The crypto map must be applied to your outside interface (in this example, interface FastEthernet 4):

tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset

You must create an access control list to explicitly permit traffic from the router's inside LAN across the tunnel to the other router's inside LAN (in this example, the router tukwila's inside LAN network address is 10.10.10.0/24 and the other router's inside LAN network address is 10.20.0.0/24):

tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255

(For more information about the syntax of access-control lists, see my other articles on creating and managing Cisco router access-control lists.)

You must also create a default gateway (also known as the "gateway of last resort"). In this example, the default gateway is at 192.168.16.1:

tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1

Verifying VPN Connections

The following two commands can be used to verify VPN connections:

Router#show crypto ipsec sa
This command displays the settings used by the current Security Associations (SAs).

Router#show crypto isakmp sa
This command displays the current IKE Security Associations.

Troubleshooting VPN Connections

After confirming physical connectivity, review both ends of the VPN connection to ensure they mirror each other.
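As an added example (not part of the article, and not the author's own tooling), the Python checker below renders one tunnel end from the configuration pattern shown above and then performs the "mirror each other" review from this troubleshooting step: both ends must use the same hash, authentication method, pre-shared key and transform set, each side's "set peer" must name the other side's outside interface, and the crypto access lists must be exact mirrors with source and destination networks swapped. The template, the single-outside-interface layout and the addresses are constructed for illustration.

```python
import re

# Constructed template following the article's pattern (not the author's own listings).
TEMPLATE = """crypto isakmp policy 10
 hash {hashing}
 authentication pre-share
crypto isakmp key {key} address {peer}
crypto ipsec transform-set vpnset {transform}
crypto map vpnset 10 ipsec-isakmp
 set peer {peer}
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address {outside} 255.255.255.0
 crypto map vpnset
access-list 100 permit ip {lan} 0.0.0.255 {remote_lan} 0.0.0.255
"""

def render(outside, peer, lan, remote_lan, hashing="sha", key="vpnkey",
           transform="esp-aes esp-sha-hmac"):
    """Render one tunnel end's config; defaults match the article's choices."""
    return TEMPLATE.format(**locals())

def parse(cfg):
    """Extract the statements that must agree (or mirror) across the tunnel."""
    def f(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1).strip() if m else None
    return {"hash": f(r"^ hash (\S+)"), "auth": f(r"^ authentication (\S+)"),
            "key": f(r"^crypto isakmp key (\S+) address"),
            "transform": f(r"^crypto ipsec transform-set \S+ (.+)$"),
            "peer": f(r"^ set peer (\S+)"),
            "outside": f(r"^ ip address (\S+)"),  # assumes one outside interface
            "acl": f(r"^access-list \d+ permit ip (.+)$")}

def mirror_problems(local_cfg, remote_cfg):
    """List every way the two ends fail to mirror; an empty list means they match."""
    a, b = parse(local_cfg), parse(remote_cfg)
    missing = sorted({k for side in (a, b) for k, v in side.items() if v is None})
    if missing:
        return [f"missing statements: {missing}"]
    out = [f"{k}: {a[k]!r} vs {b[k]!r}"
           for k in ("hash", "auth", "key", "transform") if a[k] != b[k]]
    # Each side's "set peer" must name the other side's outside interface address.
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        out.append(f"peer mismatch: {a['peer']}/{b['outside']} {b['peer']}/{a['outside']}")
    # The crypto ACLs must be mirror images: source and destination networks swapped.
    sa, sm, da, dm = a["acl"].split()
    if b["acl"].split() != [da, dm, sa, sm]:
        out.append(f"acl not mirrored: {a['acl']!r} vs {b['acl']!r}")
    return out
```

Run it against the two routers' actual running configurations (after reducing them to these statements) before turning on debugging; a non-empty list usually explains a Phase 1 or Phase 2 failure faster than the debug output does.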

Use debugging to analyze VPN connection difficulties:

Router#debug crypto isakmp
This command allows you to observe Phase 1 ISAKMP negotiations.

Router#debug crypto ipsec
This command allows you to observe Phase 2 IPSec negotiations.

Don R. Crawley, Linux+ and CCNA-certified, is president and chief technologist at soundtraining.net, the Seattle training firm specializing in accelerated, task-oriented training for IT professionals. He works with IT pros to enhance their work, lives, and careers. For more information about learning opportunities with soundtraining.net, visit soundtraining.net.
