This article walks you through configuring a site-to-site IPSEC VPN on Cisco routers. Before you start the simulation, I would advise you to go over this article from the Intense School website, which has very good information about the steps needed to configure IPSEC tunnels.

I created two Packet Tracer files for this simulation:

  • configuring_ipsec_init.pkt – this is the starting point of your configuration task.
  • configuring_ipsec_final.pkt – this simulation has the final configuration applied to the routers and you can use it to compare to your configuration and see if you missed anything.

Regarding the topology, on the subnets where a PC is connected, the router’s interface has an IP address whose last octet is .1 and the last octet of the PC’s IP address is .100. The default gateway of the PC is the router’s IP address.

For instance, on the subnet with PC_1: PC_2 has the IP address of 10.10.20.100/24 and R1’s interface IP address is 10.10.20.1/24.

Each router has a loopback address in the form of 1.1.1.X/32, where X is the router number. For instance, the loopback address of R3 is 1.1.1.3/32.

Also, each subnet between the routers is written on the topology and every router uses its router number as the last octet. For instance, on the subnet 10.10.12.0/24, R2 has 10.10.12.2/24 and R1 has 10.10.12.1/24.

All three routers are running OSPF in area 0 so that the end hosts (PC_1 and PC_2) have connectivity between them.

The goal of this simulation is to encrypt part of the traffic sent between R1 and R3 using IPSEC tunnels.

Only TELNET traffic should be encrypted. For testing purposes, we will use TELNET and ICMP traffic to confirm that our IPSEC tunnels are working as expected.

Before an IPSEC tunnel can be configured, both ends of the tunnel must agree on a set of parameters for both ISAKMP phases.

Let’s discuss this first so that the configuration will go smoothly.

Phase 1

  • encryption: AES
  • hashing algorithm: SHA-1
  • authentication method: preshare
  • Diffie-Hellman group: 5
  • session lifetime: 3600
  • key: ipsec_key

Phase 2

  • encryption: ESP-3DES
  • hashing: MD5

Task 1 requirements

  1. on R1 configure an ISAKMP phase 1 policy
  2. on R1 configure the encryption
  3. on R1 configure the hashing algorithm
  4. on R1 configure the authentication method
  5. on R1 configure the Diffie-Hellman group
  6. on R1 configure the session lifetime
  7. on R1 configure the preshared key
  8. on R1 configure an ACL that will match only telnet traffic between the two LANs
  9. on R1 configure the IPSEC transform set with the encryption and hashing needed
  10. on R1 configure the crypto map using the transform set and the ACL previously defined. Use the IP address of R3’s physical interface towards R2 as the peer
  11. on R1 apply the crypto map on the interface towards R2

Task 1 hints

  1. Use the command ‘crypto isakmp policy 1’ to enter ISAKMP policy configuration mode
  2. Use ‘encryption 3des’ to configure the encryption
  3. Use the command ‘hash md5’ to configure the hashing
  4. Use the command ‘authentication pre-share’ to configure the authentication method
  5. Use the command ‘group 5’ to configure Diffie-Hellman group
  6. Use the command ‘lifetime’ to configure the lifetime of the session
  7. Use the command ‘crypto isakmp key IPSEC_KEY address <peer IP>’ to configure the key and the peer IP address
  8. Configure an ACL that permits traffic from 10.10.10.0/24 to 10.10.20.0/24, but only TELNET traffic.

    The ACL should be like this one:

    ip access-list extended IPSEC_TRAFFIC
    permit tcp host 10.10.10.100 eq telnet host 10.10.20.100
    permit tcp host 10.10.10.100 host 10.10.20.100 eq telnet

  9. Use the command ‘crypto ipsec transform-set IPSEC_TS esp-3des esp-md5-hmac’ to configure the transform set
  10. Use the command ‘crypto map CRYPTO_MAP 10 ipsec-isakmp’ to configure the crypto map.
  11. Use ‘set peer 10.10.23.3’ to set R3 as the peer
  12. Use ‘set transform-set IPSEC_TS’ to use the specified transform set
  13. Use ‘match address <ACL>’ to specify the ACL that matches the traffic between R1 and R3
  14. Use ‘crypto map CRYPTO_MAP’ under the interface towards R2 to apply the crypto map

Task 2 requirements

  1. on R3 configure an ISAKMP phase 1 policy
  2. on R3 configure the encryption
  3. on R3 configure the hashing algorithm
  4. on R3 configure the authentication method
  5. on R3 configure the Diffie-Hellman group
  6. on R3 configure the session lifetime
  7. on R3 configure the preshared key
  8. on R3 configure an ACL that will match only telnet traffic between the two LANs
  9. on R3 configure the IPSEC transform set with the encryption and hashing already known
  10. on R3 configure the crypto map using the transform set and the ACL previously defined. Use the IP address of R1’s physical interface towards R2 as the peer
  11. on R3 apply the crypto map on the interface towards R2

Task 2 hints

  1. Use the command ‘crypto isakmp policy 1’ to enter ISAKMP policy configuration mode
  2. Use ‘encryption 3des’ to configure the encryption
  3. Use the command ‘hash md5’ to configure the hashing
  4. Use the command ‘authentication pre-share’ to configure the authentication method
  5. Use the command ‘group 5’ to configure Diffie-Hellman group
  6. Use the command ‘lifetime’ to configure the lifetime of the session
  7. Use the command ‘crypto isakmp key IPSEC_KEY address <peer IP>’ to configure the key and the peer IP address
  8. Configure an ACL that permits traffic from 10.10.20.0/24 to 10.10.10.0/24, but only TELNET traffic.

    The ACL should be like this one:

    ip access-list extended IPSEC_TRAFFIC
    permit tcp host 10.10.20.100 eq telnet host 10.10.10.100
    permit tcp host 10.10.20.100 host 10.10.10.100 eq telnet

  9. Use the command ‘crypto ipsec transform-set IPSEC_TS esp-3des esp-md5-hmac’ to configure the transform set
  10. Use the command ‘crypto map CRYPTO_MAP 10 ipsec-isakmp’ to configure the crypto map.
  11. Use ‘set peer 10.10.12.1’ to set R3 as the peer
  12. Use ‘set transform-set IPSEC_TS’ to use the specified transform set
  13. Use ‘match address <ACL>’ to specify the ACL that matches the traffic between R3 and R1
  14. Use ‘crypto map CRYPTO_MAP’ under the interface towards R2 to apply the crypto map
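As an added example (not part of the article or of the Packet Tracer files), the following Python script parses constructed R1 and R3 snippets built from the commands in the Task 1 and Task 2 hints and reports the mismatches that most often keep a tunnel from coming up: a phase 1 policy or transform set that differs between the peers, and crypto ACLs that are not mirror images of each other. The function names and the snippet contents are assumptions of this example.

```python
import re
# Constructed R1 and R3 snippets that follow the Task 1 and Task 2 hints.
R1_CFG = """crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto ipsec transform-set IPSEC_TS esp-3des esp-md5-hmac
ip access-list extended IPSEC_TRAFFIC
 permit tcp host 10.10.10.100 eq telnet host 10.10.20.100
 permit tcp host 10.10.10.100 host 10.10.20.100 eq telnet"""
R3_CFG = """crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto ipsec transform-set IPSEC_TS esp-3des esp-md5-hmac
ip access-list extended IPSEC_TRAFFIC
 permit tcp host 10.10.20.100 eq telnet host 10.10.10.100
 permit tcp host 10.10.20.100 host 10.10.10.100 eq telnet"""

POLICY_KEYS = ("encryption", "hash", "authentication", "group", "lifetime")
ACE = re.compile(r"permit tcp host (\S+)( eq \S+)? host (\S+)( eq \S+)?")

def parse(cfg):
    """Extract the settings both peers must agree on from an IOS snippet."""
    p = {"policy": {}, "ts": None, "acl": []}
    for line in cfg.splitlines():
        t = line.split()
        if t and t[0] in POLICY_KEYS:
            p["policy"][t[0]] = t[1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            p["ts"] = tuple(t[4:])  # transforms listed after the set name
        elif t and t[0] == "permit":  # ACE -> (src, src-port, dst, dst-port)
            m = ACE.fullmatch(line.strip())
            p["acl"].append(tuple((g or "").strip() for g in m.groups()))
    return p

def check_peers(cfg_a, cfg_b):
    """Return the mismatches that would keep the tunnel from coming up."""
    a, b = parse(cfg_a), parse(cfg_b)
    # The other side must carry each ACE with source and destination swapped.
    mirrored = sorted((d, dp, s, sp) for s, sp, d, dp in a["acl"])
    checks = [
        (a["policy"] != b["policy"], "ISAKMP phase 1 policy differs"),
        (a["ts"] != b["ts"], "IPsec transform set differs"),
        (mirrored != sorted(b["acl"]), "crypto ACLs are not mirror images"),
    ]
    return [msg for bad, msg in checks if bad]
```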

Because there are no intermediate steps you can check while configuring IPSEC tunnels, you have to configure both sides of the tunnel, and only then can you check whether everything is working correctly.

The IPSEC tunnel is established only after you apply the crypto map to the interface. Having all the configuration in place but not applying the crypto map is the same as having no IPSEC configuration on the router at all.

That’s why you should verify only after you have completed Task 2.

We specified that only TELNET traffic will be encrypted, and ICMP will be used as a test to confirm that not all traffic is encrypted.

Go to PC_1, open a command prompt and telnet to 10.10.20.100 (PC_2). The connection will be refused because the TELNET port is not open on PC_2; that is expected. The packet should nevertheless be encrypted. You can confirm this by going to R1 and issuing the command ‘show crypto ipsec sa’. For each telnet attempt, only one packet is sent/received.

The output below was taken just after a single telnet session was initiated from PC_1 to PC_2.

Also, from PC_1 start sending ICMP packets towards PC_2 and confirm that the encapsulated/decapsulated packet counters are not increasing.

R1#sh crypto ipsec sa 

interface: FastEthernet0/0
    Crypto map tag: CRYPTO_MAP, local addr 10.10.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.100/255.255.255.255/6/23)
   remote  ident (addr/mask/prot/port): (10.10.20.100/255.255.255.255/6/0)
   current_peer 10.10.23.3 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.12.1, remote crypto endpt.:10.10.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (10.10.10.100/255.255.255.255/6/0)
   remote  ident (addr/mask/prot/port): (10.10.20.100/255.255.255.255/6/23)
   current_peer 10.10.23.3 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 0
   #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 1, #recv errors 0

     local crypto endpt.: 10.10.12.1, remote crypto endpt.:10.10.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x38305283(942690947)

     inbound esp sas:
      spi: 0x67E41A1E(1743002142)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:1, crypto map: CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4525504/3595)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x38305283(942690947)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: FPGA:1, crypto map: CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4525504/3595)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#
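As an added example (not from the article), this Python helper turns the check above into something repeatable: it parses ‘show crypto ipsec sa’ output into one record per proxy identity and compares two snapshots, so a telnet should move the counters of the telnet identity while a ping should change nothing. The SAMPLE text is a constructed, trimmed excerpt in the layout of the output shown above, and the function names are assumptions of this example.

```python
import re

# Constructed excerpt in the layout of the 'show crypto ipsec sa' output above
# (only the per-flow lines the check needs; other counters omitted).
SAMPLE = """interface: FastEthernet0/0
    Crypto map tag: CRYPTO_MAP, local addr 10.10.12.1

   local  ident (addr/mask/prot/port): (10.10.10.100/255.255.255.255/6/23)
   remote  ident (addr/mask/prot/port): (10.10.20.100/255.255.255.255/6/0)
   current_peer 10.10.23.3 port 500
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)

   local  ident (addr/mask/prot/port): (10.10.10.100/255.255.255.255/6/0)
   remote  ident (addr/mask/prot/port): (10.10.20.100/255.255.255.255/6/23)
   current_peer 10.10.23.3 port 500
   #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 0
   #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 0
     current outbound spi: 0x38305283(942690947)
"""

FIELDS = {
    "local": r"local\s+ident .*?: \((\S+)\)",
    "remote": r"remote\s+ident .*?: \((\S+)\)",
    "peer": r"current_peer (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "spi": r"current outbound spi: (0x[0-9A-Fa-f]+)",
}

def parse_sa(text):
    """One dict per proxy identity (one per crypto ACL entry) in the output."""
    flows = []
    for chunk in re.split(r"(?=^[ \t]*local\s+ident)", text, flags=re.M)[1:]:
        f = {k: re.search(p, chunk).group(1) for k, p in FIELDS.items()}
        f["encaps"], f["decaps"] = int(f["encaps"]), int(f["decaps"])
        flows.append(f)
    return flows

def counter_delta(before, after):
    """Change in (encaps, decaps) per identity between two snapshots."""
    base = {(f["local"], f["remote"]): f for f in parse_sa(before)}
    delta = {}
    for f in parse_sa(after):
        key = (f["local"], f["remote"])
        b = base.get(key, {"encaps": 0, "decaps": 0})
        delta[key] = (f["encaps"] - b["encaps"], f["decaps"] - b["decaps"])
    return delta
```

Take one snapshot before and one after the telnet or ping from PC_1 and feed both to counter_delta; a non-zero delta on the telnet identity and all zeros after a ping is the behaviour the article describes.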

As you can see, IPSEC tunnels are quite complex, but if you pay attention to the details and make sure you configure the same settings on both sides, not much can go wrong.

What is shown in this article is only one way to configure IPSEC tunnels; many more options and settings are available.

Feel free to experiment with the other options available to you when you configure IPSEC tunnels.