Configure Site to Site VPNs in Cisco 2911's
CIS 264
Dan Morrill
Highline Community College
Configuring Site to Site VPN tunnels in a Cisco 2911
Things you will need
A static IP address on the EXTERNAL interface of your router. It needs to be in the 192.168.203.X range for this class (all examples will use this IP range).
Cisco 2911
Access to the router as exec
Patience
Remember to check your work before you commit the changes.
Remember Write MEM.
A backup of your router configuration before doing this, just in case bad things happen to good people.
Where to find external data
http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/ provides a good step by step in case you need it.
http://samcaldwell.net/index.php/technical-articles/3-how-to-articles/83-cisco-vpn-part-i provides good background support for setting up a site to site VPN in a Cisco router.
http://www.fredshack.com/docs/vpnios.html is somewhat convoluted but workable; use it as a backup resource in case something goes wrong.
Create a Key Policy
Create an IKE (Internet Key Exchange) policy for your router:
1. Router(config)#crypto isakmp policy 9
2. Router(config-isakmp)#hash md5
3. Router(config-isakmp)#authentication pre-share
Setup a Shared VPN Key
Router(config)#crypto isakmp key VPNKEY address 192.168.203.25
Where VPNKEY is the shared key that you will use for the VPN; remember to set the same key on the other end. VPNKEY = keyR7ToR5 to help with the naming convention.
192.168.203.25 is the static public IP address of the other end.
Set the Lifetime for the VPN
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
Where YYYYY is the security association's lifetime in seconds. It is usually set to 86400, which is one day.
Set what traffic is to be routed via VPN
Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
Router(config)#access-list AAA permit ip 192.168.203.25 0.0.0.255 192.168.203.26 0.0.0.255
Where 203.26 is the Active Directory server or other computer on the network that will pass data back and forth between racks in the VPN.
Where WIL.DCA.RDM.ASK = wildcard mask of the network, the reverse of the subnet mask for a flat “C” network.
Define the Transformations Set
Define the transform set that will be used for the VPN connection:
Router(config)#crypto ipsec transform-set SETNAME AAAA BBBB
Where SETNAME is the name of the transform set. You can choose any name you like; naming is important to keep track of the transforms.
AAAA and BBBB are the transforms that make up the set. I recommend the use of “esp-3des esp-md5-hmac”.
Create a Crypto Map
Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer 192.168.203.25
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA
Where MAPNAME is a name of your choice for the crypto map.
PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto map, give it any number, for example 10.
192.168.203.25 is the static public IP address of the other end.
SETNAME is the name of the transform set that we configured in step 5.
AAA is the number of the access-list that we created to define the traffic in step 4.
Bind the Crypto Map
Router(config-if)#crypto map MAPNAME
Where MAPNAME is the name of the crypto map that we defined in step 6. This is entered in interface configuration mode for the external interface that carries the static IP.
Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.
For other VPN’s (MESH Network)
Repeat steps 2, 4, 5, 6, 7 for each VPN you want to set up, for each connection point: R3, R4, R5, R6, R7. In all you will have 5 VPN connections in your router configuration.
Remember to skip step 3. This is step 3; it is a global configuration that will work on all VPN’s connected to the router:
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
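To script the per-peer repetition described on this slide, here is an added Python example (not from the slides, Cisco, or the linked guides) that emits one router's configuration for the mesh. It assumes constructed router addresses and protected hosts, the names VPNMAP and VPNSET, the interface GigabitEthernet0/0, and derives the pre-shared key name from the sorted router pair so that both ends use the identical string; the IKE hash and IPsec transform are parameters that default to the slides' values.

```python
"""Added example: emit one router's IOS commands for the full-mesh VPNs.
Global steps (1, 3, 5) are emitted once, steps 2, 4 and 6 once per peer, and
the crypto map is bound to the outside interface once.  Lab values are constructed."""
from typing import Dict, List, Tuple

# Constructed: router -> (static 192.168.203.x outside address, protected host
# behind it, e.g. the Active Directory server the slides mention).
RACKS: Dict[str, Tuple[str, str]] = {
    "R3": ("192.168.203.23", "10.3.0.10"), "R4": ("192.168.203.24", "10.4.0.10"),
    "R5": ("192.168.203.25", "10.5.0.10"), "R6": ("192.168.203.26", "10.6.0.10"),
    "R7": ("192.168.203.27", "10.7.0.10"),
}

def shared_key_name(a: str, b: str) -> str:
    """Both ends must type the identical pre-shared key, so derive the name from
    the sorted pair: R5 and R7 both get keyR5ToR7 (never keyR7ToR5 on one side)."""
    lo, hi = sorted((a, b))
    return f"key{lo}To{hi}"

def mesh_config(local: str, racks: Dict[str, Tuple[str, str]], *,
                map_name: str = "VPNMAP", set_name: str = "VPNSET",
                lifetime: int = 86400, ike_hash: str = "md5",
                transform: str = "esp-3des esp-md5-hmac",
                outside_if: str = "GigabitEthernet0/0") -> List[str]:
    """Config lines for `local`; hash/transform are parameters so the slides'
    md5/3des defaults can be swapped for stronger ones."""
    lines = [
        "crypto isakmp policy 9", f" hash {ike_hash}", " authentication pre-share",
        f"crypto ipsec security-association lifetime seconds {lifetime}",  # step 3, once
        f"crypto ipsec transform-set {set_name} {transform}",               # step 5, once
    ]
    local_host = racks[local][1]
    for n, remote in enumerate(sorted(name for name in racks if name != local)):
        remote_ip, remote_host = racks[remote]
        acl, seq = 100 + n, 10 * (n + 1)  # extended ACL (src+dst); unique map sequence
        lines += [
            f"crypto isakmp key {shared_key_name(local, remote)} address {remote_ip}",
            f"access-list {acl} permit ip host {local_host} host {remote_host}",
            f"crypto map {map_name} {seq} ipsec-isakmp",
            f" set peer {remote_ip}", f" set transform-set {set_name}",
            f" match address {acl}",
        ]
    # Step 7: one crypto map name, bound once to the outside interface.
    lines += [f"interface {outside_if}", f" crypto map {map_name}"]
    return lines

if __name__ == "__main__":
    print("\n".join(mesh_config("R7", RACKS)))
```

Paste the output into the router after reviewing it, then run the verification commands on the next slide against each peer.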
Verify your config
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto map
All of those should show what you entered.
Then write mem. Then do a show run to see if everything took after write mem.
Questions?