Configure Site to Site VPNs in Cisco 2911's

CIS 264 Dan Morrill Highline Community College Configuring Site to Site VPN tunnels in a Cisco 2911

description

Quick presentation on the steps to build out a mesh site to site network using a cisco 2911

Transcript of Configure Site to Site VPNs in Cisco 2911's

Page 1: Configure Site to Site VPNs in Cisco 2911's

CIS 264, Dan Morrill

Highline Community College

Configuring Site to Site VPN tunnels in a Cisco 2911

Page 2: Configure Site to Site VPNs in Cisco 2911's

Things you will need

- A static IP address on the EXTERNAL interface of your router. Needs to be in the 192.168.203.X range for this class (all examples will use this IP range)
- Cisco 2911
- Access to the router as exec
- Patience
- Remember to check your work before you commit the changes
- Remember Write MEM
- A backup of your router configuration before doing this, just in case bad things happen to good people

Page 3: Configure Site to Site VPNs in Cisco 2911's

Where to find external data

- http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/ provides a good step by step in case you need it
- http://samcaldwell.net/index.php/technical-articles/3-how-to-articles/83-cisco-vpn-part-i provides good background support for setting up a site to site VPN in a Cisco router
- http://www.fredshack.com/docs/vpnios.html is somewhat convoluted but workable – use it as a backup resource in case something goes wrong

Page 4: Configure Site to Site VPNs in Cisco 2911's

Create a Key Policy

Create an IKE (Internet Key Exchange) policy for your router:

1. Router(config)#crypto isakmp policy 9
2. Router(config-isakmp)#hash md5
3. Router(config-isakmp)#authentication pre-share

Page 5: Configure Site to Site VPNs in Cisco 2911's

Setup a Shared VPN Key

Router(config)#crypto isakmp key VPNKEY address 192.168.203.25

Where VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end. VPNKEY = keyR7ToR5 to help with the naming convention.

192.168.203.25 is the static public IP address of the other end.

Page 6: Configure Site to Site VPNs in Cisco 2911's

Set the Lifetime for the VPN

Router(config)#crypto ipsec security-association lifetime seconds YYYYY

Where YYYYY is the association's lifetime in seconds. It is usually set to 86400, which is one day.

Page 7: Configure Site to Site VPNs in Cisco 2911's

Set what traffic is to be routed via VPN

Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK

access-list AAA permit ip 192.168.203.25 0.0.0.255 192.168.203.26 0.0.0.255

Where 203.26 is the Active Directory server or other computer on the network that will pass data back and forth between racks in the VPN.

Where WIL.DCA.RDM.ASK = wild card mask of the network, the reverse subnet for a flat “C” network.

Page 8: Configure Site to Site VPNs in Cisco 2911's

Define the Transformations Set

Define the transform set that will be used for the VPN connection:

Router(config)#crypto ipsec transform-set SETNAME AAAA BBBB

Where SETNAME is the name of the transform set. You can choose any name you like. Naming is important to keep track of the transforms.

AAAA and BBBB are the transforms that make up the set. I recommend the use of “esp-3des esp-md5-hmac”.

Page 9: Configure Site to Site VPNs in Cisco 2911's

Create a Crypto Map

Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer 192.168.203.25
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA

Where MAPNAME is a name of your choice for the crypto map.

PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto map give it any number, for example 10.

192.168.203.25 is the static public IP address of the other end.

SETNAME is the name of the transform set that we configured in step 5.

AAA is the number of the access-list that we created to define the traffic in step 4.

Page 10: Configure Site to Site VPNs in Cisco 2911's

Bind the Crypto Map

Router(config-if)#crypto map MAPNAME

Where MAPNAME is the name of the crypto map that we defined in step 6.

Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.

Page 11: Configure Site to Site VPNs in Cisco 2911's

For other VPN’s (MESH Network)

Repeat steps 2, 4, 5, 6, 7 for each VPN you want to set up, for each connection point: R3, R4, R5, R6, R7. In all you will have 5 VPN connections in your router configuration.

Remember to skip step 3. This is step 3; it is a global configuration that will work on all VPN’s connected to the router:

Router(config)#crypto ipsec security-association lifetime seconds YYYYY
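The following is an added example, not part of the slides or any class material: it generates the IOS configuration the slides walk through (pages 4 to 10) for every peer of the mesh described on this page, and then applies the rule from page 10 (same key, same authentication, same transform set on both ends) as a check between two routers' configurations. Everything beyond the slide's own commands is an assumption: the router labels (R2 to R7), the addresses other than R5's 192.168.203.25 and 192.168.203.26, the key-name convention (higher router number first, so both ends derive keyR7ToR5), the access-list numbers starting at 100, the names VPNSET and VPNMAP, the wildcard 0.0.0.255 from page 7, and the interface GigabitEthernet0/0. One IOS behaviour the generator relies on, which the slides leave implicit: an interface accepts a single crypto map, so the five peers become five entries (sequence numbers 10, 20, ...) inside the same map rather than five separate maps. The transform set defaults to the esp-3des esp-md5-hmac the slides recommend; current IOS releases treat 3DES and MD5 as legacy and offer AES and SHA, which can be passed in through the same parameter.

```python
# Added example, not part of the slides: build the IOS configuration the slides
# walk through for every peer in a mesh, then check that two ends agree with each other.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Router:
    name: str         # router label, assumed to look like "R7"
    external_ip: str  # static public IP on the EXTERNAL interface (192.168.203.X in class)
    lan_host: str     # host behind the router that is allowed through the tunnel (page 7)


# Constructed class-room data: R5 uses the addresses from the slides, the rest are made up.
CLASS_ROUTERS = [
    Router("R2", "192.168.203.20", "192.168.203.120"),
    Router("R3", "192.168.203.21", "192.168.203.121"),
    Router("R4", "192.168.203.22", "192.168.203.122"),
    Router("R5", "192.168.203.25", "192.168.203.26"),
    Router("R6", "192.168.203.24", "192.168.203.124"),
    Router("R7", "192.168.203.27", "192.168.203.127"),
]


def key_name(a: str, b: str) -> str:
    """Shared-key name for a pair. Assumed convention: higher router number first,
    so both R7 and R5 derive keyR7ToR5 and therefore configure the same key."""
    hi, lo = sorted((a, b), key=lambda n: int(n[1:]), reverse=True)
    return f"key{hi}To{lo}"


def build_config(local: Router, peers: List[Router], acl_base: int = 100,
                 seq_step: int = 10, lifetime: int = 86400, set_name: str = "VPNSET",
                 map_name: str = "VPNMAP", transform: str = "esp-3des esp-md5-hmac",
                 wan_if: str = "GigabitEthernet0/0", wildcard: str = "0.0.0.255") -> List[str]:
    """IOS lines for one router, in slide order. Names, numbers and the interface are
    assumptions; the transform defaults to the one the slides recommend."""
    lines = [
        # Page 4: IKE policy, once per router
        "crypto isakmp policy 9",
        " hash md5",
        " authentication pre-share",
        # Page 6: global SA lifetime, once per router (the step the mesh slide says to skip)
        f"crypto ipsec security-association lifetime seconds {lifetime}",
        # Page 8: one transform set, reused by every crypto map entry
        f"crypto ipsec transform-set {set_name} {transform}",
    ]
    for i, peer in enumerate(peers):
        acl = acl_base + i          # distinct access-list per peer
        seq = seq_step * (i + 1)    # distinct sequence number per peer
        lines += [
            # Page 5: pre-shared key tied to the peer's public address
            f"crypto isakmp key {key_name(local.name, peer.name)} address {peer.external_ip}",
            # Page 7: interesting traffic, flat class C wildcard as on the slide
            f"access-list {acl} permit ip {local.lan_host} {wildcard} {peer.lan_host} {wildcard}",
            # Page 9: an interface takes only one crypto map, so every peer is an entry
            # with its own sequence number inside the same map
            f"crypto map {map_name} {seq} ipsec-isakmp",
            f" set peer {peer.external_ip}",
            f" set transform-set {set_name}",
            f" match address {acl}",
        ]
    # Page 10: bind the single crypto map to the external interface
    lines += [f"interface {wan_if}", f" crypto map {map_name}"]
    return lines


def mesh_configs(routers: List[Router]) -> Dict[str, List[str]]:
    """Full mesh: each router gets one tunnel to every other router."""
    return {r.name: build_config(r, [p for p in routers if p is not r]) for r in routers}


def check_pair(cfg_a: List[str], ip_a: str, cfg_b: List[str], ip_b: str) -> List[str]:
    """Page 10's rule as a check: both ends must use the same key, authentication and
    transform set, and each must have a crypto map entry pointing at the other.
    Returns the list of mismatches; an empty list means the pair is consistent."""
    def key_for(cfg, peer_ip):
        for line in cfg:
            if line.startswith("crypto isakmp key ") and line.endswith(f" address {peer_ip}"):
                return line.split()[3]
        return None

    def transforms(cfg):
        return [" ".join(l.split()[4:]) for l in cfg if l.startswith("crypto ipsec transform-set ")]

    def policy(cfg):
        return [l.strip() for l in cfg if l.startswith(" hash ") or l.startswith(" authentication ")]

    problems = []
    if key_for(cfg_a, ip_b) is None or key_for(cfg_a, ip_b) != key_for(cfg_b, ip_a):
        problems.append("pre-shared key differs or is missing")
    if policy(cfg_a) != policy(cfg_b):
        problems.append("IKE hash/authentication differs")
    if transforms(cfg_a) != transforms(cfg_b):
        problems.append("transform set differs")
    if f" set peer {ip_b}" not in cfg_a or f" set peer {ip_a}" not in cfg_b:
        problems.append("missing crypto map entry for the other end")
    return problems


if __name__ == "__main__":
    cfgs = mesh_configs(CLASS_ROUTERS)
    print("\n".join(cfgs["R7"]))
    print("R7<->R5:", check_pair(cfgs["R7"], "192.168.203.27", cfgs["R5"], "192.168.203.25") or "consistent")
```

Running the script prints R7's configuration (five key lines, five access-lists, five entries in VPNMAP, one interface binding) and reports the R7/R5 pair as consistent; editing the transform or the key on one end makes `check_pair` name the mismatch, which is the same thing `show crypto isakmp sa` and `show crypto ipsec sa` on page 12 would reveal after the fact as a tunnel that never comes up.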

Page 12: Configure Site to Site VPNs in Cisco 2911's

Verify your config

show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto map

All those should show what you entered.

Then write mem. Then do a show run to see if everything took after write mem.

Page 13: Configure Site to Site VPNs in Cisco 2911's

Questions?