Configuring a Site-to-Site VPN Between Two Cisco Routers
A site-to-site virtual private network (VPN) lets you maintain a secure, “always-on” connection between two physically separate sites over an unsecured network such as the Internet. Traffic between the two sites travels through an encrypted tunnel, which protects it from eavesdropping and other attacks on your data.
This configuration requires a cryptography-capable IOS image. The image used in these examples is c870-advipservicesk9-mz.124-15.T6.bin.
A range of protocols is used to build the VPN: protocols for exchanging keys between the peers, protocols that secure the tunnel itself, and hashing algorithms that produce message digests.
VPN Protocols
IPsec: Internet Protocol Security (IPsec) is a suite of protocols used to secure IP communications. IPsec combines key exchange with tunnel encryption; you can think of it as a framework for implementing protection rather than a single method. When building an IPsec-based VPN, you can choose from several security strategies to construct the tunnel.
Internet Security Association and Key Management Protocol (ISAKMP)
ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a means of authenticating the peers so that they can exchange keys securely. It normally uses Internet Key Exchange (IKE), although other protocols are possible. The peers can be authenticated with public keys or with pre-shared keys.
Message Digest Algorithm 5 (MD5)
MD5: Message Digest Algorithm 5 (MD5) is a widely used but largely insecure cryptographic hash function that produces a 128-bit hash value. A cryptographic hash function processes an arbitrary amount of data and returns a fixed-length bit string whose value depends on the original data; it is designed so that any change to the data changes its hash value. The resulting value is known as the message digest.
Secure Hash Algorithm (SHA)
SHA: Secure Hash Algorithm (SHA) is a family of cryptographic hash functions designed by the National Security Agency (NSA). There are three SHA algorithms, structured differently and distinguished as SHA-0, SHA-1 and SHA-2. SHA-1 is the most widely used of the SHA hash functions and produces a 160-bit hash value.
Encapsulating Security Payload (ESP)
ESP: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity and confidentiality protection for packets. ESP also supports encryption-only and authentication-only configurations, but encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP packet header, which makes ESP the preferred protocol in Network Address Translation (NAT) configurations. ESP runs directly over IP as IP protocol number 50.
Data Encryption Standard (DES)
DES: Data Encryption Standard (DES) uses a 56-bit key. It is no longer considered secure because its short key length makes it susceptible to brute-force attacks.
Triple DES (3DES)
3DES: Triple DES (3DES) was designed to overcome the weaknesses of DES by using three distinct 56-bit keys to encrypt, decrypt and re-encrypt the data, for a total key length of 168 bits. With 3DES the data is first encrypted with one 56-bit key, then decrypted with a second 56-bit key, and the result is encrypted again with a third 56-bit key.
Advanced Encryption Standard (AES)
AES: Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It is available in several key lengths and is considered to be roughly six times more efficient than 3DES.
Hash-based Message Authentication Code (HMAC)
HMAC: Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC). An HMAC is calculated with a specific algorithm that combines a cryptographic hash function with a secret key.
Configuring a Site-to-Site VPN
Creating a site-to-site VPN involves several steps:
Phase one configuration sets up the key exchange. This step uses ISAKMP to establish the hashing algorithm and the authentication method. It is also one of the two places where you must identify the peer at the other end of the tunnel. In this example we chose SHA as the hashing algorithm because of its greater strength and its 160-bit hash value. Note that the pre-shared key “vpnkey” must be identical on both ends of the tunnel. The address 192.168.16.105 is the outside interface of the router at the far end of the tunnel.
Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105
Phase two configuration builds the encrypted tunnel. In phase two you create and specify the transform set, which determines the encryption protocols used to build the secure tunnel. You must also create a crypto map, which identifies the peer on the other side of the tunnel, specifies the transform set to use, and names the access list that defines the traffic allowed through the tunnel. In this example we chose AES for its greater security and speed. The statement “set peer 192.168.16.105” identifies the outside interface of the router at the other end of the tunnel. The statement “set transform-set vpnset” tells the router to use the parameters defined in the transform set vpnset for this tunnel. The statement “match address 100” ties the tunnel to access list 100, which will be created later.
Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100
The crypto map must then be applied to the outside interface (in this example, FastEthernet 4):
tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset
You also need to create an access list that explicitly permits traffic from one router’s internal LAN to pass through the tunnel to the other router’s internal LAN (in this example, the local router’s internal LAN is 10.10.10.0/24; the remote router’s internal LAN must be a different, non-overlapping subnet).
(For more details on the format of access control lists, see my other articles on creating and managing Cisco router access control lists.)
You must also configure a default route (also known as the “gateway of last resort”).
Verifying VPN Connections
Two commands can be used to verify VPN connections:
Router#show crypto ipsec sa
This command shows the settings used by the currently active security associations (SAs).
Router#show crypto isakmp sa
This command shows the current IKE security associations.
Troubleshooting VPN Connections
After confirming physical connectivity, examine each setting of the VPN configuration on both routers to confirm that they mirror one another.
Use the debug commands to investigate VPN connection issues:
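As an added example (not code from the article), the following Python script renders the tukwila configuration from the phase one, phase two and access-list steps above for both ends of the tunnel, parses those running-config excerpts, and reports every setting that fails to mirror between the two routers, including the IOS defaults (DES encryption, DH group 1) that the article's phase one policy leaves unstated. The remote router's outside address 192.168.16.105 is the article's; tukwila's own outside address 192.168.16.25, the remote LAN 10.20.20.0/24 and the function names are assumptions.

```python
import re

def ios_vpn_config(outside_ip, peer_ip, local_lan, remote_lan):
    # Render one end of the article's tukwila config (with the deferred access-list 100); addresses are sample inputs
    return f"""crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address {peer_ip}
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address {outside_ip} 255.255.255.0
 crypto map vpnset
access-list 100 permit ip {local_lan} {remote_lan}
"""

def parse_vpn(cfg):
    # Pull phase 1, phase 2, peer and ACL settings out of a running-config excerpt
    v, block = {"policy": {"encryption": "des", "group": "1"}, "map": {}, "acl": {}}, None  # IOS policy defaults
    for line in cfg.splitlines():
        if not line.startswith(" "):  # global command; remember which sub-mode block follows it
            block = ("policy" if line.startswith("crypto isakmp policy") else "map" if line.startswith("crypto map")
                     else "if" if line.startswith("interface") else None)
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line): v["psk"], v["psk_peer"] = m.groups()
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line): v["tset"] = (m[1], frozenset(m[2].split()))
            elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
                v["acl"].setdefault(m[1], []).append((m[2], m[3]))
        elif block == "policy":
            k, val = line.split(None, 1); v["policy"][k] = val          # e.g. " hash sha"
        elif block == "map":
            _, k, val = line.split(None, 2); v["map"][k] = val          # " set peer X", " match address N"
        elif block == "if" and line.startswith(" ip address"):
            v["outside"] = line.split()[2]
    return v

def mirror_problems(a, b):
    # Names of settings that do not mirror between the two ends (empty list = consistent)
    checks = [(f"isakmp {k}", a["policy"].get(k) != b["policy"].get(k))
              for k in ("hash", "authentication", "encryption", "group")]
    checks += [("pre-shared key", a["psk"] != b["psk"]),
               ("transform-set", a["tset"][1] != b["tset"][1]),
               # both the isakmp key and the crypto map on each end must name the other's outside address
               ("peer address", any(x["psk_peer"] != y["outside"] or x["map"]["peer"] != y["outside"]
                                    for x, y in ((a, b), (b, a)))),
               ("access-list not mirrored", set(a["acl"][a["map"]["address"]])
                != {(d, s) for s, d in b["acl"][b["map"]["address"]]})]
    return [name for name, bad in checks if bad]
```

Feed parse_vpn the crypto, interface and access-list sections of each router's show running-config; any name that mirror_problems returns is a setting that differs between the two ends and will keep the tunnel from coming up.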