# Cisco IOS Site to Site VPN (Router)

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/CMvimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/CMvimage.png)

In this network configuration a site-to-site VPN is built between Router1 and Router2 across the link through Router0, which stands in for the transit network. First let's set up the IP and routing information on all three routers as well as the two PCs.

#### Router0 IP and Routing Configuration Commands

```
Router0>enable
Router0#configure terminal
Router0(config)#interface serial 0/0/0
Router0(config-if)#ip address 172.16.1.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#interface serial 0/0/1
Router0(config-if)#ip address 172.16.2.1 255.255.255.248
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#ip route 192.168.10.0 255.255.255.0 172.16.1.2
Router0(config)#ip route 192.168.20.0 255.255.255.0 172.16.2.2
```

Router0 only needs to reach the two outside addresses (172.16.1.2 and 172.16.2.2) for the VPN to work, because the encrypted packets travel between those addresses. The two static routes for the LAN prefixes let the lab pass traffic before the VPN exists; a real transit provider would not carry your private prefixes.

#### Router1 IP and Routing Configuration Commands

```
Router1>enable
Router1#configure terminal
Router1(config)#interface serial 0/0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.248
Router1(config-if)#no shutdown
Router1(config-if)#interface fastEthernet 0/0
Router1(config-if)#ip address 192.168.10.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
```

#### Router2 IP and Routing Configuration Commands

```
Router2>enable
Router2#configure terminal
Router2(config)#interface serial 0/0/0
Router2(config-if)#ip address 172.16.2.2 255.255.255.248
Router2(config-if)#no shutdown
Router2(config-if)#interface fastEthernet 0/0
Router2(config-if)#ip address 192.168.20.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1
```

#### PC Computers IP Configuration
[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/06Timage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/06Timage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/O0fimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/O0fimage.png)

Now that all the routers and PCs have their IP addressing and routing information configured it is time to move on to the specific configuration for enabling the Site-to-Site VPN. This process can be divided into four phases. The first sets the IKE phase 1 (ISAKMP) parameters, the second the IPsec (IKE phase 2) parameters, and the last two bind them to an interface and to the traffic that should be protected.

##### Phase 1 - The Key Exchange Setup
| Phase 1 Commands | Notes |
|---|---|
| crypto isakmp enable | ISAKMP is enabled by default on IOS; the command is harmless if it is already on. |
| crypto isakmp policy 10 | The number can be any number between 1 and 10,000. It is the priority of the policy; lower numbers are tried first. |
| encryption aes | This could be 3des, but AES is more robust. Plain aes means AES-128; aes 256 selects a 256-bit key. |
| hash sha | sha = secure hash algorithm (this keyword selects SHA-1). md5 could be used, but SHA is more robust; newer images also accept sha256. |
| group 1 | Specifies the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. Group 1 is 768-bit, which is fine for a Packet Tracer lab but far too small for real traffic; use group 14 (2048-bit) or higher where the image supports it. |
| lifetime 3600 | Specifies the ISAKMP (phase 1) Security Association (SA) lifetime in seconds. The default is 86,400 seconds or 24 hours. A shorter lifetime limits how long one set of keys stays in use, at the cost of more frequent renegotiation. |
| authentication pre-share | Authenticate the peers with a pre-shared key rather than RSA signatures (the default). |
| crypto isakmp key *ciscokey123* address 172.16.2.2 | The italicized text is just a text string that has to match on both sides of the connection. The IP address is the public IP address of our **peer on the other side of the VPN connection**. Outside a lab use a long random key: anyone who learns it can impersonate the peer. |
##### Phase 2 - Encrypting the Tunnel
| Phase 2 Commands | Notes |
|---|---|
| crypto ipsec transform-set *vpnset* esp-aes esp-sha-hmac | The italicized text is the set name and can be changed. This could be esp-3des and esp-md5-hmac, but both are legacy choices; on a production router prefer esp-aes 256 and esp-sha256-hmac where supported. |
| crypto map vpnset 10 ipsec-isakmp | The number is any number between 1 and 65,535 that identifies the sequence to insert into the crypto map. The map name (vpnset) happens to match the transform-set name on this page, but the two are independent objects. |
| set transform-set vpnset | Use the transform set defined above. The set must actually exist, otherwise the crypto map is incomplete and no IPsec SA can be built. |
| match address 100 | Match the addresses in the access control list coming up. This identifies the inside-to-inside traffic flow. |
| set peer 172.16.2.2 | The address of the other router's outside interface. |
##### Phase 3 - Applying the Crypto Map to the Outside Router Interface
| Phase 3 Commands | Notes |
|---|---|
| int s0/0/0 | Whatever the outside interface of the router is (f0/0, g0/2, etc.) |
| crypto map vpnset | Binds the map to the interface. Only one crypto map can be applied to an interface, though it may contain several sequence entries. |
##### Phase 4 - Creating an Access List to Identify the Traffic Flow (inside to inside LAN traffic)
| Phase 4 Commands | Notes |
|---|---|
| access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 | These are the inside networks of both routers, written from this router's point of view (source = local LAN, destination = remote LAN). The peer's list must be the exact mirror image, or phase 2 fails because the proxy identities (traffic selectors) do not match. |
Let's start with Router1.

#### Router1 VPN Configuration Commands

```
Router1>enable
Router1#configure terminal
Router1(config)#crypto isakmp enable
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption aes
Router1(config-isakmp)#hash sha
Router1(config-isakmp)#group 1
Router1(config-isakmp)#lifetime 3600
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key ciscokey123 address 172.16.2.2
Router1(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map vpnset 10 ipsec-isakmp
Router1(config-crypto-map)#set transform-set vpnset
Router1(config-crypto-map)#match address 100
Router1(config-crypto-map)#set peer 172.16.2.2
Router1(config-crypto-map)#exit
Router1(config)#int serial 0/0/0
Router1(config-if)#crypto map vpnset
Router1(config-if)#exit
Router1(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
```

The crypto ipsec transform-set line from the Phase 2 table is required: without it, set transform-set vpnset refers to a set that does not exist and no IPsec SA can be negotiated.

#### Router2 VPN Configuration Commands

```
Router2>enable
Router2#configure terminal
Router2(config)#crypto isakmp enable
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encryption aes
Router2(config-isakmp)#hash sha
Router2(config-isakmp)#group 1
Router2(config-isakmp)#lifetime 3600
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key ciscokey123 address 172.16.1.2
Router2(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map vpnset 10 ipsec-isakmp
Router2(config-crypto-map)#set transform-set vpnset
Router2(config-crypto-map)#match address 100
Router2(config-crypto-map)#set peer 172.16.1.2
Router2(config-crypto-map)#exit
Router2(config)#int serial 0/0/0
Router2(config-if)#crypto map vpnset
Router2(config-if)#exit
Router2(config)#access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
```

Note that Router2's pre-shared key, peer and access list all point back at Router1: the key and peer use Router1's outside address, and the access list is the mirror image of Router1's.

#### Check Status of VPN

##### Check the status of the Internet Security Association Management Protocol (ISAKMP) Security Associations (SAs) built between the peers
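Before bringing the tunnel up it is worth checking the two configurations against each other, because most site-to-site failures are one-character mismatches. The following Python script is an added example, not code from the page or from Cisco: it parses IOS config text in the form shown in the tables above, checks one router for a missing transform set and for legacy policy values (the IOS defaults apply when an attribute is omitted), and cross-checks the pair for peer address, pre-shared key and mirrored crypto ACL. ROUTER1 is constructed from the page's Router1 commands and deliberately leaves out the transform-set definition so the checker has something to catch; ROUTER2 is derived from it. All helper names are ours.

```python
"""Added example (not from the page): lint the two router configs above.
Input is IOS config text as the tables show it (no prompts, sub-mode lines
indented one space).  ROUTER1 is constructed from the page's Router1 commands
and deliberately omits the transform-set definition; helper names are ours."""
ROUTER1 = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 group 1
 authentication pre-share
crypto isakmp key ciscokey123 address 172.16.2.2
crypto map vpnset 10 ipsec-isakmp
 set transform-set vpnset
 match address 100
 set peer 172.16.2.2
interface Serial0/0/0
 ip address 172.16.1.2 255.255.255.248
 crypto map vpnset
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
def swap(text, a, b):                            # exchange a and b in text
    return text.replace(a, "\0").replace(b, a).replace("\0", b)
# Router2: outside addresses and crypto ACL swapped, plus the transform-set
# definition that ROUTER1 leaves out.
ROUTER2 = ("crypto ipsec transform-set vpnset esp-aes esp-sha-hmac\n"
           + swap(swap(ROUTER1, "172.16.1.2", "172.16.2.2"),
                  "192.168.10.0", "192.168.20.0"))
# IOS defaults for omitted policy attributes, and values to flag on a new build.
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"},   # sha = SHA-1
        "group": {"1", "2", "5"}}                               # 768/1024/1536-bit DH
def parse(text):
    """VPN-relevant pieces of an IOS config as plain dicts."""
    cfg = {k: {} for k in ("ifaces", "policies", "keys", "tsets", "maps", "acls")}
    cur = None                                   # open sub-mode, if any
    for line in text.splitlines():
        t = line.split()
        if t and not line.startswith(" "):       # global-config command
            cur = None
            if t[0] == "interface":
                cur = cfg["ifaces"].setdefault(t[1], {})
            elif t[:3] == ["crypto", "isakmp", "policy"]:
                cur = cfg["policies"].setdefault(t[3], {})
            elif t[:3] == ["crypto", "isakmp", "key"]:   # key <psk> address <peer>
                cfg["keys"][t[5]] = t[3]
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][t[3]] = t[4:]
            elif t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
                cur = cfg["maps"].setdefault(t[2], {})
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                cfg["acls"].setdefault(t[1], []).append((t[4], t[6]))
        elif t and cur is not None:              # sub-mode command
            if t[0] in ("crypto", "ip", "match", "set"):
                # crypto map X / ip address X / match address X / set <attr> X
                cur[{"crypto": "map", "ip": "ip", "match": "acl"}.get(t[0], t[1])] = t[2]
            else:                                # encryption, hash, group, ...
                cur[t[0]] = t[1]
    return cfg

def bound(cfg):                                  # (interface, its crypto map)
    for d in cfg["ifaces"].values():
        if "map" in d:
            return d, cfg["maps"].get(d["map"])
    return None, None

def lint_router(cfg):
    """Single-router problems, as a list of strings."""
    iface, m = bound(cfg)
    if iface is None or m is None:
        return ["crypto map not applied to an interface, or applied but undefined"]
    out = []
    if m.get("transform-set") not in cfg["tsets"]:
        out.append(f"transform-set {m.get('transform-set')} referenced but not defined")
    for seq, p in cfg["policies"].items():
        for attr, weak in WEAK.items():
            val = p.get(attr, DEFAULTS[attr])
            if val in weak:
                out.append(f"isakmp policy {seq}: {attr} {val} is legacy strength")
    return out

def lint_pair(a, b):
    """Cross-checks that need both ends: peer addresses, PSK, mirrored ACL."""
    (ia, ma), (ib, mb) = bound(a), bound(b)
    if not (ma and mb):
        return ["cannot cross-check: a crypto map is missing on one side"]
    out = []
    if ma.get("peer") != ib.get("ip") or mb.get("peer") != ia.get("ip"):
        out.append("set peer does not match the other router's outside address")
    k1, k2 = a["keys"].get(ma.get("peer")), b["keys"].get(mb.get("peer"))
    if not (k1 and k1 == k2):
        out.append("pre-shared key missing on one side or differs between routers")
    mirror = {(dst, src) for src, dst in a["acls"].get(ma.get("acl"), [])}
    if mirror != set(b["acls"].get(mb.get("acl"), [])):
        out.append("crypto ACLs are not mirror images of each other")
    return out

if __name__ == "__main__":
    r1, r2 = parse(ROUTER1), parse(ROUTER2)
    print(lint_router(r1), lint_router(r2), lint_pair(r1, r2), sep="\n")
```

Run as-is it reports the missing transform set on ROUTER1 and flags hash sha and group 1 on both policies, while the pair check comes back clean. Feed it the running-config of a real pair (strip the prompts first) and the same three functions apply; the DEFAULTS table matters there, because a policy that simply omits encryption silently negotiates DES.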
```
Router1#show crypto isakmp sa
```

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/wXMimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/wXMimage.png)

If you run the command right after establishing the VPN you might see a very blank status screen: the ISAKMP SA is only negotiated when traffic matching the crypto ACL first needs to be sent. You can wait for connections to start establishing across the VPN or you can simply do a ping across the VPN. Then when you run the command again you should see a more informative status like this.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/35dimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/35dimage.png)

You can see from the output above the destination (Router2) IP address and the source (Router1). Most importantly, the status shows that the security association (link) is ACTIVE; a healthy phase 1 SA sits in state QM_IDLE, whereas an SA stuck in MM_NO_STATE usually means main mode failed, typically because of a pre-shared key or policy mismatch.

##### Check the Internet Security Association Management Protocol (ISAKMP) Policy

```
Router1#show crypto isakmp policy
```

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/4viimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/4viimage.png)

As you can see our new ISAKMP policy is at a higher priority than the default protection suite policy. This output shows the priority, the encryption type (AES), the hash (SHA), the authentication method (pre-shared), the Diffie-Hellman group (1), and the lifetime (3600). These are all the values we set in the configuration.

##### Check the Crypto Map Settings

```
Router1#show crypto map
```

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/QmIimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/QmIimage.png)

This gives a wealth of information about the configured crypto map, including the name and sequence number. The configured peer is visible, and the access list is present as well as the interface that the map is assigned to.
##### Check the IPsec Security Association

```
Router1#show crypto ipsec sa
```

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/hF3image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/hF3image.png)

There is a lot of information in this output, but probably the most valuable is the highlighted area above showing that encapsulation and decapsulation are taking place across the VPN (the #pkts encaps and #pkts decaps counters). Additionally, you can see the status of the inbound and outbound tunnel and the configured encryption algorithms.

#### Check Ping from PC0 to PC1 and vice versa

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/0rmimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/0rmimage.png)

The first ping will most likely lose some packets, because the first packet triggers the IKE negotiation and is dropped while the SAs are being built; subsequent pings will complete 100%.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/IN1image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/IN1image.png)

A successful ping on its own does not prove the traffic is encrypted. In this lab Router0 has static routes for both LANs, so the PCs can also reach each other in the clear if the crypto map is missing, applied to the wrong interface, or the ACL does not match. Ping, then confirm that the encaps and decaps counters in show crypto ipsec sa have increased by the number of packets sent.

#### Cisco Packet Tracer File

[net13 site to site vpn.pkt](https://bookstack.taylorhome.run/attachments/8)
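The three checks above (ISAKMP SA state, IPsec counters, ping) can be combined into one pass/fail test. The following Python is an added example, not from the page or from Cisco: it parses show crypto isakmp sa and two snapshots of show crypto ipsec sa, taken before and after a test ping, and only reports the tunnel healthy when phase 1 is ACTIVE in QM_IDLE and both the encaps and decaps counters for the peer have moved. The show outputs embedded in it are constructed to match the IOS format rather than captured from this lab, and the helper names are ours.

```python
"""Added example (not from the page): judge tunnel health from show output.
Takes `show crypto isakmp sa` plus two snapshots of `show crypto ipsec sa`
(before and after a test ping).  The outputs below are constructed in the
IOS format, not captured from the page's lab; helper names are ours."""
import re

ISAKMP_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.2.2      172.16.1.2      QM_IDLE           1001 ACTIVE
"""
# MM_NO_STATE is what a failed main mode typically leaves behind, for
# example after a pre-shared key or policy mismatch.
ISAKMP_FAILED = ISAKMP_UP.replace("QM_IDLE", "MM_NO_STATE")

IPSEC_BEFORE = """\
interface: Serial0/0/0
    Crypto map tag: vpnset, local addr 172.16.1.2
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 172.16.2.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
"""
# The same output after four more pings went through the tunnel.
IPSEC_AFTER = IPSEC_BEFORE.replace(": 4", ": 8")

def isakmp_sas(text):
    """Rows of `show crypto isakmp sa` as dicts keyed by column name."""
    cols = ("dst", "src", "state", "conn_id", "status")
    return [dict(zip(cols, t)) for t in map(str.split, text.splitlines())
            if len(t) == 5 and t[0][0].isdigit()]

def ipsec_counters(text):
    """{peer: {"encaps": n, "decaps": n}} from `show crypto ipsec sa`."""
    out, peer = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*current_peer (\S+)", line)
        if m:
            peer = m.group(1)
            out[peer] = {}
        for name in ("encaps", "decaps"):
            m = re.search(rf"#pkts {name}: (\d+)", line)
            if m and peer:
                out[peer][name] = int(m.group(1))
    return out

def tunnel_health(peer, isakmp_text, before, after):
    """(ok, findings).  Phase 1 must be QM_IDLE/ACTIVE and both encaps and
    decaps must have moved between the snapshots: a ping that succeeds while
    the counters stay flat went around the tunnel in the clear (in this lab
    Router0 routes both LANs, so such a ping would still succeed)."""
    findings = []
    sa = [r for r in isakmp_sas(isakmp_text) if peer in (r["dst"], r["src"])]
    if not sa:
        findings.append(f"no ISAKMP SA with {peer}")
    elif (sa[0]["state"], sa[0]["status"]) != ("QM_IDLE", "ACTIVE"):
        findings.append(f"ISAKMP SA with {peer} is {sa[0]['state']} {sa[0]['status']}")
    b, a = ipsec_counters(before).get(peer, {}), ipsec_counters(after).get(peer, {})
    for name in ("encaps", "decaps"):
        if a.get(name, 0) <= b.get(name, 0):
            findings.append(f"#pkts {name} did not increase for {peer}")
    return not findings, findings

if __name__ == "__main__":
    print(tunnel_health("172.16.2.2", ISAKMP_UP, IPSEC_BEFORE, IPSEC_AFTER))
    print(tunnel_health("172.16.2.2", ISAKMP_FAILED, IPSEC_BEFORE, IPSEC_BEFORE))
```

The first call returns healthy; the second reports the MM_NO_STATE SA and both flat counters. Checking decaps as well as encaps matters: encaps alone rises when this router encrypts, but only decaps proves the far side is encrypting and the replies are arriving through the tunnel.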