Ipsec Configuration

This document outlines the steps to configure an IPsec VPN tunnel between two routers, R1 and R2, including: 1) Defining IKE Phase 1 and Phase 2 policies, pre-shared keys, and crypto maps on each router; 2) Creating an extended access list to define the permitted traffic between the 10.10.10.0/24 and 20.20.20.0/24 networks; 3) Verifying the IPsec tunnel is active by pinging between the two networks and checking the crypto session status.

Uploaded by

harshit ashara

IPsec: STEPS

ROUTER TO ROUTER TUNNEL


STEP 1: PHASE 1 POLICY

• R1(config)# crypto isakmp policy 1
• R1(config-isakmp)# encr 3des
• R1(config-isakmp)# hash md5
• R1(config-isakmp)# authentication pre-share
• R1(config-isakmp)# group 2
• R1(config-isakmp)# lifetime 86400

• This policy negotiates 3DES, MD5 and Diffie-Hellman group 2 (1024-bit). All three are legacy choices that are fine for a lab but should be replaced by AES, SHA-256 and DH group 14 or higher on a production tunnel. The peer must have a Phase 1 policy with the same encryption, hash, authentication and group values, otherwise IKE negotiation fails.
STEP 2: PRE-SHARED KEY

• Next we define a pre-shared key for authentication with our peer (the R2 router) using the following command:

• R1(config)# crypto isakmp key firewallcx address 1.1.1.2

• The pre-shared key is firewallcx and the peer's public IP address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2 (1.1.1.2), this pre-shared key will be used. The same key must be configured on R2 for address 1.1.1.1. A short dictionary word like this is only acceptable in a lab; use a long random key in production.
STEP 3: IPSEC CONFIG

• To configure IPsec we need to set up the following, in order:

• - Create extended ACL
• - Create IPsec transform set
• - Create crypto map
• - Apply crypto map to the public interface
INTERESTING TRAFFIC
• CREATING EXTENDED ACL

• Next step is to create an access-list that defines the traffic we would like the router to pass through the VPN tunnel. In this example, it is traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access-lists that define VPN traffic are sometimes called crypto access-lists or interesting traffic access-lists. Traffic that does not match the list is forwarded in the clear, and the peer's crypto access-list must be the mirror image of this one (20.20.20.0/24 to 10.10.10.0/24).

• R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
IPSEC TRANSFORM
• CREATE IPSEC TRANSFORM SET (ISAKMP PHASE 2 POLICY)

• Next step is to create the transform set used to protect our data. We've named it TS.

• R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

• The above command defines the following:

• - esp-3des - ESP encryption with 3DES
• - esp-md5-hmac - ESP integrity with HMAC-MD5

• As with Phase 1, these are legacy algorithms; esp-aes 256 with esp-sha256-hmac is the usual modern choice. The transform set must match on both peers.
CRYPTO MAP
• The crypto map is the last step of our setup and ties the previously defined ISAKMP and IPsec configuration together:

• R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
APPLY CRYPTO MAP TO THE PUBLIC INTERFACE

• The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet0/1. Without this step the map exists but no traffic is ever encrypted.

• R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP

• Note that you can assign only one crypto map to an interface; additional peers are added as further sequence numbers (for example CMAP 20) within the same map.
R2 CONFIG
• R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400

• R2(config)# crypto isakmp key firewallcx address 1.1.1.1

• R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

• R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

• R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC

• R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP
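• The following is an added example, not code from the slides: a small Python checker that parses the R1 and R2 crypto configuration from the commands above (the config text is constructed here from those commands, with the R2 side derived as the mirror image), evaluates a flow against the interesting-traffic ACL, and then performs the checks a practitioner runs before troubleshooting a tunnel that will not come up: legacy algorithms in the Phase 1 policy and transform set, a crypto map that references a missing ACL or is not applied to any interface, Phase 1 and transform-set parity between the peers, mirrored crypto ACLs, and matching pre-shared keys. The legacy-algorithm lists (WEAK, WEAK_ESP) are an assumed hardening baseline, not something the slides state, and the parser only understands the command forms shown on this page.

```python
import ipaddress

# Constructed input (not captured from a router): R1 from the slides as "show running-config"
# prints it, prompts stripped; R2 is the mirror image (1.1.1.x swapped, ACL src/dst reversed).
R1_CONFIG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key firewallcx address 1.1.1.2
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TS
 match address VPN-TRAFFIC
interface FastEthernet0/1
 crypto map CMAP
"""
R2_CONFIG = (R1_CONFIG.replace("address 1.1.1.2", "address 1.1.1.1")
             .replace("set peer 1.1.1.2", "set peer 1.1.1.1")
             .replace("10.10.10.0 0.0.0.255 20.20.20.0", "20.20.20.0 0.0.0.255 10.10.10.0"))

# Legacy keywords to flag (assumption: a hardening baseline, not from the slides); IOS "hash sha" is SHA-1.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' pair -> ip_network (the wildcard is the inverted netmask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_config(text):
    """Minimal parser for the crypto-related parts of an IOS running-config."""
    cfg = {"isakmp": {}, "keys": {}, "acls": {}, "ts": {}, "maps": {}, "ifaces": {}}
    ctx = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):                 # top-level command opens a new context
            ctx = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                ctx = cfg["isakmp"]
            elif w[:3] == ["crypto", "isakmp", "key"]:
                cfg["keys"][w[5]] = w[3]             # peer address -> pre-shared key
            elif w[:3] == ["ip", "access-list", "extended"]:
                ctx = cfg["acls"].setdefault(w[3], [])
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["ts"][w[3]] = w[4:]
            elif w[:2] == ["crypto", "map"]:
                ctx = cfg["maps"].setdefault(w[2], {})
            elif w[0] == "interface":
                ctx = cfg["ifaces"].setdefault(w[1], {})
        elif isinstance(ctx, list):                  # ACL entry: permit|deny ip SRC WC DST WC
            ctx.append((w[0], wildcard_net(w[2], w[3]), wildcard_net(w[4], w[5])))
        elif isinstance(ctx, dict):                  # "encr 3des", "set peer X", "crypto map X"
            key, val = (w[1], w[2:]) if w[0] in ("set", "match", "crypto") else (w[0], w[1:])
            ctx[key] = " ".join(val)
    return cfg

def is_interesting(acl, src, dst):
    """First-match evaluation of a crypto ACL: True means the flow goes into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False                                     # implicit deny: forwarded in the clear

def audit(cfg):
    """Single-router checks: legacy algorithms and dangling crypto-map references."""
    out = [f"legacy isakmp {k} {v}" for k, v in cfg["isakmp"].items() if v in WEAK.get(k, ())]
    for name, algs in cfg["ts"].items():
        out += [f"legacy transform {a} in {name}" for a in algs if a in WEAK_ESP]
    for name, m in cfg["maps"].items():
        if m.get("address") not in cfg["acls"]:
            out.append(f"map {name}: unknown crypto ACL {m.get('address')}")
        if name not in {i.get("map") for i in cfg["ifaces"].values()}:
            out.append(f"map {name}: not applied to any interface")
    return out

def check_peers(a, b):
    """Two-router checks: Phase 1 parity, transform parity, mirrored ACLs, equal PSKs."""
    out = [f"phase 1 mismatch on {k}" for k in ("encr", "hash", "authentication", "group")
           if a["isakmp"].get(k) != b["isakmp"].get(k)]
    ma, mb = next(iter(a["maps"].values())), next(iter(b["maps"].values()))
    if sorted(a["ts"][ma["transform-set"]]) != sorted(b["ts"][mb["transform-set"]]):
        out.append("transform-set mismatch")
    flows_a = {(s, d) for act, s, d in a["acls"][ma["address"]] if act == "permit"}
    flows_b = {(s, d) for act, s, d in b["acls"][mb["address"]] if act == "permit"}
    if {(d, s) for s, d in flows_a} != flows_b:     # every permit on A must appear reversed on B
        out.append("crypto ACLs are not mirror images")
    if a["keys"].get(ma["peer"]) != b["keys"].get(mb["peer"]):
        out.append("pre-shared keys differ")
    return out
```

• Running audit(parse_config(R1_CONFIG)) on the configuration above reports the five legacy choices (3DES, MD5 and group 2 in Phase 1; esp-3des and esp-md5-hmac in the transform set) and nothing else, while check_peers on the R1/R2 pair returns no findings because the two sides are mirrored. Adding a second permit entry to only one side's VPN-TRAFFIC list, or hardening the algorithms on one router but not the other, is reported as a mismatch, which is exactly the class of error that leaves a tunnel stuck in negotiation.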
VERIFICATION

• R1# ping 20.20.20.1 source fastethernet0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms

• The ping is sourced from the inside interface (10.10.10.1) so that it matches the crypto access-list; a ping sourced from 1.1.1.1 would not be interesting traffic and would never trigger the tunnel. The first echo is lost while IKE negotiates the Phase 1 and Phase 2 SAs; once the tunnel is up the remaining echoes succeed.

VERIFICATION
• R1# show crypto session

Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500
  IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
        Active SAs: 2, origin: crypto map

• UP-ACTIVE confirms that the IKE SA with 1.1.1.2 is established and that the two IPsec SAs (one inbound, one outbound) exist for the flow defined by VPN-TRAFFIC.
