Configuring a Site-to-Site VPN Between Two Cisco Routers
A site-to-site virtual private network (VPN) lets you maintain a secure, “always-on” connection between two physically separate sites across an unsecured network such as the Internet. Traffic between the two sites travels through an encrypted tunnel to protect it from eavesdropping and other attacks on your data.
This configuration requires an IOS image that supports cryptography. The one used in these examples is c870-advipservicesk9-mz.124-15.T6.bin.
Several protocols are involved in building the VPN: protocols used for key exchange between the peers, protocols used to secure the tunnel, and hashing algorithms that produce message digests.
VPN Protocols
IPsec
Internet Protocol Security (IPsec) is a suite of protocols used to secure IP communications. IPsec covers both key exchange and tunnel encryption, so you can think of it as a framework for protection. When you build a VPN with IPsec, you choose from a number of security options to create the encrypted tunnel.
ISAKMP (IKE)
Internet Security Association and Key Management Protocol (ISAKMP) provides a way for the parties to authenticate each other in order to secure their communication. It generally uses Internet Key Exchange (IKE), though other protocols are possible. Public keys or pre-shared keys can be used to authenticate the parties in the exchange.
MD5
Message-Digest algorithm 5 (MD5) is a widely used but now generally insecure cryptographic hash function with a 128-bit hash value. A cryptographic hash function takes an arbitrary block of data and returns a fixed-size bit string that depends on the input data. Hashing is designed so that any change to the data changes its hash value. The hashed value is known as the message digest.
Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA) is a family of cryptographic hash functions designed by the National Security Agency (NSA). There are three SHA algorithms, structured differently and known as SHA-0, SHA-1 and SHA-2. SHA-1 is the most commonly used member of the family and produces a 160-bit hash value.
Encapsulating Security Payload (ESP)
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity and confidentiality protection for packets. ESP also supports encryption-only and authentication-only configurations, but encryption without authentication is not recommended because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP header of the packet, which is why ESP is the protocol to use when Network Address Translation is involved. ESP operates directly over IP as IP protocol 50.
Data Encryption Standard (DES)
Data Encryption Standard (DES) is a 56-bit encryption algorithm. It is no longer considered secure because its short key length makes it vulnerable to brute-force attacks.
3DES
Triple DES (3DES) was designed to overcome the weaknesses of DES by using three separate 56-bit keys for encryption, decryption and re-encryption; 3DES keys are therefore 168 bits long. The data is first encrypted with one 56-bit key, then decrypted with a second 56-bit key, and the result is encrypted again with a third 56-bit key.
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) was designed to replace DES and 3DES. It offers a range of key lengths and is considered roughly six times as efficient as 3DES.
HMAC
Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC). An HMAC is calculated with a specific algorithm that combines a cryptographic hash function with a secret key.
Configuring a Site-to-Site VPN
Building a VPN between one site and another involves several steps:
Phase One configuration sets up the key exchange. This process uses ISAKMP to identify the hashing algorithm and the authentication method. It is also one of two places where you must identify the peer at the other end of the tunnel. In this example we chose SHA as the hashing algorithm because of its greater strength and its 160-bit hash. Note that the key “vpnkey” must be identical on both ends of the tunnel. The address 192.168.16.105 is the outside interface of the router at the other end of the tunnel.
Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105
Phase Two configuration sets up the encrypted tunnel. In Phase Two you create and define the transform set, which determines the encryption protocols used to build the tunnel. You also create a crypto map that identifies the peer on the other end of the tunnel, specifies the transform set to use, and names the access-control list that defines which traffic is allowed through the tunnel. In this example we chose AES for its superior efficiency and security. The statement “set peer 192.168.16.105” identifies the outside interface of the router at the other end of the tunnel. The statement “set transform-set vpnset” tells the router to use the parameters in transform-set vpnset to build this tunnel. The statement “match address 100” ties the tunnel to access-list 100, which is defined later.
Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100
The crypto map must then be applied to the outside interface (in this case FastEthernet 4):
tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset
You must create an access control list that explicitly permits traffic from this router’s inside LAN to the other router’s inside LAN (in this case the router’s inside LAN is 10.10.10.0/24 and the other router’s inside LAN is 10.10.10.0/24).
(For more on the format of access control lists, see my other articles on designing and managing Cisco router access control lists.)
You must also configure a default gateway (also called the “gateway of last resort”).
Verifying VPN Connections
The following two commands can be used to verify the VPN connection:
Router#show crypto ipsec sa
This command displays the settings used by the current security associations (SAs).
Router#show crypto isakmp sa
This command displays the current IKE security associations.
Troubleshooting VPN Connections
After verifying physical connectivity, review both ends of the VPN connection to confirm that they mirror each other.
Use debugging to investigate VPN connection issues:
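The mirror check described above, and the access-list and peer settings from the configuration steps, as an added example that is not part of the original article: a small Python script that builds the IOS configuration for each end of the tunnel from one template, then parses both and reports anything that does not match or mirror. The page shows only tukwila's side; the remote router name "renton", its outside address (192.168.16.105, the peer address used on the page) and its inside LAN 10.20.20.0/24 are assumptions made for this example.

```python
import re
# Added example (not from the page): check that two routers' IPsec configs mirror each
# other. The page shows only tukwila; "renton", its outside address and 10.20.20.0/24 are assumed.
def site_config(outside, peer, local_lan, remote_lan, transform="esp-aes esp-sha-hmac"):
    """IOS snippet for one end of the tunnel; both ends are built from the same template."""
    return f"""\
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address {peer}
crypto ipsec transform-set vpnset {transform}
crypto map vpnset 10 ipsec-isakmp
 set peer {peer}
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address {outside} 255.255.255.0
 crypto map vpnset
access-list 100 permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255
"""

TUKWILA = site_config("192.168.16.25", "192.168.16.105", "10.10.10.0", "10.20.20.0")
RENTON = site_config("192.168.16.105", "192.168.16.25", "10.20.20.0", "10.10.10.0")

def parse(cfg):
    """Extract the values that must agree (or be mirrored) between the two peers."""
    g = lambda pat: re.search(pat, cfg, re.M).groups()
    key, key_peer = g(r"^crypto isakmp key (\S+) address (\S+)")
    acl_id, src, swc, dst, dwc = g(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")
    return {"outside": g(r"^ ip address (\S+)")[0], "key": key, "key_peer": key_peer,
            "hash": g(r"^ hash (\S+)")[0], "peer": g(r"^ set peer (\S+)")[0],
            "transform": g(r"^crypto ipsec transform-set \S+ (.+)$")[0].split(),
            "acl_bound": g(r"^ match address (\d+)")[0] == acl_id,
            "local": (src, swc), "remote": (dst, dwc)}

def mirror_problems(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the two sides mirror each other."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for me, other in ((a, b), (b, a)):
        # "set peer" and the pre-shared key address must both point at the other outside interface
        if me["peer"] != other["outside"] or me["key_peer"] != other["outside"]:
            out.append(f"peer/key address {me['peer']} is not the other side's {other['outside']}")
        if not me["acl_bound"]:  # otherwise IOS leaves the crypto map disabled
            out.append("crypto map 'match address' does not reference the defined access-list")
    for field in ("key", "hash", "transform"):
        if a[field] != b[field]:
            out.append(f"{field} differs between the two sides")
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        out.append("access-list 100 is not the mirror image of the remote access-list")
    return out
```

Feed it the output of "show running-config" from both routers instead of the constructed strings to check a real pair.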