Configure and verify a Site-to-Site IPsec VPN Tunnel

Reference no: EM133996829

Network Security Implementation

Lab Tutorial - Configure and verify a Site-to-Site IPsec VPN Tunnel

Introduction
Site-to-site IPSec VPN Tunnels allow secure data transmission, voice, and video between two sites (e.g., offices or branches). The VPN tunnel is created over the Internet public network and encrypted using several advanced encryption algorithms to provide confidentiality of the data transmitted between the two sites.

This tutorial will show how to set up and configure two Cisco routers to create a permanent secure site-to-site VPN tunnel over the Internet using the IP Security (IPSec) protocol. We assume both Cisco routers have a static public IP address.

IPSec VPN tunnels can also be built as GRE (Generic Routing Encapsulation) tunnels protected by IPsec; GRE tunnels greatly simplify the configuration and administration of VPN tunnels. Lastly, DMVPNs, a newer VPN approach that provides major flexibility and almost no administration overhead, can be examined by reading our Understanding Cisco Dynamic Multipoint VPN (DMVPN), Dynamic Multipoint VPN (DMVPN) Deployment Models & Architectures and Configuring Cisco Dynamic Multipoint VPN (DMVPN) - Hub, Spokes, mGRE Protection and Routing - DMVPN Configuration articles.

ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.

Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IPSec then encrypts the data using encryption algorithms and provides authentication, encryption, and anti-replay services.

IPSec VPN Requirements

To make this tutorial easy to follow, we have split it into the two steps required to get the Site-to-Site IPSec VPN Tunnel working.

These steps are:

Configure ISAKMP (ISAKMP Phase 1)

Configure IPSec (ISAKMP Phase 2, ACLs, Crypto Map)

Our example setup is between two branches of a small company: Site 1 and Site 2. Both the branch routers connect to the Internet and have a static IP Address assigned by their ISP, as shown on the diagram:

Site 1 has an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to connect both LAN networks securely and allow full communication without restrictions.

Configure ISAKMP (IKE) - (ISAKMP Phase 1)
IKE exists only to establish SAs (Security Associations) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.

We'll start working on the Site 1 router (R1).

The first step is to configure an ISAKMP Phase 1 policy:

The above commands define the following (in listed order):

3DES - The encryption method to be used for Phase 1.
MD5 - The hashing algorithm
Pre-share - Use the Pre-shared key as the authentication method
Group 2 - Diffie-Hellman group to be used
86400 - Session key lifetime. Expressed in either kilobytes (re-key after that amount of traffic) or seconds. The value set is the default value.
We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site, it will send all five policies and use the first match that is accepted by both ends.

Next, we are going to define a pre-shared key for authentication with our peer (R2 router) by using the following command:

The peer's pre-shared key is set to firewallcx, and its public IP Address is 1.1.1.2. This pre-shared key will be used whenever R1 tries to establish a VPN tunnel with R2 (1.1.1.2).

Configure IPSec

To configure IPSec we need to set up the following, in order:

Create extended ACL
Create IPSec Transform
Create Crypto Map
Apply crypto map to the public interface
Let us examine each of the above steps.

Step 1: Creating Extended ACL
The next step is to create an access list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would be traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access lists that define VPN traffic are sometimes called crypto access lists or interesting traffic access lists.

Step 2: Create IPSec Transform (ISAKMP Phase 2 Policy)

The next step is creating the transform set to protect our data. We've named this TS:

The above command defines the following:
ESP-3DES - Encryption method
MD5 - Hashing algorithm

Step 3: Create Crypto Map

The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together:

We've named our crypto map CMAP. The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Although only one peer is declared in this crypto map (1.1.1.2), multiple peers can exist within a given crypto map.

Step 4: Apply Crypto Map To The Public Interface

The final step is to apply the crypto map to the router's outgoing interface, which here is FastEthernet 0/1.

Note that only one crypto map can be assigned to an interface.

As soon as we apply the crypto map to the interface, the router prints a message confirming that ISAKMP is on: "ISAKMP is ON."
At this point, we have completed the IPSec VPN configuration on the Site 1 router.
We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, with the only difference being the peer IP Addresses and access lists:

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400

R2(config)# crypto isakmp key firewallcx address 1.1.1.1
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC

R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP

Network Address Translation (NAT) and IPSec VPN Tunnels

Network Address Translation (NAT) is usually also configured on these routers to provide Internet access to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the router not to perform NAT (deny NAT) on packets destined for the remote VPN network(s); otherwise the LAN-to-LAN traffic is translated before the crypto ACL is evaluated and never matches the tunnel.
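Added here as a consolidated listing (not the tutorial's own command output): the R1 side of the Phase 1 and Phase 2 steps described above, using only the values the text gives (policy 1, 3DES, MD5, pre-shared key firewallcx for peer 1.1.1.2, ACL VPN-TRAFFIC, transform set TS, crypto map CMAP on FastEthernet0/1) and mirroring the R2 listing, followed by the NAT exemption this section calls for. The NAT part assumes R1's LAN interface is FastEthernet0/0, that Internet access uses overload (PAT) on FastEthernet0/1, and a NAT ACL name NAT-TRAFFIC chosen here; none of these appear on the page.

```ios
! ISAKMP Phase 1 policy (global): 3DES, MD5, pre-shared key, DH group 2, 86400 s lifetime
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
! Pre-shared key for peer R2 (1.1.1.2)
R1(config)# crypto isakmp key firewallcx address 1.1.1.2
! Crypto ACL (interesting traffic): Site 1 LAN -> Site 2 LAN; R2's ACL is the exact mirror
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
! Phase 2 transform set: ESP with 3DES encryption and MD5 HMAC
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
! Crypto map ties peer, transform set and crypto ACL together
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
! Apply to the public (outgoing) interface; only one crypto map per interface
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
!
! NAT exemption (assumed LAN interface Fa0/0, PAT on Fa0/1, ACL name chosen here).
! In a NAT ACL, "deny" means "do not translate", not "drop": the deny for the
! VPN destination must come BEFORE the permit, or VPN traffic is translated
! to 1.1.1.1 and no longer matches VPN-TRAFFIC.
R1(config)# ip access-list extended NAT-TRAFFIC
R1(config-ext-nacl)# deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 any
R1(config)# ip nat inside source list NAT-TRAFFIC interface FastEthernet0/1 overload
R1(config)# interface FastEthernet0/0
R1(config-if)# ip nat inside
R1(config)# interface FastEthernet0/1
R1(config-if)# ip nat outside
```

R2 needs the equivalent exemption, a deny for 20.20.20.0/24 to 10.10.10.0/24 placed ahead of its own NAT permit, or the tunnel will only carry traffic in one direction.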

Establishing And Verifying the IPSec VPN Tunnel

We've completed our configuration, and the VPN Tunnel is ready to be brought up. To initiate the VPN Tunnel, we need to force one packet to traverse the VPN, and this can be achieved by pinging from one router to another:

The first ICMP echo (ping) timed out, but the rest received a reply, as expected. The time required to bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first ping to time out.

To verify the VPN Tunnel, use the show crypto session command:

This completes our tutorial on setting up and configuring two Cisco routers to create a permanent secure site-to-site VPN tunnel over the Internet using the IP Security (IPSec) protocol.
