Site to Site Virtual Private Network Configuration

Site to Site VPN Configuration with Pre-Shared Key
Recommended Read:
- What is VPN-Virtual Private Network.
- Types and classification of VPN.
- All about Cisco CCNA, CCNP and CCIE you must know.
Site to Site VPN
To understand a site-to-site VPN, take an organization with offices in several locations. Its primary requirement is easy and secure connectivity between the branches so that resources can be shared and employees can collaborate. Secure VoIP between branches is another common requirement, so that staff can call each other. The branches are usually far apart, so a service provider is needed to connect them. There are two options:
- Leased line
Many telecommunication companies provide leased-line services. They can deliver the connectivity, but they charge by speed and by the distance between the branches, so a long link or a fast one becomes expensive.
Leased line characteristics:-
- Isolated from the outside world
- Lower link speed for the money
- More security (the traffic never touches the public Internet)
- Broadband Internet connection
The same telecommunication companies also provide this. The only difference is that the branches are connected over a public network, the Internet.
Broadband Internet characteristics:-
- Direct connectivity with the outside world
- High-speed connectivity
- Less security compared to a leased line (traffic crosses a shared, untrusted network)
Cost plays an important role in any purchase. Looking at the two solutions against our requirements:
- We want direct connectivity to the world through the Internet.
- We want a high-speed link.
- We also want security for the data going between branches.
A broadband connection fulfils the first two requirements; the only problem is security. A VPN is used to provide it: a site-to-site VPN lets two sites communicate securely over an insecure network (the Internet).
Figure-2-1
Site to Site VPN Working:-
- PC1 wants to communicate with PC2.
- PC1 generates a packet with source 192.168.101.100 and destination 192.168.102.100 and delivers it to its gateway.
- The gateway looks up the destination and routes the packet to the exit interface. A crypto map is applied to that interface, so the router checks the packet against the crypto map's access-list. If the packet matches a permit entry it is encrypted and authenticated (hashed); otherwise it is routed towards the Internet unprotected. This is the point to remember: the crypto ACL, not the VPN as such, decides which traffic is protected.
- The router then looks for an existing security association (SA) with the peer. If none exists, the initiator sends its proposal to the responder over ISAKMP, UDP port 500.
- IKE phase 1 and phase 2 are negotiated. Once phase 2 completes, the protected data is delivered to the peer.
IOS Site to Site VPN With Pre-Shared Key
R1
interface FastEthernet0/0
 ip address 192.168.101.1 255.255.255.0
 no shutdown
interface Serial0/0
 ip address 101.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
ISP
interface Serial0/0
 ip address 101.1.1.1 255.255.255.0
 no shutdown
interface Serial0/1
 ip address 102.1.1.1 255.255.255.0
 no shutdown
R2
interface FastEthernet0/0
 ip address 192.168.102.1 255.255.255.0
 no shutdown
interface Serial0/0
 ip address 102.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
Before adding any crypto, confirm plain IP reachability: each router can reach its own LAN interface and the other router's WAN address through the ISP. IKE cannot negotiate over a path that does not work in the clear.
R1
R1#ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1#ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/26/80 ms
R2
R2#ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/80 ms
R1
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto isakmp key shiva address 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 set peer 102.1.1.100
 set transform-set t-set
 match address 101
interface Serial0/0
 crypto map test
R2
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto isakmp key shiva address 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 set peer 101.1.1.100
 set transform-set t-set
 match address 102
interface Serial0/0
 crypto map test
Two things to note before copying this into production. First, the crypto ACL selects what is protected: only traffic matching access-list 101 (on R1) or 102 (on R2) is encrypted, everything else leaving Serial0/0 goes to the Internet in the clear, and the two ACLs must be exact mirrors of each other or phase 2 will fail or only work in one direction. Second, `hash sha` is SHA-1, `group 5` is 1536-bit Diffie-Hellman and `esp-sha-hmac` is HMAC-SHA-1; IOS still accepts them and they are fine for this lab, but current guidance is SHA-256, DH group 14 or stronger, and a long random pre-shared key rather than a dictionary word such as `shiva`.
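The crypto-map behaviour described under "Site to Site VPN Working" and the two-router configuration above can be checked offline before the tunnel is brought up. The following Python script is an added example, not code from this page or from Cisco: it re-types the R1 and R2 crypto commands as constructed strings (one command per line, the way IOS stores them), parses them, classifies sample packets against R1's crypto ACL using IOS wildcard-mask semantics, verifies that the two peers' ISAKMP policy, pre-shared key, transform set and crypto ACLs agree (the ACLs must be exact mirrors), and flags the parameters that are below current recommendations: `hash sha` is SHA-1, `group 5` is 1536-bit Diffie-Hellman, `esp-sha-hmac` is HMAC-SHA-1, and a five-character PSK is brute-forceable. The "weak" sets and the 20-character PSK threshold are the example's own assumptions.

```python
import ipaddress

# Constructed input: the page's R1 and R2 crypto commands, one per line as IOS stores them.
R1_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto isakmp key shiva address 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 set peer 102.1.1.100
 set transform-set t-set
 match address 101
"""
R2_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto isakmp key shiva address 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 set peer 101.1.1.100
 set transform-set t-set
 match address 102
"""

# Assumed "weak" sets for the audit: IOS 'hash sha' is SHA-1, 'group 5' is 1536-bit DH.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
MIN_PSK_LEN = 20  # assumption for this example

def parse_config(text):
    """Extract the ISAKMP policy, PSKs, transform set, crypto ACLs and crypto-map bindings."""
    cfg = {"policy": {}, "keys": {}, "transform": None, "acl": {}, "peer": None, "match": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            cfg["policy"][t[0]] = " ".join(t[1:])
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"][t[5]] = t[3]  # peer address -> pre-shared key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = tuple(t[4:])
        elif t[0] == "access-list":  # (action, proto, src, src-wc, dst, dst-wc)
            cfg["acl"].setdefault(t[1], []).append(tuple(t[2:8]))
        elif t[:2] == ["set", "peer"]:
            cfg["peer"] = t[2]
        elif t[:2] == ["match", "address"]:
            cfg["match"] = t[2]
    return cfg

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def classify(cfg, src, dst):
    """What the crypto map does with a packet leaving the interface it is bound to."""
    for action, _proto, s, sw, d, dw in cfg["acl"][cfg["match"]]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return "encrypt" if action == "permit" else "clear"
    return "clear"  # implicit deny: forwarded towards the Internet unprotected

def check_peers(r1, r2):
    """Mismatches that stop IKE phase 1 (policy, PSK) or phase 2 (transform, proxy IDs)."""
    problems = []
    if r1["policy"] != r2["policy"]:
        problems.append("ISAKMP policy mismatch")
    if r1["keys"].get(r1["peer"]) != r2["keys"].get(r2["peer"]):
        problems.append("pre-shared key mismatch")
    if r1["transform"] != r2["transform"]:
        problems.append("transform-set mismatch")
    # The crypto ACLs must be exact mirrors: R2's (src, dst) pairs are R1's (dst, src).
    fwd = sorted((p, s, sw, d, dw) for _, p, s, sw, d, dw in r1["acl"][r1["match"]])
    rev = sorted((p, d, dw, s, sw) for _, p, s, sw, d, dw in r2["acl"][r2["match"]])
    if fwd != rev:
        problems.append("crypto ACLs are not mirror images")
    return problems

def audit(cfg):
    """Parameters that negotiate fine but are below current recommendations."""
    findings = [f"isakmp {k} {v} is weak" for k, v in cfg["policy"].items() if v in WEAK.get(k, ())]
    findings += [f"{t} uses a legacy HMAC" for t in cfg["transform"] if t in ("esp-md5-hmac", "esp-sha-hmac")]
    findings += [f"PSK for {p} is only {len(k)} characters" for p, k in cfg["keys"].items() if len(k) < MIN_PSK_LEN]
    return findings

if __name__ == "__main__":
    r1, r2 = parse_config(R1_CONFIG), parse_config(R2_CONFIG)
    print(classify(r1, "192.168.101.100", "192.168.102.100"), classify(r1, "192.168.101.100", "8.8.8.8"))
    print(check_peers(r1, r2) or "peers agree")
    print("\n".join(audit(r1)))
```

Run it as-is and the peers agree; change one wildcard mask on R2 (for example `0.0.0.127` instead of `0.0.0.255`) and `check_peers` reports the non-mirrored ACL, which on a real router would show up as a phase 2 proxy-identity failure rather than a clear error message.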
With the crypto maps applied, ping across the tunnel between the LAN addresses (sourcing from FastEthernet0/0 so the traffic matches the crypto ACL). The first echo from R1 is lost while the IKE SAs are being negotiated; the `send errors 1` counter in R1's `show crypto ipsec sa` output later records that drop.
R1
R1#ping 192.168.102.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 16/44/80 ms
R2
R2#ping 192.168.101.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.102.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 28/45/72 ms
R1
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
102.1.1.100     101.1.1.100     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: test, local addr 101.1.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
   current_peer 102.1.1.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
    #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xF076E10C(4034322700)

     inbound esp sas:
      spi: 0x105977A5(274298789)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4529522/1705)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF076E10C(4034322700)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4529522/1704)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
102.1.1.100     101.1.1.100     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: test, local addr 102.1.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   current_peer 101.1.1.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
    #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x105977A5(274298789)

     inbound esp sas:
      spi: 0xF076E10C(4034322700)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4575113/1662)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x105977A5(274298789)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4575113/1661)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
How to read this: on both routers the ISAKMP SA is in QM_IDLE/ACTIVE (phase 1 complete and idle, ready for further quick-mode exchanges), the encaps and decaps counters are equal (traffic flows through the tunnel in both directions), and the SPIs cross over as they should: R1's inbound SPI 0x105977A5 is R2's outbound SPI, and R1's outbound SPI 0xF076E10C is R2's inbound. The one `send error` on R1 is the single echo lost while the SAs were being negotiated. If encaps climbs while decaps stays at zero, the far side is not returning traffic through the tunnel, which is almost always a crypto ACL that is not a mirror image or a missing route on the peer.
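Reading the `show crypto ipsec sa` counters by eye works for one tunnel; for many tunnels the same checks are better scripted. The following Python is an added example, not from this page or from Cisco: SAMPLE is a constructed text in the shape of R1's output above (same peer, counters and SPIs), the parser pulls out the proxy identities, peer, packet and error counters and the per-direction ESP SAs, and `diagnose` applies the checks a practitioner makes first. Encaps without decaps means the far side is not returning traffic through the tunnel (its crypto ACL is not a mirror, or it routes our subnet elsewhere); decaps without encaps means the local crypto ACL or routing is not selecting the tunnel; a non-zero send-errors count on an otherwise healthy tunnel is normally the packets dropped while the SAs were first negotiated. The wording of the findings is the example's own.

```python
import re

# Constructed sample in the shape of R1's 'show crypto ipsec sa' output on this page.
SAMPLE = """\
interface: Serial0/0
    Crypto map tag: test, local addr 101.1.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
   current_peer 102.1.1.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
    #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
    #send errors 1, #recv errors 0

     local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
     current outbound spi: 0xF076E10C(4034322700)

     inbound esp sas:
      spi: 0x105977A5(274298789)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4529522/1705)
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF076E10C(4034322700)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4529522/1704)
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
"""

COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERRORS = re.compile(r"#(send|recv) errors (\d+)")
IDENT = re.compile(r"(local|remote)\s+ident.*\((\S+)/(\S+)/(\d+)/(\d+)\)")
SA_HEAD = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")

def parse_ipsec_sa(text):
    """Parse one crypto-map entry of 'show crypto ipsec sa' into a dict."""
    info = {"counters": {}, "errors": {}, "sas": {"inbound": [], "outbound": []}}
    direction = None  # which ESP SA list the following 'spi:' / 'Status:' lines belong to
    for raw in text.splitlines():
        s = raw.strip()
        for name, val in COUNTER.findall(s):
            info["counters"][name] = int(val)
        for name, val in ERRORS.findall(s):
            info["errors"][name] = int(val)
        if m := IDENT.match(s):
            info[m.group(1)] = f"{m.group(2)}/{m.group(3)}"  # network/mask of the proxy identity
        elif m := re.match(r"current_peer (\S+) port (\d+)", s):
            info["peer"], info["port"] = m.group(1), int(m.group(2))
        elif m := SA_HEAD.match(s):
            direction = m.group(1) if m.group(2) == "esp" else None  # only ESP SAs are tracked
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            info["sas"][direction].append({"spi": m.group(1), "status": None})
        elif direction and s.startswith("Status:"):
            info["sas"][direction][-1]["status"] = s.split()[-1]
    return info

def diagnose(info):
    """Turn the counters into the findings a practitioner looks for first."""
    c, e, findings = info["counters"], info["errors"], []
    if c.get("encaps", 0) and not c.get("decaps", 0):
        findings.append("encaps without decaps: peer is not returning traffic through the tunnel "
                        "(check its crypto ACL mirrors ours and it routes our subnet to the crypto interface)")
    if c.get("decaps", 0) and not c.get("encaps", 0):
        findings.append("decaps without encaps: local crypto ACL or routing is not selecting the tunnel")
    if e.get("send", 0):
        findings.append(f"{e['send']} send error(s): normally the packets dropped while the SAs were first negotiated")
    for d in ("inbound", "outbound"):
        if not any(sa["status"] == "ACTIVE" for sa in info["sas"][d]):
            findings.append(f"no ACTIVE {d} ESP SA")
    return findings

if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    print(parsed["local"], "<->", parsed["remote"], "via", parsed["peer"])
    print(parsed["counters"], parsed["errors"])
    print("\n".join(diagnose(parsed)) or "tunnel healthy")
```

On the sample the only finding is the single send error, which matches the one lost echo in the verification ping above; feeding it the same output with `#pkts decaps: 0` produces the one-way-traffic finding, the case that most often turns out to be a crypto ACL on the peer that is not a mirror of ours.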