Site to Site Virtual Private Network Configuration

Jul 13, 2016 | VPN Free Study Material

Site to Site VPN Configuration with Pre-Shared Key

Site to Site VPN

To understand Site to Site VPN, let's take the example of an organization that has offices in multiple locations. The primary requirement of any such organization is easy and secure connectivity between branches, so that resources can be shared and employees can collaborate better. Secure VoIP deployment between branches is also very commonly required so that workers can make calls between branches. The distance between branches is generally long, so some service provider is required to connect them. For this we have two solutions:

  1. Leased Line

There are many telecommunication companies that provide leased line services. They can provide the connectivity, but they charge based on speed and the distance between the branches: if the distance is too long or you want high speed, the cost goes up.

Leased line characteristics:-

  1. Isolated from outside world
  2. Link speed will be slow
  3. More security

  2. Broadband Internet Connection

This solution is also provided by the same telecommunication companies that provide leased line services. The only difference is that we are connected through a public network, i.e. the Internet.

Broadband Internet characteristics:-

  1. Direct connectivity with outside world
  2. High-speed connectivity
  3. Less security as compared to leased line

When we purchase anything, cost plays an important role in the decision. Let's have a look at these solutions and decide on our requirements:

  1. We want direct connectivity with the world through the Internet.
  2. We want a high-speed link.
  3. We also want security for data going between branches.

A broadband connection fulfils the first two requirements; the only problem is security. To improve security, a VPN is used. Site to Site VPN enables two sites to communicate with each other in a secure way over an insecure network (the Internet).

Figure-2-1: site to site VPN configuration

Site to Site VPN Working:-

  • PC1 wants to communicate with PC2.
  • PC1 generates a packet with 192.168.101.100 as its source and 192.168.102.100 as its destination. That packet is delivered to the gateway.
  • The gateway checks the destination IP and routes the packet to the exit interface. A crypto map is applied to the exit interface, and the router checks the packet against it. If the packet matches the crypto map's access-list, it must be encrypted and hashed; otherwise the packet is routed towards the Internet without encryption.
  • The router then checks whether a security association (SA) with the peer already exists. If no SA is found, the initiator sends its proposal to the responder peer using ISAKMP on UDP port 500.
  • IKE Phase 1 and Phase 2 are performed. When Phase 2 completes, the protected data is delivered to the peer.

IOS Site to Site VPN With Pre-Shared Key

R1

interface fastEthernet 0/0
 ip add 192.168.101.1 255.255.255.0
 no shutdown
int s0/0
 ip add 101.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1

ISP

interface s0/0
 ip add 101.1.1.1 255.255.255.0
 no shutdown
int s0/1
 ip add 102.1.1.1 255.255.255.0
 no shutdown

R2

interface fastEthernet 0/0
 ip add 192.168.102.1 255.255.255.0
 no shutdown
int s0/0
 ip add 102.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1

R1

R1#ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R1#ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/26/80 ms

R2

R2#ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R2#ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/80 ms

R1

crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto isakmp key shiva add 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
 mode tunnel
 exit
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 set transform-set t-set
 set peer 102.1.1.100
 match address 101
int s0/0
 crypto map test

R2

crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto isakmp key shiva add 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
 mode tunnel
 exit
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 set transform-set t-set
 set peer 101.1.1.100
 match address 102
int s0/0
 crypto map test
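A consistency check for the two router configurations above, added here as an example and not part of the original post: it parses the ISAKMP policy attributes, the address each pre-shared key is bound to, the `set peer` and the crypto ACL on each router, and reports the mismatches (policy disagreement, a peer with no key bound to it, crypto ACLs that are not mirror images) that would stop Phase 1 or Phase 2 from completing. The R1/R2 fragments embedded in it are constructed to follow the page's addressing, with the keyword `address` written out in full.

```python
# Constructed R1/R2 fragments that follow the page's setup; not the page's own listing.
R1 = """crypto isakmp policy 1
 encryption aes
 hash sha
 group 5
crypto isakmp key shiva address 102.1.1.100
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 set peer 102.1.1.100
 match address 101"""
R2 = """crypto isakmp policy 1
 encryption aes
 hash sha
 group 5
crypto isakmp key shiva address 101.1.1.100
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 set peer 101.1.1.100
 match address 102"""

def parse(cfg):
    # Pull out the few fields that must agree between two IKEv1 peers.
    c = {"policy": {}, "acl": {}}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] in ("encryption", "hash", "group"):
            c["policy"][w[0]] = w[1]              # Phase 1 proposal attributes
        elif w[:3] == ["crypto", "isakmp", "key"]:
            c["key_peer"] = w[-1]                 # address the PSK is bound to
        elif w[:2] == ["set", "peer"]:
            c["peer"] = w[2]
        elif w[:2] == ["match", "address"]:
            c["acl_id"] = w[2]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            c["acl"].setdefault(w[1], set()).add(tuple(w[4:8]))  # (src, wc, dst, wc)
    return c

def check(a, b):
    """Return mismatches between two peers' parsed configs; empty means consistent."""
    issues = []
    if a["policy"] != b["policy"]:
        issues.append("ISAKMP policy mismatch: %s vs %s" % (a["policy"], b["policy"]))
    for side in (a, b):
        if side.get("peer") != side.get("key_peer"):
            issues.append("peer %s has no pre-shared key bound to it" % side.get("peer"))
    acl_a = a["acl"].get(a.get("acl_id"), set())
    acl_b = b["acl"].get(b.get("acl_id"), set())
    # The responder's crypto ACL must be the initiator's with src and dst swapped.
    if acl_a != {(d, dw, s, sw) for s, sw, d, dw in acl_b}:
        issues.append("crypto ACLs %s and %s are not mirror images" % (a.get("acl_id"), b.get("acl_id")))
    return issues
```

Running `check(parse(R1), parse(R2))` on the page's pair returns an empty list; feed it the output of `show running-config` from both routers to spot a mismatch before debugging with `debug crypto isakmp`.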

R1

R1#ping 192.168.102.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 16/44/80 ms

R2

R2#ping 192.168.101.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.102.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 28/45/72 ms

R1

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
102.1.1.100     101.1.1.100     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: test, local addr 101.1.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
   current_peer 102.1.1.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
    #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xF076E10C(4034322700)

     inbound esp sas:
      spi: 0x105977A5(274298789)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4529522/1705)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF076E10C(4034322700)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4529522/1704)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
102.1.1.100     101.1.1.100     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: test, local addr 102.1.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   current_peer 101.1.1.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
    #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x105977A5(274298789)

     inbound esp sas:
      spi: 0xF076E10C(4034322700)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4575113/1662)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x105977A5(274298789)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4575113/1661)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

baldev
