In this post, I will show you how to setup a site-to-site VPN using IPSec. I read up on IPSec and its two tunnels IKE Phase 1 (Management) and IKE Phase 2 (Data) and thought the best way to understand this is to create a lab.
Above is the lab that I set up. A few things to know.
I am using BGP between R1-R2-R3. R1 is Site1 and R3 is Site2. R2 is the Internet. I’m not going to through setting up the eBGP peerings but the main thing once configured is that you can ping from Site1’s public IP address to Sites2’s public IP address. If you would like the configuration files for the basic setup including eBGP let me know and I will share them with you.
- Setup IKE Phase 1 Tunnel using the following parameters:
- Hashing= SHA
- Authentication= pre-shared key
- DH Group= 5
- Lifetime= Default
- Encryption= AES-128
2. Setup IKE Phase 2 Tunnel using the following parameters:
- Create a transform set using esp-des and esp-md5-hmac
- Create a crypto map with the peer address, reference the transform set and access-list
- Create an access-list to identify interesting traffic to encrypt using the IPSec tunnel
With connectivity already in place, we should be able to ping each sites public IP address across the Internet.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/40 ms
Also, we should try and ping each LAN PC. This is to show that at the moment we have no way of reaching each sites LAN but when we setup IPSec our data will be encapsulated and encrypted using the public addresses.
PC1 (Site 1)
No dice as expected!
PC1> ping 22.214.171.124
126.96.36.199 icmp_seq=1 timeout
188.8.131.52 icmp_seq=2 timeout
184.108.40.206 icmp_seq=3 timeout
220.127.116.11 icmp_seq=4 timeout
18.104.22.168 icmp_seq=5 timeout
PC2 (Site 2)
PC2> ping 172.16.0.2
172.16.0.2 icmp_seq=1 timeout
172.16.0.2 icmp_seq=2 timeout
172.16.0.2 icmp_seq=3 timeout
172.16.0.2 icmp_seq=4 timeout
172.16.0.2 icmp_seq=5 timeout
IKE Phase 1
Keeping in mind the Lab Objectives lets set up each of the IKE Phase 1 requirements.
First, we need to setup a isakmp policy.
Site1(config)#crypto isakmp policy 1
A good way to remember what parameters can be set in IKE Phase 1 is the word HAGLE.
Site1(config-isakmp)#encryption aes 128
I left the lifetime of the tunnel to the default here for this lab. Note that the parameters need to match on each site for the IKE Phase 1 tunnel to come up.
Next step is to set the pre shared key that will be used between the two sites. Lets use mrrobot.
Site1(config)#crypto isakmp key mrrobot address 22.214.171.124
Here we have entered the shared key to use and also the peer address we want to use it within our case Site 2.
IKE Phase 2
This tunnel is the IPSec tunnel which will be used to encrypt user data.
Site1(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
Here we are using a transform-set with the name myset given to it and we are using esp-des for encryption (weak very weak but it will do for the lab) and esp-md5-hmas for hashing and integrity.
Next, we will set up a crypto map
Site1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Site1(config-crypto-map)#set peer 126.96.36.199
Site1(config-crypto-map)#set transform-set myset
Site1(config-crypto-map)#match address 100
Here we are telling the crypto map called mymap what peer to setup the tunnel with, the transform set to use and what interesting traffic to match.
Next setup the access-list that the crypto map is using.
Site1(config)#access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
With this access-list we are telling it to match traffic from Site 1 LAN with a destination of Site 2 LAN any other traffic that does not match this access list will be sent unencrypted.
Lastly we need to apply the crypto map to the public facing interface.
Site1(config-if)#crypto map mymap
*Mar 1 01:12:06.375: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Ok that is everything we need to configure on Site 1 for IPSec. I am not going to go through the same for Site 2 as it is pretty much the same but in reverse.
So lets test this out to see if it works if it does traffic that we tried to send earlier from Site 1’s LAN should now be successful.
Ping from PC1 to PC2
PC1> ping 192.168.0.2
192.168.0.2 icmp_seq=1 timeout
192.168.0.2 icmp_seq=2 timeout
84 bytes from 192.168.0.2 icmp_seq=3 ttl=62 time=36.000 ms
84 bytes from 192.168.0.2 icmp_seq=4 ttl=62 time=39.000 ms
84 bytes from 192.168.0.2 icmp_seq=5 ttl=62 time=43.000 ms
Success ! The first two packets that failed could be due to ARP and/or the time it took for the two Tunnels to be built.
And just to show the other side is also working.
PC2> ping 172.16.0.2
84 bytes from 172.16.0.2 icmp_seq=1 ttl=62 time=36.000 ms
84 bytes from 172.16.0.2 icmp_seq=2 ttl=62 time=42.000 ms
84 bytes from 172.16.0.2 icmp_seq=3 ttl=62 time=50.000 ms
84 bytes from 172.16.0.2 icmp_seq=4 ttl=62 time=49.000 ms
84 bytes from 172.16.0.2 icmp_seq=5 ttl=62 time=46.000 ms
IKE Phase 1 Tunnel
Site1#show crypto isakmp sa
dst src state conn-id slot status
188.8.131.52 184.108.40.206 QM_IDLE 1 0 ACTIVE
Here we see that we have an IKE Phase Tunnel Active.
IKE Phase 2 Tunnel
Site1#show crypto ipsec sa
Crypto map tag: mymap, local addr 220.127.116.11
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 18.104.22.168 port 500
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 22.214.171.124, remote crypto endpt.: 126.96.36.199
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD796A48B(3616973963)
A lot more information in the IPSec output. We can see what interface the crypto map is on. What is the local and remote addresses that are getting encrypted? The current peer. The number of packets sent and the number encrypted.
As requested from by Muadiv here is the BGP configuration on each router for this lab.
router bgp 1
neighbor 188.8.131.52 remote-as 2
router bgp 2
network 184.108.40.206 mask 255.255.255.0
network 220.127.116.11 mask 255.255.255.0
neighbor 18.104.22.168 remote-as 1
neighbor 22.214.171.124 remote-as 3
router bgp 3
neighbor 126.96.36.199 remote-as 2