Configuring a Site-to-Site VPN Between Two Cisco Routers

A site-to-site virtual private network (VPN) lets you maintain a secure "always-on" connection between two physically separate sites over an insecure network such as the Internet. Traffic between the two sites travels through an encrypted tunnel, which protects it from eavesdropping and other attacks on your data.

This configuration requires an IOS image that supports cryptography. The one used in these examples is c870-advipservicesk9-mz.124-15.T6.bin.

Several protocols are involved in building the VPN: protocols for exchanging keys between the peers, protocols for securing the tunnel itself, and hashing algorithms that produce message digests.

VPN Protocols

Internet Protocol Security (IPsec) is a suite of protocols for securing IP communications. It covers both key exchange and tunnel encryption, so you can think of IPsec as the framework within which the protection is applied. When building an IPsec VPN you can choose from several security mechanisms to construct the tunnel.

Internet Security Association and Key Management Protocol (ISAKMP)

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a way to authenticate the peers so that their exchanges are secure. It generally uses Internet Key Exchange (IKE), although other protocols are possible. Peers are authenticated with either public keys or pre-shared keys.

Message Digest Algorithm 5 (MD5)

MD5: Message Digest Algorithm 5 (MD5) is a widely used but now generally insecure cryptographic hash function with a 128-bit hash value. A cryptographic hash function takes an arbitrary amount of data and returns a fixed-length bit string that depends on the input. Hashing is designed so that any change to the data changes its hash value. The hashed value is called the message digest.

Secure Hash Algorithm (SHA)

SHA: Secure Hash Algorithm (SHA) is a family of cryptographic hash functions developed by the National Security Agency (NSA). There are three SHA families with different internal structures: SHA-0, SHA-1, and SHA-2. SHA-1 is the most commonly used and produces a hash value of 160 bits.

Encapsulating Security Payload (ESP)

ESP: Encapsulating Security Payload (ESP) is the member of the IPsec suite that provides origin authenticity, integrity, and confidentiality for packets. ESP also supports encryption-only and authentication-only configurations, but encryption without authentication is not advised because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP header of the packet, which is why ESP is the preferred protocol in Network Address Translation (NAT) configurations. ESP runs directly over IP as IP protocol 50.

Data Encryption Standard (DES)

DES: The Data Encryption Standard (DES) is a 56-bit encryption algorithm. It is no longer considered secure because its short key length makes it vulnerable to brute-force attacks.


Triple DES (3DES)

3DES: Triple DES (3DES) was designed to overcome the weaknesses and limitations of DES by using three separate 56-bit keys for encrypting, decrypting, and re-encrypting the data, so a 3DES key is 168 bits long. With 3DES the data is first encrypted with one 56-bit key, then decrypted with a second 56-bit key, and finally encrypted again with a third 56-bit key.

Advanced Encryption Standard (AES)

AES: The Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It supports a range of key lengths and is considered to be about six times faster than 3DES.

Hash-based Message Authentication Code (HMAC)

HMAC: A Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC). An HMAC is computed using a specific construction that combines a cryptographic hash function with a secret key.

Configuring a Site-to-Site VPN

Creating a site-to-site VPN involves several steps:

Phase one configuration sets up the key exchange. It uses ISAKMP to define the hashing algorithm and the authentication method. It is one of two places where you must identify the peer at the other end of the tunnel. In this example we chose SHA as the hashing algorithm because of its stronger 160-bit hash. Note that the key "vpnkey" must be identical on both ends of the tunnel. The address "" is the outside interface of the router at the far end of the tunnel.

Sample phase one configuration:

tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address

Phase two configuration creates the encrypted tunnel. In phase two you create and define the transform set, which specifies the encryption protocols used to build the secure channel, and a crypto map that identifies the peer on the other side of the tunnel.

You also need to tell the crypto map which transform set to use for the encryption protocol and which access list defines the traffic allowed through the tunnel. In this example we chose AES for its better performance and security. The "set peer" statement identifies the outside interface of the router at the opposite end of the tunnel. The "set transform-set vpnset" statement tells the router to use the parameters defined in the transform set vpnset for the tunnel. The "match address 100" statement ties the tunnel to access-list 100, which is defined later.

Sample phase two configuration:

tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
tukwila(config-crypto-map)#set peer
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100

The crypto map must then be applied to the outside interface (in this case, FastEthernet 4):

tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset

You must also create an access list that explicitly permits traffic from one router's inside LAN to pass through the tunnel to the other router's inside LAN (in this example, this router's inside LAN address is and the other router's inside LAN address is

(For more details on the format of access lists, see my other articles on creating and managing Cisco router access lists.)

You also need to configure a default route (also called the "gateway of last resort").

Verifying VPN Connections

Two commands can be used to verify VPN connections:

Router#show crypto ipsec sa

This command displays the settings used by the currently active security associations (SAs).

Router#show crypto isakmp sa

This command displays the current IKE security associations.

Troubleshooting VPN Connections

After verifying physical connectivity, review every element of the VPN configuration on both routers to confirm that the two ends mirror one another.
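As an added example (not the article's or Cisco's own code), the following Python builds both ends of the site-to-site configuration from the phase one and phase two steps above as IOS configuration text, then checks that the two ends mirror one another the way this section requires. Addresses and LANs are constructed sample values from the RFC 5737 and RFC 1918 ranges; the helper also adds "encryption aes" to the ISAKMP policy, which the article's phase one omits, because the IOS policy default is DES.

```python
import re

def site_config(wan_ip, gateway, peer_ip, local_lan, remote_lan, hash_alg="sha"):
    """One router's phase one / phase two config per the article's steps (constructed sample)."""
    return f"""crypto isakmp policy 10
 encryption aes
 hash {hash_alg}
 authentication pre-share
crypto isakmp key vpnkey address {peer_ip}
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address {wan_ip} 255.255.255.252
 crypto map vpnset
access-list 100 permit ip {local_lan} {remote_lan}
ip route 0.0.0.0 0.0.0.0 {gateway}
"""

# Values the two ends must agree on (or mirror), as regexes over one router's config.
FIELDS = {
    "encryption": r"^ encryption (\S+)", "hash": r"^ hash (\S+)",
    "auth": r"^ authentication (\S+)", "key": r"^crypto isakmp key (\S+) address",
    "key_addr": r"^crypto isakmp key \S+ address (\S+)",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "peer": r"^ set peer (\S+)", "wan_ip": r"^ ip address (\S+)",
    "acl_src": r"^access-list 100 permit ip (\S+ \S+)",
    "acl_dst": r"^access-list 100 permit ip \S+ \S+ (\S+ \S+)",
}

def parse_vpn(config):
    """Extract each field from an IOS config; None where the line is missing."""
    found = {name: re.search(pat, config, re.M) for name, pat in FIELDS.items()}
    return {name: (m.group(1) if m else None) for name, m in found.items()}

def mirror_problems(cfg_a, cfg_b):
    """List how two routers' configs fail to mirror; an empty list means they match."""
    a, b = parse_vpn(cfg_a), parse_vpn(cfg_b)
    same = ("encryption", "hash", "auth", "key", "transform")
    problems = [f"{f}: {a[f]!r} vs {b[f]!r}" for f in same if a[f] != b[f]]
    if a["peer"] != b["wan_ip"] or b["peer"] != a["wan_ip"]:
        problems.append("set peer does not point at the far router's outside interface")
    if a["key_addr"] != a["peer"] or b["key_addr"] != b["peer"]:
        problems.append("isakmp key address differs from set peer")
    if (a["acl_src"], a["acl_dst"]) != (b["acl_dst"], b["acl_src"]):
        problems.append("access-list 100 is not the mirror image of the far side")
    return problems
```

Feed it the running configs of both routers (for example, saved output of "show running-config") and any non-empty result points at the element that does not mirror.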

Use debug commands to investigate VPN connection problems: