Before we implement this kind of secured connectivity, we need to understand what a Site_to_Site VPN is and why we need it.
1. What is a Site_to_Site VPN?
A Site_to_Site VPN is a secured connection between offices located in separate geographic areas.
2. Why do we need it?
This kind of connectivity usually goes over the internet, and as you have probably guessed already, the internet is an ocean full of sharks looking for weak targets. To avoid having our data intercepted or, even worse, stolen, we secure this connectivity by encrypting the data flow, so that only the legitimate receivers can use it.
3. Now let's proceed to perform some magic on those routers 😊
For this exercise we'll use the topology shown below, and we'll cover two scenarios: one with static routing and one with dynamic routing.
Scenario A: Site_to_Site VPN using static routing
Step 1:
First things first, I'll show you how to perform the initial configuration on all the routers in this topology.
On the SiteA_VPN router we'll configure as shown below:
SiteA_VPN(config)#ip domain-name wisdomispower.net
SiteA_VPN(config)#username authadmin1 privilege 15 secret 0nl173br4ve
SiteA_VPN(config)#service password-encryption
SiteA_VPN(config)#enable secret 0nl173br4ve
SiteA_VPN(config)#crypto key generate rsa modulus 2048
The name for the keys will be: SiteA_VPN.wisdomispower.net
SiteA_VPN(config)#ip ssh version 2
SiteA_VPN(config-line)#line vty 0 4
SiteA_VPN(config-line)#logging sync
SiteA_VPN(config-line)#login local
SiteA_VPN(config-line)#transport input ssh
SiteA_VPN(config-line)#exit
SiteA_VPN(config)#int gi0/0
SiteA_VPN(config-if)#ip add 10.10.10.1 255.255.255.252
SiteA_VPN(config-if)#no shutdown
SiteA_VPN(config-if)#exit
SiteA_VPN(config-if)#int gi1/0
SiteA_VPN(config-if)#ip add 192.168.100.1 255.255.255.0
SiteA_VPN(config-if)#no sh
SiteA_VPN(config-if)#ip dhcp pool LAN
SiteA_VPN(dhcp-config)#network 192.168.100.0 255.255.255.0
SiteA_VPN(dhcp-config)#default-router 192.168.100.1
SiteA_VPN(dhcp-config)#exit
SiteA_VPN(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2
SiteA_VPN(config)#exit
SiteA_VPN#write
On the R2 router we'll configure:
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip domain-name wisdomispower.net
R2(config)#username authadmin1 privilege 15 secret 0nl173br4ve
R2(config)#service password-encryption
R2(config)#enable secret 0nl173br4ve
R2(config)#crypto key generate rsa modulus 2048
The name for the keys will be: R2.wisdomispower.net
R2(config)#
R2(config)#ip ssh version 2
R2(config)#line vty 0 4
R2(config-line)#logging sync
R2(config-line)#login local
R2(config-line)#transport input ssh
R2(config-line)#exit
R2(config)#int gi0/0
R2(config-if)#ip add 10.10.10.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
R2(config-if)#int gi1/0
R2(config-if)#ip add 10.0.10.1 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
R2(config-if)#ip route 0.0.0.0 0.0.0.0 10.0.10.2
R2(config)#exit
R2#
R2#write
On the R3 router we'll configure:
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip domain-name wisdomispower.net
R3(config)#username authadmin1 privilege 15 secret 0nl173br4ve
R3(config)#service password-encryption
R3(config)#enable secret 0nl173br4ve
R3(config)#crypto key generate rsa modulus 2048
The name for the keys will be: R3.wisdomispower.net
R3(config)#
R3(config)#ip ssh version 2
R3(config)#line vty 0 4
R3(config-line)#logging sync
R3(config-line)#login local
R3(config-line)#transport input ssh
R3(config-line)#exit
R3(config)#int gi1/0
R3(config-if)#ip add 10.0.10.2 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#int gi0/0
R3(config-if)#ip add 12.12.12.2 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
R3(config-if)#ip route 0.0.0.0 0.0.0.0 10.0.10.1
R3(config)#exit
R3#write
On the SiteB_VPN router we'll configure:
SiteB_VPN#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SiteB_VPN(config)#ip domain-name wisdomispower.net
SiteB_VPN(config)#username authadmin1 privilege 15 secret 0nl173br4ve
SiteB_VPN(config)#service password-encryption
SiteB_VPN(config)#enable secret 0nl173br4ve
SiteB_VPN(config)#crypto key generate rsa modulus 2048
The name for the keys will be: SiteB_VPN.wisdomispower.net
SiteB_VPN(config)#
SiteB_VPN(config)#ip ssh version 2
SiteB_VPN(config)#line vty 0 4
SiteB_VPN(config-line)#logging sync
SiteB_VPN(config-line)#login local
SiteB_VPN(config-line)#transport input ssh
SiteB_VPN(config-line)#exit
SiteB_VPN(config)#int gi0/0
SiteB_VPN(config-if)#ip add 12.12.12.1 255.255.255.252
SiteB_VPN(config-if)#no shutdown
SiteB_VPN(config-if)#
SiteB_VPN(config-if)#exit
SiteB_VPN(config)#ip route 0.0.0.0 0.0.0.0 12.12.12.2
SiteB_VPN(config)#int gi1/0
SiteB_VPN(config-if)#ip add 192.168.200.1 255.255.255.0
SiteB_VPN(config-if)#no shutdown
SiteB_VPN(config-if)#
SiteB_VPN(config-if)#
SiteB_VPN(config-if)#ip dhcp pool LAN
SiteB_VPN(dhcp-config)#network 192.168.200.0 255.255.255.0
SiteB_VPN(dhcp-config)#default-router 192.168.200.1
SiteB_VPN(dhcp-config)#exit
SiteB_VPN(config)#exit
SiteB_VPN#w
SiteB_VPN#write
SiteB_VPN#
Now that we've done the initial setup on all these routers, let's check whether there is end-to-end connectivity (here SiteB_VPN pings the WAN address of SiteA_VPN):
SiteB_VPN#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/44/88 ms
SiteB_VPN#
Step 2: Now let's proceed with the VPN setup
On the SiteA_VPN router we'll configure as follows:
SiteA_VPN#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SiteA_VPN(config)#crypto isakmp policy 1
SiteA_VPN(config-isakmp)#authentication pre-share
SiteA_VPN(config-isakmp)#encryption 3des
SiteA_VPN(config-isakmp)#hash sha
SiteA_VPN(config-isakmp)#group 2
SiteA_VPN(config-isakmp)#lifetime 84000
SiteA_VPN(config-isakmp)#exit
SiteA_VPN(config)#crypto ipsec transform-set Site_A esp-3des esp-md5-hmac
SiteA_VPN(cfg-crypto-trans)#exit
SiteA_VPN(config)#ip access-list extended ACL-SITEA2SITEB
SiteA_VPN(config-ext-nacl)#permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
SiteA_VPN(config-ext-nacl)#exit
SiteA_VPN(config)#crypto isakmp key cisco12345 address 12.12.12.1
SiteA_VPN(config)#crypto map SiteA_VPN 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SiteA_VPN(config-crypto-map)#set peer 12.12.12.1
SiteA_VPN(config-crypto-map)#set transform-set Site_A
SiteA_VPN(config-crypto-map)#match address ACL-SITEA2SITEB
SiteA_VPN(config-crypto-map)#int gi0/0
SiteA_VPN(config-if)#crypto map SiteA_VPN
SiteA_VPN(config-if)#
*Jul 31 09:31:39.491: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
SiteA_VPN(config-if)#
SiteA_VPN(config-if)#exit
SiteA_VPN(config)#exit
SiteA_VPN#
SiteA_VPN#write
On the SiteB_VPN router we'll configure as follows:
SiteB_VPN#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SiteB_VPN(config)#crypto isakmp policy 1
SiteB_VPN(config-isakmp)#authentication pre-share
SiteB_VPN(config-isakmp)#encryption 3des
SiteB_VPN(config-isakmp)#hash sha
SiteB_VPN(config-isakmp)#group 2
SiteB_VPN(config-isakmp)#lifetime 84000
SiteB_VPN(config-isakmp)#exit
SiteB_VPN(config)#crypto ipsec transform-set Site_B esp-3des esp-md5-hmac
SiteB_VPN(cfg-crypto-trans)#exit
SiteB_VPN(config)#ip access-list extended ACL-SITEB2SITEA
SiteB_VPN(config-ext-nacl)#permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
SiteB_VPN(config-ext-nacl)#exit
SiteB_VPN(config)#crypto isakmp key cisco12345 address 10.10.10.1
SiteB_VPN(config)#crypto map SiteB_VPN 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SiteB_VPN(config-crypto-map)#set peer 10.10.10.1
SiteB_VPN(config-crypto-map)#set transform-set Site_B
SiteB_VPN(config-crypto-map)#match address ACL-SITEB2SITEA
SiteB_VPN(config-crypto-map)#int gi0/0
SiteB_VPN(config-if)#crypto map SiteB_VPN
SiteB_VPN(config-if)#
*Jul 31 09:22:30.059: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
SiteB_VPN(config-if)#exit
SiteB_VPN(config)#exit
SiteB_VPN#
SiteB_VPN#write
Building configuration...
[OK]
SiteB_VPN#
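As an added example (not from the original post), a small Python check that parses the crypto sections of both routers and reports the mismatches that most often keep a crypto-map tunnel down: a differing ISAKMP policy or transform set, different pre-shared keys, a key bound to an address other than the configured peer, or crypto ACLs that are not mirror images. The two sample configurations are constructed from the commands above, in the form "show running-config" prints them.

```python
import re
# Constructed sample: the crypto lines from the SiteA_VPN and SiteB_VPN sessions above, as "show running-config" prints them.
SITE_A = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 84000
crypto isakmp key cisco12345 address 12.12.12.1
crypto ipsec transform-set Site_A esp-3des esp-md5-hmac
 set peer 12.12.12.1
 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
"""
SITE_B = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 84000
crypto isakmp key cisco12345 address 10.10.10.1
crypto ipsec transform-set Site_B esp-3des esp-md5-hmac
 set peer 10.10.10.1
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
"""

def parse(cfg):
    """Extract the parameters that must agree between the two IKEv1/IPsec peers."""
    policy = dict(re.findall(r"^ (authentication|encryption|hash|group|lifetime) (\S+)", cfg, re.M))
    psk, key_addr = re.search(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M).groups()
    transform = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).split()
    peer = re.search(r"^ set peer (\S+)", cfg, re.M).group(1)
    src, dst = re.search(r"^ permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M).groups()
    return {"policy": policy, "psk": psk, "key_addr": key_addr,
            "transform": transform, "peer": peer, "acl": (src, dst)}

def check_mirror(a, b):
    """List the mismatches that would stop IKE phase 1 or phase 2 from completing."""
    problems = []
    for field in ("policy", "transform", "psk"):  # phase 1 proposal and key
        if a[field] != b[field]:
            problems.append("%s differs: %r vs %r" % (field, a[field], b[field]))
    for name, side in (("A", a), ("B", b)):  # the key must be bound to the peer we dial
        if side["key_addr"] != side["peer"]:
            problems.append("site %s: isakmp key address != set peer" % name)
    if a["acl"] != (b["acl"][1], b["acl"][0]):  # phase 2 proxy IDs must be mirror images
        problems.append("crypto ACLs are not mirror images: %s / %s" % (a["acl"], b["acl"]))
    return problems
```

The sample keeps the lab's 3DES, MD5-HMAC and DH group 2 so that it matches the configuration above; those are legacy algorithms that Cisco marks as weak, so a production version of this check would also require AES, SHA-2 and a stronger DH group.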
Now that we've completed our setup, let's check whether there is connectivity between the two LAN networks.
Now let's look at our newly created VPN session on both routers:
SiteA_VPN#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 12.12.12.1 port 500
IKEv1 SA: local 10.10.10.1/500 remote 12.12.12.1/500 Active
IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.200.0/255.255.255.0
Active SAs: 2, origin: crypto map
SiteB_VPN#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 10.10.10.1 port 500
IKEv1 SA: local 12.12.12.1/500 remote 10.10.10.1/500 Active
IPSEC FLOW: permit ip 192.168.200.0/255.255.255.0 192.168.100.0/255.255.255.0
Active SAs: 2, origin: crypto map
Scenario B: Site_to_Site VPN using dynamic routing
In essence, all that has to be done is to remove the static routes from all routers and enable dynamic routing with OSPF on all of them.
On the SiteA_VPN router we'll configure as follows:
SiteA_VPN#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SiteA_VPN(config)#no ip route 0.0.0.0 0.0.0.0 10.10.10.2
SiteA_VPN(config)#do sh ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 10.10.10.1 YES manual up up
GigabitEthernet1/0 192.168.100.1 YES manual up up
GigabitEthernet2/0 unassigned YES unset administratively down down
GigabitEthernet3/0 unassigned YES unset administratively down down
GigabitEthernet4/0 unassigned YES unset administratively down down
GigabitEthernet5/0 unassigned YES unset administratively down down
GigabitEthernet6/0 unassigned YES unset administratively down down
SiteA_VPN(config)#router ospf 123
SiteA_VPN(config-router)#router-id 10.10.10.1
SiteA_VPN(config-router)#log ad
SiteA_VPN(config-router)#log
SiteA_VPN(config-router)#log-adjacency-changes
SiteA_VPN(config-router)#network 10.10.10.0 0.0.0.3 area 0
SiteA_VPN(config-router)#network 192.168.100.0 0.0.0.255 area 0
SiteA_VPN(config-router)#exit
SiteA_VPN(config)#exit
SiteA_VPN#write
On the R2 router we'll configure:
R2#show run | s route
ip source-route
ip route 0.0.0.0 0.0.0.0 10.0.10.2
R2#show ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 10.10.10.2 YES manual up up
GigabitEthernet1/0 10.0.10.1 YES manual up up
GigabitEthernet2/0 unassigned YES unset administratively down down
GigabitEthernet3/0 unassigned YES unset administratively down down
GigabitEthernet4/0 unassigned YES unset administratively down down
GigabitEthernet5/0 unassigned YES unset administratively down down
GigabitEthernet6/0 unassigned YES unset administratively down down
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no ip route 0.0.0.0 0.0.0.0 10.0.10.2
R2(config)#router ospf 123
R2(config-router)#router-id 10.0.10.1
R2(config-router)#log-adjacency-changes
R2(config-router)#network 10.10.10.0 0.0.0.3 area 0
R2(config-router)#
*Jul 31 09:59:09.287: %OSPF-5-ADJCHG: Process 123, Nbr 10.10.10.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
R2(config-router)#network 10.0.10.0 0.0.0.3 area 0
R2(config-router)#exit
R2(config)#exit
R2#write
On the R3 router we'll configure:
R3#sh run | s route
ip source-route
ip route 0.0.0.0 0.0.0.0 10.0.10.1
R3#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 12.12.12.2 YES manual up up
GigabitEthernet1/0 10.0.10.2 YES manual up up
GigabitEthernet2/0 unassigned YES unset administratively down down
GigabitEthernet3/0 unassigned YES unset administratively down down
GigabitEthernet4/0 unassigned YES unset administratively down down
GigabitEthernet5/0 unassigned YES unset administratively down down
GigabitEthernet6/0 unassigned YES unset administratively down down
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#no ip route 0.0.0.0 0.0.0.0 10.0.10.1
R3(config)#router ospf 123
R3(config-router)#router-id 10.0.10.2
R3(config-router)#log-adjacency-changes
R3(config-router)#network 10.0.10.0 0.0.0.3 area 0
R3(config-router)#net
*Jul 31 09:58:29.819: %OSPF-5-ADJCHG: Process 123, Nbr 10.0.10.1 on GigabitEthernet1/0 from LOADING to FULL, Loading Done
R3(config-router)#network 12.12.12.0 0.0.0.3 area 0
R3(config-router)#exit
R3(config)#exit
R3#write
On the SiteB_VPN router we'll configure:
SiteB_VPN#show run | s route
ip source-route
default-router 192.168.200.1
ip route 0.0.0.0 0.0.0.0 12.12.12.2
SiteB_VPN#show ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 12.12.12.1 YES manual up up
GigabitEthernet1/0 192.168.200.1 YES manual up up
GigabitEthernet2/0 unassigned YES unset administratively down down
GigabitEthernet3/0 unassigned YES unset administratively down down
GigabitEthernet4/0 unassigned YES unset administratively down down
GigabitEthernet5/0 unassigned YES unset administratively down down
GigabitEthernet6/0 unassigned YES unset administratively down down
SiteB_VPN#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SiteB_VPN(config)#no ip route 0.0.0.0 0.0.0.0 12.12.12.2
SiteB_VPN(config)#router ospf 123
SiteB_VPN(config-router)#router-id 12.12.12.1
SiteB_VPN(config-router)#log-adjacency-changes
SiteB_VPN(config-router)#netw
SiteB_VPN(config-router)#network 12.12.12.0 0.0.0.3 area 0
SiteB_VPN(config-router)#
*Jul 31 09:56:15.515: %OSPF-5-ADJCHG: Process 123, Nbr 10.0.10.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
SiteB_VPN(config-router)#network 192.168.200.0 0.0.0.255 area 0
SiteB_VPN(config-router)#exit
SiteB_VPN(config)#exit
SiteB_VPN#write
After completing this setup, let's check whether there is connectivity between the two LAN networks.
Now let's clear the previously established session and see what happens when it comes back up:
SiteA_VPN#clear crypto session
SiteA_VPN#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 12.12.12.1 port 500
IKEv1 SA: local 10.10.10.1/500 remote 12.12.12.1/500 Inactive
IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.200.0/255.255.255.0
Active SAs: 0, origin: crypto map
SiteA_VPN#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 12.12.12.1 port 500
IKEv1 SA: local 10.10.10.1/500 remote 12.12.12.1/500 Active
IKEv1 SA: local 10.10.10.1/500 remote 12.12.12.1/500 Inactive
IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.200.0/255.255.255.0
Active SAs: 2, origin: crypto map
SiteA_VPN#
SiteB_VPN#clear crypto session
SiteB_VPN#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 10.10.10.1 port 500
IKEv1 SA: local 12.12.12.1/500 remote 10.10.10.1/500 Inactive
IPSEC FLOW: permit ip 192.168.200.0/255.255.255.0 192.168.100.0/255.255.255.0
Active SAs: 0, origin: crypto map
SiteB_VPN#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 10.10.10.1 port 500
IKEv1 SA: local 12.12.12.1/500 remote 10.10.10.1/500 Active
IPSEC FLOW: permit ip 192.168.200.0/255.255.255.0 192.168.100.0/255.255.255.0
Active SAs: 2, origin: crypto map
SiteB_VPN#
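As an added example (not from the original post), a small Python parser for the "show crypto session" output shown above, turning it into something a monitoring job can alert on: a status other than UP-ACTIVE, a peer or protected flow that is not the expected one, zero active SAs, or an inactive IKE SA left over after the clear. The two sample outputs are constructed from SiteA_VPN's output above.

```python
import re
# Constructed sample: two "show crypto session" outputs from SiteA_VPN, right after "clear crypto session" and once IKE has renegotiated.
RENEGOTIATING = """\
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 12.12.12.1 port 500
  IKEv1 SA: local 10.10.10.1/500 remote 12.12.12.1/500 Inactive
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.200.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""
RECOVERED = """\
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 12.12.12.1 port 500
  IKEv1 SA: local 10.10.10.1/500 remote 12.12.12.1/500 Active
  IKEv1 SA: local 10.10.10.1/500 remote 12.12.12.1/500 Inactive
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.200.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

def parse_session(text):
    """Turn one 'show crypto session' block into a dict a monitor can act on."""
    grab = lambda pat: re.search(pat, text, re.M).group(1)
    return {
        "interface": grab(r"^Interface: (\S+)"),
        "status": grab(r"^Session status: (\S+)"),
        "peer": grab(r"^Peer: (\S+) port"),
        "ike_sas": re.findall(r"IKEv1 SA: local (\S+) remote (\S+) (\w+)", text),
        "flows": re.findall(r"IPSEC FLOW: permit ip (\S+) (\S+)", text),
        "active_sas": int(grab(r"Active SAs: (\d+)")),
    }

def assess(session, expected_peer, expected_flow):
    """Return findings worth alerting on; an empty list means the tunnel looks healthy."""
    findings = []
    if session["status"] != "UP-ACTIVE":
        findings.append("session %s with %s" % (session["status"], session["peer"]))
    if session["peer"] != expected_peer:  # a peer change is a config or spoofing concern
        findings.append("unexpected peer %s" % session["peer"])
    if expected_flow not in session["flows"]:  # the LAN-to-LAN flow must be the protected one
        findings.append("expected flow %s not protected" % (expected_flow,))
    if session["active_sas"] == 0:
        findings.append("no active IPsec SAs")
    if any(state == "Inactive" for _, _, state in session["ike_sas"]):
        findings.append("leftover inactive IKE SA still listed (expected briefly after clear crypto session)")
    return findings
```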
I hope this demonstration has been informative for you 😊
I'd also like to thank you for watching it 😊