How to Configure Site to Site VPN on Cisco Routers

BR1: 

1) Configure the ISAKMP tunnel from BR1 to the BR2 router (Phase 1).

BR1(config)# crypto isakmp policy 1
BR1(config-isakmp)# encryption 3des
BR1(config-isakmp)# hash md5
BR1(config-isakmp)# authentication pre-share
BR1(config-isakmp)# group 2
BR1(config-isakmp)# lifetime 86400

BR1(config)# crypto isakmp key Cisco123 address 1.1.1.2

2) Configure the IPsec tunnel from BR1 to the BR2 router (Phase 2).

BR1(config)# crypto ipsec transform-set BR1toBR2 esp-3des esp-md5-hmac

3) Configure the traffic that needs to be encrypted from BR1 to the BR2 router (interesting traffic).

BR1(config)# ip access-list extended BR1toBR2ACL
BR1(config-ext-nacl)# permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255

4) Combine all the parameters (Phase 1, Phase 2 and interesting traffic) using a crypto map.

BR1(config)# crypto map BR1 5 ipsec-isakmp
BR1(config-crypto-map)# set peer 1.1.1.2
BR1(config-crypto-map)# set transform-set BR1toBR2
BR1(config-crypto-map)# match address BR1toBR2ACL

5) Apply the crypto map to the interface that connects to the Internet, i.e. the interface through which traffic reaches the peer router.

BR1(config)# interface g0/1
BR1(config-if)# crypto map BR1



BR2:

1) Configure the ISAKMP tunnel from BR2 to the BR1 router (Phase 1).

BR2(config)# crypto isakmp policy 1
BR2(config-isakmp)# encryption 3des
BR2(config-isakmp)# hash md5
BR2(config-isakmp)# authentication pre-share
BR2(config-isakmp)# group 2
BR2(config-isakmp)# lifetime 86400

BR2(config)# crypto isakmp key Cisco123 address 1.1.1.1

2) Configure the IPsec tunnel from BR2 to the BR1 router (Phase 2).

BR2(config)# crypto ipsec transform-set BR2toBR1 esp-3des esp-md5-hmac

3) Configure the traffic that needs to be encrypted from BR2 to the BR1 router (interesting traffic).

BR2(config)# ip access-list extended BR2toBR1ACL
BR2(config-ext-nacl)# permit ip 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

4) Combine all the parameters (Phase 1, Phase 2 and interesting traffic) using a crypto map.

BR2(config)# crypto map BR2 5 ipsec-isakmp
BR2(config-crypto-map)# set peer 1.1.1.1
BR2(config-crypto-map)# set transform-set BR2toBR1
BR2(config-crypto-map)# match address BR2toBR1ACL

5) Apply the crypto map to the interface that connects to the Internet, i.e. the interface through which traffic reaches the peer router.

BR2(config)# interface g0/1
BR2(config-if)# crypto map BR2

Verification:

BR1# show crypto session

BR2# show crypto session

Note: Only one crypto map can be applied to an interface. If you want to run multiple site-to-site tunnels on the same router, use a single crypto map with a different sequence number for each tunnel.
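A consistency check for the two router configurations above, written in Python as an added example and not part of the original article: it parses the BR1 commands (constructed here from the steps above with the prompts removed), derives BR2 as the mirror image the article configures, verifies that the Phase 1 policy, transform set, pre-shared-key address, crypto-map bindings and interesting-traffic ACLs agree between the two ends, and flags the 3DES/MD5/DH group 2 choices, which are now legacy algorithms, so an upgrade can be planned.

```python
import re
# Constructed IOS excerpt reproducing the page's BR1 steps 1-4 with the prompts removed.
BR1 = """crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 1.1.1.2
crypto ipsec transform-set BR1toBR2 esp-3des esp-md5-hmac
ip access-list extended BR1toBR2ACL
 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
crypto map BR1 5 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set BR1toBR2
 match address BR1toBR2ACL"""
# BR2 is the page's mirror image: the other peer address, swapped ACL direction, its own names.
BR2 = (BR1.replace("1.1.1.2", "1.1.1.1").replace("BR1toBR2", "BR2toBR1")
       .replace("10.0.0.0 0.255.255.255 20.0.0.0", "20.0.0.0 0.255.255.255 10.0.0.0")
       .replace("crypto map BR1", "crypto map BR2"))
DEPRECATED = {"encryption 3des", "hash md5", "group 2", "esp-3des", "esp-md5-hmac"}  # legacy, flag for upgrade

def parse(cfg):
    g = lambda pat: re.search(pat, cfg, re.M)  # first line matching pat
    return {
        "policy": dict(re.findall(r"^ (encryption|hash|authentication|group) (\S+)", cfg, re.M)),
        "key_peer": g(r"^crypto isakmp key \S+ address (\S+)").group(1),
        "tset": g(r"^crypto ipsec transform-set (\S+) (.*)$").groups(),   # (name, algorithms)
        "acl_name": g(r"^ip access-list extended (\S+)").group(1),
        "acl": g(r"^ permit ip (\S+ \S+) (\S+ \S+)").groups(),            # (source, destination)
        "map_peer": g(r"^ set peer (\S+)").group(1),
        "map_tset": g(r"^ set transform-set (\S+)").group(1),
        "map_acl": g(r"^ match address (\S+)").group(1),
    }

def check_pair(a, b):
    """Return the mismatches between two tunnel ends; an empty list means they agree."""
    problems = []
    if a["policy"] != b["policy"] or a["tset"][1] != b["tset"][1]:
        problems.append("Phase 1 policy or Phase 2 transform set differs between peers")
    for s in (a, b):
        if s["key_peer"] != s["map_peer"]:
            problems.append(f"pre-shared key is bound to {s['key_peer']} but crypto map peers with {s['map_peer']}")
        if (s["map_tset"], s["map_acl"]) != (s["tset"][0], s["acl_name"]):
            problems.append("crypto map references an undefined transform set or ACL")
    if a["acl"] != b["acl"][::-1]:  # BR2's source/destination must be BR1's destination/source
        problems.append("interesting-traffic ACLs are not mirror images of each other")
    used = {f"{k} {v}" for k, v in a["policy"].items()} | set(a["tset"][1].split())
    if DEPRECATED & used:
        problems.append("deprecated algorithms in use: " + ", ".join(sorted(DEPRECATED & used)))
    return problems
```

Running `check_pair(parse(BR1), parse(BR2))` on the article's configuration reports only the legacy-algorithm finding; a typo in a `match address` name or a non-mirrored ACL produces a specific complaint before `show crypto session` ever shows a tunnel stuck in negotiation.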


Md.Kareemoddin

CCIE # 54759

Ref: Cisco.com
