How to Implement an IPSec VPN on a Router

Source: Internet
Author: User
Tags: hmac

Many people have asked me how to implement IPSec VPN on a router, so I will use the following case to explain how to configure a router-based IPSec VPN. The company needs a VPN connection between its Nanjing office and its Shanghai office. The network settings are:

    Nanjing office:  intranet 10.1.1.0/24, Internet address 202.102.1.5/24
    Shanghai office: intranet 10.1.2.0/24, Internet address 202.102.1.6/24

A tunnel interface (Tunnel0, 192.168.1.1 on Nanjing and 192.168.1.2 on Shanghai) runs between the two Internet addresses, and the IPSec crypto map is applied both to the tunnel and to the Internet interface.

Configure both routers in the following eight steps:

1. Configure the encryption algorithm in IKE
2. Configure the IKE key method
3. Define the transform set
4. Create the crypto map
5. Set up the tunnel interface
6. Configure the intranet interface
7. Configure the Internet interface
8. Configure the access list

The Nanjing router is configured as follows.

    !
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Nanjing
    !
    enable password cisco
    !

Step 1. Configure the encryption algorithm in IKE

    crypto isakmp policy 1
     encryption des
     hash sha
     authentication pre-share
     group 1
     lifetime 14400

Notes: `crypto isakmp policy 1` creates ISAKMP policy number 1. To offer more proposals, add policy 2, policy 3 and so on; the lowest number has the highest priority. `encryption des` selects DES; `3des` applies DES three times. `hash sha` selects SHA-1; md5 is also accepted, but both ends must use the same value. `authentication pre-share` tells the router to authenticate the peer with a pre-shared key. `group 1` selects the Diffie-Hellman group: 1 uses a 768-bit modulus and 2 a 1024-bit modulus; the larger modulus is stronger but costs more CPU time. The original article recommended group 1 unless you have a high-end router or little VPN traffic; by today's standards both of these groups, and DES and MD5 as well, are considered breakable, so treat the values here as an illustration of the syntax rather than a recommended policy and choose the strongest group and ciphers your IOS release supports. `lifetime 14400` sets the IKE SA lifetime in seconds; the default is 86400, that is, one day. Both routers should use the same lifetime. IOS negotiates the shorter of the two values, so a mismatch does not stop the VPN from coming up, but the SA will then be renegotiated on the shorter peer's schedule rather than the one you intended. If the lifetime is not set, the default is used.

Step 2. Configure the IKE key method

    crypto isakmp identity address
    crypto isakmp key 654321 address 202.102.1.6
    crypto isakmp key 654321 address 192.168.1.2

Notes: `crypto isakmp identity address` makes the router identify itself by its IP address during ISAKMP. The `crypto isakmp key` commands, entered in global configuration mode, set the pre-shared key and the address of the peer router it applies to: here the Shanghai Internet address 202.102.1.6 and the Shanghai tunnel address 192.168.1.2. The Shanghai router uses the same commands with the Nanjing addresses (202.102.1.5 and 192.168.1.1) instead. The key 654321 is a placeholder for this example; use a long random key in production, and note that it appears in cleartext in the running configuration shown here.

Step 3. Define the transform set

    crypto ipsec transform-set test1 ah-md5-hmac esp-des esp-md5-hmac

Notes: test1 is the name given to this combination of options. The name is significant only on the local router, so the two routers may use the same name or different ones, but the crypto map on each router must reference the name defined on that router. The command selects the IPSec parameters: the Authentication Header (ah-md5-hmac) is enabled for additional integrity protection; because both sites use private address space and the data must be carried through a tunnel, ESP is used as well, with DES as the encryption algorithm (esp-des) and MD5 HMAC for ESP integrity (esp-md5-hmac). One or more transform sets may be defined. Be aware that AH also authenticates the outer IP header, so a transform set containing ah-md5-hmac will not survive NAT between the two sites.

Step 4. Create the crypto map

    crypto map cmap1 local-address Serial0
    crypto map cmap1 1 ipsec-isakmp
     set peer 202.102.1.6
     set peer 192.168.1.2
     set transform-set test1
     match address 111
    !
    process-max-time 200

Notes: `crypto map cmap1 local-address Serial0` defines the crypto map cmap1 and makes the address of Serial0 the local address for IPSec. `crypto map cmap1 1 ipsec-isakmp` creates entry number 1 in that map. `set peer` gives the addresses that identify the peer router; on the Shanghai router the same entry is made with 202.102.1.5 and 192.168.1.1. `set transform-set test1` selects the transform set for this connection, and `match address 111` selects the access list that defines the traffic to be protected.

Step 5. Set up the tunnel interface

    interface Tunnel0
     ip address 192.168.1.1 255.255.255.0
     tunnel source 202.102.1.5
     tunnel destination 202.102.1.6
     crypto map cmap1

Step 6. Configure the intranet interface

    interface Ethernet0
     ip address 10.1.1.1 255.255.255.0

Step 7. Configure the Internet interface

    interface Serial0
     ip address 202.102.1.5 255.255.255.0
     no ip mroute-cache
     no fair-queue
     crypto map cmap1
    !
    ip classless

Notes: `crypto map cmap1` applies the crypto map defined in step 4 to the router's external interface. The name applied to the interface must be exactly the name that was defined; the original listing defined cmap1 but applied "cmap", and an interface that references an undefined map carries no IPSec policy at all.

Step 8. Create the access list

    access-list 111 permit ip host 202.102.1.5 host 202.102.1.6
    access-list 111 permit ip host 202.102.1.6 host 202.102.1.5
    access-list 111 permit ip 10.1.1.0 0.0.0.255 202.102.1.0 0.0.0.255
    access-list 111 permit ip 10.1.2.0 0.0.0.255 202.102.1.0 0.0.0.255
    access-list 111 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 111 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    !
    line con 0
    line aux 0
    line vty 0 4
     password cisco
     login
    !
    end

Notes: the access list number used here must not be the same as that of any access list used for packet filtering; use a separate number to identify the VPN rules. In general the crypto access list on one router must be the mirror image (sources and destinations swapped) of the list on the other router; this list is written symmetrically, so the same six lines work on both ends.

The Shanghai router is configured as follows. It mirrors the Nanjing configuration; the differences are the host name, the addresses, and the transform-set name, which is tset1 here to show that the name is local to each router.

    !
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Shanghai
    !
    enable password cisco
    !
    ! ---- encryption algorithm in IKE ----
    crypto isakmp policy 1
     encryption des
     hash sha
     authentication pre-share
     group 1
     lifetime 14400
    !
    ! ---- IKE key method: same key, Nanjing Internet and tunnel addresses ----
    crypto isakmp identity address
    crypto isakmp key 654321 address 202.102.1.5
    crypto isakmp key 654321 address 192.168.1.1
    !
    ! ---- transform set (name is local to this router) ----
    crypto ipsec transform-set tset1 ah-md5-hmac esp-des esp-md5-hmac
    !
    ! ---- crypto map, peers are the Nanjing addresses ----
    crypto map cmap1 local-address Serial0
    crypto map cmap1 1 ipsec-isakmp
     set peer 202.102.1.5
     set peer 192.168.1.1
     set transform-set tset1
     match address 111
    !
    process-max-time 200
    !
    ! ---- tunnel interface ----
    interface Tunnel0
     ip address 192.168.1.2 255.255.255.0
     tunnel source 202.102.1.6
     tunnel destination 202.102.1.5
     crypto map cmap1
    !
    ! ---- intranet interface ----
    interface Ethernet0
     ip address 10.1.2.1 255.255.255.0
    !
    ! ---- Internet interface ----
    interface Serial0
     ip address 202.102.1.6 255.255.255.0
     no ip mroute-cache
     no fair-queue
     crypto map cmap1
    !
    ip classless
    !
    ! ---- access list 111 ----
    access-list 111 permit ip host 202.102.1.5 host 202.102.1.6
    access-list 111 permit ip host 202.102.1.6 host 202.102.1.5
    access-list 111 permit ip 10.1.1.0 0.0.0.255 202.102.1.0 0.0.0.255
    access-list 111 permit ip 10.1.2.0 0.0.0.255 202.102.1.0 0.0.0.255
    access-list 111 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 111 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    !
    line con 0
    line aux 0
    line vty 0 4
     password cisco
     login
    !
    end

Two things in this example should not be copied as they stand. The cryptography (DES, MD5, SHA-1, DH group 1) reflects what was common when the article was written and is no longer adequate; current IOS releases accept AES, SHA-2 and DH group 14 or higher in the same commands. The pre-shared key and the enable and vty passwords are trivial placeholders stored in cleartext (`no service password-encryption`); use strong values and protect the configuration accordingly.

What remains is to test the VPN connection and make sure traffic flows as expected. On IOS, `show crypto isakmp sa` shows whether the IKE SA with the peer has been established, and `show crypto ipsec sa` shows the IPSec SAs and their packet counters, which should increase as traffic between the two intranets is sent. The last step is not to forget to save the running configuration (`copy running-config startup-config`); otherwise all the work is lost at the next reload.
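The two listings above contain exactly the kind of slip that keeps a site-to-site tunnel from coming up (a crypto map applied under one name and defined under another, a map that references a transform-set name defined on the other router, an access list that is not the mirror of its peer's). The following Python script is an added example, not part of the original article or of Cisco IOS: it parses the crypto-relevant lines of two IOS configurations and reports those mismatches before the configs are pasted into the routers. The sample configurations are constructed inline and modelled on the Nanjing/Shanghai listing; `other_site` is a hypothetical helper that derives the Shanghai side by swapping the address pairs, and the Shanghai sample deliberately reproduces the article's two slips.

```python
"""Consistency checks for the two ends of an IOS site-to-site IPsec configuration."""
from collections import defaultdict

def _ace(tokens):
    """Normalise 'host A' and 'A WILDCARD' pairs to (src, smask, dst, dmask)."""
    out = []
    while tokens:
        out += [tokens[1], "0.0.0.0"] if tokens[0] == "host" else tokens[:2]
        tokens = tokens[2:]
    return tuple(out)

def parse_crypto(cfg):
    """Pull the crypto-relevant facts out of one IOS configuration text."""
    d = {"policy": {}, "psk": {}, "tsets": set(), "maps_defined": set(), "maps_applied": set(),
         "peers": set(), "map_tsets": set(), "acls": set(), "acl": defaultdict(set), "local": set()}
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] in ("encryption", "hash", "authentication", "group", "lifetime"):
            d["policy"][t[0]] = t[1]                     # isakmp policy sub-commands
        elif t[:3] == ["crypto", "isakmp", "key"]:
            d["psk"][t[5]] = t[3]                        # peer address -> pre-shared key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"].add(t[3])
        elif t[:2] == ["crypto", "map"]:                 # bare 'crypto map NAME' is the interface command
            (d["maps_applied"] if len(t) == 3 else d["maps_defined"]).add(t[2])
        elif t[:2] == ["set", "peer"]:
            d["peers"].add(t[2])
        elif t[:2] == ["set", "transform-set"]:
            d["map_tsets"].update(t[2:])
        elif t[:2] == ["match", "address"]:
            d["acls"].add(t[2])
        elif t[:2] == ["ip", "address"]:
            d["local"].add(t[2])                         # addresses this router owns
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            d["acl"][t[1]].add(_ace(t[4:]))
    return d

def crypto_aces(d):
    """Entries of the access list(s) the crypto map matches on."""
    return {ace for n in d["acls"] for ace in d["acl"].get(n, ())}

def mirror(aces):
    """Swap source and destination of every entry: what the far end must hold."""
    return {(dst, dm, src, sm) for (src, sm, dst, dm) in aces}

def check_local(name, d):
    """Problems visible on one router by itself."""
    issues = []
    for m in sorted(d["maps_applied"] - d["maps_defined"]):
        issues.append(f"{name}: crypto map '{m}' is applied to an interface but never defined")
    for ts in sorted(d["map_tsets"] - d["tsets"]):
        issues.append(f"{name}: crypto map references undefined transform-set '{ts}'")
    for p in sorted(d["peers"] - set(d["psk"])):
        issues.append(f"{name}: no pre-shared key configured for peer {p}")
    return issues

def check_pair(a_name, a, b_name, b):
    """Problems that only show up when the two ends are compared."""
    issues = check_local(a_name, a) + check_local(b_name, b)
    for k in sorted(set(a["policy"]) | set(b["policy"])):
        if a["policy"].get(k) != b["policy"].get(k):
            issues.append(f"isakmp policy '{k}' differs: {a_name}={a['policy'].get(k)} {b_name}={b['policy'].get(k)}")
    for (xn, x), (yn, y) in (((a_name, a), (b_name, b)), ((b_name, b), (a_name, a))):
        for p in sorted(x["peers"] - y["local"]):
            issues.append(f"{xn}: peer {p} is not an interface address on {yn}")
        for ace in sorted(mirror(crypto_aces(x)) - crypto_aces(y)):
            issues.append(f"{yn}: crypto ACL is missing {ace} (mirror of a {xn} entry)")
    keys = {x["psk"].get(p) for x in (a, b) for p in x["peers"]} - {None}
    if len(keys) > 1:
        issues.append(f"pre-shared keys differ between {a_name} and {b_name}")
    return issues

# Constructed sample modelled on the article's Nanjing listing (not the article's own text).
NANJING = """\
crypto isakmp policy 1
 encryption des
 hash sha
 authentication pre-share
 group 1
 lifetime 14400
crypto isakmp key 654321 address 202.102.1.6
crypto ipsec transform-set test1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cmap1 1 ipsec-isakmp
 set peer 202.102.1.6
 set transform-set test1
 match address 111
interface Serial0
 ip address 202.102.1.5 255.255.255.0
 crypto map cmap1
access-list 111 permit ip host 202.102.1.5 host 202.102.1.6
access-list 111 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""

def other_site(cfg, pairs=(("202.102.1.5", "202.102.1.6"), ("10.1.1.0", "10.1.2.0"))):
    """Hypothetical helper: swap each address pair to produce the opposite site's config."""
    for a, b in pairs:
        cfg = cfg.replace(a, "\0").replace(b, a).replace("\0", b)
    return cfg

# Shanghai reproduces the two slips in the article's listing: the map names transform-set
# 'test1' while 'tset1' is defined, and the interface applies 'cmap' while 'cmap1' is defined.
SHANGHAI = (other_site(NANJING).replace("transform-set test1 ah", "transform-set tset1 ah")
            .replace(" crypto map cmap1\n", " crypto map cmap\n"))

if __name__ == "__main__":
    for line in check_pair("Nanjing", parse_crypto(NANJING), "Shanghai", parse_crypto(SHANGHAI)):
        print(line)
```

Run as-is, the script prints the two Shanghai findings and nothing for Nanjing; fixing the two names on the Shanghai side makes it silent. The checks are deliberately structural (names, addresses, mirror-image access lists, identical ISAKMP policy); they do not judge whether the chosen ciphers are strong, which is a separate decision discussed above.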
