The process of implementing IPSec VPN based on routers

Many people ask me how to implement IPSec VPN technology, and I've done a case to show you how to configure a router-based IPSec VPN.

Due to work needs, the company's Nanjing office and the Shanghai office to establish a VPN connection. Nanjing Office Network settings: Intranet IP 10.1.1.0/24, extranet IP 202.102.1.5/24, Shanghai office network settings: Intranet IP 10.1.2.0/24, external network IP 202.102.1.6/24.

The following configuration steps are performed on both sides of the router:

I. Configuring the encryption algorithm in IKE

Ii. Configuring the IKE key method

Iii. Defining a transformation set

Iv. Establishment of encryption diagrams

V. Setting the tunnel port

VI. Configuration of Intranet port

Seven, configure the external network port

Viii. Establishing access lists

The Nanjing router is configured as follows:

!
Service Timestamps Debug Uptime
Service Timestamps Log uptime
No service password-encryption
!
hostname Nanjing
!
Enable Cisco

I. Configuring the encryption algorithm in IKE

Crypto ISAKMP policy 1
Note: Generate Iskamp policy number 1. Policy 1 for Strategy 1, if you want to get a few more VPN, you can write policy 2, Policy3 ...

Encryption des
Note: Choose to use DES encryption can also be used 3DES to specify three times times des encryption

Hash sha
Note: Specifies the hash algorithm to use, or MD5 (two-port consistent)

Authentication Pre-share
Remarks: Tells the router to use a preshared password.

Group 1
NOTE: Specified as Diffie-hellman group. Unless you buy a high-end router or have less VPN traffic, it is best to use the group 1 length key, and the group command has two parameter values: 1 and 2. A parameter value of 1 indicates that the key uses a 768-bit key, and a parameter value of 2 indicates that the key uses a 1024-bit key, which obviously has a high security, but consumes more CPU time.

Lifetime 14400
Remarks: Adjusts the cycle for generating a new SA. This value is in seconds, and the default value is 86400, which is the day. It is worth noting that routers at both ends have to set the same SA cycle, or the VPN will arrive in a shorter SA cycle after the normal initialization. is not set to the default value.

More Wonderful content: http://www.bianceng.cnhttp://www.bianceng.cn/Network/lyjs/

Ii. Configuring the IKE key method

Crypto ISAKMP identity Address
Remarks: Specifies the use of the ISAKMP identity when communicating with a remote router

Crypto ISAKMP key 654321 address 202.102.1.6
Remarks: Returns to global setting mode determines which preshared key to use and points to the VPN router IP address, the destination router IP address. Correspondingly, the router configuration on the other side is similar to the above command, except that the IP address is changed to 202.102.1.5.

Crypto ISAKMP key 654321 address 192.168.1.2
Note: Use key 654321 for remote router tunnel port 192.168.1.2

Iii. Defining a transformation set

Crypto IPSec Transform-set test1 Ah-md5-hmac esp-des Esp-md5-hmac
Note: The only different parameter here at both ends of the router is test1, which is the name defined for this combination of options. At both ends of the router, the name can be the same or different. The above command defines the IPSec parameters that are used. To enhance security, start the authentication header. Because both networks use the private address space, the data needs to be transmitted through the tunnel, so the security encapsulation protocol is also used. Finally, we also define des as a secret cryptographic key encryption algorithm. You can define one or more transformation sets

Iv. Establishment of encryption diagrams

Crypto map Cmap1 local-address serial 0
Remarks: Defines the encryption diagram Cmap1 and specifies S0 as the local address

Crypto map Cmap1 1 IPSEC-ISAKMP
Note: Use ordinal 1 to set up an encryption diagram

Set Peer 202.102.1.6
Set Peer 192.168.1.2
Note: This is the legal IP address that identifies the other router. A similar command should be entered on the remote router, except that the other router address should be 202.102.1.5.

Set Transform-set test1
Remarks: Identifies the set of transformations used for this connection

Match Address 111
Remarks: Identifies the access list used for this connection.

Process-max-time 200

V. Setting the tunnel port

Interface Tunnel0
IP address 192.168.1.1 255.255.255.0
Tunnel Source 202.102.1.5
Tunnel Destination 202.102.1.6
Crypto map CMap

Vi. Setting up intranet port

Interface Ethernet0
IP address 10.1.1.1 255.255.255.0

Vii. setting up the external network port

Interface Serial0
IP address 202.102.1.5 255.255.255.0
No IP mroute-cache
No Fair-queue
Crypto map CMap
Note: Apply the password diagram that you just defined to the external interface of the router.

IP classless

Viii. Establishing access lists

Access-list Permit IP host 202.102.1.5 host 202.102.1.6
Access-list Permit IP host 202.102.1.6 host 202.102.1.5
Access-list Permit IP 10.1.1.0 0.0.0.255 202.102.1.0 0.0.0.255
Access-list Permit IP 10.1.2.0 0.0.0.255 202.102.1.0 0.0.0.255
Access-list Permit IP 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Access-list Permit IP 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Note: The access list number used here cannot be the same as any filtered access list, and you should use a different access list number to identify the VPN rule.

!
Line con 0
Line aux 0
Line vty 0 4
==============================
Password Cisco
Login
!
End
!

Shanghai router configuration is as follows:

!
Service Timestamps Debug Uptime
Service Timestamps Log uptime
No service password-encryption
!
Hostname Shanghai
!
Enable Cisco
!
!
!------The following configuration encryption--------
Crypto ISAKMP policy 1
Generate Iskamp Policy Number 1
Des encryption encryption des option can also be used to specify three times des encryption with 3DES
Hash sha Specifies the hash algorithm to use, or it can be MD5 (two terminals consistent)
Authentication Pre-share
Group 1 is specified as Diffie-hellman, 1 for 768, and 2 for 1024 bits
Lifetime 14400 Specifies the validity period of the security association, not set to the default value
------The following configuration key method-----
Crypto ISAKMP identity address specifies the use of the ISAKMP identity when communicating with a remote router
Crypto ISAKMP key 654321 address 202.102.1.5 use key for remote router port 202.102.1.6 654321
Crypto ISAKMP key 654321 address 202.102.1.6 use key for remote router port 202.102.1.6 654321
Crypto ISAKMP key 654321 address 192.168.1.1 to remote router tunnel port 192.168.1.2 use key 654321
!
Define a transformation set------the following-----
Crypto IPSec Transform-set Tset1 Ah-md5-hmac esp-des Esp-md5-hmac can define one or more sets
!
!
-------the following to establish an encryption diagram------
Crypto map Cmap1 local-address serial 0 defines the encryption diagram Cmap1 and specifies S0 as the local address
Crypto map Cmap1 1 IPSEC-ISAKMP set up an encryption diagram with ordinal 1
Set peer 202.102.1.5 set destination address
Set Peer 202.102.1.6
Set Peer 192.168.1.1
Set Transform-set test1 specified transformation set
Match Address 111 Specifies the addresses in the encrypted access list 111
!
!
Process-max-time 200
!
Set the tunnel port-------the following------
Interface Tunnel0
IP address 192.168.1.2 255.255.255.0
Tunnel Source 202.102.1.6
Tunnel Destination 202.102.1.5
Crypto map CMap
!
-------The following set intranet port------
Interface Ethernet0
IP address 10.1.2.1 255.255.255.0
!
-------the following to set the external network port------
Interface Serial0
IP address 202.102.1.6 255.255.255.0
No IP mroute-cache
No Fair-queue
Crypto map CMap
!
IP classless
!
-------The following build access list------
Access-list Permit IP host 202.102.1.5 host 202.102.1.6
Access-list Permit IP host 202.102.1.6 host 202.102.1.5
Access-list Permit IP 10.1.1.0 0.0.0.255 202.102.1.0 0.0.0.255
Access-list Permit IP 10.1.2.0 0.0.0.255 202.102.1.0 0.0.0.255
Access-list Permit IP 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Access-list Permit IP 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
Line con 0
Line aux 0
Line vty 0 4
==============================
Password Cisco
Login
!
End
!

The rest of the time is to test the VPN connection and ensure that the communication is planned as expected.

The last step is not to forget to save the run configuration, otherwise everything will be in vain.

This article from "Mu Xiao Seven blog" blog, please be sure to keep this source http://3088522.blog.51cto.com/3078522/703589