When would you need this: When you want to create a secure
tunnel to transfer data between two sites without using a VPN concentrator
or other dedicated security devices.
Special requirements: The routers used must support IPSec.
Most Cisco routers do. Both sides must also use a static public
IP address to connect to the Internet.
We will go through the steps to be done on one side, and the
same steps must be repeated on the other side. The encryption of the data will
depend on a shared key, so we will not need a CA or RSA-based
methods.
1. Create an Internet Key Exchange (IKE) policy. The policy
used in our case is policy number 9, because this policy requires a pre-shared
key.
Router(config)#crypto isakmp policy 9
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
2. Set up the shared key that will be used for the VPN,
Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX
where,
VPNKEY is the shared key that you will use for the VPN; remember
to set the same key on the other end.
XXX.XXX.XXX.XXX is the static public IP address of the other
end.
3. Now we set the lifetime of the IPSec security associations,
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
where YYYYY is the security association lifetime in seconds. It is
usually set to 86400, which is one day.
4. Configure an extended access-list to define the traffic
that is allowed to be directed through the VPN link,
Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
where,
AAA is the access-list number,
SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source network (address and
wildcard mask) of the data allowed to use the VPN link, and
DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination network (address and
wildcard mask) of the data that needs to pass through the VPN link.
5. Define the transform set that will be used for this
VPN connection,
Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC
where,
SETNAME is the name of the transform set. You can
choose any name you like.
BBBB and CCCCC are the transforms that make up the set. I recommend the
use of “esp-3des esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Either
one of these two will do the job.
6. After defining all the previous things, we need to create
a crypto-map that ties together the access-list, the peer at the other site and the transform
set.
Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA
where,
MAPNAME is a name of your choice for the crypto-map,
PRIORITY is the priority of this map over other maps to the
same destination. If this is your only crypto-map, give it any number, for example 10.
XXX.XXX.XXX.XXX is the static public IP address of the other
end,
SETNAME is the name of the transform set that we
configured in step 5, and
AAA is the number of the access-list that we created to
define the traffic in step 4.
7. The last step is to bind the crypto-map to the interface
that connects the router to the other end. Enter the configuration mode of that interface and apply the map,
Router(config-if)#crypto map MAPNAME
where MAPNAME is the name of the crypto-map that we defined
in step 6.
Now, repeat these steps on the other end, and remember to
use the same key along with the same authentication and transform set.
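The two ends must be mirror images of each other: the same key and transform set, the peer addresses swapped, and the access-list reversed. The following added example (not code from the original article) renders steps 1 to 7 for both ends from one description and checks that they mirror each other; the public and LAN addresses, access-list number and interface names are constructed values.

```python
# Added example (not from the article): render both ends of the pre-shared-key
# site-to-site tunnel and check that they mirror each other. Addresses, ACL
# number and interface names are constructed values.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    public_ip: str   # static public IP; becomes the other end's "set peer"
    lan: str         # protected subnet, e.g. "192.168.1.0"
    wildcard: str    # wildcard mask for the access-list, e.g. "0.0.0.255"
    wan_if: str      # interface the crypto map is bound to

def render_side(local: Site, remote: Site, psk: str, acl: int = 101,
                transform: str = "esp-3des esp-md5-hmac",
                lifetime: int = 86400) -> str:
    """Steps 1-7 for one end; call with the sites swapped for the other."""
    return "\n".join([
        "crypto isakmp policy 9",
        " hash md5",
        " authentication pre-share",
        f"crypto isakmp key {psk} address {remote.public_ip}",
        f"crypto ipsec security-association lifetime seconds {lifetime}",
        # source = this LAN, destination = remote LAN; the other end mirrors it
        f"access-list {acl} permit ip {local.lan} {local.wildcard} "
        f"{remote.lan} {remote.wildcard}",
        f"crypto ipsec transform-set VPNSET {transform}",
        "crypto map VPNMAP 10 ipsec-isakmp",
        f" set peer {remote.public_ip}",
        " set transform-set VPNSET",
        f" match address {acl}",
        f"interface {local.wan_if}",
        " crypto map VPNMAP",
    ]) + "\n"

def ends_match(cfg_a: str, cfg_b: str) -> bool:
    """True when both ends use the same key and transform set and their
    access-lists are mirror images (A's source is B's destination)."""
    def grab(cfg, pat):
        m = re.search(pat, cfg, re.M)
        return m.groups() if m else None
    key, ts = r"^crypto isakmp key (\S+) address", r"^crypto ipsec transform-set \S+ (.+)$"
    acl = r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$"
    a, b = grab(cfg_a, acl), grab(cfg_b, acl)
    return (grab(cfg_a, key) == grab(cfg_b, key) and grab(cfg_a, ts) == grab(cfg_b, ts)
            and a is not None and b is not None and a == b[2:] + b[:2])

HQ = Site("203.0.113.10", "192.168.1.0", "0.0.0.255", "FastEthernet0/0")
BRANCH = Site("198.51.100.20", "192.168.2.0", "0.0.0.255", "FastEthernet0/0")
CFG_HQ, CFG_BRANCH = render_side(HQ, BRANCH, "VPNKEY"), render_side(BRANCH, HQ, "VPNKEY")
```

The hash and transform set are parameters so that the newer values current IOS releases prefer over md5 and 3des can be substituted without changing the structure of either side.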
Note: If you want to implement multiple VPN connections to
multiple sites, you can do this by repeating the steps 2 to 7 (except step 3)
for each VPN connection. The different crypto-maps and their assignments
differentiate between the different VPN connections.
For troubleshooting purposes, you can use the following commands:
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto map
Written by funeng on 2007-07-26 00:51:32
How are you, boss?

Question
Written by TwitchGT on 2007-10-10 09:10:41
I'm wondering if I have to make a new crypto map for every site. The interface I want to connect the maps to only allows me to add one crypto map. So I'm assuming I can't because of this. Any clarification would be helpful. Right now I've just been adding peers to the current crypto map and adding IP ranges to the same access list.

Thnx
Written by sjubba on 2007-12-14 23:10:02
Thanks a lot sir, but I have one question. I am using Cisco Router model 2811 but the problem is that the command crypto is not available. Any advice about that? Do I need an IOS upgrade?

TwitchGT
Written by RouterGeek on 2007-12-15 13:33:04
Sorry for the late reply. Supposedly, different crypto-maps can be set for different LOGICAL interfaces. As for a single PHYSICAL interface, you can use a single crypto-map. If you are using the same physical interface to connect to multiple sites, this already means that you are using logical interfaces. So, use the different crypto-maps on different logical interfaces even though you are using the same physical interface. I hope this helps.

sjubba
Written by RouterGeek on 2007-12-15 13:34:26
Thank you for your participation. I believe an IOS upgrade will solve this problem.

Written by redhotchilidog on 2008-05-18 21:04:08
Can this be done even if there is an existing Easy VPN client created in the router?

Written by manhhaivn84 on 2008-11-14 01:31:30
Thanks for sharing!