How to Configure Site-to-Site VPN in Cisco Routers


    When would you need this: When you want to create a secure tunnel to transfer data between two sites without using a VPN concentrator or other dedicated security devices.

    Special Requirements: The routers used must support IPSec. Most Cisco routers do. Another requirement is that both sides use a static public IP address to connect to the Internet.

    We will go through the steps to be done on one side; the same steps must then be repeated on the other side. The encryption of data will depend on a shared key, so we will not need a CA or RSA keys. If you have a hub-and-spoke topology, refer to the note at the bottom.

    1. Create an Internet Key Exchange (IKE) policy. The policy used for our case is policy number 9 (the number is only the policy's priority); the authentication pre-share line is what makes it a pre-shared-key policy.

    Router(config)#crypto isakmp policy 9

    Router(config-isakmp)#hash md5

    Router(config-isakmp)#authentication pre-share

    2. Set up the shared key that will be used for the VPN,

    Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX

    where,

    VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end.

    XXX.XXX.XXX.XXX the static public IP address of the other end.

    3. Now we set the lifetime for the IPSec security associations,

    Router(config)#crypto ipsec security-association lifetime seconds YYYYY

    where YYYYY is the security association lifetime in seconds. The usual value is 86400, which is one day.

    4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,

    Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK

    where,

    AAA is the access-list number 

    SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source of the data allowed to use the VPN link.

    DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination of the data that needs to pass through the VPN link.

    5. Define the transform set that will be used for this VPN connection,

    Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC

    where,

    SETNAME is the name of the transform set. You can choose any name you like.

    BBBB and CCCCC are the transforms that make up the set. I recommend the use of “esp-3des esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Either of these two will do the job.

    6. After defining all the previous things, we need to create a crypto map that ties together the access-list, the peer at the other site and the transform set.

    Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp

    Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX

    Router(config-crypto-map)#set transform-set SETNAME

    Router(config-crypto-map)#match address AAA

    where,

    MAPNAME is a name of your choice for the crypto map

    PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto-map give it any number, for example 10.

    XXX.XXX.XXX.XXX the static public IP address of the other end

    SETNAME is the name of the transform set that we configured in step 5

    AAA is the number of the access-list that we created to define the traffic in step 4

    7. The last step is to bind the crypto map to the interface that connects the router to the other end. Enter the configuration mode of that interface (the one carrying the public IP address) and apply the map:

    Router(config-if)#crypto map MAPNAME

    where MAPNAME is the name of the crypto map that we defined in step 6.

    Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.

    Note: If you want to implement multiple VPN connections to multiple sites (i.e. a hub-and-spoke topology), you can do this by repeating steps 2 to 7 (except step 3) for each VPN connection. The different crypto map entries and their assignments differentiate between the VPN connections. Use the same map name for all the connections on the same interface, and use a different priority for each connection.
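    As an added worked example that is not part of the original article, the configuration below shows steps 1 to 7 and the hub-and-spoke note applied to a hub router with two spokes. Every address, key, interface name and map name is a placeholder chosen for illustration: the public addresses come from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, and the LANs are 10.0.0.0/24 (hub), 10.0.1.0/24 (spoke A) and 10.0.2.0/24 (spoke B). The example departs from the article's transform recommendation in one respect: the IKE policy and transform set use AES-256 and SHA-1 with Diffie-Hellman group 14 instead of 3DES/MD5 and the default group, which assumes an IOS image that supports those algorithms.

```cisco
! ---- HUB router: public 203.0.113.1 on Gi0/0, LAN 10.0.0.0/24 (placeholders) ----
! step 1: IKE policy; the article omits the encryption and group lines,
! which then fall back to the IOS defaults (DES, group 1)
crypto isakmp policy 9
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! step 2: one pre-shared key per peer (placeholder keys; use a distinct strong key per spoke)
crypto isakmp key HUB-TO-A-KEY address 198.51.100.1
crypto isakmp key HUB-TO-B-KEY address 192.0.2.1
!
! step 3: set once, shared by every tunnel on this router
crypto ipsec security-association lifetime seconds 86400
!
! step 4: one access-list per spoke; source = hub LAN, destination = that spoke's LAN
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! step 5: transform set (stronger than the article's 3des/md5 suggestion)
crypto ipsec transform-set STRONGSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! step 6: one crypto map NAME with a different sequence number per spoke,
! each entry with its own peer and its own access-list
crypto map HUBMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set STRONGSET
 match address 101
crypto map HUBMAP 20 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set STRONGSET
 match address 102
!
! step 7: the map is applied once to the public-facing interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map HUBMAP
!
! ---- SPOKE A router: public 198.51.100.1 on Gi0/0, LAN 10.0.1.0/24 (placeholders) ----
crypto isakmp policy 9
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! the same key the hub holds for this spoke, pointing at the hub's public address
crypto isakmp key HUB-TO-A-KEY address 203.0.113.1
crypto ipsec security-association lifetime seconds 86400
! mirror image of the hub's access-list 101: source and destination swapped
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto ipsec transform-set STRONGSET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map SPOKEMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set STRONGSET
 match address 101
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map SPOKEMAP
!
! Spoke B is configured exactly like spoke A, with its own addresses,
! the key HUB-TO-B-KEY, and an access-list mirroring the hub's access-list 102.
```

    Two checks worth doing with this configuration: the spoke's access-list must be the exact mirror of the hub's entry for it, otherwise IKE comes up (show crypto isakmp sa shows the peer in QM_IDLE) but show crypto ipsec sa never reports encrypted packets. And if the same public interface also performs NAT overload, the VPN traffic has to be excluded from the NAT access-list; otherwise the translated packets no longer match the crypto access-list and are sent to the Internet in the clear instead of into the tunnel. No extra static routes are needed beyond the default route towards the ISP, because the crypto map intercepts matching traffic as it leaves that interface.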

    For troubleshooting purposes, you can use the following commands,

    show crypto isakmp sa

    show crypto ipsec sa

    show crypto engine connections active

    show crypto map


    Read more security tips in the Router Geek Book: Guide to Cisco Routers Configuration


    • Thanks for this excellent blog entry. Well written and to the point.
      You are assuming both endpoints have static addresses. What if one endpoint uses dynamic addresses?

    • I haven’t got such a situation before. I’ll look into it and get back to you.

    • And what about one CISCO router in HQ and a few others in branch offices?
      In my case I’ve got one VPN site-to-site already, but want to make a second one to a new office?
      It is possible, but how to do it?

      • You could try DMVPN to remote offices, would give connectivity to your central office and also allow dynamic tunnels between branch offices saving bandwidth at the central site..

    • Sorry, missed the Note :)
      Another crypto map

    • What is the meaning of WIL.DCA.RDM.ASK?

    • WIL.DCA.RDM.ASK = Wild Card Mask Ok thanks…

      Sorry

    • Please can you show the configuration for ASA.

      Thanks

    • Hello,

      Well done for the above write-up. Could you check with Hub and Spokes VPN IPSec with 3 Cisco 1841 routers??
      I have to ask you to add voice config in order to allow it at defined hours of day.

      THANK A LOT FOR N !!!!!!

      Sam

    • Just curious, I’m trying to implement a hub on a VLAN. When I enter a second crypto map on the interface, the first entry disappears. Is there something I’m missing or is the hub config completely different?

      • Actually, it is not completely different. I did not clarify in the last note at the end of the article. If you intend to do a hub-and-spoke topology, at the hub end, use the same map name for all connections, just give the different connections different priorities. All the rest remains separate. I mean, each link can have a different password.
        I will re-write the note to explain that.

    • Thanks again! I did come across the information.

      If I can pick your brain some more: I have the tunnel up, and on the ASA side, traffic is being passed, but I’m not sending traffic from the 6509.

      There are no additional route statements that need to be made, are there? The access list should encompass that, right?

      Thanks again!

    • I have a site to site vpn currently set up where one end is dynamic and the other end is static. I want the internet traffic to also be tunneled across to the hub side as the internet will be accessed past a firewall from within. I am curious how this can be done? I have a default route on the spoke side that points out to the ISP, therefore right now with my access list the vpn works great; however the internet access is using the default route vs going across the tunnel. Is there somehow this can be done? Looking for suggestions.

      • Donna,
        If you need all the traffic to go towards the hub (as I have understood from your question) you will need to modify the access-list in step 4, such that you replace the DDD.DDD.DDD.DDD address (which is the hub’s destination network now) with “any”. This way, all traffic originating from the source network that you have identified in the access-list will go through the tunnel.
        I hope this solves it.

    • I’m looking to replace our Point to Point T1’s with a simple business DSL line in our satellite office. They currently have Cisco 1841, which has the ability to VPN. So I’d like to establish a site to site VPN between that device and my Sonicwall. Then hopefully take down the T1 and save a lot of money in the process! Is this easy to do? I’m not too familiar with the VPN process. or if the Sonicwall can be “friends” with the cisco. Thanks in advance :) Great write up

    • I’ve got a hub and spoke situation, where a 2851 cisco router is supposed to be installed at the HQ and 1841 cisco routers will be installed in 9 branches dotted around the country. Will this config work or do I need something special?

      please help.

      Regards

    • Thank you Mr. Alani

      I would like to implement a VPN site to site connection in my company. And I am planning to use a 1941 router for HO and 881 for 13 branch offices. All branches have only about 5 or 6 users... are these routers enough???

      What encryption method?
      I didn’t see any command about that.

      #encryption aes or sha or md5
      #group 1or 2 or 5

      • Do a "show flash" in the routers and check the names of the IOS files. If the IOS file name includes "advsecurity", "spservices", "entbase", "advipservices", "entservices", or "adventerprise" then they support all the instructions needed to run this procedure.

    • How to test if successful?

      • You can ping from the border router to the other end. If you need to check the source IP address of the ping, issue “debug ip icmp” on one end, and do a ping from the other end to this end, to see if the IP addresses are properly operating.

    • Does anyone here have any idea how to configure IPSec VPN from site to multiple sites on a Cisco Router? (Like Mesh: 1. SiteA connects to SiteB and SiteC; 2. SiteB connects to SiteA and SiteC; 3. SiteC connects to SiteA and SiteB)

    • Do I need to insert some static route pointing to my default-gateway link? Thanks!

    • Sir, I did all these configs on Packet Tracer and live also, but both networks cannot ping each other

    • Thnx man. I like the way you explained. It really helps. Cheers! :)

    • Excellent article, the sort of template with variables document that are sorely missing on Cisco’s website. Thanks and well done

    • Excellent work guys… So simple and to the point… Thank you….

    • I am trying to set up a VPN on a C2911 for Cisco Jabber, but on the other end there isn’t any kind of router that can be modified. It is just a plain simple plug-and-play gateway with a dynamic address that leads you to the internet.
      So I am asking, is it possible to set up this kind of task that I want, and what would the modifications be?
      Traffic needs to go from my gateway to the C2911.

      Thank you.
