Introduction - IPSEC VPN on ISR routers
Cisco Packet Tracer allows IPSEC VPN configuration between routers. The example below presents a basic VPN configuration over a Frame Relay between Paris and New-York using Cisco 2811 routers.
IPSEC Tunneling allows network adminisrators to use the Internet to create secure connections between networks (teleworkers, remote sites, ...). Cisco 2811 routers use the ISAKMP and IPsec tunneling standards to crete and manage tunnels. IPsec provides authentication (AH) and encryption (ESP) services to prevent unauthorized data access or modification. ISAKMP is the negotiation protocol that makes peers negociate on how to build the IPsec security association.
A major problem with IPSec sessions is that they do not support multicast or broadcast traffic. Enabling dynamic routing protocols such as OSPF or EIGRP requires multicast or brodcast support to allow hellos and updates traffic between routers.
Solution : Build another generic tunnel over IPSEC. Three options available in Cisco routers :
- Virtual Tunnel Interface (VTI)
- Generic Routing Encapsulation (GRE)
- DMVPN and GET VPN
GRE over IPSEC has been working in Cisco Packet Tracer since at least version 6.0.1 . This tunnel design allows OSPF dynamic routing over the tunnel
Basic IPSEC VPN configuration
Download network topology
File Name: ipsec-vpn.pkt
File Size: 11 KB
Configuration
Paris router configuration
hostname PARIS ! crypto isakmp policy 1 encr aes authentication pre-share group 2 ! crypto isakmp key 0 address 172.16.1.2 ! crypto ipsec security-association lifetime seconds 86400 ! crypto ipsec transform-set SECUREWAN esp-aes esp-sha-hmac ! crypto map IPSECWAN 100 ipsec-isakmp set peer 172.16.1.2 set pfs group2 set security-association lifetime seconds 86400 set transform-set SECUREWAN match address SECURED-TRAFFIC ! ! interface FastEthernet0/0 ip address 10.0.1.1 255.255.255.0 duplex auto speed auto ! interface Serial0/0/0 ip address 172.16.1.1 255.255.255.252 encapsulation frame-relay frame-relay interface-dlci 100 crypto map IPSECWAN ! ip route 10.100.1.0 255.255.255.0 172.16.1.2 ! ! ip access-list extended SECURED-TRAFFIC permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 !
New-York router configuration
hostname NEWYORK ! ! crypto isakmp policy 1 encr aes authentication pre-share group 2 ! crypto isakmp key 0 address 172.16.1.1 ! crypto ipsec security-association lifetime seconds 86400 ! crypto ipsec transform-set SECUREWAN esp-aes esp-sha-hmac ! crypto map IPSECWAN 100 ipsec-isakmp set peer 172.16.1.1 set security-association lifetime seconds 86400 set transform-set SECUREWAN
OSFP dynamic routing with GRE tunnel over IPSEC
The IPSEC ACL is modified to allow GRE traffic over the tunnel and to deny any unencrypted traffic on the WAN link
ip access-list extended SECURED-TRAFFIC
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip any any
permit gre 10.254.1.0 0.0.0.3 10.254.1.0 0.0.0.3
GRE tunnel configuration on Paris router
interface Tunnel0
ip address 10.254.1.1 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 172.16.1.2
tunnel mode gre ip
GRE tunnel configuration on NewYork router
interface Tunnel0
ip address 10.254.1.2 255.255.255.252
tunnel source Serial0/0/0
tunnel destination 172.16.1.1
tunnel mode gre ip
OSPF configuration over the tunnel
router ospf 1
log-adjacency-changes
network 10.0.1.0 0.0.0.255 area 0
network 10.254.1.0 0.0.0.3 area 0