IPSEC VPN tunneling in Cisco Packet Tracer

Introduction - IPSEC VPN on ISR routers

Cisco Packet Tracer supports IPsec VPN configuration between routers. The example below shows a basic VPN configuration over a Frame Relay link between Paris and New-York using Cisco 2811 routers.

IPsec tunneling allows network administrators to use the Internet to create secure connections between networks (teleworkers, remote sites, ...). Cisco 2811 routers use the ISAKMP and IPsec standards to create and manage tunnels. IPsec provides authentication (AH) and encryption (ESP) services to prevent unauthorized data access or modification. ISAKMP is the negotiation protocol with which the peers agree on how to build the IPsec security association.

A major limitation of IPsec sessions is that they do not carry multicast or broadcast traffic. Dynamic routing protocols such as OSPF or EIGRP need multicast or broadcast support for their hello and update traffic between routers.

Solution: build another, generic tunnel over IPSEC. Three options are available on Cisco routers:

  • Virtual Tunnel Interface (VTI)
  • Generic Routing Encapsulation (GRE)
  • DMVPN and GET VPN

GRE over IPSEC has been working in Cisco Packet Tracer since at least version 6.0.1. This tunnel design allows OSPF dynamic routing over the tunnel.


Basic IPSEC VPN configuration

Download network topology

File Name: ipsec-vpn.pkt
File Size: 11 KB


Configuration

Paris router configuration

hostname PARIS
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! PSK-PLACEHOLDER stands for the pre-shared key (not shown on the page); it must be identical on both routers
crypto isakmp key 0 PSK-PLACEHOLDER address 172.16.1.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SECUREWAN esp-aes esp-sha-hmac
!
crypto map IPSECWAN 100 ipsec-isakmp 
 set peer 172.16.1.2
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set SECUREWAN 
 match address SECURED-TRAFFIC
!
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.252
 encapsulation frame-relay
 frame-relay interface-dlci 100
 crypto map IPSECWAN
!
ip route 10.100.1.0 255.255.255.0 172.16.1.2 
!
!
ip access-list extended SECURED-TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!


New-York router configuration

hostname NEWYORK
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! PSK-PLACEHOLDER stands for the pre-shared key (not shown on the page); it must match the Paris key
crypto isakmp key 0 PSK-PLACEHOLDER address 172.16.1.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SECUREWAN esp-aes esp-sha-hmac
!
crypto map IPSECWAN 100 ipsec-isakmp
 set peer 172.16.1.1
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set SECUREWAN
 match address SECURED-TRAFFIC
!
! The page stops here; the rest mirrors Paris with the addresses swapped.
! The crypto map is only active once it is applied on the WAN interface
! (DLCI assumed to be the one configured on the Frame Relay cloud).
interface Serial0/0/0
 ip address 172.16.1.2 255.255.255.252
 encapsulation frame-relay
 frame-relay interface-dlci 100
 crypto map IPSECWAN
!
ip route 10.0.1.0 255.255.255.0 172.16.1.1
!
ip access-list extended SECURED-TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
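Most site-to-site IPsec failures in this kind of lab come from the two routers disagreeing on a detail (ISAKMP policy, transform-set, peer address, which address the pre-shared key is bound to, or a crypto map that is never applied to the WAN interface). The script below is an added example, not code from the page: it parses constructed copies of the Paris and New-York configurations above (with a placeholder pre-shared key, since the page does not show one) and reports the asymmetries that would stop the security association from being negotiated.

```python
import re

# Constructed copies of the two router configurations from the page, with the
# pre-shared key (absent from the page) replaced by an obvious placeholder.
PARIS = """\
hostname PARIS
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 172.16.1.2
crypto ipsec transform-set SECUREWAN esp-aes esp-sha-hmac
crypto map IPSECWAN 100 ipsec-isakmp
 set peer 172.16.1.2
 set pfs group2
 set transform-set SECUREWAN
 match address SECURED-TRAFFIC
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.252
 crypto map IPSECWAN
"""

NEWYORK = """\
hostname NEWYORK
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 172.16.1.1
crypto ipsec transform-set SECUREWAN esp-aes esp-sha-hmac
crypto map IPSECWAN 100 ipsec-isakmp
 set peer 172.16.1.1
 set pfs group2
 set transform-set SECUREWAN
 match address SECURED-TRAFFIC
interface Serial0/0/0
 ip address 172.16.1.2 255.255.255.252
 crypto map IPSECWAN
"""


def parse(config):
    """Extract the fields that must agree between two site-to-site peers."""
    info = {"hostname": "?", "policy": {}, "psk": None, "psk_peer": None,
            "transform": None, "transform_name": None, "peer": None,
            "pfs": None, "map_transform": None, "acl": None,
            "map_name": None, "applied_map": None, "wan_ip": None}
    section, if_ip = "", None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):            # start of a top-level block
            section = line.strip()
            if words[0] == "hostname":
                info["hostname"] = words[1]
            m = re.match(r"crypto isakmp key (\S+) address (\S+)", section)
            if m:
                info["psk"], info["psk_peer"] = m.groups()
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)", section)
            if m:
                info["transform_name"] = m.group(1)
                info["transform"] = m.group(2).split()
            m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp", section)
            if m:
                info["map_name"] = m.group(1)
            continue
        if section.startswith("crypto isakmp policy"):
            info["policy"][words[0]] = " ".join(words[1:])
        elif section.startswith("crypto map"):
            key = " ".join(words[:2])
            if key == "set peer":
                info["peer"] = words[2]
            elif key == "set pfs":
                info["pfs"] = words[2]
            elif key == "set transform-set":
                info["map_transform"] = words[2]
            elif key == "match address":
                info["acl"] = words[2]
        elif section.startswith("interface"):
            if words[:2] == ["ip", "address"]:
                if_ip = words[2]                 # remembered for the crypto map line below
            elif words[:2] == ["crypto", "map"]:
                info["applied_map"], info["wan_ip"] = words[2], if_ip
    return info


def check_pair(a, b):
    """Return the asymmetries between peers a and b that break SA negotiation."""
    issues = []
    for me, other in ((a, b), (b, a)):
        name = me["hostname"]
        if me["peer"] != other["wan_ip"]:
            issues.append(f"{name}: set peer {me['peer']} but {other['hostname']} WAN address is {other['wan_ip']}")
        if me["psk_peer"] != other["wan_ip"]:
            issues.append(f"{name}: pre-shared key is bound to {me['psk_peer']}, not {other['wan_ip']}")
        if me["map_transform"] != me["transform_name"]:
            issues.append(f"{name}: crypto map references transform-set {me['map_transform']}, which is not defined")
        if me["acl"] is None:
            issues.append(f"{name}: crypto map has no 'match address' ACL, so nothing is ever encrypted")
        if me["applied_map"] != me["map_name"]:
            issues.append(f"{name}: crypto map {me['map_name']} is not applied on the WAN interface")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    if a["policy"] != b["policy"]:
        issues.append(f"ISAKMP policy mismatch: {a['policy']} vs {b['policy']}")
    if a["transform"] != b["transform"]:
        issues.append(f"transform-set proposals differ: {a['transform']} vs {b['transform']}")
    if a["pfs"] != b["pfs"]:
        issues.append(f"PFS mismatch: {a['pfs']} vs {b['pfs']}")
    return issues


if __name__ == "__main__":
    for issue in check_pair(parse(PARIS), parse(NEWYORK)) or ["no mismatches found"]:
        print(issue)
```

Run against the two configurations as pasted here the checker reports nothing; change `group 2` to `group 5` on one side, or drop the `match address` line, and the corresponding issue is printed. On the real routers the same mismatches show up as a Phase 1 or Phase 2 proposal failure in `show crypto isakmp sa` and `show crypto ipsec sa`.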


OSPF dynamic routing with GRE tunnel over IPSEC

The IPsec crypto ACL is modified to encrypt the GRE traffic that carries the tunnel and, with a final catch-all entry, to keep any unencrypted traffic off the WAN link.

ip access-list extended SECURED-TRAFFIC
 remark GRE entry: match the outer WAN addresses, not the 10.254.1.x tunnel addresses
 permit gre host 172.16.1.1 host 172.16.1.2
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
!
! New-York: same list with the GRE entry reversed (host 172.16.1.2 host 172.16.1.1)
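Two things in the GRE-over-IPsec design are easy to get wrong and are worth seeing concretely: the multicast problem from the introduction (an OSPF hello to 224.0.0.5 has no single IPsec peer until GRE wraps it into a unicast packet between the two WAN addresses), and the crypto ACL ordering, since a crypto ACL is evaluated top-down and the crypto map on Serial0/0/0 only ever sees the outer GRE header. The script below is an added example, not code from the page; it models IOS extended ACL matching (any / host / wildcard forms, first match wins, implicit deny) and the GRE encapsulation step, and runs constructed packets through the ACL as it appears on the page and through a corrected ordering. It models only the ACL match, not the SA peer selection.

```python
import ipaddress

# Crypto ACL copied from the page: the GRE entry sits after the catch-all
# and uses the tunnel interface addresses.
ORIGINAL_ACL = [
    "permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
    "permit ip any any",
    "permit gre 10.254.1.0 0.0.0.3 10.254.1.0 0.0.0.3",
]
# Constructed corrected list: the GRE entry matches the outer WAN addresses
# that the crypto map on Serial0/0/0 actually sees.
CORRECTED_ACL = [
    "permit gre host 172.16.1.1 host 172.16.1.2",
    "permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
    "permit ip any any",
]


def _wildcard_net(addr, wildcard):
    """IOS wildcard (0 bits must match) to an ipaddress network object."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")            # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _parse_entry(line):
    """'permit <proto> <src> <dst>' with the any / host X / addr wildcard forms."""
    words = line.split()
    action, proto, rest = words[0], words[1], words[2:]
    nets = []
    for _ in range(2):                          # source, then destination
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(_wildcard_net(rest[0], rest[1]))
            rest = rest[2:]
    return action, proto, nets[0], nets[1]


def evaluate(acl, packet):
    """Top-down first match with implicit deny: returns (action, entry index)."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for index, line in enumerate(acl):
        action, proto, src_net, dst_net = _parse_entry(line)
        proto_ok = proto == "ip" or proto == packet["proto"]
        if proto_ok and src in src_net and dst in dst_net:
            return action, index
    return "deny", None


def gre_encapsulate(inner, tunnel_source, tunnel_destination):
    """The packet the crypto map sees after Tunnel0 wraps `inner` in GRE."""
    return {"proto": "gre", "src": tunnel_source, "dst": tunnel_destination,
            "inner": inner}


if __name__ == "__main__":
    # Constructed OSPF hello sent into Tunnel0 (multicast destination).
    hello = {"proto": "ospf", "src": "10.254.1.1", "dst": "224.0.0.5"}
    outer = gre_encapsulate(hello, "172.16.1.1", "172.16.1.2")
    print("page ACL       :", evaluate(ORIGINAL_ACL, outer))       # hit by the catch-all
    print("page GRE entry :", evaluate(ORIGINAL_ACL[2:], outer))   # never matches
    print("corrected ACL  :", evaluate(CORRECTED_ACL, outer))      # hit by the GRE entry
```

On the page's list the encapsulated hello is only encrypted because `permit ip any any` catches it; the `permit gre 10.254.1.0 ...` entry is dead, because 10.254.1.x addresses are inside the GRE payload, not in the header the crypto map matches. With the corrected list the GRE entry is the one that fires, which also makes `show crypto ipsec sa` counters attributable to tunnel traffic.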


GRE tunnel configuration on Paris router

interface Tunnel0
 ip address 10.254.1.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 172.16.1.2
 tunnel mode gre ip


GRE tunnel configuration on NewYork router

interface Tunnel0
 ip address 10.254.1.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 172.16.1.1
 tunnel mode gre ip


OSPF configuration over the tunnel

router ospf 1
 log-adjacency-changes
 network 10.0.1.0 0.0.0.255 area 0
 network 10.254.1.0 0.0.0.3 area 0
!
! Paris shown; New-York advertises its own LAN (10.100.1.0/24) plus the same tunnel subnet.
! Remove the static route of the basic design (ip route 10.100.1.0 ...): its administrative
! distance of 1 would otherwise override the OSPF route learned through Tunnel0.


File Attachment:

File Name: ipsec-vpn-gre.pkt
File Size: 11 KB

Trademark notice : This web site and/or material is not affiliated with, endorsed by, or sponsored by Cisco Systems, Inc. Cisco, Cisco Systems, Cisco IOS, CCNA, CCNP, Networking Academy, Linksys are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. or certain other countries.