Configure and Verify A Site-To-Site IPsec VPN Using CLI
Topology
Addressing Table
Objectives
Verify connectivity throughout the network.
Configure R1 to support a site-to-site IPsec VPN with R3.
Background / Scenario
The network topology shows three routers. Your task is to configure R1 and R3 to support a site-to-site IPsec
VPN when traffic flows between their respective LANs. The IPsec VPN tunnel is from R1 to R3 via R2. R2
acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of sensitive
information over unprotected networks, such as the Internet. IPsec operates at the network layer and protects
and authenticates IP packets between participating IPsec devices (peers), such as Cisco routers.
ISAKMP Phase 1 Policy Parameters
Parameters R1 R3
Note: Bolded parameters are defaults. Only unbolded parameters have to be explicitly configured.
IPsec Phase 2 Policy Parameters
Parameters R1 R3
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.
b. If the Security Technology package has not been enabled, enable the package and reload R3.
Step 4: Create uninteresting traffic.
Ping PC-B from PC-A. Note: Issuing a ping from router R1 to PC-C or R3 to PC-A is not interesting traffic.
reload
config t
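! Interesting traffic: 192.168.1.0/24 to 192.168.3.0/24
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
! ISAKMP Phase 1 policy and the pre-shared key for the peer
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
exit
crypto isakmp key vpnpa55 address 10.2.2.2
! IPsec Phase 2 transform set and the crypto map that ties it to the peer and ACL
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description VPN connection to R3
set peer 10.2.2.2
set transform-set VPN-SET
match address 110
exit
! Apply the crypto map to the outgoing interface
interface S0/0/0
crypto map VPN-MAP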
! R3 side: the listing resumes inside the crypto map
set peer 10.1.1.2
set transform-set VPN-SET
match address 110
exit
interface S0/0/1
crypto map VPN-MAP
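
Added example, not part of the original lab: a Python check that the two peers' explicitly configured settings agree (Phase 1 policy, pre-shared key, Phase 2 transform set) and that the crypto ACLs and peer addresses mirror each other. The R3 configuration is constructed by mirroring the R1 commands above, since the lab's R3 listing is incomplete; the function names `parse` and `check_peers` are hypothetical, and default parameters that do not appear in the configuration are not compared.

```python
import re

# R1 commands as listed in the lab.
R1_CFG = """access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key vpnpa55 address 10.2.2.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.2.2.2
set transform-set VPN-SET
match address 110
"""
# Constructed R3 side (assumption): R1's commands with peer and ACL mirrored.
R3_CFG = R1_CFG.replace("10.2.2.2", "10.1.1.2").replace(
    "192.168.1.0 0.0.0.255 192.168.3.0", "192.168.3.0 0.0.0.255 192.168.1.0")

def parse(cfg):
    """Pull out the explicitly configured values both peers must agree on."""
    acl = re.search(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", cfg)
    key = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg)
    p1 = re.findall(r"^[ \t]*((?:encryption|authentication|group) .+)$", cfg, re.M)
    return {
        "phase1": sorted(s.strip() for s in p1),
        "transform": re.search(r"crypto ipsec transform-set \S+ (.+)", cfg).group(1).strip(),
        "acl_id": acl.group(1), "src": acl.group(2), "dst": acl.group(3),
        "key": key.group(1), "key_peer": key.group(2),
        "map_peer": re.search(r"set peer (\S+)", cfg).group(1),
        "map_acl": re.search(r"match address (\d+)", cfg).group(1),
    }

def check_peers(cfg_a, cfg_b, wan_a, wan_b):
    """Return the mismatches between two peers' site-to-site settings."""
    a, b, problems = parse(cfg_a), parse(cfg_b), []
    for field, label in (("phase1", "ISAKMP phase 1 policies"),
                         ("key", "pre-shared keys"),
                         ("transform", "phase 2 transform sets")):
        if a[field] != b[field]:
            problems.append(f"{label} differ")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("crypto ACLs are not mirror images")
    for name, p, remote in (("A", a, wan_b), ("B", b, wan_a)):
        if p["map_peer"] != remote or p["key_peer"] != remote:
            problems.append(f"peer {name}: key or crypto map peer is not {remote}")
        if p["map_acl"] != p["acl_id"]:
            problems.append(f"peer {name}: crypto map references ACL {p['map_acl']}")
    return problems
```

Call it as `check_peers(R1_CFG, R3_CFG, "10.1.1.2", "10.2.2.2")`, where the two addresses are the peer addresses from the `set peer` lines above; an empty list means the two sides are consistent.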