Configuring a Site-to-Site VPN Between Two Cisco Routers

A site-to-site virtual private network (VPN) lets you maintain a secure, “always-on” connection between two physically separate sites across an untrusted network such as the Internet. Traffic between the two sites travels through an encrypted tunnel that protects it from eavesdroppers and other attacks on your data.

This configuration requires an IOS image that supports cryptography. The image used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.

Several protocols are involved in building the VPN: protocols that perform the key exchange between the peer routers, protocols that protect the tunnel itself, and hashing algorithms that produce message digests.

VPN Protocols

IPsec: Internet Protocol Security (IPsec) is a suite of protocols for securing IP communication. IPsec covers both the key exchange and the encryption of the tunnel. It is best thought of as a framework for applying protection rather than a single algorithm: when you build a VPN with IPsec, you choose from a range of security mechanisms to construct the encrypted tunnel.

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a way for the two parties to authenticate each other so that their communication can be secured. It usually uses Internet Key Exchange (IKE), although other protocols can be used. Either public keys or pre-shared keys can be used to authenticate the other party in the exchange.

MD5: Message-Digest Algorithm 5

Message-Digest Algorithm 5 (MD5) is a widely used but now generally insecure cryptographic hash function with a 128-bit hash value. A cryptographic hash function takes an arbitrary amount of data and returns a fixed-length bit string that depends on the input data. Hashing is designed so that any change to the data changes its hash value. The hashed value is called the message digest.

SHA: Secure Hash Algorithm (SHA)

The Secure Hash Algorithm (SHA) is a family of cryptographic hash functions designed by the National Security Agency (NSA). There are three SHA algorithms, structured differently and named SHA-0, SHA-1 and SHA-2. SHA-1 is the most widely used hashing algorithm; it produces a 160-bit digest.

ESP: Encapsulating Security Payload (ESP)

Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite and provides origin authenticity, integrity and confidentiality protection for packets. ESP also supports encryption-only and authentication-only configurations, but encryption without authentication is not recommended because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP header of the packet. This is why ESP is the preferred protocol when Network Address Translation (NAT) is in use. ESP runs directly over IP as IP protocol 50.

Data Encryption Standard (DES)

Data Encryption Standard (DES) is an encryption algorithm with a 56-bit key. It is no longer considered secure because its small key length makes it susceptible to brute-force attacks.

3DES

Triple DES (3DES) was designed to overcome the weaknesses and limitations of DES by applying three distinct 56-bit keys in three successive passes. 3DES keys are 168 bits long. With 3DES the data is first encrypted with one 56-bit key, then encrypted with a second 56-bit key, and the result is encrypted again with a third 56-bit key.

Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It supports a range of key lengths and is considered to be about six times faster than 3DES.

HMAC: Hash-based Message Authentication Code (HMAC)

Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC). An HMAC is computed with a specific algorithm that combines a cryptographic hash function with a secret key.
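The following example is added here to illustrate the three ideas above with running code; it is not from the article. It shows the digest sizes of MD5 (128 bits) and SHA-1 (160 bits), that a one-bit change to the input changes the digest, and why ESP's encryption-only mode is discouraged: a flipped ciphertext bit passes silently through decryption alone but is rejected once an HMAC-SHA1 tag over the ciphertext is checked, which is what the esp-sha-hmac part of a transform set buys you. The message and keys are constructed, and the "cipher" is a toy SHA-256 counter-mode keystream standing in for AES, which the Python standard library does not provide.

```python
import hashlib
import hmac

# Constructed sample values for this example (not from the article).
MESSAGE = b"transfer 100 to account 42"
ENC_KEY = b"constructed-encryption-key"
MAC_KEY = b"constructed-mac-key"
TAG_LEN = hashlib.sha1().digest_size   # 20 bytes = 160 bits


def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest length in bits of the named hash (md5 -> 128, sha1 -> 160)."""
    return hashlib.new(algorithm, data).digest_size * 8


def avalanche(algorithm: str, data: bytes) -> bool:
    """True if flipping a single input bit changes the digest."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return hashlib.new(algorithm, data).digest() != hashlib.new(algorithm, flipped).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; it stands in for a real
    cipher such as AES-CTR, which the standard library does not provide."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, data: bytes) -> bytes:
    """Encryption with no authentication (the ESP mode the article warns against)."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


decrypt_only = encrypt_only   # XOR with the same keystream is its own inverse


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Encrypt, then append HMAC-SHA1 over the ciphertext (esp-aes + esp-sha-hmac style)."""
    ciphertext = encrypt_only(enc_key, data)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha1).digest()


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext only if the HMAC verifies; None if the packet was altered
    or the MAC key is wrong. compare_digest avoids timing leaks in the comparison."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, ciphertext)


def flip_bit(blob: bytes, offset: int) -> bytes:
    """Simulate in-transit corruption or modification of one bit."""
    return blob[:offset] + bytes([blob[offset] ^ 0x01]) + blob[offset + 1:]


def silently_accepted(enc_key: bytes, data: bytes) -> bool:
    """Encryption-only: a flipped ciphertext bit decrypts to a different message with no error."""
    altered = decrypt_only(enc_key, flip_bit(encrypt_only(enc_key, data), 0))
    return altered != data and len(altered) == len(data)


if __name__ == "__main__":
    print("MD5 bits:", digest_bits("md5", MESSAGE), "SHA-1 bits:", digest_bits("sha1", MESSAGE))
    print("encryption-only accepts altered data:", silently_accepted(ENC_KEY, MESSAGE))
    packet = encrypt_then_mac(ENC_KEY, MAC_KEY, MESSAGE)
    print("encrypt-then-HMAC rejects altered data:",
          verify_and_decrypt(ENC_KEY, MAC_KEY, flip_bit(packet, 0)) is None)
```

The tag is computed over the ciphertext and checked before anything is decrypted, which is the same encrypt-then-authenticate ordering ESP uses; checking it with hmac.compare_digest rather than == keeps the comparison time independent of where the first mismatching byte is.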

Configuring a Site-to-Site VPN

Building a VPN between two sites involves several steps:

Phase One configuration sets up the key exchange. It uses ISAKMP to specify the hashing algorithm and the authentication method. This is one of the two places where you identify the peer at the other end of the tunnel. In this example we chose SHA as the hashing algorithm because of its greater strength and its 160-bit digest. The key “vpnkey” must be identical on both ends of the tunnel. The address 192.168.16.105 is the outside interface of the router at the far end of the tunnel.

Sample phase one configuration:

tukwila(config)#crypto isakmp policy 10

tukwila(config-isakmp)#hash sha

tukwila(config-isakmp)#authentication pre-share

tukwila(config-isakmp)#exit

tukwila(config)#crypto isakmp key vpnkey address 192.168.16.105

Phase Two configuration sets up the encrypted tunnel. In Phase Two you define the transform set, which determines the encryption and authentication protocols used to build the secure tunnel. You also create a crypto map that identifies the peer at the far end of the tunnel, names the transform set to use, and references the access list that determines which traffic is allowed through the tunnel.

In this example we chose AES because of its better performance and security. The statement “set peer 192.168.16.105” identifies the outside interface of the router at the far end of the tunnel. The statement “set transform-set vpnset” tells the router to use the parameters in the transform set vpnset to build this tunnel. The statement “match address 100” ties the tunnel to access list 100, which is defined later.

Sample phase two configuration:

tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac

tukwila(cfg-crypto-trans)#exit

tukwila(config)#crypto map vpnset 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

tukwila(config-crypto-map)#set peer 192.168.16.105

tukwila(config-crypto-map)#set transform-set vpnset

tukwila(config-crypto-map)#match address 100

The crypto map must then be applied to the outside interface (in this case FastEthernet 4):

tukwila(config)#int f4

tukwila(config-if)#crypto map vpnset

You must also create an access list that explicitly permits traffic from one router’s inside LAN to pass through the tunnel to the other router’s inside LAN (in this case, the router’s inside LAN is 10.10.10.0/24 and the other router’s inside LAN is 10.10.10.0/24).

(For more information about access list syntax, see my other articles on creating and managing Cisco router access lists.)

You must also configure a default route (also called the “gateway of last resort”).

Verifying VPN Connections

Two commands can be used to verify VPN connections:

Router#show crypto ipsec sa

This command displays the settings used by the currently active security associations (SAs).

Router#show crypto isakmp sa

This command displays the current IKE security associations.

Troubleshooting VPN Connections

After verifying physical connectivity, review every element of the VPN configuration on both routers to confirm that the two ends mirror each other.
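The "mirror each other" check above is tedious to do by eye, so the following added example (not part of the article, and not a Cisco tool) walks the whole procedure from the configuration section: it parses the VPN-relevant lines of two IOS running-configs and reports every way the ends disagree, such as differing Phase One policies or pre-shared keys, a "set peer" that is not the other router's outside address, a transform set or access list the crypto map references but that is never defined, a crypto map not applied to an interface, a missing default route, or crypto access lists that are not mirror images. The tukwila side reuses the article's values (policy 10, hash sha, pre-share, key vpnkey, peer 192.168.16.105, transform set vpnset, access list 100, LAN 10.10.10.0/24); the peer hostname seattle, its LAN 10.20.20.0/24, tukwila's own outside address 192.168.16.25, the next hop 192.168.16.1 and the interface addressing are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed running-config fragments for both ends. tukwila uses the article's
# values; seattle, 10.20.20.0/24, 192.168.16.25 and 192.168.16.1 are assumed.
TUKWILA_CONFIG = """
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address 192.168.16.105
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.16.105
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address 192.168.16.25 255.255.255.0
 crypto map vpnset
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.16.1
"""

SEATTLE_CONFIG = """
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address 192.168.16.25
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.16.25
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address 192.168.16.105 255.255.255.0
 crypto map vpnset
access-list 100 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.16.1
"""


def parse(config: str) -> Dict:
    """Extract the VPN-relevant pieces of an IOS config. Indented lines belong to
    the preceding top-level command, as IOS prints them."""
    c = {"policy": {}, "keys": {}, "tsets": {}, "map": {}, "acls": {},
         "crypto_if": None, "outside_ip": None, "default_route": False}
    section, if_ip = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                     # top-level command
            section = None
            if line.startswith("crypto isakmp policy"):
                section = "policy"
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                c["keys"][m.group(2)] = m.group(1)      # peer address -> key
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                c["tsets"][m.group(1)] = tuple(m.group(2).split())
            elif line.startswith("crypto map "):
                section = "map"
            elif line.startswith("interface "):
                section, if_ip = "interface", None
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
                c["acls"].setdefault(m.group(1), set()).add(m.groups()[1:])
            elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
                c["default_route"] = True
        elif section == "policy":
            key, value = line.split(None, 1)
            c["policy"][key] = value
        elif section == "map":
            if line.startswith("set peer "):
                c["map"]["peer"] = line.split()[2]
            elif line.startswith("set transform-set "):
                c["map"]["tset"] = line.split()[2]
            elif line.startswith("match address "):
                c["map"]["acl"] = line.split()[2]
        elif section == "interface":
            if line.startswith("ip address "):
                if_ip = line.split()[2]
            elif line.startswith("crypto map "):       # applied here: the outside interface
                c["crypto_if"], c["outside_ip"] = line.split()[2], if_ip
    return c


def check_mirror(a: Dict, b: Dict) -> List[str]:
    """Return every way the two ends fail to mirror each other (empty list = consistent)."""
    problems = []
    if a["policy"] != b["policy"]:
        problems.append(f"phase 1 policy differs: {a['policy']} vs {b['policy']}")
    for name, side, other in (("A", a, b), ("B", b, a)):
        peer = side["map"].get("peer")
        if peer != other["outside_ip"]:
            problems.append(f"{name}: set peer {peer} is not the other end's outside address {other['outside_ip']}")
        if peer not in side["keys"]:
            problems.append(f"{name}: no pre-shared key configured for peer {peer}")
        if side["map"].get("tset") not in side["tsets"]:
            problems.append(f"{name}: crypto map references an undefined transform set")
        if side["map"].get("acl") not in side["acls"]:
            problems.append(f"{name}: crypto map references an undefined access list")
        if side["crypto_if"] is None:
            problems.append(f"{name}: crypto map is not applied to any interface")
        if not side["default_route"]:
            problems.append(f"{name}: no default route (gateway of last resort)")
    if a["keys"].get(a["map"].get("peer")) != b["keys"].get(b["map"].get("peer")):
        problems.append("pre-shared keys differ")
    if a["tsets"].get(a["map"].get("tset")) != b["tsets"].get(b["map"].get("tset")):
        problems.append("transform sets differ")
    acl_a = a["acls"].get(a["map"].get("acl"), set())
    acl_b = b["acls"].get(b["map"].get("acl"), set())
    if {(d, dw, s, sw) for s, sw, d, dw in acl_a} != acl_b:   # B's ACL must be A's with src/dst swapped
        problems.append("crypto access lists are not mirror images")
    return problems


def audit(config_a: str, config_b: str) -> List[str]:
    return check_mirror(parse(config_a), parse(config_b))


if __name__ == "__main__":
    for problem in audit(TUKWILA_CONFIG, SEATTLE_CONFIG) or ["both ends mirror each other"]:
        print(problem)
```

Feed it the output of show running-config from each router (the parser only looks at the crypto, interface, access-list and ip route lines); an empty result means the two ends agree on everything the article says must match, and each reported line names the side and the setting to fix.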

Debug commands can also be used to identify VPN connection problems.
