Configuring a Site-to-Site VPN Between Two Cisco Routers
A site-to-site virtual private network (VPN) lets you maintain a secure, "always-on" connection between two physically separate sites across an untrusted network such as the Internet. Traffic between the two sites travels through an encrypted tunnel that protects the data from eavesdropping and other attacks.
This configuration requires an IOS image that supports cryptography. The image used in these examples is c870-advipservicesk9-mz.124-15.T6.bin.
Several protocols work together to build the VPN: protocols that handle key exchange between the peers, protocols that secure the tunnel itself, and hashing algorithms that produce message digests.
VPN Protocols
IPsec: Internet Protocol Security (IPsec) is a suite of protocols for securing IP communications. IPsec covers both the key exchange and the encryption of the tunnel. Think of IPsec as a framework for applying protection: when you build a VPN with IPsec, you choose from a range of security options to construct the encrypted tunnel.
ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a way to authenticate the peers at each end of the secure communication. It typically uses Internet Key Exchange (IKE), though other protocols can be used. Either public keys or a pre-shared key can be used to authenticate the peers during the exchange.
MD5: Message-Digest Algorithm 5
Message-Digest Algorithm 5 (MD5) is a widely used but now generally insecure cryptographic hash function that produces a 128-bit hash value. A cryptographic hash function takes an arbitrary amount of data and returns a fixed-size bit string that depends on the input. The function is designed so that any change to the data changes the hash value. The hash value is referred to as the message digest.
SHA: Secure Hash Algorithm
Secure Hash Algorithm (SHA) is a family of cryptographic hash functions designed by the National Security Agency (NSA). There are three SHA algorithms, structured differently and known as SHA-0, SHA-1 and SHA-2. SHA-1 is the most widely used hashing algorithm and produces a 160-bit digest.
ESP: Encapsulating Security Payload
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity and confidentiality protection for packets. ESP also supports encryption-only and authentication-only configurations, but encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP header of the packet, which is why ESP is the protocol to use in a Network Address Translation (NAT) configuration. ESP runs directly over IP as IP protocol 50.
DES: Data Encryption Standard
Data Encryption Standard (DES) is an encryption algorithm with a 56-bit key. It is no longer considered secure because its short key length makes it susceptible to brute-force attacks.
3DES: Triple DES
Triple DES (3DES) was designed to overcome the weaknesses and limitations of DES by using three distinct 56-bit keys in an encrypt, decrypt, re-encrypt sequence. 3DES keys are 168 bits long. With 3DES the data is first encrypted with one 56-bit key, then decrypted with a second 56-bit key, and the result is encrypted again with a third 56-bit key.
AES: Advanced Encryption Standard
Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It supports a range of key lengths and is considered to be roughly six times faster than 3DES.
HMAC: Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC). An HMAC is calculated using a specific construction that combines a cryptographic hash function with a secret key.
Configuring a Site-to-Site VPN
The process of configuring a site-to-site VPN involves several steps:
Phase One configuration sets up the key exchange. This step uses ISAKMP to define the hashing algorithm and the authentication method, and it is one of the two places where you must identify the peer at the other end of the tunnel. In this example we chose SHA as the hashing algorithm because of its stronger 160-bit digest. The pre-shared key "vpnkey" must be identical on both ends of the tunnel. The address 192.168.16.105 is the outside interface of the router at the far end of the tunnel.
Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#exit
tukwila(config)#crypto isakmp key vpnkey address 192.168.16.105
Phase Two configuration sets up the encrypted tunnel. In Phase Two you create and define the transform set, which determines the encryption protocols used to build the secure tunnel. You also create a crypto map that identifies the peer at the other end of the tunnel, specifies the transform set to use, and names the access control list that defines which traffic is allowed through the tunnel.
In this example we chose AES because of its greater efficiency and security. The statement "set peer 192.168.16.105" identifies the outside interface of the router at the far end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters in the transform set vpnset to build this tunnel. The "match address 100" statement ties the tunnel to access list 100, which is defined later.
Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100
The crypto map must be applied to the outside interface (in this example, FastEthernet 4):
tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset
You must create an access control list that explicitly permits traffic from the router's internal LAN through the tunnel to the other router's internal LAN (in this example the router's internal LAN is 10.10.10.0/24 and the other router's internal LAN is 10.10.10.0/24).
(For more information on access control list syntax, see my other articles on creating and managing Cisco router access control lists.)
You must also configure a default route (also known as the "gateway of last resort").
Verifying VPN Connections
Two commands can be used to verify VPN connections:
Router#show crypto ipsec sa
This command displays the settings used by the currently active security associations (SAs).
Router#show crypto isakmp sa
This command displays the current IKE security associations.
Troubleshooting VPN Connections
After confirming physical connectivity, review each element of the VPN configuration on both routers to confirm that they mirror each other.
Use debug commands to identify VPN connection problems:
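As an added example (not from the original article), the following Python renders the phase-one, phase-two, interface and access-list configuration described above for both routers and then checks that the two sides mirror each other: identical ISAKMP policy, pre-shared key and transform set, peer and key addresses that point at each other's outside interface, and an access list with source and destination swapped. The router's own outside address (192.168.16.10) and the far LAN (10.20.20.0/24) are constructed values; the article does not give them.

```python
import re

def vpn_config(outside, peer, local_lan, remote_lan, psk="vpnkey"):
    """Cisco IOS config following the article's phase-one and phase-two steps."""
    return f"""crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key {psk} address {peer}
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer {peer}
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address {outside} 255.255.255.0
 crypto map vpnset
access-list 100 permit ip {local_lan} {remote_lan}
"""

def parse_vpn(config):
    grab = lambda pat: re.search(pat, config, re.M).group(1)
    acl = re.search(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", config, re.M)
    return {
        "hash": grab(r"^ hash (\S+)"),
        "auth": grab(r"^ authentication (\S+)"),
        "psk": grab(r"^crypto isakmp key (\S+) address"),
        "key_peer": grab(r"^crypto isakmp key \S+ address (\S+)"),
        "transform": grab(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer": grab(r"^ set peer (\S+)"),
        "outside": grab(r"^ ip address (\S+) "),
        "acl": (acl.group(1), acl.group(2)),
    }

def mirror_problems(cfg_a, cfg_b):
    """Return mismatches between the two peers; an empty list means they mirror."""
    a, b = parse_vpn(cfg_a), parse_vpn(cfg_b)
    problems = []
    for field in ("hash", "auth", "psk", "transform"):  # must be identical
        if a[field] != b[field]:
            problems.append(f"{field}: {a[field]!r} vs {b[field]!r}")
    for me, other in ((a, b), (b, a)):  # key and set peer must name the far side
        if me["peer"] != other["outside"] or me["key_peer"] != other["outside"]:
            problems.append(f"{me['outside']} does not point at {other['outside']}")
    if a["acl"] != (b["acl"][1], b["acl"][0]):  # source and destination swapped
        problems.append(f"access-list 100 not mirrored: {a['acl']} vs {b['acl']}")
    return problems

# Constructed sample: tukwila's outside address and the far LAN are not from the article.
TUKWILA = vpn_config("192.168.16.10", "192.168.16.105", "10.10.10.0 0.0.0.255", "10.20.20.0 0.0.0.255")
FAR_END = vpn_config("192.168.16.105", "192.168.16.10", "10.20.20.0 0.0.0.255", "10.10.10.0 0.0.0.255")
```

Paste each router's running configuration in place of the rendered strings to check a real pair; a non-empty list from mirror_problems names the element to compare first.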