Configuring IPSec Site-to-Site VPN Tunnels

Configuring a IPSec Site-to-Site VPN Tunnels on a Cisco Router

I thought I would run through configuring IPSec Site-to-Site VPN Tunnels on a cisco router. I’m going to be covering at high level the basic principles needed to configure a IPSec Site-to-Site VPN. The fundemental principals can be used for the Cisco ASA Firewall or Cisco VPN concentrator. The VPN gateways in our example (the routers) are responsible for encapsulating and encrypting the outbound traffic which in a real world example this would from be from a site to a peer gateway at another site. This could be either through an MPLS network from an ISP or more commonly directly over the Internet. When the receiving gateway receives the traffic it strips away the headers, decrypt’s the content with the pre-shared key and forwards on the traffic to a host network on the inside.

In our example we are going to be using 3 networks with an IPSec VPN tunnel being established between two of the routers. I have added the extra network without the tunnel to demonstrate in wireshark the encrypted vs the non encrypted traffic. All three networks are connected to a switch which we are going to image as our either our Internet or MPLS connection.

IPSec VPN Diagram

An IPSec tunnel consists of 5 stages to establish and terminate its connection these are:

  • An ISAKMP tunnel is initiated when the VPN gateway detects ‘interesting traffic’ which is defined by an ACL.
  • IKE Phase 1 is established through negotiating the ISAKMP SA policy that is defined in the config.
  • IKE Phase 2 is established through negotiating the IPSec SA policy.
  • The IPSec tunnel is created and data can begin to be transferred Encrypted.
  • The IPSec tunnel is teared down when either the lifetime of the session expires or the IPSec SA is removed.

Below is the extra config that is used for each router other than the initial config of a standard GNS3 router, this can simple be copied into global configuration mode. The config is split into three main sections the interface configuration, EIGRP configuration and the IPSEC configuration.

I’ve broken down just one of the IPSec configuration below to explain what the various elements are, these need to match at both sites:

ipsec command breakdownBefore generating any interesting traffic if we execute ‘show crypto ipsec sa’ from RouterA we can clearly see there has been no traffic captured by the ACL.

before ipsec traffic

If we now generate some ‘interesting traffic’ such as a ping from PC1 to PC3 which will match our ACL that is specified in our crypto map, then re-issue ‘show crypto ipsec sa’ we will see from the stats that packets have been encrypted. Further to this we will see the inbound and outbound session will be ‘ACTIVE’.

After ipsec traffic

To take this one stage further we will demonstrate the difference in the Encrypted IPSec traffic and ordinary traffic using wireshark. The capture will be taken from the link between RouterA and the core network. We will ping out from PC1 to PC3 (the encrypted traffic caught by our ACL) and PC2 to PC5 (the non-encrypted traffic that doesn’t match our ACL) simultaneously. This is what we see:

IPSec traffic in wireshark.

As we can see from the wireshark capture our encrypted traffic is shown in the Encapsulated Security Payload and our non encrypted traffic in the clear (the ping request and reply).