Set up an IPSEC VPN

Asset 6

Configure an IPSEC VPN between two Cisco routers

Posted on 17 March 2013 by Beaming Support

We want to configure an IPSEC VPN from site to site

If you want to configure an IPSEC VPN from site to site, as per the below diagram, follow our guide.

IPSEC VPN

To do this, there are  3 steps that we need to configure. These are:

  1. Configuring the traffic to be encrypted
  2. Configuring phase 1 of the IPSEC VPN
  3. Configuring phase 2 of the IPSEC VPN

Traffic to be encrypted

On R1:

Access-list 166 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

On R2:

Access-list 166 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Configure IKE phase 1

This phase establishes a Security association between the two routers.

On R1:

crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2

On R2:

crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2

Configuring Phase 2

It is during this phase that the IPSEC tunnel is actually established

On R1:

crypto isakmp key A_PASSWORD address  2.2.2.2
!
crypto isakmp keepalive 300
!
!
crypto ipsec transform-set TransName esp-3des esp-md5-hmac
!
crypto map CRYPTO  10 ipsec-isakmp
  set peer 2.2.2.2
  set transform-set TransName
  match address 166
!
interface Dialer 1
  Crypto map CRYPTO

On R2:

crypto isakmp key A_PASSWORD address  1.1.1.1
!
crypto isakmp keepalive 300
!
!
crypto ipsec transform-set TransName esp-3des esp-md5-hmac
!
crypto map CRYPTO  10 ipsec-isakmp
  set peer 1.1.1.1
  set transform-set TransName
  match address 166
!
interface Dialer 1
  Crypto map CRYPTO

Finally the chances are that you will have some sort of NAT between you and the end point. We need to stop the traffic that will be encrypted being NAT’d :

Assume your NAT is configured as such:

ip nat inside source list 175 interface Dialer1 overload

Then the configuration will be as below.

On R1:

access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip any any

On R2:

access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip any any

We're networking experts

When it comes to private wide area networks and business continuity services, a “set it and leave it” approach just doesn’t cut the mustard.

Find out how Beaming can help

Avoid internet downtime

IT professionals in UK businesses dealt with 82M hours of internet outages last year.

Sign up for Beaming's monthly email updates & receive news on the latest tech to keep you online, simple shareable advice to help colleagues avoid cyber threats & how-to guides from our experienced tech team.
  • This field is for validation purposes and should be left unchanged.

Related

Email & hosting
Asset 44

Remote working: 10 essentials for the perfect home office setup

02/01/18 Support team
Read more
Internet & connectivity
Asset 6

Configure a basic PPTP VPN on a Cisco Router

17/12/12 Support team
Read more
Internet & Connectivity
ethernet cable

How do I connect to a VPN on a non-Windows device?

29/10/18 Support team
Read more
Internet & Connectivity
ethernet cable

How to use a VPN to connect to your company network (Windows)

24/10/18 Support team
Read more
Information Security
Asset 44

L2TP/IPSEC VPN is not working after Windows update

01/07/18 Support team
Read more

Get the best of Beaming

Sign up to our monthly email updates on:

  • Easy cyber security advice anyone can follow
  • Research into what businesses are doing with their tech
  • How-to guides to boost productivity and efficiency

  • This field is for validation purposes and should be left unchanged.