Site-to-Site VPN – Legacy IPSec Site-to-Site VPN Tunnel configuration demo, some verification, very straightforward!


This is referred to as “Legacy IPSec Site to Site VPN”, which is kind of surprising to me since it’s already labeled legacy (outdated); however, I’ll work through a very lightweight configuration specifically to encrypt communication between 1.1.1.1/32 and 4.4.4.4/32.

All other traffic will be passed normally; only those two specific src / dst IPs will trigger the “interesting traffic” that kicks off the Phase 1 negotiation of IPSec between the two peers, building our IPSec site-to-site VPN.

A few of the benefits of Legacy IPSec Site-to-Site VPN Tunnel configurations are:

  1. Authentication (Phase 1)
  2. Confidentiality / Encryption (Phase 2)
  3. Integrity check on traffic (so it cannot be manipulated by a man in the middle)
  4. Anti-Replay (again to prevent a man in the middle re-sending captured traffic on the tunnel)

As discussed in the DMVPN IPSec Profile lab, the Phase 1 and Phase 2 components are the same here, where Phase 1 will do the Authentication and Phase 2 will work out Encryption to be used to Encapsulate / Decapsulate VPN traffic.

Configuration of the IPSec VPN Tunnel in Phases

Phase 1 – Crypto ISAKMP Policy / PSK

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#cry isa policy ?
<1-10000> Priority of protection suite

R2(config)#cry isa policy 1
R2(config-isakmp)#auth pre-share
R2(config-isakmp)#exit
R2(config)#cry isa key LoopedBack!!! address 10.2.2.3
R2(config)#

As shown, we could create as many crypto isakmp policies as we wanted; the policy number is its priority (lower number = tried first) when authenticating with the peer, and the peers will work through all configured policies until they find a match and authenticate.

The authentication method is PSK, the PSK is LoopedBack!!!, and the IP address configured with the key is the remote peer’s WAN IP address (whereas with DMVPN it was 0.0.0.0).

Configuring Crypto ACL for “Interesting Traffic” (Also Phase 1)

R2(config)#access-list 100 permit ip host 1.1.1.1 host 4.4.4.4
R2(config)#

The Crypto ACL is also considered part of “Phase 1” as this is what creates “interesting traffic” that initiates Authentication / Phase 1 building between the VPN Peers.

These would normally be named by site and contain multiple subnets for data / voice / etc., but this is an absolute bare-minimum config just to demonstrate the configuration.

Phase 2 – Crypto Transform-Set / Crypto Map

R2(config)#cry ipsec transform-set TRANSET esp-sha-hmac esp-aes
R2(cfg-crypto-trans)#exit
R2(config)#

This transform set defines the ESP encryption (AES) and integrity (SHA-HMAC) that must match on each side for the VPN peers to talk.

R2(config)#cry map VPNMAP 1 ipsec-isakmp ?
dynamic Enable dynamic crypto map support
profile Enable crypto map as a crypto-profile
<cr>

R2(config)#cry map VPNMAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set transform-set TRANSET
R2(config-crypto-map)#set peer 10.2.2.3
R2(config-crypto-map)#match address 100

This creates the crypto map with a sequence number and the ipsec-isakmp type, adds the transform-set, sets the peer IP, and matches the Crypto ACL; that is all there is to this piece to conclude Phase 2.

Then we will configure the Crypto Map on the interface facing the VPN peer:

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int fa1/0
R2(config-if)#crypto map VPNMAP
R2(config-if)#
*Dec 6 22:12:34.303: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#

***Note – The crypto maps must be assigned facing the VPN Peer Interface!

So there is no confusion about where that is placed, both crypto maps for R2 and R3 are on their common Fa1/0 link, where the IPSec VPN Tunnel will form.

This same configuration can be copied / pasted to the other side, which is exactly what I will do here, with a quick swap of some IPs to “mirror” the other side’s configuration.

On R3 the following configuration is applied:

!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key LoopedBack!!! address 10.2.2.2
!
crypto ipsec transform-set TRANSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto map VPNMAP 1 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set TRANSET
 match address 100
!
interface FastEthernet1/0
 ip address 10.3.3.3 255.255.255.0
 duplex full
 crypto map VPNMAP
!
access-list 100 permit ip host 4.4.4.4 host 1.1.1.1
!
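Because the two sides are supposed to be exact mirrors (peer address, pre-shared key, transform set, and a crypto ACL with src / dst swapped), a mismatch in any one of them is the usual reason Phase 1 or Phase 2 never comes up. The following Python checker is an added example, not part of the original post or any Cisco tool: it parses the handful of running-config lines this lab uses for R2 and R3 and reports every place the two sides fail to mirror. The R2 config text is constructed from the commands entered above; the R3 side is constructed with its Fa1/0 address set to the 10.2.2.3 peer address that R2 points at.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CryptoSide:
    """The parts of one router's legacy IPsec site-to-site config that must mirror the peer's."""
    psk_by_peer: dict = field(default_factory=dict)     # peer WAN IP -> pre-shared key
    transform_sets: dict = field(default_factory=dict)  # name -> frozenset of transforms
    acls: dict = field(default_factory=dict)            # ACL number -> [(src, dst), ...]
    map_peer: str = ""                                  # 'set peer' inside the crypto map
    map_transform: str = ""                             # 'set transform-set' inside the crypto map
    map_acl: str = ""                                   # 'match address' inside the crypto map
    map_iface_ip: str = ""                              # IP of the interface the map is applied to


def parse_side(config_text):
    """Parse the IOS running-config lines used in this lab into a CryptoSide."""
    side = CryptoSide()
    block = None          # None, "map" or "iface": which indented section we are inside
    iface_ip = ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # "!" ends a config section in IOS
            block = None
            continue
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            side.psk_by_peer[m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            side.transform_sets[m[1]] = frozenset(m[2].split())   # order is irrelevant
        elif m := re.match(r"access-list (\d+) permit ip host (\S+) host (\S+)$", line):
            side.acls.setdefault(m[1], []).append((m[2], m[3]))
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            block = "map"
        elif re.match(r"interface \S+$", line):
            block, iface_ip = "iface", ""
        elif block == "map":
            if m := re.match(r"set peer (\S+)$", line):
                side.map_peer = m[1]
            elif m := re.match(r"set transform-set (\S+)$", line):
                side.map_transform = m[1]
            elif m := re.match(r"match address (\S+)$", line):
                side.map_acl = m[1]
        elif block == "iface":
            if m := re.match(r"ip address (\S+) \S+$", line):
                iface_ip = m[1]
            elif re.match(r"crypto map \S+$", line):    # map applied to this interface
                side.map_iface_ip = iface_ip
    return side


def check_mirror(local, remote):
    """Return a list of mismatches between the two sides; an empty list means they mirror."""
    problems = []
    if local.map_peer != remote.map_iface_ip:
        problems.append(f"local 'set peer {local.map_peer}' is not the remote crypto-map "
                        f"interface address {remote.map_iface_ip!r}")
    if remote.map_peer != local.map_iface_ip:
        problems.append(f"remote 'set peer {remote.map_peer}' is not the local crypto-map "
                        f"interface address {local.map_iface_ip!r}")
    lk = local.psk_by_peer.get(local.map_peer)
    rk = remote.psk_by_peer.get(remote.map_peer)
    if lk is None or rk is None:
        problems.append("a side has no 'crypto isakmp key ... address <peer>' for its peer")
    elif lk != rk:
        problems.append("pre-shared keys differ")
    lt = local.transform_sets.get(local.map_transform)
    rt = remote.transform_sets.get(remote.map_transform)
    if lt != rt:
        problems.append(f"transform sets differ: {sorted(lt or ())} vs {sorted(rt or ())}")
    l_acl = set(local.acls.get(local.map_acl, []))
    r_acl = {(dst, src) for src, dst in remote.acls.get(remote.map_acl, [])}
    if not l_acl or l_acl != r_acl:
        problems.append("crypto ACLs are not exact mirror images (src/dst swapped)")
    return problems


# Constructed running-config form of the R2 commands entered in the lab.
R2_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key LoopedBack!!! address 10.2.2.3
crypto ipsec transform-set TRANSET esp-sha-hmac esp-aes
crypto map VPNMAP 1 ipsec-isakmp
 set peer 10.2.2.3
 set transform-set TRANSET
 match address 100
interface FastEthernet1/0
 ip address 10.2.2.2 255.255.255.0
 crypto map VPNMAP
access-list 100 permit ip host 1.1.1.1 host 4.4.4.4
"""

# Constructed mirror for R3 (its Fa1/0 carries the 10.2.2.3 peer address R2 points at).
R3_CONFIG = R2_CONFIG.replace("address 10.2.2.3", "address 10.2.2.2") \
    .replace("set peer 10.2.2.3", "set peer 10.2.2.2") \
    .replace("ip address 10.2.2.2", "ip address 10.2.2.3") \
    .replace("host 1.1.1.1 host 4.4.4.4", "host 4.4.4.4 host 1.1.1.1")

if __name__ == "__main__":
    print("mirrored:", check_mirror(parse_side(R2_CONFIG), parse_side(R3_CONFIG)))
    # A classic mistake: pasting R2's ACL onto R3 without swapping src / dst.
    bad_r3 = parse_side(R3_CONFIG.replace("host 4.4.4.4 host 1.1.1.1", "host 1.1.1.1 host 4.4.4.4"))
    print("unmirrored ACL:", check_mirror(parse_side(R2_CONFIG), bad_r3))
```

The transform set is compared as a set because IOS lists `esp-aes esp-sha-hmac` and `esp-sha-hmac esp-aes` identically; the ACL, by contrast, has to be the exact src / dst reverse of the other side, which is the check that most often fails after a copy / paste.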


 

Time to send some “Interesting Traffic” across the VPN Tunnel

Only the exact traffic from the Crypto ACL will trigger “interesting traffic” to bring the VPN Tunnel up, and you will generally see the first ping timeout while the tunnel forms:

R1#ping 4.4.4.4 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/75/104 ms
R1#

Given it didn’t go straight through, I’m about 110% positive we have a VPN Tunnel, so lets go check on R2 for Phase 1 and Phase 2!

Phase 1

R2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.2.2.3        10.2.2.2        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#

Phase 1 is successfully up; on to checking Phase 2.

R2#sh cry ipsec sa

interface: FastEthernet1/0
Crypto map tag: VPNMAP, local addr 10.2.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
current_peer 10.2.2.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Local ident IP, Remote IP, current peer / port 500 (IPSec), 4 encaps and 4 decaps looks good to me – I think we have a working micro VPN between R1 and R4.
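Those two show commands are what you would script against to confirm the tunnel is healthy after a change. The Python below is an added example, not part of the original post: it parses constructed copies of the `show crypto isakmp sa` and `show crypto ipsec sa` output above and reports whether Phase 1 is in QM_IDLE / ACTIVE with the expected peer and whether Phase 2 has the expected proxy identities, traffic in both directions (encaps and decaps) and no send / recv errors. The column layout of the ISAKMP table and the counter format are assumed to match the output shown in this lab.

```python
import re

# Constructed copy of 'show crypto isakmp sa' as seen on R2 after the ping from R1.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.2.2.3        10.2.2.2        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed copy of the relevant part of 'show crypto ipsec sa' on R2.
IPSEC_SA = """\
interface: FastEthernet1/0
    Crypto map tag: VPNMAP, local addr 10.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   current_peer 10.2.2.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""


def isakmp_phase1(show_isakmp, peer):
    """Return (state, status) of the IKE SA whose dst column is the peer, or None if absent."""
    for line in show_isakmp.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0] == peer:    # data rows: dst src state conn-id status
            return cols[2], cols[4]
    return None


def ipsec_phase2(show_ipsec):
    """Extract proxy identities, peer and the per-SA packet counters from 'show crypto ipsec sa'."""
    info = {"counters": {}}
    if m := re.search(r"local\s+ident \(addr/mask/prot/port\): \((\S+?)/", show_ipsec):
        info["local"] = m[1]
    if m := re.search(r"remote\s+ident \(addr/mask/prot/port\): \((\S+?)/", show_ipsec):
        info["remote"] = m[1]
    if m := re.search(r"current_peer (\S+) port (\d+)", show_ipsec):
        info["peer"], info["port"] = m[1], int(m[2])
    # Counters look like '#pkts encaps: 4' or '#send errors 0' (no colon); capture name -> value.
    for m in re.finditer(r"#([a-z][\w. ]*?):? (\d+)", show_ipsec):
        info["counters"][m[1]] = int(m[2])
    return info


def tunnel_findings(show_isakmp, show_ipsec, peer, local_host, remote_host):
    """Return a list of problems; an empty list means Phase 1 and Phase 2 both look healthy."""
    findings = []
    p1 = isakmp_phase1(show_isakmp, peer)
    if p1 != ("QM_IDLE", "ACTIVE"):
        findings.append(f"phase 1 not established with {peer}: {p1}")
    p2 = ipsec_phase2(show_ipsec)
    if (p2.get("local"), p2.get("remote")) != (local_host, remote_host):
        findings.append("phase 2 proxy identities do not match the crypto ACL")
    c = p2["counters"]
    if c.get("pkts encaps", 0) == 0 or c.get("pkts decaps", 0) == 0:
        findings.append("no traffic in both directions yet (check encaps/decaps)")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append("send/recv errors present on the SA")
    return findings


if __name__ == "__main__":
    print("R2 findings:", tunnel_findings(ISAKMP_SA, IPSEC_SA, "10.2.2.3", "1.1.1.1", "4.4.4.4"))
```

A growing encaps counter with decaps stuck at zero is the pattern to look for when only one side has the crypto map applied or the far side's ACL is not the mirror image: packets leave encrypted but nothing ever comes back through the SA.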

I will wrap this lab up here for Legacy IPSec Site to Site VPN Tunnels!

In real-world networks there are some further considerations, like perhaps stronger ciphers, and you may need to configure NAT-Traversal or a static “no-nat” exemption on an ASA, as this same template works on an ASA the same as it does on a router.

Next up I will check out the not-so-Legacy VTI Site-to-Site VPN! See you there!
