www.amitah.eu

Site To Site VPN Tunnel Configuration

What does Site-to-Site VPN mean?

Site-to-site VPN is a type of VPN connection that is used to connect two geographically separate locations (LANs).

It provides the ability to connect (merge) the networks of geographically separate locations into one network.

Site-to-site VPN typically creates a direct, unshared and secure connection between two endpoints. Site-to-site VPN can be intranet based or extranet based. An intranet-based site-to-site VPN is created between an organization's own proprietary networks.

The connection in a site-to-site VPN is generally established via a VPN device.

So let me introduce this lab. We are going to set up our lab as displayed at the top, and after successful configuration and communication between the sites we will set up our site-to-site VPN.

We will set up our lab as simply as we can so that we do not waste our time on basic configuration.

_______________________________________________________________________________________________________

R1
_______________________________________________________________________________________________________
config t
int s1/0
ip address 1.0.0.1 255.0.0.0
no shut
exit
int g0/0
ip address 10.0.0.1 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 1.0.0.2
_______________________________________________________________________________________________________
R2
_______________________________________________________________________________________________________
config t
int s1
ip address 2.0.0.1 255.0.0.0
no shut
exit
int s0
ip address 1.0.0.2 255.0.0.0
no shut
exit
ip route 192.168.0.0 255.255.255.0 2.0.0.2
ip route 10.0.0.0 255.0.0.0 1.0.0.1

_______________________________________________________________________________________________________
R3
_______________________________________________________________________________________________________
config t
int f0
ip address 192.168.0.1 255.255.255.0
no shut
exit
int s0
ip address 2.0.0.2 255.0.0.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 2.0.0.1

_______________________________________________________________________________________________________
Now that we have configured our routers, let's configure the IP address and gateway info on our PCs and see how routing works now.
_______________________________________________________________________________________________________
PC1
_______________________________________________________________________________________________________

PC1 > R2,S0 > R3,S0 > PC2

_______________________________________________________________________________________________________
PC2
_______________________________________________________________________________________________________

R3 F0 > R2 S1 > R1 S1/0 > PC1
_______________________________________________________________________________________________________
Now routing works as standard and both PCs can ping each other, but as we can see, traffic from PC1 to PC2 currently goes via
PC1 > R2,S0 > R3,S0 > PC2
PC1 < R2,S0 < R3,S0 < PC2
So all traffic goes through our ISP, or in other words it is routed the way your ISP wants, not secured!
We want to send our traffic over a secure path to reach our destination.
To do this we will use site-to-site VPN; the benefit is that our clients do not need to dial a VPN client on their systems to reach our destination network.

To configure site-to-site VPN on a router you need to configure the routers on both sides.
In our lab we treat R2 as our ISP router; we have no control over it, so we will not touch the R2 configuration,
but of course we will keep using it as the gateway for our network.
_______________________________________________________________________________________________________
R1
_______________________________________________________________________________________________________
R1>enable
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)#crypto isakmp key firewallcx address 2.0.0.2
R1(config)#ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.255.255.255
R1(config-ext-nacl)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 2.0.0.2
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#match address VPN-TRAFFIC
R1(config-crypto-map)#exit
R1(config)#int s1/0
R1(config-if)#crypto map CMAP
R1(config-if)#
*Feb 20 17:13:29.755: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
R1#show crypto session
*Feb 20 17:22:18.531: %SYS-5-CONFIG_I: Configured from console by console
R1#show crypto session
Crypto session current status
Interface: Serial1/0
Session status: UP-ACTIVE
Peer: 2.0.0.2 port 500
IKEv1 SA: local 1.0.0.1/500 remote 2.0.0.2/500 Active
IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 192.0.0.0/255.0.0.0
Active SAs: 2, origin: crypto map
_______________________________________________________________________________________________________
R3
_______________________________________________________________________________________________________
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encr 3des
R3(config-isakmp)#hash md5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#crypto isakmp key firewallcx address 1.0.0.1
R3(config)#ip access-list extended VPN-TRAFFIC
R3(config-ext-nacl)#permit ip 192.168.0.0 0.255.255.255 10.0.0.0 0.255.255.255
R3(config-ext-nacl)#exit
R3(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 1.0.0.1
R3(config-crypto-map)#set transform-set TS
R3(config-crypto-map)# match address VPN-TRAFFIC
R3(config-crypto-map)#exit
R3(config)#int s0
R3(config-if)#crypto map CMAP
R3(config-if)#
*Mar 1 00:30:30.251: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3#ping 10.0.0.1 source fastEthernet 0
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/109/184 ms
R3#show crypto session
Crypto session current status
Interface: Serial0
Session status: UP-ACTIVE
Peer: 1.0.0.1 port 500
IKE SA: local 2.0.0.2/500 remote 1.0.0.1/500 Active
IPSEC FLOW: permit ip 192.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0
Active SAs: 2, origin: crypto map
R3#
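The two crypto ACLs have to be mirror images of each other, and the IPSEC FLOW lines in the show output above reveal what they actually selected: the wildcard 0.255.255.255 on 192.168.0.0 matches 192.0.0.0/8, far more than the 192.168.0.0/24 LAN behind R3. The check below is an added example, not part of the original lab; it parses the two ACL entries and the show output, and the /24 LAN prefixes it is given are assumptions taken from the interface addresses configured on R1 and R3.

```python
import ipaddress
import re

# Constructed sample input: the lab's two crypto ACL entries (with the page's wildcard masks)
# and the IPSEC FLOW line from the lab's own "show crypto session" output on R1.
R1_ACE = "permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.255.255.255"
R3_ACE = "permit ip 192.168.0.0 0.255.255.255 10.0.0.0 0.255.255.255"
R1_SHOW = "IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 192.0.0.0/255.0.0.0"

ACE_RE = re.compile(r"^(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
FLOW_RE = re.compile(r"IPSEC FLOW:\s+permit ip (\S+)/(\S+)\s+(\S+)/(\S+)")

def wildcard_to_network(addr, wildcard):
    """IOS wildcard -> network. The wildcard is inverted into a netmask first, so 0.0.0.0
    means a single host and 255.255.255.255 means any; non-contiguous wildcards are rejected."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(~wc & 0xFFFFFFFF))
    try:
        return ipaddress.IPv4Network((addr, netmask), strict=False)
    except ValueError as exc:
        raise ValueError(f"non-contiguous wildcard {wildcard} for {addr}") from exc

def parse_ace(line):
    """Return (action, source network, destination network) for a 'permit ip A WC B WC' entry."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, src, swc, dst, dwc = m.groups()
    return action, wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)

def is_mirror(local_ace, remote_ace):
    """Crypto ACLs must mirror each other: local src/dst must equal the peer's dst/src."""
    return local_ace[1] == remote_ace[2] and local_ace[2] == remote_ace[1]

def scope_findings(ace, intended_local, intended_remote):
    """Report each side of the ACE whose network differs from the LAN it is meant to protect."""
    findings = []
    for label, net, want in (("source", ace[1], intended_local), ("destination", ace[2], intended_remote)):
        want = ipaddress.IPv4Network(want)
        if net != want:
            findings.append(f"{label} {net} does not match the intended LAN {want}")
    return findings

def negotiated_flow(show_output):
    """Extract the negotiated proxy identities (source, destination) from show crypto session output."""
    m = FLOW_RE.search(show_output)
    if not m:
        return None
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"), ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}")
```

Running scope_findings on the lab's R1 entry with "10.0.0.0/24" and "192.168.0.0/24" reports both sides as too wide; the same entries with 0.0.0.255 wildcards report nothing.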
_______________________________________________________________________________________________________
PC1
_______________________________________________________________________________________________________

R1 G0/0 > R3 S0 > PC2
_______________________________________________________________________________________________________
PC2
_______________________________________________________________________________________________________

R3 F0 > R1 S1/0 > PC1
_______________________________________________________________________________________________________