How to configure a site-to-site VPN
Wednesday, July 21, 2010, 07:52 p.m.
When would you need this:
When you want to create a secure tunnel to transfer data between two sites without the use of a VPN concentrator or other security devices.
Special requirements:
The routers used must support IPSec; most Cisco routers do. Another requirement is that both sides use a static public IP address to connect to the Internet.
We will go through the steps to be done on one side, and the same steps must be repeated on the other side too. The encryption of data will depend on a shared key, so we will not need specialized CAs or RSA methods.
1. Create the Internet Key Exchange (IKE) key policy. The policy used for our case is policy number 9, because this policy requires a pre-shared key.
Router(config)#crypto isakmp policy 9
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
2. Set up the shared key that will be used in the VPN,
Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX
where,
VPNKEY is the shared key that you will use for the VPN; remember to set the same key on the other end.
XXX.XXX.XXX.XXX is the static public IP address of the other end.
3. Now we set the lifetime for the IPSec security associations,
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
where YYYYY is the security association lifetime in seconds. The value usually used is 86400, which is one day.
4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,
Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
where,
AAA is the access-list number.
SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source network (address and wildcard mask) of the data allowed to use the VPN link.
DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination network (address and wildcard mask) of the data that needs to pass through the VPN link.
5. Define the transform set that will be used for this VPN connection,
Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC
where,
SETNAME is the name of the transform set. You can choose any name you like.
BBBB and CCCCC are the transforms that make up the set. I recommend the use of "esp-3des esp-md5-hmac". You can also use "esp-3des esp-sha-hmac". Either of these two will do the job.
6. After defining all the previous things, we need to create a crypto map that associates the access-list with the other site and the transform set.
Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA
where,
MAPNAME is a name of your choice for the crypto map.
PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto map, give it any number, for example 10.
XXX.XXX.XXX.XXX is the static public IP address of the other end.
SETNAME is the name of the transform set that we configured in step 5.
AAA is the number of the access-list that we created to define the traffic in step 4.
7. The last step is to bind the crypto map to the interface that connects the router to the other end.
Router(config-if)#crypto map MAPNAME
where MAPNAME is the name of the crypto map that we defined in step 6.
Now, repeat these steps on the other end, and remember to use the same key along with the same authentication method and transform set.
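As an added example (not part of the original post), the following Python script builds the commands of steps 1 to 7 for one end from a short description, so both ends can be generated from the same data with the peer and LAN values swapped, and then checks that two generated configurations agree on the values that must match (pre-shared key, transform set, and mirrored access-list). The interface name, LAN prefixes and public IP addresses used are constructed placeholders.

```python
import ipaddress
import re


def site_config(psk, my_lan, peer_ip, peer_lan, wan_if,
                acl=100, policy=9, tset="esp-3des esp-md5-hmac"):
    """Return the IOS commands of steps 1-7 for one end of the tunnel.

    my_lan/peer_lan are CIDR prefixes; the access-list wildcard mask is
    derived from the prefix length.
    """
    src = ipaddress.ip_network(my_lan)
    dst = ipaddress.ip_network(peer_lan)
    return "\n".join([
        f"crypto isakmp policy {policy}",                       # step 1
        " hash md5",
        " authentication pre-share",
        f"crypto isakmp key {psk} address {peer_ip}",           # step 2
        "crypto ipsec security-association lifetime seconds 86400",  # step 3
        f"access-list {acl} permit ip {src.network_address} {src.hostmask}"
        f" {dst.network_address} {dst.hostmask}",              # step 4
        f"crypto ipsec transform-set TSET {tset}",              # step 5
        "crypto map VPNMAP 10 ipsec-isakmp",                    # step 6
        f" set peer {peer_ip}",
        " set transform-set TSET",
        f" match address {acl}",
        f"interface {wan_if}",                                  # step 7
        " crypto map VPNMAP",
    ])


def mismatches(cfg_a, cfg_b):
    """List the values that differ between two ends but must agree."""
    def grab(cfg, pattern):
        m = re.search(pattern, cfg, re.M)
        return m.groups() if m else None

    key_re = r"^crypto isakmp key (\S+) address (\S+)"
    tset_re = r"^crypto ipsec transform-set \S+ (.+)$"
    acl_re = r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)"
    problems = []
    ka, kb = grab(cfg_a, key_re), grab(cfg_b, key_re)
    if not (ka and kb) or ka[0] != kb[0]:
        problems.append("pre-shared keys differ")
    if grab(cfg_a, tset_re) != grab(cfg_b, tset_re):
        problems.append("transform sets differ")
    aa, ab = grab(cfg_a, acl_re), grab(cfg_b, acl_re)
    # Side A's source/destination must be side B's destination/source.
    if not (aa and ab) or aa[:2] != ab[2:] or aa[2:] != ab[:2]:
        problems.append("access-lists are not mirror images")
    return problems
```

Run `mismatches()` over the two generated configurations before pasting them into the routers; an empty list means the values that the post says must match on both ends do match.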
Note: If you want to implement multiple VPN connections to multiple sites, you can do this by repeating steps 2 to 7 (except step 3) for each VPN connection. The different crypto maps and their interface assignments differentiate between the different VPN connections.
For troubleshooting purposes, you can use the following commands,
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto map