Configuring a Site-to-Site VPN on Cisco router

Posted: July 29, 2015 in CISCO

A VPN (Virtual Private Network) provides a secure method of transmitting data over a public network (the Internet). A site-to-site VPN provides a secure tunnel between different networks.

In this example we will configure a site-to-site VPN between the R2 and R3 routers.


Configure connectivity in our network

ISP configuration:

ISP(config)#router eigrp 20
ISP(config-router)#no auto-summary


R2(config)#router eigrp 20
R2(config-router)#no auto-summary


R3(config)#router eigrp 20
R3(config-router)#no auto-summary

For the clients I used routers:

client1(config)#router eigrp 20
client1(config-router)#no auto-summary

client2(config)#router eigrp 20
client2(config-router)#no auto-summary

Configure ISAKMP policy on R2 and R3

Routers R2 and R3 first need to negotiate the Internet Key Exchange (IKE) Phase 1 tunnel. There are two modes of IKE Phase 1, main and aggressive. Main mode is considered more secure. The IKE Phase 1 tunnel establishes a connection between the R2 and R3 routers. This tunnel doesn’t forward packets; it protects management traffic related to the VPN between the two routers (R2 and R3 in our case).

When the R2 and R3 routers negotiate the IKE Phase 1 tunnel, they need to agree upon the following:

Hash algorithm: message digest 5 algorithm (MD5) or Secure Hash
Encryption algorithm: Data Encryption Standard (DES) (weak), Triple DES (3DES) or Advanced Encryption Standard (AES)
Diffie-Hellman (DH) group: the modulus size (length of the key) to use for the DH key exchange. Group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536. DH is used to generate a shared secret key (symmetric keys) that the two VPN peers can use for symmetric algorithms such as AES. The DH exchange itself is asymmetric, and the resulting keys are symmetric.
Authentication method: Used for verifying the identity of the VPN peer on the other side of the tunnel. The options are a pre-shared key (PSK), which is used only for the authentication, or RSA signatures (which leverage the public keys contained in digital certificates).
Lifetime: How long this IKE Phase 1 tunnel should be active (default 3600 seconds). A shorter lifetime is considered more secure.

Now we need to configure the policy on R2 and R3, i.e. configure the five items above:

R2(config)#crypto isakmp policy 10 !10 is arbitrary
R2(config-isakmp)#authentication ?
pre-share  Pre-Shared Key
rsa-encr   Rivest-Shamir-Adleman Encryption
rsa-sig    Rivest-Shamir-Adleman Signature

R2(config-isakmp)#authentication pre-share !we'll use pre-shared key
R2(config-isakmp)#encryption ?
3des  Three key triple DES
aes   AES - Advanced Encryption Standard.
des   DES - Data Encryption Standard (56 bit keys).

R2(config-isakmp)#encryption aes 256
R2(config-isakmp)#hash ?
md5  Message Digest 5
sha  Secure Hash Standard
R2(config-isakmp)#hash sha
R2(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5

R2(config-isakmp)#group 5
R2(config-isakmp)#lifetime ?
    lifetime in seconds

R2(config-isakmp)#lifetime 3600

The same must be configured on R3:

R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share !authentication
R3(config-isakmp)#encryption aes 256       !encryption
R3(config-isakmp)#hash sha                 !hash algorithm
R3(config-isakmp)#group 5                  !DH group
R3(config-isakmp)#lifetime 3600            !lifetime

Show isakmp policy:

R3(config)#do sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
hash algorithm:         Secure Hash Standard
authentication method:  Pre-Shared Key
Diffie-Hellman group:   #5 (1536 bit)
lifetime:               3600 seconds, no volume limit
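
A Phase 1 policy that differs between the peers, or that uses a weak algorithm, is easy to miss when each router is configured by hand. The following added example (not part of the original post) parses the `crypto isakmp policy` blocks of two peers and reports both problems; the function names, the WEAK baseline and the sample configurations are assumptions made for illustration.

```python
import re

# The four values both peers must agree on. Lifetime is parsed but not
# compared: IOS peers with different lifetimes settle on the shorter one.
MUST_MATCH = ("authentication", "encryption", "hash", "group")
# Assumed local baseline: DES is called weak above; MD5 and DH groups 1 and 2
# are added as this example's choice. Adjust to your own policy.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}

def parse_policies(config):
    """Return {priority: {parameter: value}} for each 'crypto isakmp policy'."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.split("!")[0].strip()      # drop "!" annotations
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line:
            key, _, value = line.partition(" ")
            if key not in MUST_MATCH + ("lifetime",):
                current = None                # left the policy sub-mode
            else:                             # "aes" alone means 128-bit keys
                current[key] = "aes 128" if (key, value) == ("encryption", "aes") else value
    return policies

def compare(local, remote):
    """Findings for same-numbered policies on two peers (a simplification)."""
    findings = []
    for prio in sorted(set(local) | set(remote)):
        a, b = local.get(prio), remote.get(prio)
        if a is None or b is None:
            findings.append(f"policy {prio}: defined on one peer only")
            continue
        for key in MUST_MATCH:
            if a.get(key) != b.get(key):
                findings.append(f"policy {prio}: {key} mismatch ({a.get(key)} vs {b.get(key)})")
        for side, pol in (("local", a), ("remote", b)):
            findings += [f"policy {prio}: weak {k} {pol[k]} on {side}"
                         for k, bad in WEAK.items() if pol.get(k) in bad]
    return findings

# Constructed sample configs (not captured from the lab in the post).
R2_CONFIG = ("crypto isakmp policy 10\n authentication pre-share\n"
             " encryption aes\n hash sha\n group 5\n lifetime 3600\n")
R3_CONFIG = R2_CONFIG.replace("encryption aes", "encryption aes 256")

if __name__ == "__main__":
    print("\n".join(compare(parse_policies(R2_CONFIG), parse_policies(R3_CONFIG))))
```

In the constructed sample one peer omits the AES key size, so the two policies do not match even though both lines read "aes" at a glance.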

We used pre-shared keys as the authentication method, so now we must set the key and the IP address of the remote VPN endpoint:

On R2 we set R3’s s1/1 interface address (, and on R3 we set R2’s s1/0 interface address (

R2(config)#crypto isakmp key mykey address
R3(config)#crypto isakmp key mykey address

Configure transform set

The routers need to negotiate one more configuration parameter in order to form a security association (which specifies the security properties recognized by the communicating hosts). That parameter is the transform set, and it is used to create the IKE Phase 2 tunnel, which encrypts the actual data between R2 and R3.

R2(config)#crypto ipsec transform-set 10 ?
ah-md5-hmac   AH-HMAC-MD5 transform
ah-sha-hmac   AH-HMAC-SHA transform
comp-lzs      IP Compression using the LZS compression algorithm
esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes       ESP transform using AES cipher
esp-des       ESP transform using DES cipher (56 bits)
esp-md5-hmac  ESP transform using HMAC-MD5 auth
esp-null      ESP transform w/o cipher
esp-seal      ESP transform using SEAL cipher (160 bits)
esp-sha-hmac  ESP transform using HMAC-SHA auth

R2(config)#crypto ipsec transform-set 10 esp-aes 256 ?
ah-md5-hmac   AH-HMAC-MD5 transform
ah-sha-hmac   AH-HMAC-SHA transform
comp-lzs      IP Compression using the LZS compression algorithm
esp-md5-hmac  ESP transform using HMAC-MD5 auth
esp-sha-hmac  ESP transform using HMAC-SHA auth

! transform-set named 10, ESP encryption esp-aes 256, authentication esp-sha-hmac
R2(config)#crypto ipsec transform-set 10 esp-aes 256 esp-sha-hmac
R3(config)#crypto ipsec transform-set 10 esp-aes 256 esp-sha-hmac

Defining traffic which needs to be encrypted

We need to encrypt traffic between R2 ( and R3 (, so we need to use extended ACLs (an extended ACL is placed close to the source).

R2(config)#access-list 101 permit ip
R3(config)#access-list 101 permit ip


Creating crypto map

The crypto map associates the traffic defined in the ACL (ACL 101) with the VPN peer.

Create a crypto map named mymap with sequence number 10 (arbitrary), then define the access list, set the peer and set the transform set:

R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 101                  !ACL 101
R2(config-crypto-map)#set peer                  !R3's interface
R2(config-crypto-map)#set transform-set 10               !set created earlier

R3(config)#crypto map mymap 10 ipsec-isakmp
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#set peer
R3(config-crypto-map)#set transform-set 10

Apply crypto maps to R2 and R3’s interfaces

R2#config t
R2(config)#int s1/0
R2(config-if)#crypto map mymap
*Mar  1 01:56:41.887: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3#config t
R3(config)#int s1/1
R3(config-if)#crypto map mymap
*Mar  1 01:53:11.379: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3#sh crypto ipsec transform-set
Transform set 10: { esp-256-aes esp-sha-hmac  }
will negotiate = { Tunnel,  },

R3#show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
Peer =
Extended IP access list 101
access-list 101 permit ip
Current peer:
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
Interfaces using crypto map mymap:

From client1 ping client2:


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Capture traffic between client1 and the f0/0 interface of R2, and between the f0/0 interface of R3 and client2. As you can see, the traffic is not encrypted.


Now capture traffic between R2 and R3:


Traffic is encrypted (ESP) when it leaves R2’s s1/0 interface, and decrypted on R3’s f0/0 interface.
