CCNA DAY 61: Configure Site-to-Site IPsec VPN Using Cisco Packet Tracer | How to configure IPsec VPN

Published on Oct 30, 2024

This response is partially generated with the help of AI. It may contain inaccuracies.


Introduction

In this tutorial, we will guide you through the process of configuring a Site-to-Site IPsec VPN using Cisco Packet Tracer. A Site-to-Site VPN connects two networks across an untrusted network such as the internet: the two routers encrypt and authenticate the traffic between them, so hosts on either side communicate as if they were on one private network. This configuration is essential for businesses needing secure inter-office connectivity.

Step 1: Set Up the Network Topology

  • Open Cisco Packet Tracer.
  • Create a new workspace and drag the following devices into the workspace:
    • Two Cisco routers (e.g., Router0 and Router1).
    • Two PCs (e.g., PC0 and PC1) to simulate users on each network.
  • Connect the devices:
    • Use the Serial connections to connect Router0 to Router1.
    • Connect each PC to its respective router using FastEthernet.

Step 2: Configure Basic Router Settings

  • Access the CLI of Router0 and Router1.
  • Configure the hostname for each router:
    Router0> enable
    Router0# configure terminal
    Router0(config)# hostname Router0
    
  • Assign IP addresses to interfaces and add a static route to the remote LAN through the peer's serial address. Without that route, packets between the PCs never reach the serial interface where the crypto map will be applied, so the VPN is never triggered:
    • Router0:
      Router0(config)# interface serial0/0/0
      Router0(config-if)# ip address 192.168.1.1 255.255.255.0
      Router0(config-if)# no shutdown
      Router0(config-if)# exit
      Router0(config)# interface fastethernet0/0
      Router0(config-if)# ip address 10.0.0.1 255.255.255.0
      Router0(config-if)# no shutdown
      Router0(config-if)# exit
      Router0(config)# ip route 10.0.1.0 255.255.255.0 192.168.1.2
      
    • Router1:
      Router1> enable
      Router1# configure terminal
      Router1(config)# hostname Router1
      Router1(config)# interface serial0/0/0
      Router1(config-if)# ip address 192.168.1.2 255.255.255.0
      Router1(config-if)# no shutdown
      Router1(config-if)# exit
      Router1(config)# interface fastethernet0/0
      Router1(config-if)# ip address 10.0.1.1 255.255.255.0
      Router1(config-if)# no shutdown
      Router1(config-if)# exit
      Router1(config)# ip route 10.0.0.0 255.255.255.0 192.168.1.1
      
  • Give each PC an address in its router's LAN (for example 10.0.0.10/24 for PC0 and 10.0.1.10/24 for PC1) and use the router's FastEthernet address (10.0.0.1 or 10.0.1.1) as its default gateway.

Step 3: Configure IPsec VPN Parameters

  • On Router0, configure the IPsec settings. The crypto isakmp policy block defines the phase 1 (IKE) proposal, which must match on both peers; the transform-set defines the phase 2 (ESP) protection; the crypto map ties the peer, the transform-set and the interesting-traffic ACL together and is applied to the interface facing the peer. Note: on Packet Tracer's 1941/2901/2911 routers the crypto commands are rejected until the security package is enabled with "license boot module c1900 technology-package securityk9" (c2900 on the 2901/2911), followed by write memory and reload:

    Router0(config)# crypto isakmp policy 10
    Router0(config-isakmp)# encryption aes
    Router0(config-isakmp)# hash sha
    Router0(config-isakmp)# authentication pre-share
    Router0(config-isakmp)# group 2
    Router0(config-isakmp)# exit
    Router0(config)# crypto isakmp key YOUR_SHARED_KEY address 192.168.1.2
    Router0(config)# crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
    Router0(config)# crypto map MYCRYPTOMAP 10 ipsec-isakmp
    Router0(config-crypto-map)# set peer 192.168.1.2
    Router0(config-crypto-map)# set transform-set MYTRANSFORMSET
    Router0(config-crypto-map)# match address 100
    Router0(config-crypto-map)# exit
    Router0(config)# interface serial0/0/0
    Router0(config-if)# crypto map MYCRYPTOMAP
    
  • On Router1, repeat the IPsec configuration with the peer address and the key binding pointing at Router0 (192.168.1.1). The pre-shared key itself must be identical on both sides:

    Router1(config)# crypto isakmp policy 10
    Router1(config-isakmp)# encryption aes
    Router1(config-isakmp)# hash sha
    Router1(config-isakmp)# authentication pre-share
    Router1(config-isakmp)# group 2
    Router1(config-isakmp)# exit
    Router1(config)# crypto isakmp key YOUR_SHARED_KEY address 192.168.1.1
    Router1(config)# crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
    Router1(config)# crypto map MYCRYPTOMAP 10 ipsec-isakmp
    Router1(config-crypto-map)# set peer 192.168.1.1
    Router1(config-crypto-map)# set transform-set MYTRANSFORMSET
    Router1(config-crypto-map)# match address 100
    Router1(config-crypto-map)# exit
    Router1(config)# interface serial0/0/0
    Router1(config-if)# crypto map MYCRYPTOMAP
    

Step 4: Configure Access Control Lists

  • Define the crypto ACLs that identify the "interesting" traffic the crypto map will encrypt (LAN-to-LAN traffic between 10.0.0.0/24 and 10.0.1.0/24). Each router's ACL must be the mirror image of the other's, and its number (100) must match the crypto map's match address entry:
    • On Router0:
      Router0(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
      
    • On Router1:
      Router1(config)# access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
      
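Nearly every tunnel that fails to come up in this lab comes down to one side not matching the other, so a practitioner would cross-check the two configurations before touching the routers. The Python script below is an added example, not part of the tutorial and not a Cisco tool: it takes the Router0 and Router1 commands from Steps 3 and 4 (rewritten here in running-config form, with the interface addresses from Step 2), extracts the peer addresses, pre-shared key binding, ISAKMP policy, transform-set and crypto ACL, and reports any mismatch, plus an advisory where a parameter (the SHA-1 hash, DH group 2) is below current guidance. The parser only understands the handful of commands used on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed from the tutorial's commands, in the form 'show running-config' prints them.
ROUTER0 = """\
hostname Router0
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key YOUR_SHARED_KEY address 192.168.1.2
crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set MYTRANSFORMSET
 match address 100
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
interface Serial0/0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map MYCRYPTOMAP
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
"""

ROUTER1 = """\
hostname Router1
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key YOUR_SHARED_KEY address 192.168.1.1
crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set MYTRANSFORMSET
 match address 100
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
interface Serial0/0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map MYCRYPTOMAP
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

@dataclass
class VpnConfig:
    hostname: str = ""
    local_ip: str = ""                            # address of the interface carrying the crypto map
    peer: str = ""                                # 'set peer' inside the crypto map
    psk: str = ""                                 # pre-shared key
    psk_peer: str = ""                            # address the key is bound to
    isakmp: dict = field(default_factory=dict)    # phase 1 policy attributes
    transform: tuple = ()                         # transforms in the transform-set
    acl_name: str = ""                            # 'match address' inside the crypto map
    acls: dict = field(default_factory=dict)      # acl number -> [(src, wc, dst, wc), ...]

    @property
    def crypto_acl(self) -> list:
        return self.acls.get(self.acl_name, [])

def parse_config(text: str) -> VpnConfig:
    """Minimal parser: top-level lines open a section, indented lines belong to it."""
    cfg = VpnConfig()
    section, iface_ip = "", ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw[0].isspace():
            section, iface_ip = line, ""
            if m := re.match(r"hostname (\S+)", line):
                cfg.hostname = m.group(1)
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                cfg.psk, cfg.psk_peer = m.groups()
            elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
                cfg.transform = tuple(m.group(1).split())
            elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
                cfg.acls.setdefault(m.group(1), []).append(m.groups()[1:])
            continue
        if section.startswith("crypto isakmp policy"):
            key, _, value = line.partition(" ")
            cfg.isakmp[key] = value
        elif section.startswith("crypto map"):
            if m := re.match(r"set peer (\S+)", line):
                cfg.peer = m.group(1)
            elif m := re.match(r"match address (\S+)", line):
                cfg.acl_name = m.group(1)
        elif section.startswith("interface"):
            if m := re.match(r"ip address (\S+) \S+", line):
                iface_ip = m.group(1)
            elif line.startswith("crypto map "):
                cfg.local_ip = iface_ip
    return cfg

def check_pair(a: VpnConfig, b: VpnConfig) -> list:
    """Return the mismatches between two peers; an empty list means they are consistent."""
    problems = []
    if not a.local_ip or not b.local_ip:
        problems.append("crypto map is not applied to an interface on both routers")
    if a.peer != b.local_ip or b.peer != a.local_ip:
        problems.append("'set peer' does not point at the other router's crypto-map interface")
    if a.psk_peer != a.peer or b.psk_peer != b.peer:
        problems.append("pre-shared key is bound to an address other than the peer")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if a.isakmp != b.isakmp:
        problems.append(f"ISAKMP policy attributes differ: {a.isakmp} vs {b.isakmp}")
    if a.transform != b.transform:
        problems.append(f"transform-sets differ: {a.transform} vs {b.transform}")
    mirror_of_b = {(dst, dwc, src, swc) for (src, swc, dst, dwc) in b.crypto_acl}
    if set(a.crypto_acl) != mirror_of_b:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems

# Phase 1 parameters that Packet Tracer accepts but that are below current guidance.
WEAK_ISAKMP = {"hash": {"sha": "SHA-1"},
               "group": {"1": "768-bit Diffie-Hellman", "2": "1024-bit Diffie-Hellman"}}

def advisories(cfg: VpnConfig) -> list:
    return [f"{cfg.hostname}: '{k} {v}' is {WEAK_ISAKMP[k][v]}, below current guidance"
            for k, v in cfg.isakmp.items() if v in WEAK_ISAKMP.get(k, {})]

if __name__ == "__main__":
    r0, r1 = parse_config(ROUTER0), parse_config(ROUTER1)
    print("mismatches:", check_pair(r0, r1) or "none")
    for note in advisories(r0) + advisories(r1):
        print("advisory:", note)
```

Run against the tutorial's values the script reports no mismatches and two advisories per router; change the key or the ACL on one side and the corresponding problem is listed.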

Step 5: Verify the VPN Connection

  • The ISAKMP security association is negotiated on demand, so first send interesting traffic (from PC0, ping PC1), then check the phase 1 status on both routers:
    Router0# show crypto isakmp sa
    Router1# show crypto isakmp sa
    
  • An entry whose state is QM_IDLE and whose status is ACTIVE means phase 1 completed with the peer. An empty table means no traffic matching the crypto ACL has been sent yet; a state such as MM_NO_STATE means the negotiation failed, typically because of a mismatched pre-shared key or policy. Use show crypto ipsec sa to see the phase 2 SAs and watch the encrypted/decrypted packet counters increase with each ping.
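To make the verification step concrete, the following Python example (added here, not from the tutorial) parses the table printed by show crypto isakmp sa and classifies the phase 1 state toward a given peer. The three outputs are constructed samples in the IOS table layout: before any interesting traffic has been sent, after a successful ping, and after a failed negotiation.

```python
import re

# Constructed sample outputs in the layout IOS uses for 'show crypto isakmp sa'.
BEFORE_TRAFFIC = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA
"""

AFTER_PING = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.2     192.168.1.1     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

FAILED_PHASE1 = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.2     192.168.1.1     MM_NO_STATE       1002    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# One SA row: dst, src, state, conn-id, slot, then a status that may contain spaces.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_isakmp_sa(output: str) -> list:
    """Turn the table into a list of dicts, one per security association."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(4)), "status": m.group(6)})
    return rows

def phase1_status(output: str, local: str, peer: str) -> str:
    """Classify the phase 1 SA between local and peer: established, incomplete or none."""
    for sa in parse_isakmp_sa(output):
        if {sa["src"], sa["dst"]} != {local, peer}:
            continue                      # an SA with some other peer
        if sa["state"] == "QM_IDLE" and sa["status"].startswith("ACTIVE"):
            return "established"          # phase 1 done, phase 2 can proceed
        return "incomplete"               # an MM_* state: the negotiation did not finish
    return "none"                         # nothing negotiated yet: send interesting traffic first

if __name__ == "__main__":
    for name, out in [("before traffic", BEFORE_TRAFFIC), ("after ping", AFTER_PING),
                      ("failed", FAILED_PHASE1)]:
        print(f"{name}: {phase1_status(out, '192.168.1.1', '192.168.1.2')}")
```

The "none" result is the one learners most often misread as a broken VPN; it simply means nothing has matched access-list 100 yet.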

Conclusion

You have successfully configured a Site-to-Site IPsec VPN between two Cisco routers using Packet Tracer. Traffic between the two LANs is now encrypted and authenticated as it crosses the serial link. As a next step, consider testing the connectivity between the PCs or explore additional VPN configurations like remote access VPNs.