IPSec VPN using Cisco Packet Tracer

Use a crossover cable to connect the routers together.

We are using the 1941 Routers for this topology.

Connect the other devices together using a straight

through cable connection.
Perform initial router configuration

Attempt pinging across from Laptop0 to Laptop1. This should fail as R_02 does
not know how to route this traffic
Ensure that you have the security license enabled on R_01 and R_03.
A security license must be installed to enable hardware based crypto support.
These licenses limit all encrypted tunnel counts to 225 tunnels maximum for IP
Security (IPsec). If the securityk9 technology-package is not installed, the
crypto related functions will not work.

(config)show version
(config)license boot module c1900 technology-package
securityk9
copy run start
reload 
show version

IPSec VPN Configuration

Setup an ACL that will specify which interesting traffic that will be allowed to pass through the tunnel.

!R_01
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.3.0
0.0.0.255
 
!R_03
access-list 100 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
Once ISAKMP is enabled, there are five policy parameters that need to be
defined to each policy entry. If no policy is defined, a policy using all of the
defaults will be used. When creating a policy, if no explicit policy parameter is
defined, the default parameter will be used. The policy parameters and default
values are:

1. IKE policy encryption with Data Encryption Standard (DES) as the

default,

2. IKE policy hash with Secure Hash Standard-1 (SHA-1) as the default,

3. IKE key exchange with Diffie-Hellman Group 1 (768-Bit) as the default,

4. IKE lifetime with a one-day (86,400 seconds) lifetime as the default, and

5. IKE authentication with RSA public key as the default.

Each ISAKMP policy is assigned a unique priority number between 1 and

10,000. The policy with priority number 1 is considered the highest priority
policy. The policy negotiation starts with the policy numbered closest to 1. It is
common practice to start policy numbering at 10, this way if you need to insert
policy with a higher priority once the router is in production you have some
space to work with

The first parameter we need to define is the encryption algorithm. Common

practice is to use DES or 3DES, but if the option is available, use AES-256.

The next step is to define the ISAKMP hash algorithm. The IOS supports two
hash protocols: Message-Digest algorithm 5 and Secure Hash Algorithm.
Message-Digest algorithm 5 (MD5) is a single-pass hash algorithm that
generates a 128-bit hash. Ex. #hash sha

Here in the below code we have used the pre shared key for the
authentication.

Next we define what Diffie-Hellman (DH) modulus will be used. The original
RFC defined two; DH Group 1 uses a 768-bit modulus and DH Group 2 uses
a 1024-bit modulus. The larger the value, the more random the key and the
more secure the key is. IOS supports Group 1, Group 2 and Group 5. DH
Group 5 uses a 1536-bit modulus. Common practice is to use Group 2,
because Group 5 is not supported on all IOS versions and is not supported by
the Cisco VPN client.

define the ISAKMP policy

!R_01
crypto isakmp policy 10
    encryption aes 256
    authentication pre-share
    group 5
!
crypto isakmp key Secret-2020 address
100.100.200.1
 
!R_03
crypto isakmp policy 10
    encryption aes 256
    authentication pre-share
    group 5
!
crypto isakmp key Secret-2020 address 100.100.100.1

IPSec Transforms
An IPSec transform specifies a single IPSec security protocol (either AH or ESP)
with its corresponding security algorithms and mode. Example transforms
include the following:

The AH protocol with the HMAC with MD5 authentication algorithm in tunnel
mode is used for authentication.
The ESP protocol with the triple DES (3DES) encryption algorithm in transport
mode is used for confidentiality of data.

The ESP protocol with the 56-bit DES encryption algorithm and the HMAC with
SHA-1 authentication algorithm in tunnel mode is used for authentication and
confidentiality.

Transform Sets
A transform set is a combination of individual IPSec transforms designed to
enact a specific security policy for traffic. During the ISAKMP IPSec security
association negotiation that occurs in IKE phase 2 quick mode, the peers agree
to use a particular transform set for protecting a particular data flow.
Transform sets combine the following IPSec factors:

Mechanism for payload encryption—ESP transform

Mechanism for payload authentication—AH transform

IPsec Transform-set

! R_01
crypto ipsec transform-set R_01-R_03 esp-aes 256 esp-sha-hmac
 
! R_03
crypto ipsec transform-set R_03-R_01 esp-aes 256 esp-sha-hmac
A crypto map is a software configuration entity that performs two primary
functions:
• Selects data flows that need security processing.
• Defines the policy for these flows and the crypto peer to which that traffic
needs to go.
A crypto map is applied to an interface

create a crypto map that glues all the policies together. Also, specify the IP address
of the remote peer.

defining the crypto map

!R_01
crypto map IPSEC-CRYPTOMAP 100 ipsec-isakmp
 set peer 100.100.200.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R_01-R_03
 match address 100
 
!R_03
crypto map IPSEC-CRYPTOMAP 100 ipsec-isakmp
 set peer 100.100.100.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R_03-R_01
 match address 100 // Specifies an extended access list for a crypto
map entry.

Activate IPSec on the outbound interface by applying the crypto map to the
interface

!R_01
interface GigabitEthernet0/0
 crypto map IPSEC-CRYPTOMAP
 
!R_03
interface GigabitEthernet0/0
 crypto map IPSEC-CRYPTOMAP

start pings through the tunnel

!Laptop0
ping 172.16.3.100
 
!Laptop1
ping 172.16.1.100

lets verify that the tunnel is up and running

!R_01
show crypto ipsec sa
 
!R_03
show crypto ipsec sa

R_01#show crypto ipsec sa

 
interface: GigabitEthernet0/0
    Crypto map tag: IPSEC-MAP, local addr 100.100.100.1
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 100.100.200.1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
   #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 1, #recv errors 0
 
     local crypto endpt.: 100.100.100.1, remote crypto endpt.:100.100.200.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xD0212CD7(3491835095)
 
     inbound esp sas:
      spi: 0x90BB08EE(2428176622)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: FPGA:1, crypto map: IPSEC-MAP
        sa timing: remaining key lifetime (k/sec): (4525504/86381)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0xD0212CD7(3491835095)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: IPSEC-MAP
        sa timing: remaining key lifetime (k/sec): (4525504/86381)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE
 
     outbound ah sas:
 
     outbound pcp sas: