Cisco IOS routers can be used to setup IPSec VPN tunnel between two sites. In this post, I will show steps to Configure IPSec VPN With Dynamic IP in Cisco IOS Router. This VPN configuration is different from Site to Site IPSec VPN with static IP address on both ends.
Configure IPSec VPN With Dynamic IP in Cisco IOS Router
The scenario below shows two routers R1 and R2 where R2 is getting dynamic public IP address from ISP. R1 is configured with static IP address of 70.54.241.1/24 as shown below. Both routers have very basic setup like, IP addresses, NAT Overload, default route, hostnames, SSH logins, etc.
There are two phases in IPSec configuration called Phase 1 and Phase 2. Let’s start the configuration with R1. Before you start configuring the IPSec VPN, make sure both routers can ping each other. I have already verified that both routers can ping each other so let’s start the VPN configuration.
Step 1. Configuring IPSec Phase 1 (ISAKMP Policy)
R1(config)#crypto isakmp policy 5 R1(config-isakmp)#hash sha R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#lifetime 86400 R1(config-isakmp)#encryption 3des R1(config-isakmp)#exit R1(config)#crypto isakmp key cisco@123 address 0.0.0.0 0.0.0.0
Here is the details of each commands used above,
- crypto isakmp policy 5 – This command creates ISAKMP policy number 5. You can create multiple policies, for example 7, 8, 9 with different configuration. Routers participating in Phase 1 negotiation tries to match a ISAKMP policy matching against the list of policies one by one. If any policy is matched, the IPSec negotiation moves to Phase 2.
- hash sha – SHA algorithm will be used.
- authentication pre-share – Authentication method is pre-shared key.
- group 2 – Diffie-Hellman group to be used is group 2.
- encryption 3des – 3DES encryption algorithm will be used for Phase 1.
- lifetime 86400 – Phase 1 lifetime is 86400 seconds.
- crypto isakmp key cisco@123 address 0.0.0.0 0.0.0.0 – The Phase 1 password is cisco@123 and remote peer is any. Any destination can try to negotiate with this router.
Step 2. Configuring IPSec Phase 2 (Transform Set)
R1(config)#crypto ipsec transform-set MY-SET esp-aes 128 esp-md5-hmac R1(cfg-crypto-trans)#crypto ipsec security-association lifetime seconds 3600
Here is the detail of command used above,
- crypto ipsec transform-set MY-SET – Creates transform-set called MY-SET
- esp-aes – AES encryption method and ESP IPSec protocol will be used.
- esp-md5-hmac – MD5 hashing algorithm will be used.
- crypto ipsec security-association lifetime seconds – This is the amount to time that the phase 2 session exists before re-negotiation.
Step 3. Configuring Extended ACL for interesting traffic.
R1(config)#ip access-list extended VPN-TRAFFIC R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
This ACL defines the interesting traffic that needs to go through the VPN tunnel. Here, traffic originating from 192.168.1.0 network to 192.168.2.0 network will go via VPN tunnel. This ACL will be used in Step 4 in Crypto Map. Note: – The interesting traffic must be initiated from PC2 for the VPN to come UP.
Step 4. Configure Dynamic Crypto Map.
R1(config)#crypto map MY-CRYPTO-MAP 10 ipsec-isakmp dynamic IPSEC-SITE-TO-SITE-VPN
Above command creates a crypto map that will be used under the interface configuration.
R1(config)#crypto dynamic-map IPSEC-SITE-TO-SITE-VPN 10 R1(config-crypto-map)#set security-association lifetime seconds 86400 R1(config-crypto-map)#set transform-set MY-SET R1(config-crypto-map)#match address VPN-TRAFFIC
Above configuration creates a dynamic crypto map named IPSEC-SITE-TO-SITE-VPN with sequence number 10. If you have more than one remote site with dynamic IP address then you can configure additional dynamic map with different sequence number, say 20. For example, crypto dynamic-map IPSEC-SITE-TO-SITE-VPN 20.
Step 5. Apply Crypto Map to outgoing interface of R1.
R1(config)#int fa0/0 R1(config-if)#crypto map MY-CRYPTO-MAP *Mar 1 01:09:24.447: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Step 6. Exclude VPN traffic from NAT Overload.
R1(config)#ip access-list extended 101 R1(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any R1(config-ext-nacl)#exit R1(config)#ip nat inside source list 101 interface FastEthernet0/0 overload
Above ACL 101 will exclude interesting traffic from NAT.
Now, let’s configure R2.
Step 1. Configuring IPSec Phase 1 (ISAKMP Policy)
R2(config)#crypto isakmp policy 5 R2(config-isakmp)#hash sha R2(config-isakmp)#authentication pre-share R2(config-isakmp)#group 2 R2(config-isakmp)#lifetime 86400 R2(config-isakmp)#encryption 3des R2(config-isakmp)#exit R2(config)#crypto isakmp key cisco@123 address 70.54.241.2
Step 2. Configuring IPSec Phase 2 (Transform Set)
R2(config)#crypto ipsec transform-set MY-SET esp-aes 128 esp-md5-hmac R2(cfg-crypto-trans)#crypto ipsec security-association lifetime seconds 3600
Step 3. Configuring Extended ACL for interesting traffic.
R2(config)#ip access-list extended VPN-TRAFFIC R2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Step 4. Configure Crypto Map.
R2(config)#crypto map MY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)# set peer 70.54.241.2
R2(config-crypto-map)# set transform-set MY-SET
R2(config-crypto-map)# match address VPN-TRAFFIC
Step 5. Apply Crypto Map to outgoing interface
R2(config)#int fa0/1 R2(config-if)#crypto map MY-MAP *Mar 1 19:16:14.231: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Step 6. Exclude VPN traffic from NAT Overload.
R1(config)#ip access-list extended 101 R1(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 R1(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any R1(config-ext-nacl)#exit R1(config)#ip nat inside source list 101 interface FastEthernet0/1 overload
Verification and testing.
To test the VPN connection let’s ping from R1 to PC2.
R1#ping 192.168.2.1 source 192.168.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds: Packet sent with a source address of 192.168.1.254 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 52/54/56 ms
As you can see, the ping from R1 to PC2 is successful. Don’t forget to ping from inside IP address while testing the VPN tunnel from the router. You can also ping from PC1 to PC2.
To verify the IPSec Phase 1 connection, type show crypto isakmp sa as shown below.
R1(config)#do show crypto isa sa dst src state conn-id slot status 199.88.212.2 70.54.241.2 QM_IDLE 1 0 ACTIVE
To verify IPSec Phase 2 connection, type show crypto ipsec sa as shown below.
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MY-CRYPTO-MAP, local addr 70.54.241.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 199.88.212.2 port 500
PERMIT, flags={}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 70.54.241.2, remote crypto endpt.: 199.88.212.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB015532F(2954187567)
In this way you can configure IPSec VPN With Dynamic IP in Cisco IOS Router.
