Mukesh Chanderia

IPsec VPN Configuration

Updated: Nov 10, 2022

Let's have a look at the IP addressing of the two sites between which we need to configure the site-to-site VPN.




Let's configure Router A


Step 1: Create an ISAKMP policy for Phase 1 negotiations for the L2L tunnels.


crypto isakmp policy 10

encryption aes

hash sha256

authentication pre-share

group 14


IKEv1 Phase 1.5


Also known as client mode. In this phase the ASA asks the client for its identity, and the client usually responds with credentials, a certificate, or both.


Step 2: Specify the pre-shared key and the remote peer address to match for the L2L tunnel.


crypto isakmp key vpnuser address 10.0.0.2


Step 3: Create the Phase 2 policy for IPsec negotiation.


crypto ipsec transform-set myset esp-aes esp-sha256-hmac


Step 4: Create an ACL for the traffic to be encrypted.


In this example, traffic from 10.1.1.0/24 to 172.16.2.0/24 is encrypted. Traffic that does not match the access list is sent to the Internet unencrypted.


access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255


Step 5: Create the actual crypto map. Specify an access control list (ACL), which defines the proxy identities (local and remote hosts/networks).


crypto map mymap 10 ipsec-isakmp

set peer 10.0.0.2

set transform-set myset

match address 100


interface GigabitEthernet0/1 (Local Network)

ip address 10.1.1.2 255.255.255.0


Step 6: Apply the crypto map on the outside interface.


interface GigabitEthernet0/0 (Remote Network)

ip address 172.16.1.1 255.255.255.0

crypto map mymap


Route to the default gateway


ip route 0.0.0.0 0.0.0.0 172.16.1.2



Let's configure Router B


Step 1: Create an ISAKMP policy for Phase 1 negotiations for the L2L tunnels.


crypto isakmp policy 10

encryption aes

hash sha256

authentication pre-share

group 14


Step 2: Specify the pre-shared key and the remote peer address to match for the L2L tunnel.


crypto isakmp key vpnuser address 172.16.1.1


Step 3: Create the Phase 2 policy for IPsec negotiation.


crypto ipsec transform-set myset esp-aes esp-sha256-hmac


Step 4: Create an ACL for the traffic to be encrypted.


In this example, traffic from 172.16.2.0/24 to 10.1.1.0/24 is encrypted. Traffic that does not match the access list is sent to the Internet unencrypted.


access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255


Step 5: Create the actual crypto map. Specify an access control list (ACL), which defines the proxy identities (local and remote hosts/networks).


!

crypto map mymap 10 ipsec-isakmp

set peer 172.16.1.1

set transform-set myset

match address 100


interface GigabitEthernet0/1

ip address 172.16.2.1 255.255.255.0

!


Step 6: Apply the crypto map on the outside interface.


interface GigabitEthernet0/0

ip address 10.0.0.2 255.255.255.0

crypto map mymap


Route to the default gateway.


ip route 0.0.0.0 0.0.0.0 10.0.0.1
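Before touching the routers, it is worth checking that the two configurations above really mirror each other, because a one-character difference in the ISAKMP policy, the pre-shared key, the transform set or the crypto ACL is the usual reason Phase 1 or Phase 2 never completes. The following Python script is an added example (not part of the original post); the function names are mine, and the two config excerpts are constructed from the values in the article.

```python
import re

def parse_crypto(cfg):
    # Collect the parts of an IOS crypto-map VPN config that must agree between peers.
    c = {"policy": set()}
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith(("encryption ", "hash ", "authentication ", "group ")):
            c["policy"].add(line)                     # ISAKMP (Phase 1) proposal
        elif m := re.match(r"crypto isakmp key (\S+) address \S+", line):
            c["psk"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            c["transform"] = m.group(1)               # IPsec (Phase 2) proposal
        elif m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", line):
            c["acl"] = m.groups()                     # (local proxy, remote proxy)
    return c

def check_pair(cfg_a, cfg_b):
    # Return the mismatches between the two ends; an empty list means they mirror each other.
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy differs (Phase 1 fails)")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ (Phase 1 authentication fails)")
    if a["transform"] != b["transform"]:
        problems.append("transform-set differs (Phase 2 fails)")
    if a["acl"] != b["acl"][::-1]:                    # B's ACL must be A's, reversed
        problems.append("crypto ACLs are not mirror images (proxy identity mismatch)")
    return problems

# Constructed excerpts of the article's Router A and Router B configurations.
ROUTER_A = """crypto isakmp policy 10
 encryption aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key vpnuser address 10.0.0.2
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255"""
ROUTER_B = """crypto isakmp policy 10
 encryption aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key vpnuser address 172.16.1.1
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255"""
```

Running check_pair(ROUTER_A, ROUTER_B) on the article's configs returns an empty list; change the hash or one ACL entry on either side and the corresponding mismatch is reported.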



Verify Site-2-Site VPN


show crypto ipsec sa


Shows the settings, the number of encaps and decaps, the local and remote proxy identities, and the inbound and outbound Security Parameter Indexes (SPIs) used by the current Security Associations (SAs).


RouterA#show crypto ipsec sa


interface: Serial2/0

Crypto map tag: mymap, local addr 172.16.1.1


protected vrf: (none)

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

current_peer 10.0.0.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21

#pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0


local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.0.0.2

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

current outbound spi: 0x8767D399(2271728537)

PFS (Y/N): N, DH group: none


inbound esp sas:

spi: 0x6E210372(1847657330)

transform: esp-aes esp-sha256-hmac ,

in use settings ={Tunnel, }

conn id: 2007, flow_id: Onboard VPN:7, sibling_flags 80004040, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (4338240/3269)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)


inbound ah sas:


inbound pcp sas:


outbound esp sas:

spi: 0x8767D399(2271728537)

transform: esp-aes esp-sha256-hmac ,

in use settings ={Tunnel, }

conn id: 2008, flow_id: Onboard VPN:8, sibling_flags 80004040, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (4338240/3269)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)


outbound ah sas:


outbound pcp sas:
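The counters in this output are what tell you whether the tunnel is healthy: encaps and decaps both increasing means bidirectional traffic, encaps without decaps means the remote side is not returning anything, and no ACTIVE ESP SAs means Phase 2 never completed. The following Python helper is an added example (not from the original post) that parses output of this shape and produces that verdict; the function names are mine, and the sample is a constructed excerpt of the Router A output above.

```python
import re

def parse_ipsec_sa(output):
    # Summarise one flow from `show crypto ipsec sa`: proxy identities, peer, counters, SA status.
    sa = {"active_sas": 0, "encaps": 0, "decaps": 0}
    for line in map(str.strip, output.splitlines()):
        if m := re.match(r"(local|remote)\s+ident .*?: \((\S+?)/(\S+?)/", line):
            sa[m.group(1)] = f"{m.group(2)}/{m.group(3)}"   # network/mask proxy identity
        elif m := re.match(r"current_peer (\S+)", line):
            sa["peer"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            sa[m.group(1)] = int(m.group(2))
        elif line.startswith("Status: ACTIVE"):
            sa["active_sas"] += 1                          # one inbound + one outbound ESP SA
    return sa

def diagnose(sa):
    # Turn the counters into the verdict an engineer reaches by hand.
    if sa["active_sas"] < 2:
        return "NO_SA: Phase 2 not established; check debug crypto isakmp / debug crypto ipsec"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "IDLE: SAs are up but no traffic has matched the crypto ACL"
    if sa["decaps"] == 0:
        return "ONE_WAY: encrypting but nothing returns; check the remote crypto ACL and return routing"
    return "OK: bidirectional traffic"

# Constructed excerpt of the Router A output shown above.
SAMPLE = """interface: GigabitEthernet0/0
    Crypto map tag: mymap, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21

     inbound esp sas:
      spi: 0x6E210372(1847657330)
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x8767D399(2271728537)
        Status: ACTIVE(ACTIVE)
"""
```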

show crypto isakmp sa


Shows all current IKE SAs and their status.


RouterA#show crypto isakmp sa

dst             src             state          conn-id  slot  status

10.0.0.2        172.16.1.1      QM_IDLE              1     0  ACTIVE


show crypto map


Shows the crypto map structure, including:


Name of the crypto map and sequence number

Peer address

Name of the ACL applied along with the local and remote proxy identities

Values of the IPsec transform-set used

Interface to which the crypto map is bound


RouterA#show crypto map


Crypto Map IPv4 "mymap" 10 ipsec-isakmp

Peer = 10.0.0.2

Extended IP access list 100

access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255

Current peer: 10.0.0.2

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Mixed-mode : Disabled

Transform sets={

myset: { esp-aes esp-sha256-hmac } ,

}

Interfaces using crypto map mymap:

GigabitEthernet0/0


RouterB#show crypto map

Interfaces using crypto map NiStTeSt1:


Crypto Map IPv4 "mymap" 10 ipsec-isakmp

Peer = 172.16.1.1

Extended IP access list 100

access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Current peer: 10.0.0.1

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Mixed-mode : Disabled

Transform sets={

myset: { esp-aes esp-sha256-hmac } ,

}

Interfaces using crypto map mymap:

GigabitEthernet0/0


show crypto session remote <IP address of peer VPN endpoint> detail


RouterA#show crypto session remote 10.0.0.2 detail

Crypto session current status


Interface: GigabitEthernet0/0

Uptime: 00:39:16

Session status: UP-ACTIVE >>>>> Status of the VPN

Peer: 10.0.0.2 port 500 fvrf: (none) ivrf: (none)

Phase1_id: 10.0.0.2

Desc: (none)

Session ID: 0

IKEv1 SA: local 172.16.1.1/500 remote 10.0.0.2/500 Active

Capabilities:(none) connid:1004 lifetime:23:20:43

IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 172.16.2.0/255.255.255.0

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 21 drop 0 life (KB/Sec) 4338240/1243

Outbound: #pkts enc'ed 21 drop 0 life (KB/Sec) 4338240/1243



RouterB#show crypto session remote 172.16.1.1 detail

Crypto session current status


Interface: GigabitEthernet0/0

Uptime: 00:40:43

Session status: UP-ACTIVE >>>>> Status of the VPN

Peer: 172.16.1.1 port 500 fvrf: (none) ivrf: (none)

Phase1_id: 172.16.1.1

Desc: (none)

Session ID: 0

IKEv1 SA: local 10.0.0.2/500 remote 172.16.1.1/500 Active

Capabilities:(none) connid:1004 lifetime:23:19:16

IPSEC FLOW: permit ip 172.16.2.0/255.255.255.0 10.1.1.0/255.255.255.0

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 21 drop 0 life (KB/Sec) 4271304/1156

Outbound: #pkts enc'ed 21 drop 0 life (KB/Sec) 4271304/1156

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.



Debug Commands


debug crypto isakmp - Displays the ISAKMP negotiations of Phase 1.


debug crypto ipsec - Displays the IPsec negotiations of Phase 2.




