Cisco – How To configure an IPSec VPN
Posted by Josh on Sat 13 Oct 2007. Categories: Cisco, Cisco Routers - [75] Comments
A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization’s network. The following tutorial will show you how to connect two locations together with an IPSec VPN using pre-shared authentication.
Broadband prices get lower and lower while speeds keep getting faster and faster. Although VPNs have mostly been used for non-critical, low traffic connections, many companies are looking to the internet for primary connectivity.
There are 5 basic steps to configure a VPN using Cisco routers.
1) Configure the ISAKMP policy
2) Configure the ISAKMP pre-shared key
3) Configure the IPSec transform-set
4) Configure an access-list to identify traffic to be encrypted
5) Configure a crypto map to tie steps 2 – 4 together.
6) Apply the crypto map to the external interface.

Configure router R1 (video)
Configure router R2 (video)
Download the ipsec.net config file and ISP router configuration here.
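The six steps above written out as a complete pair of router configurations. This is an added example, not the tutorial's own ipsec.net config or its videos: the addressing (R1 on Serial0/0 12.34.56.2/30 with LAN 192.168.1.0/24, R2 on Serial0/0 23.45.67.2/30 with LAN 192.168.2.0/24), the pre-shared key R4zorb4ck and the names vpn and esp-aes-sha are assumed lab values to be replaced. DH group 14 and PFS are stronger than the IOS defaults and need a 12.4(4)T or later image; on older images use group 5.

```cisco
! Added example, not the tutorial's own config: site-to-site IPsec with pre-shared keys.
! Assumed lab addressing (replace for your network):
!   R1  outside Serial0/0 12.34.56.2/30, default gw 12.34.56.1, LAN 192.168.1.0/24
!   R2  outside Serial0/0 23.45.67.2/30, default gw 23.45.67.1, LAN 192.168.2.0/24
!
! ===================== R1 =====================
! Step 1: ISAKMP (IKE phase 1) policy: AES-256, SHA, pre-shared key, DH group 14
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Step 2: pre-shared key, bound to the peer's public address (assumed key, replace it)
crypto isakmp key R4zorb4ck address 23.45.67.2
!
! Step 3: IPsec (phase 2) transform set: ESP with AES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
!
! Step 4: "interesting traffic": only LAN-to-LAN packets are encrypted, nothing else
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 5: the crypto map entry ties peer, transform set and traffic ACL together
crypto map vpn 10 ipsec-isakmp
 set peer 23.45.67.2
 set transform-set esp-aes-sha
 set pfs group14
 match address 101
!
! Step 6: apply the crypto map to the outside interface
interface Serial0/0
 ip address 12.34.56.2 255.255.255.252
 crypto map vpn
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 12.34.56.1
!
! ===================== R2 =====================
! Same policy and transform set; only the peer, key binding, ACL and addresses mirror R1.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key R4zorb4ck address 12.34.56.2
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map vpn 10 ipsec-isakmp
 set peer 12.34.56.2
 set transform-set esp-aes-sha
 set pfs group14
 match address 101
!
interface Serial0/0
 ip address 23.45.67.2 255.255.255.252
 crypto map vpn
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 23.45.67.1
```

The tunnel is negotiated on demand, so bring it up from R1 with `ping 192.168.2.1 source 192.168.1.1` (the first packet matching ACL 101 triggers IKE). Then `show crypto isakmp sa` should list the peer in state QM_IDLE, `show crypto ipsec sa` should show the #pkts encaps and #pkts decaps counters rising, and `show crypto session` should report UP-ACTIVE. If phase 1 never completes, the policy (encryption, hash, group, lifetime) and the key must match exactly on both ends; `debug crypto isakmp` shows which attribute was rejected. Note that the pre-shared key sits in the running config in clear text, so it should be long and random and the config itself treated as sensitive. If small pings work but larger transfers inside the tunnel stall (the RDP symptom raised in the comments), `crypto ipsec df-bit clear` in global config lets the router fragment packets that carry the DF bit.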

October 15th, 2007 at 12:02 am
good job!
October 15th, 2007 at 4:59 am
Great!!!
Would you provide example for Remote Access VPN?
October 16th, 2007 at 8:03 am
Remote Access VPN is on the list of future tutorials.
October 17th, 2007 at 1:18 am
Hi
Please provide an example of configuring IPsec between a Cisco router and Microsoft Windows or Linux.
thanks
October 30th, 2007 at 2:33 pm
Hey, cool VPN video… can I download a copy of it?
Thx!
Jason
November 12th, 2007 at 1:16 pm
WOW… Cool stuff, very useful… Keep up the good work, sir.
I will keep coming back to browse Blindhog.
Many Thanks.
November 23rd, 2007 at 7:00 pm
Nice… do you know anything about router RIP, and how to retrieve lost passwords on a Cisco router when it crashes?
November 23rd, 2007 at 11:52 pm
Sure. Do you need help with it or would you like a tutorial?
November 29th, 2007 at 4:15 pm
How do you configure the internet cloud? You have only talked about the 2 routers.
Please help
November 29th, 2007 at 9:09 pm
Sure. You can download a zip file with the ipsec.net and ISP router config HERE
December 5th, 2007 at 8:49 am
Which IOS is this? From my 3640 I can’t use the crypto isakmp commands.
December 5th, 2007 at 1:56 pm
You will need an encryption image.
December 11th, 2007 at 12:50 am
I did this using a 3725 router with an IPsec-enabled image. For the ISP I used a 3640 router.
Thx a lot.
December 21st, 2007 at 6:47 pm
I would like info on router RIP. Can you send me something on lost passwords at KOOL2BME1@YAHOO.COM… would greatly appreciate it.
December 23rd, 2007 at 9:22 am
RIP
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=xv7&q=how+to+configure+rip&btnG=Search
Lost Password
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=HGn&q=cisco+lost+password&btnG=Search
January 24th, 2008 at 4:57 pm
That was awesome and exactly what I was looking for!! Thank you!
February 2nd, 2008 at 9:47 am
I can’t thank you enough for this tutorial. I have searched high and low for a step by step to do just this.
You are the man!!!!!!
Thanks again for such a good tutorial
February 4th, 2008 at 1:58 pm
Great video,
Do you have any configuration tutorials doing the same thing using IPsec,
between a Cisco 3000 VPN Concentrator / Cisco 851?
Been looking all over and can’t find much on these two. With the info provided, though, I will try and set something up.
March 12th, 2008 at 11:12 am
Forgive my ignorance – but which IOS images contain encryption? I’ve got a whole library of IOS images! (I know this could open a can of worms explaining the whole naming convention thing! But just the basic of what to look for will do! Thanks in advance!)
March 12th, 2008 at 4:21 pm
If you have a cisco.com account, you can go to
http://www.cisco.com/go/fn
Use the feature navigator to find out what capabilities a particular image has.
March 13th, 2008 at 4:49 am
Dude! That’s exactly what I’m looking for. Cheers mate!
April 26th, 2008 at 1:49 pm
Would you provide example for pix-to-pix vpn?
April 29th, 2008 at 11:29 am
Is the VPN relationship 1:1 or 1:many? I.e. if I have two remote offices, can I get away with just one 851 at the home office, or does the home office need a separate router for each remote office?
April 29th, 2008 at 8:31 pm
Mule,
The VPN is a 1:many or many to many. You can have one router at the home office. The key is that you have to use the same crypto map name.
```
crypto isakmp key R4zorb4ck address 23.45.67.2
crypto isakmp key R4zorb4ck address 34.56.78.2
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! each map entry needs its own traffic ACL; 192.168.3.0/24 is an assumed LAN for the second site
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto map vpn 10 ipsec-isakmp
 match address 101
 set peer 23.45.67.2
 set transform-set esp-aes-sha
crypto map vpn 20 ipsec-isakmp
 match address 102
 set peer 34.56.78.2
 set transform-set esp-aes-sha
int s0/0
 crypto map vpn
```
Josh
May 2nd, 2008 at 9:00 am
Josh,
Thanks for the answer and the additional detail. The example you gave shows two remotes with static IPs. Is a similar configuration possible with dynamic IPs? The scenario is a home office with three telecommuters. We want to extend both our network and phone system to them over VPN, but I doubt they have static IPs at home. It would be worth the extra $ to get them a static, but for at least one user that might not be an option.
May 13th, 2008 at 12:35 pm
Thanks for making the configurations so clear and easy to follow. Your configs were a main resource for me setting up an IPSec VPN for my employer. Thanks again!!!
May 21st, 2008 at 1:18 pm
That is just great… and it’s really helpful. Good job!!!!
June 9th, 2008 at 2:53 am
v v v good job done
June 10th, 2008 at 2:26 am
Very good job… Thanks
Please send some OSPF tutorial/configuration links.
-Riton
June 23rd, 2008 at 5:01 am
Hello.
I have a problem using the crypto command.
Can you provide the IOS, or just its name, that you used for this tutorial?
I can’t find any encryption image.
Thanks.
August 25th, 2008 at 8:49 pm
Man, very good, but how can I configure this with split tunneling?
Thanks
August 28th, 2008 at 8:44 pm
Thank you for the great info. I was able to get 3 tunnels successfully created.
I am not able to use RDP over any of them though, and after googling the issue I see I am not alone. Can you provide information on what steps are necessary to allow RDP over an IPSEC tunnel?
August 28th, 2008 at 9:56 pm
Tom,
It might be an MTU issue. Try adding ‘crypto ipsec df-bit clear’ in global config mode.
Josh
September 1st, 2008 at 9:49 pm
Brilliant work. great explanation.
September 4th, 2008 at 10:56 am
[...] ensure security. If you would like to see a video tutorial on how to set up an IPSEC VPN please click here. Hopefully tomorrow I can get something up on AH and [...]
November 13th, 2008 at 3:34 pm
You can see the version of IOS from the first screen of the tutorial. When the system boots up to the run menu option, you can see the version and level.
I have a small problem when I tried it. I don’t have serial ports. What blades did you use for 0 and 1? I used the following IOS: Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a), RELEASE SOFTWARE (fc3). I know yours was 12.4(16), but is there that much difference between these levels? Any thoughts?
November 21st, 2008 at 11:02 am
Awesome job!!!! Very informative. Can you provide the same for a remote access VPN connection?
Thanks
November 26th, 2008 at 7:04 am
John,
Once I am finished with the virtual voice lab, I might look into doing a remote access vpn tutorial.
Josh
November 30th, 2008 at 6:24 am
Keep up the brilliant job, Bro… I will keep browsing Blindhog in the future, and hope to learn the remote access VPN from you…
THANKS THANKS THANKS !!!
January 29th, 2009 at 4:39 pm
Very Good!
I have difficulties shaping a router for remote login from a static IP with SSH; from the LAN SSH works, but not from the external interface.
Assuming external interface ATM0 and remote IP 79.1.X.X, how do I qualify SSH? Thanks a thousand!
February 16th, 2009 at 4:59 am
Hi there
I am not sure if I have missed out anything, but I have downloaded the ipsec.net config files and tried them out. The only changes I made were to the file path.
These are the issues which I encountered
1) when I tried to ping the 192.168.2.254 from R1 I get ‘U.U.U’
2) when I ‘show crypto session’ it shows that the IP Sec is down.
Is there anything I missed?
Thanks in Advance
February 24th, 2009 at 11:03 am
great tutorial!
is there any news on the Remote Access VPN tutorial that was promised?
February 24th, 2009 at 9:59 pm
len,
Yes, it has been put on hold. I have been working on the virtual voice lab tutorial series instead.
Josh
February 25th, 2009 at 11:56 am
Hi Josh,
Would it be possible to post an example config, if you have one, or point me to a suitable www site?
It would be greatly appreciated!
Thanks
February 26th, 2009 at 7:11 am
len,
I will try to come up with a sample config for you. Sorry my intentions shifted focus.
Josh
February 26th, 2009 at 10:25 am
Thanks.
One last question on the IPsec VPN solution above: in practice, is it advised to hide both of the Cisco routers behind firewalls, permitting only IPsec traffic?
Without using firewalls, how can I secure each device to ensure that no unauthorised internet access or traffic can use the VPN tunnel?
Thanks
February 28th, 2009 at 9:34 am
Good show
March 2nd, 2009 at 1:07 pm
very very good
very nice to see this
March 5th, 2009 at 9:13 pm
Len,
In this configuration, you should use access-lists and CBAC to ensure security.
Another thing you can do is to remove the gateway of last resort (default gateway) from your router and only insert static routes to the other vpn routers just for good measure.
Josh
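A concrete version of that advice, added here as an example rather than taken from the tutorial or its author: an inbound access-list on the outside interface that admits only IKE, NAT-T and ESP from the known VPN peer, together with CBAC inspection so that replies to sessions the LAN opened are the only other thing let back in. The interface name Serial0/0, peer 23.45.67.2 and the two LAN prefixes are the values used in the earlier crypto map comment and are assumed here.

```cisco
! Added example (not from the tutorial): lock down R1's outside interface.
! Assumed: outside interface Serial0/0, VPN peer 23.45.67.2, local LAN 192.168.1.0/24,
! remote LAN 192.168.2.0/24 (the same values as the crypto map in the earlier comment).
ip access-list extended OUTSIDE-IN
 remark IKE (UDP 500), NAT-T (UDP 4500) and ESP, and only from the known peer
 permit udp host 23.45.67.2 eq isakmp any eq isakmp
 permit udp host 23.45.67.2 eq non500-isakmp any eq non500-isakmp
 permit esp host 23.45.67.2 any
 remark decrypted LAN-to-LAN traffic; images before 12.3(8)T re-check the decrypted
 remark packet against this ACL, and IOS drops a packet that matches the crypto ACL but
 remark arrived unencrypted, so this entry does not open a spoofing hole
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark ICMP needed for path-MTU discovery and traceroute through the tunnel
 permit icmp any any packet-too-big
 permit icmp any any ttl-exceeded
 remark private source ranges have no business arriving from the internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark everything else is dropped and logged
 deny   ip any any log
!
! CBAC: track sessions the LAN opens toward the internet and admit only their replies
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
```

Apply the mirror image on R2. `show ip access-lists OUTSIDE-IN` shows hit counts per entry, and the logged final deny makes unexpected inbound traffic visible in `show logging`. If the router does not need to reach the internet at all, the CBAC lines can be dropped and, as suggested above, the default route replaced by a static route to the peer's public address, so the box can only ever talk to its VPN partner.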
March 5th, 2009 at 9:28 pm
Len,
This link should help.
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html
Josh
March 25th, 2009 at 8:37 pm
Very useful…..
March 26th, 2009 at 10:19 am
Hi Josh,
I have set up your example above, which works perfectly. However, is it possible to have multiple crypto mappings on a single interface? I’m hoping to configure multiple IPsec VPNs on a central, ‘hub-style’ router which can support several tunnels.
Thanks
Len
April 19th, 2009 at 7:45 am
len,
Yes, you can have multiple crypto maps on an interface. Just do it like this.
```
crypto map newvpn 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set STRONG
 match address 102
crypto map newvpn 11 ipsec-isakmp
 set peer 10.1.1.3
 set transform-set STRONG
 match address 103
crypto map newvpn 12 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set STRONG
 match address 104
interface Fa0/0
 crypto map newvpn
```
Josh
August 1st, 2009 at 12:23 am
Hi,
Thank you for such a wonderful tutorial!!!!
Please add the configuration for remote access VPN!!!
Thanks a lot!!!
August 27th, 2009 at 4:50 pm
Excellent!
Thank you!
October 29th, 2009 at 9:17 am
Nice, thanks for the tutorial.
November 1st, 2009 at 6:24 am
This is what I was looking for.
Thanks a lot !!!
November 1st, 2009 at 3:44 pm
I just tried and it works. This is just great.
Thanks, Thanks, Thanks
November 3rd, 2009 at 5:08 am
It is an awesome one.. You are simply great & God bless. No words to say :) I was actually looking for a dynamic internet IP [ADSL] VPN setup [with DynDNS or No-IP] for remote VPN users. Can you please guide me on it, or where I can get similar guidance?
November 9th, 2009 at 11:08 am
Hello Josh… this example was interesting, but I would like to know how it would be if we want a VPN over IPsec with different devices at both sites, for example Juniper (ADSL connection) on one side and an ASA 5110 on the other. Thanks a lot for your attention.
Thanks
November 12th, 2009 at 6:04 pm
Is this a VPN transport mode ?
November 19th, 2009 at 1:27 am
Hi
Great video. When you configured the Fast Ethernet port, you used the no keepalive command. I presume this is because no actual cable is plugged into the port and the no keepalive command fools the port into thinking that it is up all the time, correct?
December 21st, 2009 at 1:26 am
Hi, great job.
I would like to know how to set up the site-to-site VPN using DDNS. In my scenario I am using Cisco at HO and SonicWall at the remote end. For your info, I have already configured this and it is working flawlessly, but as soon as a DynDNS IP change occurs at the site we lose the tunnel. The Cisco has a leased line and the SonicWall is on ADSL, where I have configured the DDNS in the modem provided by the ISP and port forwarding to the SonicWall at the remote site.
It will be greatly appreciated if you guys help me on this.
Regards,
Ashish Vaishya
February 12th, 2010 at 4:38 pm
What a good post!!!!
I am doing my Final Job about IPSec VPN on Cisco and this post is very, very helpful.
Thank you so much
February 14th, 2010 at 4:52 am
Hi,
Good day. I would like to know how to set up a site-to-multi-site VPN using Cisco routers. In my scenario I am using a Cisco 2811 at the head office and some Cisco 2610s at the remote ends.
It will be greatly appreciated if you guys help me on this issue.
With Best Regards,
M Crown
March 23rd, 2010 at 1:19 pm
Hello,
thank you very much for this help!^^
I used three 1841s for this test, and configured only the FastEthernet interfaces.
Nevertheless I cannot ping the other side of the VPN… I do not have exactly the same configuration on the ISP router: for example I have “ip classless” but do not have “ip cef”.
Do you think it is why I can ping through the VPN?
Thanks for your time.
April 22nd, 2010 at 4:03 pm
Brice: I’ll assume you are using an xDSL connection; if so, try using the Dialer0 interface, as these are your external interfaces unless you are told that you are using the FE interface. Most configs you see for and from Cisco are more likely set up in a test lab where the connection is either a serial interface or an ethernet interface.
Josh – quick question: I need to connect a C1841 router to a Netgear DG834 router using IPSEC; are there any tricks I need to perform on the Netgear to allow the VPN tunnel to work? Also I need to configure QoS on the C1841 for VoIP and RDP protocols only.
Thanks
May 20th, 2010 at 11:50 am
Excellent article!
Would you provide example for Remote Access VPN? I want to learn it.
Many thanks, from Arg.
Germán
June 21st, 2010 at 2:21 pm
Hi Users! This software is great!!!
Could someone test Remote Access VPN with this software??? On the other hand, I installed a Linux host machine in GNS3. Does someone know where I can download a Windows test machine? Because I would like to test a Remote Access VPN by installing the Cisco VPN software.
Thz
July 3rd, 2010 at 12:14 pm
Say one site has a static public IP and the other remote site has a dynamic public IP; how do I create an IPSEC VPN through the Internet?
I’d very much appreciate it if you could explain.
regards
Rajeewa
July 17th, 2010 at 4:36 pm
This is amazingly kewl, made me understand stuff I never did.
Aj.
July 26th, 2010 at 9:50 am
Hi! Sorry for my ignorance, but I’m starting to configure Cisco equipment.
The video is great, but I want to configure a VPN Internet -> Router with the Cisco client to access the VPN.
Any help?
July 27th, 2010 at 8:18 pm
Rajeewa,
You would need to use DMVPN or EzVPN if one side has a dynamic ip address.
Josh
July 27th, 2010 at 8:26 pm
Pedro,
I need to put a tutorial together for that. I have had a lot of requests.
Josh
August 21st, 2010 at 3:04 am
The video-based explanation is very helpful for beginners. This gives a feel of practical experience.