In this lesson, I will show you how to configure two Cisco IOS routers to use IPSec in Tunnel mode. This means that the original IP packet will be encapsulated in a new IP packet and encrypted before it is sent out of the network. For this demonstration I will be using the following 3 routers:
R1 and R3 each have a loopback interface behind them with a subnet. We’ll configure the IPsec tunnel between these two routers so that traffic from 1.1.1.1/32 to 3.3.3.3/32 is encrypted. R2 is just a router in the middle so that R1 and R3 are not directly connected. Let’s start with the configuration on R1!
Configuration
First, we will configure the phase 1 policy for ISAKMP where we configure the encryption (AES) and use a pre-shared key for authentication. We use DH group 2:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2For each peer, we need to configure the pre-shared key. I’ll pick something simple like “MYPASSWORD” :
R1(config)#crypto isakmp key 0 MYPASSWORD address 192.168.23.3Now we’ll configure phase 2 with the transform-set:
R1(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmacAnd put everything together with a crypto map. Our peer is 192.168.23.3, the transform-set is called MYTRANSFORMSET and everything that matches access-list 100 should be encrypted by IPSEC:
R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp
R1(config-crypto-map)#set peer 192.168.23.3
R1(config-crypto-map)#set transform-set MYTRANSFORMSET
R1(config-crypto-map)#match address 100The access-list matches all traffic between 1.1.1.1 and 3.3.3.3:
R1(config)#access-list 100 permit ip host 1.1.1.1 host 3.3.3.3We need to make sure our router knows how to reach 192.168.23.3 and also tell it that it can reach 3.3.3.3 through 192.168.23.3:
R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 3.3.3.3 255.255.255.255 192.168.23.3Last but not least, we’ll activate the crypto map on the interface:
R1(config)#interface fa0/0
R1(config-if)#crypto map CRYPTOMAPThat’s all we have to do on R1. Now we’ll create a similar configuration on R3:
Geia sou Lazare ,
your answered me very clear and you have simplified it for me . Are there any sources that you know that they can help me to learn more about IPsec . Not about configuraton because Rene explains about it very nice but for details about the protocols that we use . Like could we use HMAC with PKI player ( private- public key )instead for pre-share key authentication ? Now you understand how much confuse my mind all these concepts.
Thanks a lot
Hello Laz ,
It is helpful
Thanks again about the information you have gave me
Hello Heng
A hash function is a function or algorithm that can be used to map data of any size to a set of data of fixed size. So you can for example take various names of various lengths, process them through a hash function and come up with a set of data of fixed size, two digits for example, as shown in the following diagram:
//cdn-forum.networklessons.com/uploads/default/original/2X/4/4e30164449028000653ecf72670aa0ce1a6c32ec.png
The input of a hash function is called a key and the output is called a hash.Hash functions can be useful in cryptography if the
... Continue reading in our forumHi Laz
Thank you it help me a lot.
Sovandara
I have followed the same steps to config the ipsec tunnel.
... Continue reading in our forumBut could not do it.I got the below debug log.But when I have tried to do this by only placing 2 router it worked.But when the third router is in the place I could not do it.