Cisco IPsec Tunnel Mode Configuration

In this lesson, I will show you how to configure two Cisco IOS routers to use IPSec in Tunnel mode. This means that the original IP packet will be encapsulated in a new IP packet and encrypted before it is sent out of the network. For this demonstration I will be using the following 3 routers:

R1 and R3 each have a loopback interface behind them with a subnet. We’ll configure the IPsec tunnel between these two routers so that traffic from 1.1.1.1/32 to 3.3.3.3/32 is encrypted. R2 is just a router in the middle so that R1 and R3 are not directly connected. Let’s start with the configuration on R1!

Configuration

First, we will configure the phase 1 policy for ISAKMP where we configure the encryption (AES) and use a pre-shared key for authentication. We use DH group 2:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2

For each peer, we need to configure the pre-shared key. I’ll pick something simple like “MYPASSWORD” :

R1(config)#crypto isakmp key 0 MYPASSWORD address 192.168.23.3

Now we’ll configure phase 2 with the transform-set:

R1(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac

And put everything together with a crypto map. Our peer is 192.168.23.3, the transform-set is called MYTRANSFORMSET and everything that matches access-list 100 should be encrypted by IPSEC:

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R1(config-crypto-map)#set peer 192.168.23.3
R1(config-crypto-map)#set transform-set MYTRANSFORMSET
R1(config-crypto-map)#match address 100

The access-list matches all traffic between 1.1.1.1 and 3.3.3.3:

R1(config)#access-list 100 permit ip host 1.1.1.1 host 3.3.3.3

We need to make sure our router knows how to reach 192.168.23.3 and also tell it that it can reach 3.3.3.3 through 192.168.23.3:

R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 3.3.3.3 255.255.255.255 192.168.23.3

Last but not least, we’ll activate the crypto map on the interface:

R1(config)#interface gi0/1
R1(config-if)#crypto map CRYPTOMAP

That’s all we have to do on R1. Now we’ll create a similar configuration on R3:

Forum Replies

what is the configuration of R2?

Nothing has been configured on R2, just the IP addresses on its FastEthernet interfaces.

Rene …Not working for me. 1.1.1.1/32 and 3.3.3.3/32 are not reachable. i checked all configuration , almost same as above. But not working
**

R3#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CRYPTOMAP, local addr 192.168.23.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 192.168.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts

... Continue reading in our forum

Hi Amit,

This show command only tells you that no packets are encrypted or decrypted. You need to check the following in order:

Is routing configured correctly?
Are your ACLs for the VPN configured correctly?
Are the crypto maps configured correctly?
Do you have a security association?

If those are all OK…do a debug for the security association to see what is wrong.

Don’t you need the tunnel ip address, so you can use that as next hop.

R1(config)#ex. ip route 3.3.3.3 255.255.255.255 192.168.13.3

best regards mpo

36 more replies! Ask a question or join the discussion by visiting our Community Forum

Configuration

We're Sorry, Full Content Access is for Members Only...

Forum Replies