How to Setup a Cisco Router VPN (Site-to-Site): Cisco Router Training 101

Hello and welcome to Cisco Router Training 101. My name is Don Crawley. I'm from soundtraining.net, the Seattle, Washington-based provider of intensive training for IT professionals. This time we're configuring a site-to-site VPN between a pair of Cisco routers. It's based on chapter 12 in my book, The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide. It's available in both paperback and Kindle editions from Amazon and through other outlets. If you'd like to pick up a copy I'd appreciate it, but please don't feel obligated; you can certainly follow along without the book.

The video is based on Cisco IOS version 12.4. The image that we're running on a pair of 871 routers is the Advanced IP Services feature set, and the reason we're doing that is because you have to have IPsec in order to set up a VPN tunnel, as we'll go over again in a few moments.

Now, what is a site-to-site VPN? Often when we think about a VPN we think about a remote access VPN, which would be used by travelling workers logging in while they're on the road. Maybe they're in Milwaukee and your home office is in Minneapolis, so they would log in to the VPN from the remote location in Milwaukee, connecting to the main office in Minneapolis. But that's not what we're talking about here. What we're talking about here is a site-to-site VPN. Suppose you have an office in Seattle and another one in Kansas City. Traditionally, what you would have done in the past is lease some kind of a service, maybe a T1 line, moving one and a half megabits per second and costing you a good deal of money between the two cities. Well, with the advent of the public Internet we're able to take advantage of the public Internet infrastructure and connect through the cloud using an encrypted tunnel. That's the key with a VPN: it applies encryption to the tunnel, thus making the communication private, and it costs a whole lot less than leasing a line, and frankly you probably get a lot more bandwidth. I hope you get a lot more bandwidth than one and a half megabits per second.

This is the diagram that we're going to be using for the demo, and you can download a copy of this diagram, along with all of the others from the book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide, from the book's website. It's free; you don't even have to register. You can just go there and there's a link where you can download it in PDF format. The URL is www.soundtraining.net slash cisco router book, and that's where you can download this diagram along with the others. I'm going to be doing the demo on computer 01, and I've already got router 2 configured, so it's just a matter of me sitting down and configuring router 1. If I do everything right we should be able to have communication between the two computers.

Prerequisites: in order to be able to do this exercise you'll need the following. Privileged mode access to a pair of Cisco routers; obviously you can't have a VPN unless you have a pair of routers. As for hardware and software requirements, two Cisco routers: I use Cisco model 871, so you can use pretty much any router in the Cisco line, except you're not going to be able to do this with the consumer-grade Linksys Cisco routers; that won't work. This is for commercial-grade routers. You'll also need a Cisco IOS version that supports IPsec. As I mentioned, I'm using a pair of 871s that have the Advanced IP Services feature set, but the main thing is just to make sure that your IOS version supports IPsec. You'll need a couple of computers, a console cable and terminal emulation software, of course, if you're working with routers; the one that I'm using is PuTTY.

Here's the disclaimer: this video is provided exclusively as a courtesy to you, our viewer, no guarantees whatsoever. Please do not attempt these procedures on a production router without first testing them for security and suitability in a lab environment (you do have one, don't you?). The procedures shown in this video will modify your router's existing configuration, so ensure you have completely backed up your router's config and software images before beginning these procedures. Performing these procedures may open your router to the public Internet and subject your network to attack, so make sure you have current backups and take precautions, including data encryption and additional access controls, to protect sensitive data. That's just generally good practice, whether you're watching this video or anything else.

Here's a summary of the steps. If you look at the configuration steps for setting up a VPN in a lot of the documentation out there it looks pretty intimidating, and I understand that, but the reality is that there are four steps. Phase one is the key exchange; this is ISAKMP, the Internet Security Association and Key Management Protocol. This is the handshake where the two routers agree on how they're going to communicate. Phase two is setting up the IPsec tunnel. Then we apply the crypto map to the outside interface; that's where we identify our peers and the transform sets and so on. Then we create an access control list to identify the traffic flows. The access control lists are always inside to inside, so that is my LAN to the other router's LAN: inside to inside for the access control lists, outside to outside for the peers.

All right, let's go ahead and do the demo. We'll start a continuous ping to computer 2. Now remember, I'm on computer 1 and router 1, so our partner is router 2 and computer 2. We're going to start a continuous ping to computer 2, which is at 192.168.102.2, and we'll put a -t switch on it to make it a continuous ping. You'll see that we're getting a destination host unreachable, or you might get a no reply message, but something's saying that it's not successful. We'll leave that on in the background and then we'll switch over to PuTTY so we can do the configuration on the router. Again, I'm going to leave the PowerShell window open behind PuTTY so that you'll be able to see the ping when it's successful, when we finish the configuration.

So let's go ahead and get started. We'll go into global configuration mode with config t, and then we're going to invoke cryptographic services with the command crypto. Since we're doing the key exchange, that's isakmp, Internet Security Association and Key Management Protocol, policy. This is a grouping of our phase 1 configuration parameters and we just have to identify it, so we'll call it policy 10. Now, what is the hash algorithm that we're going to use? We're going to use Secure Hash Algorithm, so we'll type hash sha. We could use MD5, but SHA is a little more robust and that's pretty much what everybody's using now. Now, how are we going to authenticate? Well, we'll use a pre-shared key, so let's type authentication pre-share. Now we need to identify the key itself, so we'll type crypto isakmp key vpnkey; this is just a text string, but it has to match on both ends of the connection. Then address: we're going to identify our peer, the other end of the connection, 192.168.1.211. Now we're done with the phase one portion of the configuration.

Let's move on to phase two, and that's setting up the encrypted tunnel. Once the handshake is successful it moves on to phase two, which is creating the encrypted tunnel, so this is the IPsec portion. Here we go with IPsec, once again using the crypto command to invoke cryptographic services. Now we're going to say crypto ipsec transform-set; we have to give it a name, so we'll call it vpnset. Again, you could call it billy-bob, it doesn't matter as long as you're consistent with it. And we'll say esp-aes: that is the Encapsulating Security Payload, and AES is the Advanced Encryption Standard. You could use Triple DES, but most people have moved to AES now; it's considered a little more robust and a little faster too. So we'll do AES, then esp-sha-hmac: we're identifying our hashing algorithm, SHA, with the hashed message authentication code. That sets up our transform set. Again, think of the transform set as being to IPsec what the isakmp policy is to ISAKMP.

Now let's set up our crypto map. We'll type exit and do crypto map vpnset 10 ipsec-isakmp, and you'll notice that it throws an error. It's just saying, hey, you're not done with the configuration yet. Yeah, I know that, we'll do that in a moment; it's the access control list, which we'll identify in just a moment. So we've got that done. Now let's go ahead and tell it what transform set to use; we'll say set transform-set. Really, all you should have to type is set transform, it's supposed to know what I mean, but it doesn't quite work that way, so: set transform-set vpnset. Now match address 100; this is simply saying to match the addresses identified in access list 100, which I haven't configured yet, I'm going to do that in a moment, and that will identify the inside-to-inside traffic flow, as you'll see as we go through it. Now set peer: this is again the other router's outside interface, 192.168.1.211. If you think about it, it makes sense, because it wouldn't know about the other router's inside interface; it would only know about the other router's outside interface. So we'll go ahead and apply that.

Now we need to apply the crypto map to an interface. What interface do you think we would work with? Well, it's going to be the outside, because again that's where the tunnel exists, between the two outside interfaces. So interface f4, and we'll apply the crypto map with crypto map vpnset. That applies the crypto map to the interface. We're still not done: we have to configure an access control list and define the default route, and then we'll be done.

So let's go ahead and create the access list. access-list 100 permit ip: allow IP traffic to flow from our inside network to the other router's inside network. Remember, access lists are inside to inside. So here we go with 192.168.101.0 for the 24-bit mask, using the wildcard bits, or the inverse subnet mask, of 0.0.0.255. If that is foreign to you, if you're not familiar with it, that's how we do access lists on a router, and really all it's saying is that the first 24 bits of 192.168.101 are what we want to match, so the 0.0.0 represents 24 zeros and the 255 represents eight ones at the end. It's just the opposite of doing it with a traditional mask. Now the other router's inside network, 192.168.102.0, and again that goofy-looking inverse mask of 0.0.0.255. We'll hit Enter and apply it.

We're still not done; we have one more step to go, and that is to create our default route. Let me do the command do show ip route, and you can see that the gateway of last resort has not been set. In other words, that is what Cisco calls a default route, so we need to set that, and we'll do that with the ip route command: 0.0.0.0 for the address and 0.0.0.0 for the mask. What this is saying is: when you receive a packet that you don't know what else to do with, then send it to the address that you specify as the gateway of last resort, and we're going to set 192.168.1.1 for that gateway. Honestly, you don't use it in this configuration, so as far as I can tell any address will work, but we'll go ahead and make it the actual one. So we'll go ahead and hit Enter, and now in just a moment you should see the ping coming back from computer 2. And look at that, there it is, it is coming back. Now you may see a little bit of latency at first when it's set up, but eventually it should be a pretty consistent ping.

Here's a checklist of troubleshooting items for VPN connections, and you know, it's a lot of the stuff that you'd expect. Check all your cables and connectors. Validate your IP addresses, so audit your configurations, including router outside and inside interfaces, plus the addresses on each of the computers, especially if you're using dynamically assigned addresses; sometimes they change for whatever reason. Check your default gateways. Make sure that only one network connection is enabled on each PC, so that you don't run the risk of the packets going out a different interface than you expect. Confirm that the access control list is configured to allow traffic to flow from the local inside network to the remote inside network; remember, it's inside to inside. Confirm that each router's peer is configured as the remote router's outside interface; remember, peers are outside to outside. Confirm that the same keys and protocols are in use on each end of the connection. The two router configurations should mirror one another except, obviously, for your IP addresses, so just check and make sure that you're using AES on both ends, or MD5, or Triple DES, or whatever it is that you're using: the same hashing algorithms and encryption technologies on both sides. And confirm that the ISAKMP security association is there. You can use the command show crypto isakmp sa to check that. If it's not there, then your IPsec connection cannot be made either. Let me go back into PuTTY and we'll show you that command. So here's the command: we'll do do show crypto isakmp sa, and there you can see it's showing the destination of 192.168.1.211 and the source address of our router, so there's a handshake in place. If that's not there, if you don't see that, then you're not going to have any other connectivity; no other part of the VPN will work.

If you'd like more information you can visit our website at www.traknetpm.com. New videos come out about once a week; I try to get at least one a week out, and that's on our video channel, the videos page on our website. If you'd like a copy of the companion book for the video, it's available at our bookstore at soundtraining.net slash bookstore, in both Kindle and paperback. Well, I hope it's been helpful for you. Thanks for watching. For soundtraining.net, I'm Don Crawley. See you next time.
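The commands from the walkthrough, collected into a complete configuration for both routers as an added example (this is not the author's exact lab configuration). Router 1's own outside address (192.168.1.210), the pre-shared key text (vpnkey) and the outside interface name (FastEthernet4, the WAN port on an 871) are assumptions; the policy number, transform set, ACL and peer address come from the video.

```cisco
! ---- Router 1 (local) ----
! ASSUMPTIONS not stated on the page: R1 outside = 192.168.1.210/24,
! pre-shared key text = vpnkey. Replace with your own lab values.
!
! Phase 1: ISAKMP policy and pre-shared key (peer = R2's OUTSIDE address)
crypto isakmp policy 10
 hash sha
 authentication pre-share
! NOTE: no "encryption" or "group" line is set here, exactly as in the
! video, so the policy inherits the IOS defaults (DES, DH group 1).
! For anything beyond a lab, add "encryption aes" and a stronger
! "group" on BOTH ends; the policies must still mirror each other.
crypto isakmp key vpnkey address 192.168.1.211
!
! Phase 2: IPsec transform set (AES encryption, SHA-1 HMAC integrity)
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
! Crypto map ties peer, transform set and interesting-traffic ACL together
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.1.211
 set transform-set vpnset
 match address 100
!
! Apply the crypto map to the OUTSIDE interface (peers are outside to outside)
interface FastEthernet4
 ip address 192.168.1.210 255.255.255.0
 crypto map vpnset
!
! Interesting traffic is INSIDE to INSIDE: local LAN to remote LAN
access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
!
! Gateway of last resort
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! ---- Router 2 (remote) mirrors Router 1 with the addresses swapped ----
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address 192.168.1.210
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.1.210
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address 192.168.1.211 255.255.255.0
 crypto map vpnset
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Once the continuous ping is running, show crypto isakmp sa should list the peer with a state of QM_IDLE, and show crypto ipsec sa should show the encaps/decaps counters climbing; a phase 1 entry that never reaches QM_IDLE usually means the key or policy does not match on the two ends.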
