Cisco Site-to-Site VPN using Tunnel Interfaces

Well, it’s time for me to sit my Cisco security exams again. My CCSP was superseded by the CCNP-Security so I’m on the case to regain past glory(!?). Anyway, the script is that you need the CCNA Security too, which I’ll come back to, but for now I’m into the SECURE or 642-637 exam preparation. Quite a lot has changed since I sat the equivalent in 2005; one thing of note is the new VPN method of using Tunnel interfaces instead of crypto-maps and to be honest it looks fantastic! Here’s my test in the lab, and I also got a copy of ‘Omnigraffle Pro’ which makes nice Visio type drawings…


The plan is to ping from 1.1.1.1 to 1.1.1.2 across the VPN. I’ve set the interfaces up already and will show the test ping, in case there is any doubt.

R2#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES unset  down                  down
FastEthernet0              10.0.0.2        YES manual up                    up
clipped
Loopback0                  1.1.1.2         YES manual up                    up
Vlan1                      unassigned      YES unset  up                    down    

R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES unset  down                  down
FastEthernet0              10.0.0.1        YES manual up                    up
clipped
Loopback0                  1.1.1.1         YES manual up                    up
Vlan1                      unassigned      YES unset  up                    down    

R1#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Now it’s time to configure some crypto stuff. I’ll be working through the list below:

  1. Create a transform set for IKE phase2
  2. Create an IPSec profile
  3. Create an IKE policy
  4. Create an IKE key
  5. Create the tunnel interface
  6. Create the static route

Step 1.

R1(config)#crypto ipsec transform-set TEST-SET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit

Step 2.

R1(config)#crypto ipsec profile TEST-PROFILE
R1(ipsec-profile)#set transform-set TEST-SET
R1(ipsec-profile)#exit

Step 3.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 14
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit

Step 4.

crypto isakmp key sup3rs3cr3t address 10.0.0.2

Step 5.

R1(config)#int tunnel0
R1(config-if)#ip unnumbered fa0
R1(config-if)#tunnel source fa0
R1(config-if)#tunnel destination 10.0.0.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile TEST-PROFILE
R1(config-if)#no shut

Step 6.

ip route 1.1.1.2 255.255.255.255 tunnel0

OK, now I will create a mirror configuration on R2, with the peer address, tunnel destination and static route pointing back at R1. The relevant bits are clipped from the running config. Note that default values are not included in the running config:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key sup3rs3cr3t address 10.0.0.1
!
crypto ipsec transform-set TEST-SET esp-aes esp-sha-hmac
!
crypto ipsec profile TEST-PROFILE
 set transform-set TEST-SET
!
interface Tunnel0
 ip unnumbered FastEthernet0
 tunnel source FastEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile TEST-PROFILE
!
ip route 1.1.1.1 255.255.255.255 Tunnel0

With a tunnel interface the VPN comes up without any traffic needing to pass through it first, which is new; we can see the active tunnel with the old-fashioned command:

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.2        QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

Status is ACTIVE and state is QM_IDLE, which is good. Here’s the ping test…

R1# ping 1.1.1.2 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/24 ms

I used a lot of pings to check the encap/decap totals on the command:

R1#sh crypto ipsec sa      

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0xB7D9DD26(3084508454)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2DF2C04A(770883658)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4593846/2996)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB7D9DD26(3084508454)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4593829/2996)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

You can see the ICMP packets are being ‘encapsulated’ with IPSec – so all round success!
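The counters in that output are worth reading carefully rather than just noting that they move. R1 shows 105 packets encapsulated but only 5 decapsulated, yet all 100 pings were answered, so the echo replies were mostly not coming back through the tunnel: a ping issued without a source address leaves from the unnumbered FastEthernet0 address, so R2 answers 10.0.0.1 directly on the LAN in the clear. Checking with ping 1.1.1.2 source Loopback0, and confirming that encaps and decaps then climb together, is the test that proves both directions are protected. The Python script below is an added example and is not from the original post: it parses the relevant part of show crypto ipsec sa and flags asymmetric counters, send/receive errors, a missing or inactive ESP SA in either direction, an SA without replay detection, and an SA close to rekey. The sample output is a trimmed copy of the R1 output above; the 50 % asymmetry threshold and the 300-second lifetime warning are arbitrary choices made for the example.

```python
"""Sanity checks over 'show crypto ipsec sa' output (added example)."""
import re

# Constructed sample: the relevant lines of the R1 output shown in the post.
SAMPLE_SHOW = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x2DF2C04A(770883658)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4593846/2996)
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0xB7D9DD26(3084508454)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4593829/2996)
        replay detection support: Y
        Status: ACTIVE
"""

COUNTER_RE = re.compile(r'#pkts (encaps|decaps): (\d+)')
ERRORS_RE = re.compile(r'#send errors (\d+), #recv errors (\d+)')
DIR_RE = re.compile(r'(inbound|outbound) esp sas:')
SPI_RE = re.compile(r'spi: (0x[0-9A-Fa-f]+)')          # anchored with match(): skips 'current outbound spi'
LIFE_RE = re.compile(r'remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)')


def parse_ipsec_sa(text):
    """Return the packet counters and one record per ESP SA (inbound and outbound)."""
    stats = {'encaps': 0, 'decaps': 0, 'send_errors': 0, 'recv_errors': 0}
    sas, direction, sa = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if m := COUNTER_RE.search(s):
            stats[m.group(1)] = int(m.group(2))
        elif m := ERRORS_RE.search(s):
            stats['send_errors'], stats['recv_errors'] = int(m.group(1)), int(m.group(2))
        elif m := DIR_RE.search(s):
            direction = m.group(1)
        elif direction and (m := SPI_RE.match(s)):
            sa = {'dir': direction, 'spi': m.group(1), 'replay': None,
                  'status': None, 'sec_left': None}
            sas.append(sa)
        elif sa is not None:
            if m := LIFE_RE.search(s):
                sa['sec_left'] = int(m.group(2))
            elif s.startswith('replay detection support:'):
                sa['replay'] = s.split()[-1]
            elif s.startswith('Status:'):
                sa['status'] = s.split()[-1]
    return stats, sas


def audit_ipsec_sa(text, asymmetry_ratio=0.5, rekey_warn_sec=300):
    """List the things a practitioner would want to look at in this output."""
    stats, sas = parse_ipsec_sa(text)
    findings = []
    if stats['encaps'] and stats['decaps'] < stats['encaps'] * asymmetry_ratio:
        findings.append(f"asymmetric counters: {stats['encaps']} encaps vs "
                        f"{stats['decaps']} decaps; return traffic is probably "
                        "arriving outside the tunnel")
    if stats['send_errors'] or stats['recv_errors']:
        findings.append(f"errors: send {stats['send_errors']}, recv {stats['recv_errors']}")
    for d in ('inbound', 'outbound'):
        if not any(sa['dir'] == d for sa in sas):
            findings.append(f"no {d} ESP SA")
    for sa in sas:
        if sa['status'] != 'ACTIVE':
            findings.append(f"{sa['dir']} SA {sa['spi']} status {sa['status']}")
        if sa['replay'] != 'Y':
            findings.append(f"{sa['dir']} SA {sa['spi']} has no replay detection")
        if sa['sec_left'] is not None and sa['sec_left'] < rekey_warn_sec:
            findings.append(f"{sa['dir']} SA {sa['spi']} rekeys in {sa['sec_left']}s")
    return findings


if __name__ == '__main__':
    for f in audit_ipsec_sa(SAMPLE_SHOW) or ['no findings']:
        print(f)
```

Run against the output from the post, the only finding is the asymmetric counter pair; the same routine run after a ping sourced from Loopback0 should come back empty.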
