Creating an Encrypted VPN Between the LAN Interfaces of Two Routers
Problem
You want to create an encrypted VPN through the Internet by connecting the LAN interfaces of two routers using pre-shared keys.
Solution
In this example, we show how to use IPSec in tunnel mode to encrypt traffic between the LAN interfaces of two routers. Here is the configuration of the first router:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#crypto isakmp policy 10 Router1(config-isakmp)#encr aes 256 Router1(config-isakmp)#authentication pre-share Router1(config-isakmp)#group 2 Router1(config-isakmp)#exit Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256 Router1(cfg-crypto-trans)#exit Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1 Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router1(config-crypto-map)#set peer 172.16.2.1 Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM Router1(config-crypto-map)#match address 103 Router1(config-crypto-map)#exit Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255 Router1(config)#interface FastEthernet0/1 Router1(config-if)#ip address 192.168.16.1 255.255.255.0 Router1(config-if)#exit Router1(config)#interface FastEthernet0/0 Router1(config-if)#ip address 172.16.1.1 255.255.255.0 Router1(config-if)#ip access-group 101 in Router1(config-if)#crypto map LAN2LANMAP Router1(config-if)#exit Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2 Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1 Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1 Router1(config)#access-list 101 deny ip any any log Router1(config)#end Router1#
The configuration for the second router is similar:
Router2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router2(config)#crypto isakmp policy 10 Router2(config-isakmp)#encr aes 256 Router2(config-isakmp)#authentication pre-share Router2(config-isakmp)#group 2 Router2(config-isakmp)#exit Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1 Router2(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256 Router2(cfg-crypto-trans)#exit Router2(config)#crypto map LAN2LANMAP 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router2(config-crypto-map)#set peer 172.16.1.1 Router2(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM Router2(config-crypto-map)#match address 103 Router2(config-crypto-map)#exit Router2(config)#access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255 Router2(config)#interface FastEthernet0/1 Router2(config-if)#description Internal LAN Router2(config-if)#ip address 192.168.15.1 255.255.255.0 Router2(config-if)#exit Router2(config)#interface FastEthernet0/0 Router2(config-if)#description Connection to Internet Router2(config-if)#ip address 172.16.2.1 255.255.255.0 Router2(config-if)#crypto map LAN2LANMAP Router2(config-if)#exit Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2 Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1 Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1 Router2(config)#access-list 101 deny ip any any log Router2(config)#end Router2#
Discussion
The net effect of Recipe 12.5 was to create a routable encrypted VPN link between two routers. Another common way of handling site-to-site VPNs is to take advantage of the native IPSec tunnel capability to create a bridged connection between the inside LAN interfaces of the two routers, which is what we do in this recipe.
Much of this example is nearly identical to the one shown in Recipe 12.3, so we will just focus on the differences. The first difference is in the definition of the transform-set:
Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256 Router1(cfg-crypto-trans)#exit
The key difference between this transform-set and the one in the previous recipe is to look at what's not there. In Recipe 12.3, our transform-set looked like this:
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256 Router1(cfg-crypto-trans)#mode transport Router1(cfg-crypto-trans)#exit
In this recipe, we want to use IPSec tunnel mode instead of transport mode. We could include a mode tunnel command in our transform set definition, but since that's the default, we have left it out to get the same effect.
The next difference comes in the crypto map configuration, and is also subtle:
Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router1(config-crypto-map)#set peer 172.16.2.1 Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM Router1(config-crypto-map)#match address 103 Router1(config-crypto-map)#exit Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
The principle difference here is that our access-list doesn't match GRE packets on the external Internet-facing interfaces of the routers. Instead it matches all IP packets on the internal LAN interfaces.
The remainders of the configurations are essentially the same as in the previous recipe. But the effect is very different. In this case, we wind up with two routers that bridge their internal LAN interfaces. Any packet matching access-list 103 will be automatically picked up and bridged to the other router. Conversely, in the previous recipe, traffic between the LAN segments at the two different sites was routed across the tunnel.
Note that this is not a fully functional Layer 2 bridge. In particular, it only passes IP traffic that happens to match the defined access-list. If you look at this access-list, you will see that it specifies different IP subnets for the source and destination addresses, which is not how you would normally construct a Layer 2 bridge. But the nice thing about doing this is that it automatically makes bridging loops impossible, which in turn means that we don't need to run Spanning Tree.
In general, we prefer to route rather than bridge. The biggest reason for this is that it allows us to run a routing protocol across the encrypted GRE tunnel. This in turn leads to several benefits:
- The routing protocol Hello packets will ensure that the ISAKMP keys are always refreshed.
- The ability to log neighbor changes makes it possible to track exactly when a VPN goes down and comes back up, which is highly useful in troubleshooting.
- In cases when there are three or more sites interconnected by VPNs, you can configure a redundant partial mesh of VPNs for relaying packets between sites.
See Also
Recipe 12.3