Configuring Cisco Site to Site IPSec VPN with Dynamic IP Endpoint Cisco Routers

Configure Site to Site IPSec VPN Tunnel in Cisco IOS Router


Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers

First we create a crypto map named VPN, which will be applied to the public interface of our headquarter router, and link it to the dynamic crypto maps we named hq-vpn. The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Next we create our two dynamic crypto maps with the configuration commands that follow.

Notice that we create one dynamic map for each remote network. Adding remote sites in the future is as simple as adding more dynamic crypto maps, incrementing the index number and specifying the match address extended access-list for each remote network. At this point we have completed the IPsec VPN configuration on our headquarter router and can move on to the remote endpoint routers. Our remote routers connect to the Internet and are assigned by the ISP a dynamic IP address that changes periodically.

For the most part, the configuration is similar to that of the headquarter router, with a few minor changes. In the configuration below, IP address Remote Site 1 Router. VPN traffic must also be excluded from NAT; this is easily done by inserting a deny statement at the beginning of the NAT access lists. To initiate the VPN tunnel, we need to force one packet to traverse the VPN, which can be achieved by pinging from one router to the other.

There is, however, one caveat that was mentioned at the beginning of this article: the first ping times out. The reason is simple and logical: the first packet, sent with a source address in the local LAN, is what triggers the tunnel negotiation, and the time required to bring up the VPN tunnel is sometimes slightly more than 2 seconds, so the first ping times out. To verify the VPN tunnel, use the show crypto session command.

Again, the first ping received a timeout, but the rest received a reply, as expected. Issuing the show crypto session command on the headquarter router reveals the public IP addresses of all remote routers. This is a useful shortcut when trying to find the current public IP address of a remote router. Note that ISAKMP Phase 1 policies are tried in order: if we have five different remote sites and have configured five different ISAKMP Phase 1 policies (one for each remote router), then when our router negotiates a VPN tunnel with a site it sends all five policies and uses the first one accepted by both ends.

Next we define a pre-shared key for authentication with our peer router R2 using the following command. The next step is to create an access-list that defines the traffic we want the router to pass through the VPN tunnel; in this example, that is traffic from one LAN to the other. Access-lists that define VPN traffic are sometimes called crypto access-lists or interesting-traffic access-lists.

The next step is to create the transform set used to protect our data, followed by the crypto map. The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is only one peer declared in this crypto map. The final step is to apply the crypto map to the outgoing interface of the router.

We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, the only differences being the peer IP addresses and the access lists. VPN traffic must also be excluded from NAT; this is easily done by inserting a deny statement at the beginning of the NAT access lists. To initiate the VPN tunnel, we need to force one packet to traverse the VPN, which can be achieved by pinging from one router to the other.

The first ping received a timeout, but the rest received a reply, as expected. The time required to bring up the VPN tunnel is sometimes slightly more than 2 seconds, causing the first ping to time out.
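The hub-side dynamic crypto map configuration and the remote-site static crypto map described above, brought together in one IOS configuration as an added example (an editor's listing, not the article's own). The crypto map name VPN, the dynamic map name hq-vpn and the deny-before-permit NAT exemption come from the text; all IP addresses, ACL and transform-set names, interface names and the cipher suite are constructed assumptions, and the AES-256 / SHA-256 / group 14 parameters require IOS 15.x.

```cisco
! ===== HUB (headquarter router; static public IP 203.0.113.1 is a constructed value) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Remote peers have dynamic addresses, so the PSK is bound to the 0.0.0.0 wildcard.
! Anyone holding this PSK can complete Phase 1 with the hub: keep it long and rotate it.
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
! Interesting-traffic ACLs: one per remote LAN (10.20.20.0/24 and 10.30.30.0/24 are constructed)
ip access-list extended VPN-SITE1
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended VPN-SITE2
 permit ip 10.10.10.0 0.0.0.255 10.30.30.0 0.0.0.255
! One dynamic crypto map entry per remote network; a new site is a new index in hq-vpn
crypto dynamic-map hq-vpn 10
 set transform-set TS
 match address VPN-SITE1
crypto dynamic-map hq-vpn 11
 set transform-set TS
 match address VPN-SITE2
! The static crypto map VPN binds the dynamic set and is applied to the public interface
crypto map VPN 10 ipsec-isakmp dynamic hq-vpn
! NAT exemption: the deny statements for VPN traffic go BEFORE the overload permit
ip access-list extended NAT-TRAFFIC
 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.30.30.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
 crypto map VPN
! ===== REMOTE SITE 1 (dynamic public IP; Dialer1 as the WAN interface is assumed) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! The spoke knows the hub's fixed address, so its PSK is bound to that one peer only
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
ip access-list extended VPN-HQ
 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-HQ
interface Dialer1
 crypto map VPN
```

The spoke needs the same deny-before-permit NAT exemption for 10.20.20.0/24 to 10.10.10.0/24 and ip nat inside/outside on its LAN and WAN interfaces; both are omitted here for space. Once the first LAN-to-LAN packet brings the tunnel up, show crypto session on the hub lists each spoke's current public address.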
