
19 Nov 2009

Site-to-Site VPN with Virtual Tunnel Interfaces

Hey,

There are many ways to create Site-to-Site VPNs. One method that I like uses Virtual Tunnel Interfaces with optional IPSec encryption.

This method gives you a real virtual interface, so you can see whether the tunnel is up or down just like any other interface.

I will be using IPSec in this example, and I assume both sites have Static IP addresses.

This example involves 5 things: an ISAKMP key, an ISAKMP policy, a transform set, the tunnel interface itself, and of course a static route pushing the other site's traffic across it.

First, define your ISAKMP Key to identify each side:

RouterA(config)# crypto isakmp key P455word address B.B.B.B

Next, define your ISAKMP policy:

RouterA(config)# crypto isakmp policy 1
RouterA(config-isakmp)# encr 3des
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# group 2

Then define your IPSec transform set and bind it to the IPSec profile that the tunnel interface will reference (tunnel protection points at the profile, not directly at the transform set):

RouterA(config)# crypto ipsec transform-set ipsecTransformSet ah-sha-hmac esp-3des
RouterA(config)# crypto ipsec profile ipsecProfile
RouterA(ipsec-profile)# set transform-set ipsecTransformSet

Now we are ready to define our Tunnel Interface:

RouterA(config)# interface Tunnel1
RouterA(config-if)# description *** Tunnel to RouterB ***
RouterA(config-if)# ip unnumbered Vlan1
RouterA(config-if)# keepalive 10 3
RouterA(config-if)# tunnel source A.A.A.A
RouterA(config-if)# tunnel destination B.B.B.B
RouterA(config-if)# tunnel mode ipsec ipv4
RouterA(config-if)# tunnel protection ipsec profile ipsecProfile

I personally like to limit the number of IP addresses I need to worry about, hence the use of ip unnumbered Vlan1. The alternative is to give the tunnel its own small subnet (most likely a /30) with an address on each side; that way you can ping the far end of the tunnel if you wish.

Now we can identify our static route:

RouterA(config)# ip route 192.168.0.0 255.255.255.0 Tunnel1 permanent

I add the permanent option so that if the tunnel goes down the route stays in the routing table and the other site's traffic is not sent over the default route, which is usually a Dialer interface out to the Internet.

If you are having trouble getting your tunnel up, make sure you are not denying any IPSec or GRE traffic on your WAN connection and that you have the correct ISAKMP keys and peer addresses defined on both routers.

You may also like to run debug crypto isakmp and debug crypto ipsec to see what is going on.

You can temporarily leave your tunnel unsecured (it falls back to plain GRE) by removing:
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecProfile

The RouterB configuration is the same except that the ISAKMP key points at address A.A.A.A and the tunnel interface source and destination are swapped.
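As an added example (my own code, not from the post), here is the way I would template the two mirrored router configurations rather than typing both by hand. It renders the full RouterA and RouterB configs from one description of each site, includes the crypto ipsec profile that the tunnel protection command references, and then checks the mirror invariants that the troubleshooting advice above relies on: the pre-shared keys match, each side's tunnel destination equals the other side's tunnel source, and each ISAKMP key is bound to the peer's source address. Hostnames, WAN addresses (RFC 5737 documentation ranges standing in for A.A.A.A and B.B.B.B) and LAN prefixes are constructed sample values.

```python
"""Render mirrored RouterA/RouterB VTI configs and check the two sides agree.
Added example, not code from the original post; all addresses are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str           # hostname, e.g. "RouterA"
    wan_ip: str         # public address used as the tunnel source (A.A.A.A / B.B.B.B)
    lan: str            # LAN behind this site as "network mask"; the peer routes it via the tunnel
    unnumbered_if: str  # interface whose address the tunnel borrows via ip unnumbered


PSK = "P455word"                 # sample key from the post
TRANSFORM = "ipsecTransformSet"  # names used in the post
PROFILE = "ipsecProfile"

# Constructed sample sites (RFC 5737 documentation addresses, not real routers).
SITE_A = Site("RouterA", "198.51.100.1", "192.168.1.0 255.255.255.0", "Vlan1")
SITE_B = Site("RouterB", "203.0.113.1", "192.168.0.0 255.255.255.0", "Vlan1")


def render(local: Site, peer: Site, psk: str = PSK) -> list[str]:
    """Return the IOS config lines for `local`, pointing its tunnel at `peer`."""
    return [
        f"crypto isakmp key {psk} address {peer.wan_ip}",
        "crypto isakmp policy 1",
        " encr 3des",
        " authentication pre-share",
        " group 2",
        f"crypto ipsec transform-set {TRANSFORM} ah-sha-hmac esp-3des",
        # The profile is what `tunnel protection` references; it binds the transform set.
        f"crypto ipsec profile {PROFILE}",
        f" set transform-set {TRANSFORM}",
        "interface Tunnel1",
        f" description *** Tunnel to {peer.name} ***",
        f" ip unnumbered {local.unnumbered_if}",
        " keepalive 10 3",
        f" tunnel source {local.wan_ip}",
        f" tunnel destination {peer.wan_ip}",
        " tunnel mode ipsec ipv4",
        f" tunnel protection ipsec profile {PROFILE}",
        # permanent keeps the route when Tunnel1 is down, so the peer LAN never falls to the default route
        f"ip route {peer.lan} Tunnel1 permanent",
    ]


def _value(lines: list[str], prefix: str) -> str:
    """Remainder of the first config line that starts with `prefix` (indentation ignored)."""
    for line in lines:
        stripped = line.strip()
        if stripped.startswith(prefix):
            return stripped[len(prefix):].strip()
    raise KeyError(prefix)


def mismatches(cfg_a: list[str], cfg_b: list[str]) -> list[str]:
    """List every way the two rendered configurations fail to mirror each other."""
    problems: list[str] = []
    a_src, a_dst = _value(cfg_a, "tunnel source"), _value(cfg_a, "tunnel destination")
    b_src, b_dst = _value(cfg_b, "tunnel source"), _value(cfg_b, "tunnel destination")
    if a_dst != b_src:
        problems.append(f"A tunnel destination {a_dst} != B tunnel source {b_src}")
    if b_dst != a_src:
        problems.append(f"B tunnel destination {b_dst} != A tunnel source {a_src}")
    # "crypto isakmp key <psk> address <peer>" -> split into key and peer address
    key_a, _, peer_a = _value(cfg_a, "crypto isakmp key").partition(" address ")
    key_b, _, peer_b = _value(cfg_b, "crypto isakmp key").partition(" address ")
    if key_a != key_b:
        problems.append("pre-shared keys differ")
    if peer_a != b_src:
        problems.append(f"A keys peer {peer_a} but B sources the tunnel from {b_src}")
    if peer_b != a_src:
        problems.append(f"B keys peer {peer_b} but A sources the tunnel from {a_src}")
    return problems


if __name__ == "__main__":
    for site, peer in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        print(f"! {site.name}")
        print("\n".join(render(site, peer)))
    print("mismatches:", mismatches(render(SITE_A, SITE_B), render(SITE_B, SITE_A)))
```

Running the script prints both configurations followed by an empty mismatch list; changing the key or the peer address on one side makes the check name the exact line that disagrees, which is the first thing to look at when the tunnel will not come up.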

Hope that helps,

anon ms.

Disclaimer: I don't know enough Cisco to answer all the questions regarding IPSec and Virtual Tunnel Interfaces. For all intents and purposes, I have no idea what I'm doing!
