Let’s start by discussing some of the functions used in a VPN connection:
1) Encryption algorithms used for encrypting the data:
2) Data integrity algorithms:
- Pre-Shared Key – both ends are configured with the same secret key
- RSA Signature – uses certificates for authentication between the two peers
4) Diffie-Hellman is an algorithm that enables the two peers to generate the same secret key, a key that can then be used by an encryption algorithm like AES.
The establishment of the IPSec VPN takes place in two steps:
1) IKE Phase 1 – IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase 2. A Security Association (SA) is the establishment of shared security attributes between two network entities to support secure communication. An SA may include attributes such as: cryptographic algorithm and mode; traffic encryption key; and parameters for the network data to be passed over the connection. The framework for establishing security associations is provided by the Internet Security Association and Key Management Protocol (ISAKMP).
2) IKE Phase 2 – The purpose of IKE phase 2 is to negotiate IPSec SAs to set up the IPSec tunnel.
The last important thing to keep in mind is that IPSec is an encapsulation that provides encryption, but it’s not actually a tunnel; you will need a tunneling protocol like GRE for that. IMPORTANT: if you want your routing information (OSPF, EIGRP, etc.) to propagate over the VPN tunnel to another site, you will need to use GRE.
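As an added illustration of point 4 above (not code from the original post), here is the Diffie-Hellman exchange that IKE phase 1 performs, using the 1024-bit MODP group from RFC 2409 (the "group 2" referenced by the PFS setting in the configuration). The peers only ever send their public values; both end up with the same secret, which is then run through a PRF before becoming a key (SHA-256 stands in for IKE's negotiated PRF here, an assumption of the example, not IKE's actual derivation).

```python
# Added example: Diffie-Hellman key agreement as used by IKE phase 1.
# Not part of the original post; SHA-256 as the key-derivation PRF is an
# assumption of this example, not IKE's real derivation.
import hashlib
import secrets

# RFC 2409 "Second Oakley Group" (IKE/Cisco DH group 2): 1024-bit safe prime, generator 2.
GROUP2_P = int(
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
    .replace(" ", ""), 16)
GROUP2_G = 2


class DhPeer:
    """One IKE peer's half of the exchange: a private exponent and its public value."""

    def __init__(self, p=GROUP2_P, g=GROUP2_G, private=None):
        self.p, self.g = p, g
        # The private exponent is random and never leaves the router.
        self.x = private if private is not None else secrets.randbelow(p - 2) + 1
        # Only this value is sent to the other peer.
        self.public = pow(g, self.x, p)

    def shared_secret(self, peer_public):
        # Reject degenerate public values (0, 1, p-1): they force a predictable secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.x, self.p)


def derive_key(shared, key_len=32):
    """Turn the raw DH secret into key material (SHA-256 stands in for IKE's PRF)."""
    raw = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:key_len]


def demo_exchange():
    """Run one exchange between two fresh peers; returns (keys_match, key)."""
    r1, r2 = DhPeer(), DhPeer()
    k1 = derive_key(r1.shared_secret(r2.public))
    k2 = derive_key(r2.shared_secret(r1.public))
    return k1 == k2, k1


if __name__ == "__main__":
    ok, key = demo_exchange()
    print("peers agree:", ok, "key:", key.hex())
```

The check on the incoming public value matters in practice: an IKE implementation that accepts 0, 1 or p-1 lets an on-path party drive the shared secret to a known value regardless of the private exponents.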
IPSec VPN Configuration
R1(config)#crypto isakmp policy 10
R1(config-isakmp)# encryption aes //phase 1 encryption (AES, as discussed below)
R1(config-isakmp)# authentication pre-share //required so the key below is used
R1(config-isakmp)# group 2 //assumed here to match the PFS group used in the crypto map
R1(config-isakmp)# lifetime 86400
R1(config)#crypto isakmp key cisco address 184.108.40.206
ACL for VPN traffic //one for each map sequence number
R1(config)# ip access-list extended 100
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#crypto ipsec transform-set TRANSFORM esp-3des //transform set specifies how the data will be protected (ESP algorithms)
R1(config)#crypto map MAP 1 ipsec-isakmp //use the sequence number after MAP to create multiple VPN tunnels
R1(config-crypto-map)#set peer 220.127.116.11 //multiple peers can be specified
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set TRANSFORM
R1(config-crypto-map)#match address 100
Apply MAP to the outside interface
R1(config)#interface fa0/0
R1(config-if)#crypto map MAP
In case you are using both NAT and IPSec on the same interface, you need an ACL that exempts the VPN traffic from NAT (deny the site-to-site traffic, permit the rest), otherwise the translated packets will not match the crypto ACL.
R1(config)# ip nat inside source list 101 interface fa0/0 overload
R1(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 any
R1(config)#interface tunnel 0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#tunnel source fa0/0 //local interface facing the remote site
R1(config-if)#tunnel destination 18.104.22.168 //physical interface IP address of the remote site
R1(config-if)#tunnel mode gre ip //tunnel type
The configuration must match on the second router, with the peer, tunnel destination and ACL addresses mirrored. I don’t recommend using 3DES; I used it in this example to show that there are 2 encryptions taking place (AES and 3DES), one for each IKE phase.
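Because a phase 1 or phase 2 parameter that differs between the two routers silently fails negotiation, and because the post itself advises against 3DES, here is an added check (not code from the original post) that parses the crypto sections of two IOS configurations, reports mismatched ISAKMP policy attributes, transform sets and PFS groups, and flags weak or missing algorithms. The two configuration texts are constructed for this example and use documentation-range addresses rather than the post's peers; the second router deliberately differs in lifetime and transform set so the output shows what the check catches.

```python
# Added example, not from the original post: consistency and weak-algorithm audit
# of two routers' crypto configuration. Config text below is constructed.
import re

R1_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco address 198.51.100.1
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
crypto map MAP 1 ipsec-isakmp
 set peer 198.51.100.1
 set pfs group2
 set transform-set TRANSFORM
 match address 100
"""

R2_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 203.0.113.1
crypto ipsec transform-set TRANSFORM esp-aes
crypto map MAP 1 ipsec-isakmp
 set peer 203.0.113.1
 set pfs group2
 set transform-set TRANSFORM
 match address 100
"""

# Algorithms a current deployment should not negotiate.
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
POLICY_ATTRS = ("encryption", "hash", "authentication", "group", "lifetime")


def parse_config(text):
    """Collect ISAKMP policies, PSK peers, transform sets and crypto map entries."""
    cfg = {"policies": {}, "psk_peers": set(), "transform_sets": {}, "maps": {}}
    block = None  # dict receiving the indented sub-commands of the current block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        parts = raw.split()
        if raw.startswith(" ") and block is not None:
            # Sub-command: "set pfs group2" -> pfs, "encryption aes" -> encryption
            key, value = (parts[1], parts[2:]) if parts[0] == "set" else (parts[0], parts[1:])
            block[key] = " ".join(value)
            continue
        block = None
        if raw.startswith("crypto isakmp policy "):
            block = cfg["policies"].setdefault(parts[3], {})
        elif raw.startswith("crypto isakmp key "):
            cfg["psk_peers"].add(parts[parts.index("address") + 1])
        elif raw.startswith("crypto ipsec transform-set "):
            cfg["transform_sets"][parts[3]] = set(parts[4:])
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", raw):
            block = cfg["maps"].setdefault((parts[2], parts[3]), {})
    return cfg


def weak_settings(cfg, label):
    """Per-router findings: weak algorithms, ESP without integrity, peers lacking a PSK, no PFS."""
    findings = []
    for num, pol in cfg["policies"].items():
        for attr in POLICY_ATTRS:
            if pol.get(attr) in WEAK:
                findings.append(f"{label}: policy {num} uses weak {attr} {pol[attr]}")
    for name, transforms in cfg["transform_sets"].items():
        for t in sorted(transforms & WEAK):
            findings.append(f"{label}: transform-set {name} uses weak transform {t}")
        if not any(t.endswith("-hmac") for t in transforms):
            findings.append(f"{label}: transform-set {name} has no integrity transform")
    for (name, seq), cm in cfg["maps"].items():
        if cm.get("peer") not in cfg["psk_peers"]:
            findings.append(f"{label}: crypto map {name} {seq} peer {cm.get('peer')} has no pre-shared key")
        if "pfs" not in cm:
            findings.append(f"{label}: crypto map {name} {seq} has no PFS")
    return findings


def mismatches(a, b):
    """Parameters that must agree on both peers for phase 1 and phase 2 to negotiate."""
    findings = []
    for num, pol in a["policies"].items():
        other = b["policies"].get(num, {})
        for attr in POLICY_ATTRS:
            if pol.get(attr) != other.get(attr):
                findings.append(f"policy {num}: {attr} differs ({pol.get(attr)} vs {other.get(attr)})")
    for name, ts in a["transform_sets"].items():
        other = b["transform_sets"].get(name, set())
        if ts != other:
            findings.append(f"transform-set {name} differs ({' '.join(sorted(ts))} vs {' '.join(sorted(other))})")
    for (name, seq), cm in a["maps"].items():
        other = b["maps"].get((name, seq), {})
        if cm.get("pfs") != other.get("pfs"):
            findings.append(f"crypto map {name} {seq}: pfs differs ({cm.get('pfs')} vs {other.get('pfs')})")
    return findings


def audit(text_a, text_b, label_a="R1", label_b="R2"):
    cfg_a, cfg_b = parse_config(text_a), parse_config(text_b)
    return mismatches(cfg_a, cfg_b) + weak_settings(cfg_a, label_a) + weak_settings(cfg_b, label_b)


if __name__ == "__main__":
    for finding in audit(R1_CONFIG, R2_CONFIG):
        print(finding)
```

Run against the two constructed configs it reports the lifetime mismatch, the transform-set mismatch, the 3DES transform on R1 and the missing integrity transform on R2; against a real pair of routers, feed it the output of show running-config | section crypto from each side.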
You can also check out these 3 posts about IPSec VPNs: