Site2Site IPSec VPN Tunnel with Cisco EasyVPN

In Germany, some internet providers don't offer a static WAN IP address. So the easiest way to connect a branch office router to the central network via IPsec VPN is a Cisco EasyVPN connection in network-extension mode. In this example we have two networks:

The IP subnet of our main office is 192.168.1.0/24 and our branch office has the subnet 192.168.2.0/24 (yes, I want to keep it simple ^^). The first usable IP address of each subnet is assigned to the Cisco router. The configuration of the main office router is as simple as providing Cisco VPN client access to road warriors:

RouterA

Basic configuration for authentication

aaa new-model
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization network groupauth local
!
username RouterB_xauthuser password G3ntl3m@n

This will be our IPsec configuration

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicPeers 10
 set transform-set ESP-AES-SHA
!
!
crypto map CompanyVPN client authentication list userauth
crypto map CompanyVPN isakmp authorization list groupauth
crypto map CompanyVPN client configuration address respond
crypto map CompanyVPN 200 ipsec-isakmp dynamic DynamicPeers

Now we have to bind the crypto map to our outside interface. In this example we are also using X-Auth user authentication within the VPN tunnel. We are using dialer interfaces at both sites, but you can also configure the crypto map on any other outside interface:

interface Dialer1
 crypto map CompanyVPN

At this point you will see the crypto service coming up, and the router is now reachable for VPN from the internet. If you have configured an access-list, don't forget to allow the IPsec protocols and ports:

ip access-list extended wan_in
 permit ahp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp

interface Dialer1
 ip access-group wan_in in

Now we will configure an EasyVPN group for our branch office:

crypto isakmp client configuration group OfficeB
 key myS3cr3t
 acl vpn_traffic
 save-password
!
ip access-list extended vpn_traffic
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

The configuration at the main office is done. Now let's go to the branch office router.

RouterB

Basic IPsec VPN configuration

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

Then we will configure "ezvpn" with the parameters we chose for RouterB in the main office configuration:

crypto ipsec client ezvpn VPNtoMAINOFFICE
 connect auto
 group OfficeB key myS3cr3t
 mode network-extension
 peer 80.60.50.40
 acl vpn_traffic
 username RouterB_xauthuser password G3ntl3m@n
 xauth userid mode local
!
ip access-list extended vpn_traffic
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

The last thing we need to do is to bind this ezvpn group to our inside and outside interfaces:

interface Vlan1
 crypto ipsec client ezvpn VPNtoMAINOFFICE inside
!
interface Dialer1
 crypto ipsec client ezvpn VPNtoMAINOFFICE

After this you will see the ISAKMP service and the VPN tunnel coming up:

Apr 20 07:44:20.755: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Apr 20 07:44:23.283: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= RouterB_xauthuser Group=OfficeB Client_public_addr=40.50.60.70 Server_public_addr=80.60.50.40 NEM_Remote_Subnets=192.168.2.0/255.255.255.0 end
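
Because the branch office has no fixed WAN address, Client_public_addr cannot be pinned; what can be checked in the connection-up message is the group, the X-Auth user and the announced network-extension subnet. The following check for log lines in the format shown above is an added example, not part of the original post. The EXPECTED policy table, the function names and the second sample line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: line 1 is the message shown above, line 2 is a
# constructed variant that announces the main office subnet instead.
SAMPLE_LOG = """\
Apr 20 07:44:23.283: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= RouterB_xauthuser Group=OfficeB Client_public_addr=40.50.60.70 Server_public_addr=80.60.50.40 NEM_Remote_Subnets=192.168.2.0/255.255.255.0 end
Apr 21 02:13:05.101: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= RouterB_xauthuser Group=OfficeB Client_public_addr=40.50.60.99 Server_public_addr=80.60.50.40 NEM_Remote_Subnets=192.168.1.0/255.255.255.0 end
"""

# Assumed policy: X-Auth user and NEM subnet each EasyVPN group may use.
EXPECTED = {
    "OfficeB": {"user": "RouterB_xauthuser",
                "subnet": ipaddress.ip_network("192.168.2.0/24")},
}

FIELD = re.compile(r"\b(User|Group|Client_public_addr|NEM_Remote_Subnets)=\s*(\S+)")

def parse_connection_up(line):
    """Return the key=value fields of an EZVPN_CONNECTION_UP line, else None."""
    if "%CRYPTO-6-EZVPN_CONNECTION_UP" not in line:
        return None
    return dict(FIELD.findall(line))

def check(line, expected=EXPECTED):
    """Return findings for one log line; an empty list means it matches policy."""
    ev = parse_connection_up(line)
    if ev is None:
        return []                       # not a connection-up message
    policy = expected.get(ev.get("Group"))
    if policy is None:
        return [f"unknown group {ev.get('Group')}"]
    findings = []
    if ev.get("User") != policy["user"]:
        findings.append(f"unexpected user {ev.get('User')} for group {ev['Group']}")
    try:
        # ip_network accepts the address/netmask notation used in the log
        subnet = ipaddress.ip_network(ev.get("NEM_Remote_Subnets", ""))
    except ValueError:
        return findings + ["missing or unparsable NEM subnet"]
    if subnet != policy["subnet"]:
        findings.append(f"unexpected NEM subnet {subnet} from {ev.get('Client_public_addr')}")
    return findings
```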

You can test the connection by sending a ping packet to the remote router

ping 192.168.1.1 source 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/89/92 ms

You can also check the IPsec parameters:

RouterA#show crypto ipsec sa

interface: Dialer1
Crypto map tag: CompanyMap, local addr 80.60.50.40

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 40.50.60.70 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 80.60.50.40, remote crypto endpt.: 40.50.60.70
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x6BBD6C57(1807576151)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xC9F0F07D(3388010621)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: Onboard VPN:9, sibling_flags 80000046, crypto map: CompanyMap
sa timing: remaining key lifetime (k/sec): (4582408/3555)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6BBD6C57(1807576151)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: Onboard VPN:10, sibling_flags 80000046, crypto map: CompanyMap
sa timing: remaining key lifetime (k/sec): (4582408/3555)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
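
A small parser for output in the layout shown above, as an added example that is not part of the original post. It reports flows whose ESP SAs are not ACTIVE in both directions, whose encaps/decaps counters are all zero (as in the output above), or that run without PFS. The function names and finding texts are this example's own.

```python
import re

# Constructed sample: abridged from the RouterA output shown above.
SAMPLE = """\
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
PFS (Y/N): N, DH group: none
inbound esp sas:
Status: ACTIVE
outbound esp sas:
Status: ACTIVE
"""

PATTERNS = {  # field name -> regex with one capture group
    "local": r"local ident .*?: \((.+)\)",
    "remote": r"remote ident .*?: \((.+)\)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "pfs": r"PFS \(Y/N\): ([YN])",
}

def parse_flows(text):
    """Return one dict per local/remote ident pair found in the output."""
    flows, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("local ident"):
            flows.append({"active": set()})   # a new flow starts here
            section = None
        if not flows:
            continue                          # header lines before the first flow
        if line.endswith(" sas:"):
            section = line[:-5]               # e.g. "inbound esp"
        elif line.startswith("Status: ACTIVE") and section:
            flows[-1]["active"].add(section)
        for name, pat in PATTERNS.items():
            if m := re.match(pat, line):
                flows[-1][name] = m.group(1)
    return flows

def findings(flow):
    """Findings for one flow; an empty list means nothing to report."""
    out = [f"no ACTIVE {s} SA" for s in ("inbound esp", "outbound esp")
           if s not in flow["active"]]
    if int(flow.get("encaps", 0)) + int(flow.get("decaps", 0)) == 0:
        out.append("no packets encapsulated or decapsulated")
    if flow.get("pfs") == "N":
        out.append("PFS is off")
    return out
```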

So we have built a site2site VPN tunnel between two routers, where one of them only connects to the other router because its ISP access only has a dynamic WAN IP address. You can also build an EIGRP configuration within a GRE tunnel. I will show this in another post.

I hope I could help some people with this configuration example!
Have a great weekend!
