First we’ll discuss a basic IPsec tunnel between two ISRs:

(diagram: vpn1)

RTR-A
Define IKE Phase 1 Policy (ISAKMP)
crypto isakmp policy 10
encryption aes 256
authentication pre-share
hash sha
group 2

Define pre-shared key
crypto isakmp key pr3sh4r3dk3y address 22.2.1.1 no-xauth

Define IKE Phase 2 Policy (IPSEC)
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac

Create ACL to match interesting traffic
access-list 150 permit ip host 192.168.1.1 host 192.168.2.1

Create Crypto Map
crypto map vpn-a-to-b 10 ipsec-isakmp
set peer 22.2.1.1
set transform-set aes-sha
match address 150

Apply Crypto Map to Interface
interface Gi0/0
crypto map vpn-a-to-b

Create a route
ip route 192.168.2.1 255.255.255.255 Gi0/0

RTR-B
Define IKE Phase 1 Policy (ISAKMP)
crypto isakmp policy 10
encryption aes 256
authentication pre-share
hash sha
group 2

Define pre-shared key
crypto isakmp key pr3sh4r3dk3y address 22.1.1.1 no-xauth

Define IKE Phase 2 Policy (IPSEC)
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac

Create ACL to match interesting traffic
access-list 150 permit ip host 192.168.2.1 host 192.168.1.1

Create Crypto Map
crypto map vpn-b-to-a 10 ipsec-isakmp
set peer 22.1.1.1
set transform-set aes-sha
match address 150

Apply Crypto Map to Interface
interface Gi0/0
crypto map vpn-b-to-a

Create a route
ip route 192.168.1.1 255.255.255.255 Gi0/0
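Most failures with a pair of configs like the one above come from the two sides not agreeing: a mistyped peer address, a transform-set that differs, or crypto ACLs that are not mirror images. The script below is an added example, not code from the original post or from Cisco: it embeds the post's RTR-A and RTR-B crypto configs as constructed input, parses only the lines the post uses (no interface addresses, no wildcard-mask ACLs), and reports the mismatches. A deliberately broken copy of RTR-B, with `set peer` pointing at the remote LAN host instead of the remote router's public address, is constructed for the demonstration.

```python
"""Cross-check two IOS site-to-site IPsec configs for the mismatches that most
often stop a tunnel from forming: differing ISAKMP policy attributes or keys,
differing transform-sets, a 'set peer' that is not the address the pre-shared
key is bound to, and crypto ACLs that are not mirror images of each other.

Added example: this is not code from the original post. The two configs are
the post's RTR-A and RTR-B, embedded inline as constructed input; the check
only looks at the lines the post uses (no interface addresses, no wildcard ACLs).
"""
import re

RTR_A = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha
 group 2
crypto isakmp key pr3sh4r3dk3y address 22.2.1.1 no-xauth
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
access-list 150 permit ip host 192.168.1.1 host 192.168.2.1
crypto map vpn-a-to-b 10 ipsec-isakmp
 set peer 22.2.1.1
 set transform-set aes-sha
 match address 150
"""

RTR_B = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha
 group 2
crypto isakmp key pr3sh4r3dk3y address 22.1.1.1 no-xauth
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
access-list 150 permit ip host 192.168.2.1 host 192.168.1.1
crypto map vpn-b-to-a 10 ipsec-isakmp
 set peer 22.1.1.1
 set transform-set aes-sha
 match address 150
"""

# Constructed slip for the demo: 'set peer' pointing at the remote LAN host
# instead of the remote router's public address that the key is bound to.
RTR_B_BAD_PEER = RTR_B.replace("set peer 22.1.1.1", "set peer 192.168.1.1")


def parse(cfg):
    """Extract the fields that must agree between the two peers."""
    d = {"policy": set(), "key": None, "key_addr": None, "transform": None,
         "peer": None, "acl": []}
    for line in cfg.splitlines():
        t = line.strip()
        if t.startswith(("encryption ", "authentication ", "hash ", "group ")):
            d["policy"].add(t)                       # ISAKMP policy attributes
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", t):
            d["key"], d["key_addr"] = m.group(1), m.group(2)
        elif t.startswith("crypto ipsec transform-set "):
            d["transform"] = tuple(t.split()[4:])    # algorithms only; the name may differ per side
        elif t.startswith("set peer "):
            d["peer"] = t.split()[2]
        elif m := re.match(r"access-list \d+ permit ip host (\S+) host (\S+)", t):
            d["acl"].append((m.group(1), m.group(2)))
    return d


def check_pair(cfg_a, cfg_b):
    """Return a list of mismatch descriptions; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy attributes differ")
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform-sets differ")
    # On each router the peer in the crypto map must be the address the key is bound to.
    for name, side in (("A", a), ("B", b)):
        if side["peer"] != side["key_addr"]:
            problems.append(f"{name}: set peer {side['peer']} != isakmp key address {side['key_addr']}")
    # The crypto ACLs must mirror each other or Phase 2 proxy-ID negotiation fails.
    if set(b["acl"]) != {(dst, src) for src, dst in a["acl"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    print(check_pair(RTR_A, RTR_B))           # []
    print(check_pair(RTR_A, RTR_B_BAD_PEER))  # ['B: set peer 192.168.1.1 != isakmp key address 22.1.1.1']
```

The per-router check (`set peer` equals the `crypto isakmp key ... address`) is the one that catches the most common copy-and-paste slip; the mirror-ACL check covers the Phase 2 side. Real configs would also need the wildcard-mask ACL form and the `crypto map` peer-to-interface binding, which this example leaves out.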

Now the more likely scenario: two hosts need to talk to the same company and their IPs overlap.

(diagram: vpn2)

We’ll use the same steps, but with some adjustments on RTR-B.

Create ACL to match interesting traffic (using the NATed address this time)
access-list 150 permit ip host 192.168.11.1 host 192.168.2.1

Create route-map
route-map B-to-C permit 10
match ip address B-to-C-ACL

Create ACL to match traffic in the scenario
ip access-list extended B-to-C-ACL
permit ip host 192.168.1.1 host 192.168.2.1

Create NAT statement and apply to interfaces
ip nat inside source static 192.168.1.1 192.168.11.1 route-map B-to-C extendable

int Gi0/1
description inside
ip nat inside

int Gi0/0
description outside
ip nat outside
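The reason the crypto ACL on RTR-B now matches 192.168.11.1 rather than 192.168.1.1 is order of operations: on an inside-to-outside packet, IOS performs NAT before the crypto map's ACL is evaluated, so the crypto ACL sees the translated source. The simulation below is an added example, not code from the original post or from Cisco: it embeds the post's route-map ACL, static mapping and crypto ACL as constructed data, models the two steps in that order, and also shows what happens with a crypto ACL written against the pre-NAT address (a constructed mistake for comparison). The destination 10.9.9.9 is a constructed non-tunnel address.

```python
"""Model of RTR-B's order of operations for the overlapping-address scenario:
conditional (route-map) static NAT runs on inside->outside packets before the
crypto map's ACL is evaluated, so the crypto ACL must match the translated
source (192.168.11.1), not the real host (192.168.1.1).

Added example, not code from the original post: a small simulation of the
packet path, with the ACLs and NAT mapping from the post embedded inline.
ACL entries are written as CIDR prefixes ("host x" becomes x/32).
"""
import ipaddress

# B-to-C-ACL: which flows the route-map selects for translation
POLICY_NAT_ACL = [("192.168.1.1/32", "192.168.2.1/32")]
# ip nat inside source static 192.168.1.1 192.168.11.1 route-map B-to-C extendable
STATIC_NAT = {"192.168.1.1": "192.168.11.1"}
# access-list 150: the crypto ACL, written against the translated address
CRYPTO_ACL_150 = [("192.168.11.1/32", "192.168.2.1/32")]
# Constructed mistake for comparison: crypto ACL written against the real address
CRYPTO_ACL_PRE_NAT = [("192.168.1.1/32", "192.168.2.1/32")]


def acl_permits(acl, src, dst):
    """True if any (source-prefix, destination-prefix) entry covers the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


def egress(src, dst, crypto_acl=CRYPTO_ACL_150):
    """Inside->outside packet on RTR-B.
    Returns (source address on the wire, True if the crypto map encrypted it)."""
    # 1. Conditional static NAT: translate only when the route-map ACL matches the flow.
    if acl_permits(POLICY_NAT_ACL, src, dst) and src in STATIC_NAT:
        src = STATIC_NAT[src]
    # 2. Crypto map: the *translated* packet is compared with the crypto ACL.
    encrypted = acl_permits(crypto_acl, src, dst)
    return src, encrypted


def ingress(src, dst, crypto_acl=CRYPTO_ACL_150):
    """Outside->inside packet on RTR-B.
    Returns (destination delivered inside, True if it arrived through the tunnel)."""
    # 1. Decryption: the tunnel only carries flows matching the mirror of the crypto ACL.
    from_tunnel = acl_permits([(d, s) for s, d in crypto_acl], src, dst)
    # 2. Outside->inside NAT undoes the static mapping for the returning flow.
    reverse = {pub: real for real, pub in STATIC_NAT.items()}
    if from_tunnel and dst in reverse:
        dst = reverse[dst]
    return dst, from_tunnel


if __name__ == "__main__":
    print(egress("192.168.1.1", "192.168.2.1"))   # ('192.168.11.1', True)
    # Constructed non-tunnel destination: not selected by the route-map, so untranslated and unencrypted
    print(egress("192.168.1.1", "10.9.9.9"))      # ('192.168.1.1', False)
    # Crypto ACL written against the pre-NAT address: the translated packet no longer matches,
    # so if routing forwards it at all it leaves the outside interface unencrypted.
    print(egress("192.168.1.1", "192.168.2.1", CRYPTO_ACL_PRE_NAT))  # ('192.168.11.1', False)
    print(ingress("192.168.2.1", "192.168.11.1"))  # ('192.168.1.1', True)
```

The third call is the one worth remembering: with the crypto ACL matching the real address, nothing fails loudly, the tunnel simply never triggers for that flow and the packets go out in the clear. Checking `show crypto ipsec sa` for zero encaps while the host reports connectivity is the usual symptom.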

This can be done a little more simply on an ASA using static policy NAT:

access-list policy-nat extended permit ip host 192.168.1.1 host 192.168.2.1
static (inside,outside) 192.168.11.1 access-list policy-nat

(diagram: staticpolicyasa)
