Creating an Encrypted VPN Between the LAN Interfaces of Two Routers

Problem

You want to create an encrypted VPN through the Internet by connecting the LAN interfaces of two routers using pre-shared keys.

Solution

In this example, we show how to use IPSec in tunnel mode to encrypt traffic between the LAN interfaces of two routers. Here is the configuration of the first router:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router1(config-crypto-map)#match address 103
Router1(config-crypto-map)#exit
Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 192.168.16.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map LAN2LANMAP
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#end
Router1#

The configuration for the second router is similar:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encr aes 256
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router2(config-crypto-map)#match address 103
Router2(config-crypto-map)#exit
Router2(config)#access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
Router2(config)#interface FastEthernet0/1
Router2(config-if)#description Internal LAN
Router2(config-if)#ip address 192.168.15.1 255.255.255.0
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#description Connection to Internet
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#ip access-group 101 in
Router2(config-if)#crypto map LAN2LANMAP
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#end
Router2#

Discussion

The net effect of Recipe 12.5 was to create a routable encrypted VPN link between two routers. Another common way of handling site-to-site VPNs is to take advantage of the native IPSec tunnel capability to create a bridged connection between the inside LAN interfaces of the two routers, which is what we do in this recipe.

Much of this example is nearly identical to the one shown in Recipe 12.3, so we will just focus on the differences. The first difference is in the definition of the transform-set:

Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#exit

The key difference between this transform-set and the one in the previous recipe lies in what is not there. In Recipe 12.3, our transform-set looked like this:

Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256 
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit

In this recipe, we want to use IPSec tunnel mode instead of transport mode. We could include a mode tunnel command in our transform-set definition, but since tunnel mode is the default, leaving the command out has the same effect.

The next difference comes in the crypto map configuration, and is also subtle:

Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router1(config-crypto-map)#match address 103
Router1(config-crypto-map)#exit
Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255

The principal difference here is that our access-list doesn't match GRE packets on the external Internet-facing interfaces of the routers. Instead, it matches all IP packets on the internal LAN interfaces.

The remainder of each configuration is essentially the same as in the previous recipe, but the effect is very different. In this case, we wind up with two routers that bridge their internal LAN interfaces. Any packet matching access-list 103 is automatically picked up and bridged to the other router. In the previous recipe, by contrast, traffic between the LAN segments at the two sites was routed across the tunnel.
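Everything the two routers must agree on is spread across several lines of each configuration: the peer address in the crypto map and the ISAKMP key, the crypto access-lists (which must be mirror images of each other, or phase 2 never negotiates a matching proposal), the tunnel-mode default discussed above, the crypto map being applied to the Internet-facing interface, and an inbound access-list on that interface that still admits ESP, AH and ISAKMP from the peer. The following Python script is an added example, not code from the recipe or from Cisco: it parses those parts of each router's running configuration and reports any asymmetry. The `router_config` helper builds constructed configuration text shaped like Router1 and Router2 above so that the script runs offline; every function name in it is this example's own assumption.

```python
"""Consistency checker for a pair of Cisco IOS IPsec site-to-site configurations. Added example, not
the recipe's or Cisco's code; the configurations it checks are constructed here to mirror the recipe."""
import ipaddress
import re

def router_config(my_ip, peer_ip, my_lan, peer_lan):
    """Constructed running-config excerpt in the shape of the recipe's Router1/Router2."""
    return f"""\
crypto isakmp key TUNNELKEY01 address {peer_ip}
crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
crypto map LAN2LANMAP 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set LAN2LAN-TRANSFORM
 match address 103
interface FastEthernet0/0
 ip address {my_ip} 255.255.255.0
 ip access-group 101 in
 crypto map LAN2LANMAP
access-list 101 permit esp host {peer_ip} host {my_ip}
access-list 101 permit udp host {peer_ip} host {my_ip} eq isakmp
access-list 101 permit ahp host {peer_ip} host {my_ip}
access-list 101 deny ip any any log
access-list 103 permit ip {my_lan} {peer_lan}
"""

ROUTER1 = router_config("172.16.1.1", "172.16.2.1", "192.168.16.0 0.0.0.255", "192.168.15.0 0.0.0.255")
ROUTER2 = router_config("172.16.2.1", "172.16.1.1", "192.168.15.0 0.0.0.255", "192.168.16.0 0.0.0.255")

ACE = re.compile(r"(permit|deny) (\S+) (any|host \S+|\S+ \S+) (?:eq \S+ )?(any|host \S+|\S+ \S+)(?: eq (\S+))?")

def _net(spec):
    """'any' | 'host A' | 'A WILDCARD' -> ip_network (ipaddress accepts wildcard masks directly)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    a, m = spec.split()
    return ipaddress.ip_network(f"{m}/32" if a == "host" else f"{a}/{m}")

def _parse_ace(text):
    """Split one ACE (action, protocol, source, [source-port op], destination, [eq port]) into a dict."""
    m = ACE.match(text)
    return {"action": m[1], "proto": m[2], "src": _net(m[3]), "dst": _net(m[4]), "port": m[5]}

def parse(config):
    """Group a config into blocks keyed by (kind, name) for interface/map/transform-set, plus PSKs and ACLs."""
    cfg, block = {"blocks": {}, "psk": {}, "acls": {}}, None
    for raw in filter(str.strip, config.splitlines()):
        tok = raw.split()
        if raw.startswith(" "):  # an indented line belongs to the most recent block opener
            cfg["blocks"].setdefault(block, []).append(tok)
        elif tok[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"][tok[5]] = tok[3]  # keyed by the peer address the key is bound to
        elif tok[0] == "access-list":
            cfg["acls"].setdefault(tok[1], []).append(_parse_ace(" ".join(tok[2:])))
        else:  # the block name is the token after the keyword interface / map / transform-set
            kw = next((k for k in ("interface", "map", "transform-set") if k in tok[:3]), None)
            block = (kw, tok[tok.index(kw) + 1]) if kw else None
            cfg["blocks"][block] = []
    return cfg

def _arg(lines, *prefix):
    """Token that follows `prefix` on a block line, e.g. _arg(cmap, "set", "peer") -> '172.16.2.1'."""
    return next((t[len(prefix)] for t in lines if t[:len(prefix)] == list(prefix)), None)

def _side(cfg):
    """Summarise the one interface carrying a crypto map; None if there is not exactly one."""
    bound = [ls for key, ls in cfg["blocks"].items() if key and key[0] == "interface" and _arg(ls, "crypto", "map")]
    if len(bound) != 1:
        return None
    iface, cmap = bound[0], cfg["blocks"].get(("map", _arg(bound[0], "crypto", "map")), [])
    peer, ts = _arg(cmap, "set", "peer"), _arg(cmap, "set", "transform-set")
    return {"ip": _arg(iface, "ip", "address"), "peer": peer, "psk": cfg["psk"].get(peer),
            "mode": _arg(cfg["blocks"].get(("transform-set", ts), []), "mode") or "tunnel",  # IOS default
            "inbound": cfg["acls"].get(_arg(iface, "ip", "access-group")),
            "lans": {(e["src"], e["dst"]) for e in cfg["acls"].get(_arg(cmap, "match", "address"), [])
                     if e["action"] == "permit"}}

def _admits(acl, proto, src, dst, port=None):
    """First-match evaluation of one host-to-host flow against an ACL; no match is the implicit deny."""
    s, d = ipaddress.ip_network(src + "/32"), ipaddress.ip_network(dst + "/32")
    return next((e["action"] == "permit" for e in acl if e["proto"] in (proto, "ip") and s.subnet_of(e["src"])
                 and d.subnet_of(e["dst"]) and e["port"] in (None, port)), False)

def check_pair(cfg_a, cfg_b):
    """Return findings for both ends; an empty list means the two configurations agree."""
    sides = {"A": _side(parse(cfg_a)), "B": _side(parse(cfg_b))}
    if None in sides.values():
        return [f"{t}: crypto map is not bound to exactly one interface" for t, s in sides.items() if s is None]
    findings = []
    for tag, me in sides.items():
        other, inbound = sides["B" if tag == "A" else "A"], me["inbound"]
        checks = [
            (me["peer"] == other["ip"], f"set peer {me['peer']} is not the far end's address {other['ip']}"),
            (me["psk"] is not None and me["psk"] == other["psk"], "pre-shared key missing or differs from the far end's"),
            (me["mode"] == "tunnel", "transform-set is not in tunnel mode"),
            (me["lans"] == {(d, s) for s, d in other["lans"]}, "crypto ACL is not the mirror image of the far end's"),
            (inbound is not None, "no inbound ACL on the Internet-facing interface"),
        ] + [(inbound is None or _admits(inbound, p, me["peer"], me["ip"], port), f"inbound ACL blocks {p} from the peer")
             for p, port in (("esp", None), ("ahp", None), ("udp", "isakmp"))]
        findings += [f"{tag}: {msg}" for ok, msg in checks if not ok]
    return findings
```

`check_pair(ROUTER1, ROUTER2)` returns an empty list for the recipe's setup. Remove the `ip access-group 101 in` line from one side and that side is reported; mistype the key and both ends are reported, since each compares the key it holds for its peer with the peer's; add `mode transport` to one transform-set and the tunnel-mode check fires. `_admits` evaluates the interface access-list with IOS's first-match semantics, so a `deny` placed above the permits is caught too. The script checks agreement, not strength: it takes the recipe's ISAKMP group 2 and static pre-shared key as given, and reviewing those choices is a separate exercise.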

Note that this is not a fully functional Layer 2 bridge. In particular, it only passes IP traffic that happens to match the defined access-list. If you look at this access-list, you will see that it specifies different IP subnets for the source and destination addresses, which is not how you would normally construct a Layer 2 bridge. But the nice thing about doing this is that it automatically makes bridging loops impossible, which in turn means that we don't need to run Spanning Tree.

In general, we prefer to route rather than bridge. The biggest reason for this is that it allows us to run a routing protocol across the encrypted GRE tunnel. This in turn leads to several benefits:

  • The routing protocol Hello packets will ensure that the ISAKMP keys are always refreshed.

  • The ability to log neighbor changes makes it possible to track exactly when a VPN goes down and comes back up, which is highly useful in troubleshooting.

  • In cases where there are three or more sites interconnected by VPNs, you can configure a redundant partial mesh of VPNs for relaying packets between sites.

See Also