IPSEC Site to Site VPN Lab - Snowboundport37/champlain GitHub Wiki

IPSEC Site to Site VPN Lab

This document records every step used to build and verify the Champlain to Middlebury IPSEC VPN in Packet Tracer.

1 Topology Overview

Routers

  1. Champlain router

    1. Public network 216.93.144.0 255.255.255.0
    2. Private network 172.16.84.0 255.255.255.0
  2. Middlebury router

    1. Public network 140.230.18.0 255.255.255.0
    2. Private network 192.168.25.0 255.255.255.0
  3. VTEL ISP router in the middle linking the two public networks

Servers

  1. Champlain server 172.16.84.100
  2. Middlebury server 192.168.25.50

Private networks that must communicate through the VPN

  1. Champlain private 172.16.84.0/24
  2. Middlebury private 192.168.25.0/24

2 Champlain Router Configuration

Enter privileged and global configuration modes

enable
conf t

Configure interfaces

interface FastEthernet0/0
 ip address 216.93.144.1 255.255.255.0
 no shut

interface FastEthernet0/1
 ip address 172.16.84.1 255.255.255.0
 no shut

Default route toward VTEL

ip route 0.0.0.0 0.0.0.0 216.93.144.254

Define interesting traffic for the VPN

access-list 110 permit ip 172.16.84.0 0.0.0.255 192.168.25.0 0.0.0.255

Configure IKE Phase one

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
exit

crypto isakmp key NET330 address 140.230.18.1

Configure IPSEC Phase two

crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac

crypto map VPNMAP 10 ipsec-isakmp
 set peer 140.230.18.1
 set transform-set VPNSET
 match address 110
exit

Apply crypto map to the outbound public interface

interface FastEthernet0/0
 crypto map VPNMAP

Save configuration

end
wr

3 Middlebury Router Configuration

Enter privileged and global configuration modes

enable
conf t

Configure interfaces

interface FastEthernet0/0
 ip address 140.230.18.1 255.255.255.0
 no shut

interface FastEthernet0/1
 ip address 192.168.25.1 255.255.255.0
 no shut

Default route toward VTEL

ip route 0.0.0.0 0.0.0.0 140.230.18.254

Define interesting traffic for the VPN, the reverse direction of the Champlain ACL

access-list 110 permit ip 192.168.25.0 0.0.0.255 172.16.84.0 0.0.0.255

Configure IKE Phase one

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
exit

crypto isakmp key NET330 address 216.93.144.1

Configure IPSEC Phase two

crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac

crypto map VPNMAP 10 ipsec-isakmp
 set peer 216.93.144.1
 set transform-set VPNSET
 match address 110
exit

Apply crypto map to the outbound public interface

interface FastEthernet0/0
 crypto map VPNMAP

Save configuration

end
wr
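The two router configurations above only work because every crypto element on one side mirrors the other: the ACL is reversed, each peer address is the other router's public interface, the pre-shared key is bound to that same address, and the ISAKMP policy and transform set match. The following Python script is an added example, not part of the original lab; it embeds the Champlain lines from this page, builds the Middlebury side by swapping the addresses, and reports every mismatch between the pair. It assumes each config contains all of these elements and that each ip address line directly follows its interface line, and the function names are the example's own.

```python
import re

# Constructed sample: the VPN-relevant lines of the Champlain router config from this lab.
CHAMPLAIN = """interface FastEthernet0/0
 ip address 216.93.144.1 255.255.255.0
access-list 110 permit ip 172.16.84.0 0.0.0.255 192.168.25.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key NET330 address 140.230.18.1
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 140.230.18.1
 set transform-set VPNSET
 match address 110
interface FastEthernet0/0
 crypto map VPNMAP"""
# Middlebury is the mirror image: the same lines with the public and private addresses swapped.
SWAP = {"216.93.144.1": "140.230.18.1", "140.230.18.1": "216.93.144.1", "172.16.84.0": "192.168.25.0", "192.168.25.0": "172.16.84.0"}
MIDDLEBURY = re.sub(r"\d+(\.\d+){3}", lambda m: SWAP.get(m.group(), m.group()), CHAMPLAIN)

def vpn_fields(cfg):
    """Pull out the settings the two peers must agree on; a None value means that element is missing."""
    g = lambda pat: (m := re.search(pat, cfg, re.M)) and (m.groups() if m.lastindex > 1 else m.group(1))
    addrs = dict(re.findall(r"^interface (\S+)\n ip address (\S+)", cfg, re.M))  # interface -> address
    applied = re.findall(r"^interface (\S+)\n crypto map \S+$", cfg, re.M)       # interfaces holding the map
    return {
        "acl": g(r"^access-list (\d+) permit ip (\S+) \S+ (\S+) \S+$"),
        "key": g(r"^crypto isakmp key (\S+) address (\S+)$"),
        "policy": sorted(re.findall(r"^ ((?:encryption|hash|authentication|group|lifetime) .+)$", cfg, re.M)),
        "tset": g(r"^crypto ipsec transform-set (\S+) (.+)$"),
        "peer": g(r"^ set peer (\S+)$"),
        "map_tset": g(r"^ set transform-set (\S+)$"),
        "map_acl": g(r"^ match address (\d+)$"),
        "public": addrs.get(applied[0]) if applied else None,  # None when the crypto map was never applied
    }

def check_pair(a, b):
    """Return the mismatches between two parsed peers; an empty list means the configs mirror each other."""
    expect = [  # (value found on the pair, value it must equal, finding)
        (a["acl"][1:], b["acl"][2:0:-1], "interesting-traffic ACLs are not mirror images"),
        ((a["peer"], b["peer"]), (b["public"], a["public"]), "crypto map peer is not the other side's public interface address (or the map is not applied)"),
        ((a["key"][1], b["key"][1]), (a["peer"], b["peer"]), "pre-shared key is bound to an address other than the crypto map peer"),
        (a["key"][0], b["key"][0], "pre-shared keys differ"),
        (a["policy"], b["policy"], "ISAKMP policy attributes differ, Phase 1 will not negotiate"),
        (a["tset"][1], b["tset"][1], "transform sets differ, Phase 2 will not negotiate"),
        ((a["map_acl"], a["map_tset"], b["map_acl"], b["map_tset"]), (a["acl"][0], a["tset"][0], b["acl"][0], b["tset"][0]), "crypto map references an ACL or transform set that is not defined"),
    ]
    return [finding for got, want, finding in expect if got != want]
```

Running `check_pair(vpn_fields(CHAMPLAIN), vpn_fields(MIDDLEBURY))` on the lab configs returns an empty list; removing the `crypto map VPNMAP` interface line or changing the key on one side produces a single finding naming the problem.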

4 VTEL ISP Router Configuration

Enter privileged and global configuration modes

enable
conf t

Configure interfaces

interface FastEthernet0/0
 ip address 216.93.144.254 255.255.255.0
 no shut

interface FastEthernet0/1
 ip address 140.230.18.254 255.255.255.0
 no shut

Static routes for both private networks

ip route 172.16.84.0 255.255.255.0 216.93.144.1
ip route 192.168.25.0 255.255.255.0 140.230.18.1

Save configuration

end
wr

5 Server IP Configuration

Champlain server

IP address 172.16.84.100
Subnet mask 255.255.255.0
Default gateway 172.16.84.1

Middlebury server

IP address 192.168.25.50
Subnet mask 255.255.255.0
Default gateway 192.168.25.1

6 Connectivity Tests

6.1 Check public connectivity

From Champlain router

ping 140.230.18.1

From Middlebury router

ping 216.93.144.1

Both pings succeeded, which confirms that routing across VTEL works.

6.2 Verify private connectivity through the VPN

From the Champlain server command prompt

ping 192.168.25.50

From the Middlebury server command prompt

ping 172.16.84.100

Both pings succeeded, which shows that traffic between the two private networks is being carried across the tunnel.

7 VPN Verification Commands and Final Output

On each router the following commands were used

show crypto isakmp sa
show crypto ipsec sa

The important part of the final output on the Champlain router

champ-router#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 216.93.144.1

    protected vrf: (none)
    local  ident (addr/mask/prot/port): (172.16.84.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.25.0/255.255.255.0/0/0)
    current_peer 140.230.18.1 port 500
      PERMIT, flags={origin_is_acl,}

    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

inbound esp sas:
     spi: 0x43D45D410 (1137988624)

A similar output appears on the Middlebury router with matching local and remote identities and nonzero encrypted and decrypted packet counters.

This confirms

  1. The IPSEC security associations are present in both directions
  2. The interesting traffic between 172.16.84.0/24 and 192.168.25.0/24 is protected
  3. Packets are being encapsulated and decapsulated correctly across the VPN
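The three points above can be checked mechanically instead of by eye. The following Python script is an added example, not part of the lab: it parses `show crypto ipsec sa` output (the Champlain output from this page, embedded as an abridged sample) and reports when the SA identities do not match the two private networks, the peer is not the expected public address, packets are only counted in one direction, or send/receive errors appear. The function names and the expected values passed in are the example's own assumptions.

```python
import re

# Constructed sample: the Champlain router's show crypto ipsec sa output from this lab, abridged.
SAMPLE = """interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 216.93.144.1

    local  ident (addr/mask/prot/port): (172.16.84.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.25.0/255.255.255.0/0/0)
    current_peer 140.230.18.1 port 500
      PERMIT, flags={origin_is_acl,}

    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

FIELDS = {  # name -> regex over the whole output; one or two capture groups
    "local_addr": r"local addr (\S+)", "peer": r"current_peer (\S+)",
    "local": r"local +ident \S+: \((\S+?)/(\S+?)/", "remote": r"remote ident \S+: \((\S+?)/(\S+?)/",
}

def parse_ipsec_sa(text):
    """Identities, peer and packet counters of the first crypto map entry, as a dict."""
    sa = {}
    for key, pat in FIELDS.items():
        if m := re.search(pat, text):
            sa[key] = m.groups() if m.lastindex > 1 else m.group(1)
    for name, value in re.findall(r"#(?:pkts )?([a-z .]+?):? (\d+)", text):
        sa[name] = int(value)  # e.g. sa["encaps"], sa["decaps"], sa["send errors"]
    return sa

def mask_to_prefix(mask):
    """Dotted-decimal mask to prefix length, e.g. 255.255.255.0 -> 24."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))

def verify_tunnel(text, local_net, remote_net, peer):
    """Findings if the SA does not protect exactly local_net <-> remote_net with peer, or is not passing traffic both ways."""
    sa = parse_ipsec_sa(text)
    covered = {k: f"{sa[k][0]}/{mask_to_prefix(sa[k][1])}" for k in ("local", "remote")}
    findings = []
    if (covered["local"], covered["remote"]) != (local_net, remote_net):
        findings.append(f"SA covers {covered['local']} -> {covered['remote']}, expected {local_net} -> {remote_net}")
    if sa.get("peer") != peer:
        findings.append(f"peer is {sa.get('peer')}, expected {peer}")
    encaps, decaps = sa.get("encaps", 0), sa.get("decaps", 0)
    if encaps == 0 or decaps == 0:  # one-way counters usually mean the far side's ACL or route is wrong
        findings.append(f"traffic flows one way only: encaps={encaps} decaps={decaps}")
    if sa.get("send errors", 0) or sa.get("recv errors", 0):
        findings.append("send or receive errors are being counted on the SA")
    return findings
```

For the Middlebury router the same function is called with the two networks and the peer address swapped.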

Screenshots of show crypto ipsec sa on both routers were captured as the required lab deliverables.