VPN on c1100 series

kwojtyra
Level 1

Hi,

I want to set up a VPN for the first time to learn how to do it. I have a main router which has IP address 10.0.1.1 on one interface and 10.0.2.1 on the next one. Those interfaces are connected to two other routers, one with 10.0.1.10 and the other with 10.0.2.10; those routers also have LAN interfaces with address 192.168.1.1 on the first and 192.168.2.1 on the other. I want to do it with encrypted communication.

Accepted Solution

@kwojtyra 

The basic config for IPsec on routers is below. You need to change the config accordingly for your routers. For example, considering you are going to simulate an HQ and two branches, this config is for the HQ; as you can see, it has 2 policies.

On the branch you don't need to have both, only one.

!
! IKE phase 1 (ISAKMP) policies. The two policies below are identical, so a
! single policy would serve both peers; they are kept as two to mirror the two
! branches. group 5 (DH 1536-bit) and esp-sha-hmac (SHA-1) work but are weak by
! current standards; prefer group 14 or higher and esp-sha256-hmac where the
! image supports them.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 11
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
! Pre-shared keys, one per peer; use a different strong key for each branch.
crypto isakmp key <your key here> address <remote a>
crypto isakmp key <your key here> address <remote b>
!
crypto ipsec security-association lifetime seconds 1800
!
! IKE phase 2 (IPsec) transform sets
crypto ipsec transform-set Branch1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set Branch2 esp-aes 256 esp-sha-hmac
!
! Crypto ACLs ("interesting traffic"), one per tunnel. Each crypto map entry
! needs its own ACL: if both entries matched the same ACL, traffic for branch B
! would be matched by entry 10 and sent to peer A.
access-list 101 permit ip <hq lan> <wildcard> <branch a lan> <wildcard>
access-list 102 permit ip <hq lan> <wildcard> <branch b lan> <wildcard>
!
! One crypto map, with one entry (sequence number) per peer.
crypto map VPN 10 ipsec-isakmp
 set peer <remote a>
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set Branch1
 match address 101
!
crypto map VPN 11 ipsec-isakmp
 set peer <remote b>
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set Branch2
 match address 102
!

Apply to the interface (in the topology from the question the HQ router has two WAN interfaces, 10.0.1.1 and 10.0.2.1; the same crypto map is applied to each of them):

!
interface GigabitEthernetx/x
 ip address x.x.x.x x.x.x.x
 duplex auto
 speed auto
 crypto map VPN
!

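The accepted solution shows only the hub (HQ) side. As an added example, not part of the original thread, here is the matching configuration for the first branch router in the question's topology: WAN address 10.0.1.10 peering with the hub's 10.0.1.1, LAN 192.168.1.0/24. Assumptions not given in the thread: the hub LAN is 192.168.0.0/24, the branch WAN interface is GigabitEthernet0/0/0 and its LAN interface is GigabitEthernet0/0/1. The transform-set name is local to each router; only its contents, the phase 1 parameters, the PFS group and the pre-shared key must match the hub.

```cisco
! Branch 1 router (added example; mirrors the hub's crypto map entry 10)
! Assumptions not in the thread: hub LAN 192.168.0.0/24, WAN interface
! GigabitEthernet0/0/0, LAN interface GigabitEthernet0/0/1.
!
! Phase 1 must match the hub's policy: AES-256, pre-shared key, DH group 5
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
! The same key the hub configured for "address 10.0.1.10"
crypto isakmp key <branch1 key> address 10.0.1.1
!
! Phase 2 transform set: contents must match the hub's set for this branch
crypto ipsec transform-set Branch1 esp-aes 256 esp-sha-hmac
!
! Crypto ACL: the exact mirror image of the hub's ACL for this branch.
! Hub side:    access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
! Branch side:
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! A branch has a single peer, so the crypto map needs only one entry.
! The PFS group must match the hub's "set pfs group5".
crypto map VPN 10 ipsec-isakmp
 set peer 10.0.1.1
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set Branch1
 match address 101
!
interface GigabitEthernet0/0/0
 description WAN to hub
 ip address 10.0.1.10 255.255.255.0
 crypto map VPN
!
interface GigabitEthernet0/0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
! Route the hub LAN toward the hub so the traffic leaves through the
! interface that carries the crypto map (the hub needs the reverse route,
! 192.168.1.0/24 via 10.0.1.10, for the same reason)
ip route 192.168.0.0 255.255.255.0 10.0.1.1
!
! Verification, after sending traffic from 192.168.1.0/24 to 192.168.0.0/24:
!   show crypto isakmp sa   -> state QM_IDLE for peer 10.0.1.1 (phase 1 up)
!   show crypto ipsec sa    -> #pkts encaps / #pkts decaps counters increasing
!   show crypto map         -> which peer and ACL each crypto map entry uses
```

For the second branch, swap in 10.0.2.10 and 10.0.2.1, 192.168.2.0/24 and the key configured on the hub for that peer; on the hub side that branch is served by crypto map entry 11 with its own ACL. If the phase 1 SA never reaches QM_IDLE, check that the pre-shared key and policy match; if phase 1 is up but the encaps counter stays at zero, the crypto ACL or the route is usually the culprit.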

4 Replies

Hi @kwojtyra 

You are going to need a license. Can you share the output of show license?

I have securityk9


Ok, now I have it working. So the VPN from R1 to R2 is working, and those routers are connected to one main router. If I want to add another router and make it communicate with the main one, do I need to add another crypto map configuration to the main router and set up that connection on the added router? Am I right? I read that I can't add several crypto maps to one interface?