Here are the simple steps for configuring a Cisco IPSec site-to-site VPN.
Part 1 – ISAKMP (Internet Security Association and Key Management Protocol): establishes the tunnel / secure path
Part 2 – IPSec: the actual data encryption
1. Configuring IKE / ISAKMP
Router# conf t
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# encryption aes 256
Router(config-isakmp)# group 2
Router(config-isakmp)# hash md5
Router(config)# crypto isakmp key [xxxxx] address x.x.x.x no-xauth ; x.x.x.x – the remote peer (destination) IP
Router(config)# crypto isakmp keepalive 60 60
2. Creating Crypto Access Lists
Router(config)# ip access-list extended [xxx]
Router(config-ext-nacl)# permit [Source IP block] [Wildcard] [Destination IP block] [Wildcard]
ex)
Router(config)# access-list 101 remark VPN to HQ Rule
Router(config)# access-list 101 permit ip 10.10.1.0 0.0.0.255 192.168.0.0 0.0.255.255
3. Defining a Transform Set
Router(config)# crypto ipsec transform-set [name] [transform1] [transform2] ...
Router(cfg-crypto-trans)# mode [tunnel | transport]
ex)
Router(config)# crypto ipsec transform-set FIPS-140-2 esp-aes 256 esp-sha-hmac
Router(cfg-crypto-trans)# mode tunnel
4. Creating Crypto Maps
Router(config)# crypto map [map-name] [seq-num] ipsec-isakmp
Router(config-crypto-map)# match address access-list-id
Router(config-crypto-map)# set peer [hostname | ip-address]
Router(config-crypto-map)# set transform-set [transform-set-name]
ex)
Router(config)# crypto map VPN2HQ 1 ipsec-isakmp
Router(config-crypto-map)# description Tunnel to HQ
Router(config-crypto-map)# set peer x.x.x.x ; Destination IP
Router(config-crypto-map)# set transform-set FIPS-140-2
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# qos pre-classify
5. Applying Crypto Maps to Interfaces
Router(config)# interface fa0/0
Router(config-if)# crypto map [map-name]
ex)
Router(config-if)# crypto map VPN2HQ
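The configuration built in steps 1 to 5, reassembled as a running-config snippet and checked by a small Python auditor. This is an added example, not part of the original notes: it verifies that each crypto map entry has a peer, resolves its transform set and crypto ACL, and is applied to an interface, and it flags the legacy "hash md5" and "group 2" choices in the ISAKMP policy. The peer 203.0.113.2, the key EXAMPLE-PSK and the interface name are placeholders.

```python
import re

# Constructed sample mirroring the page's steps 1-5 with placeholder peer/PSK; not from a real device.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes 256
 group 2
 hash md5
crypto isakmp key EXAMPLE-PSK address 203.0.113.2 no-xauth
crypto ipsec transform-set FIPS-140-2 esp-aes 256 esp-sha-hmac
crypto map VPN2HQ 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set FIPS-140-2
 match address 101
access-list 101 permit ip 10.10.1.0 0.0.0.255 192.168.0.0 0.0.255.255
interface FastEthernet0/0
 crypto map VPN2HQ
"""
WEAK_HASHES = {"md5"}             # the page's "hash md5" is a legacy choice
WEAK_DH_GROUPS = {"1", "2", "5"}  # "group 2" is 1024-bit MODP

def audit_ipsec_config(config: str) -> list[str]:
    findings = []  # human-readable findings; empty list means all checks passed
    transform_sets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    acls |= set(re.findall(r"^ip access-list extended (\S+)", config, re.M))
    applied = set(re.findall(r"^ crypto map (\S+)$", config, re.M))
    # Phase 1: flag weak ISAKMP policy algorithms (body = the indented lines under the header)
    for m in re.finditer(r"^crypto isakmp policy (\d+)\n((?: .*\n)*)", config, re.M):
        pol, body = m.groups()
        h = re.search(r"^ hash (\S+)", body, re.M)
        g = re.search(r"^ group (\d+)", body, re.M)
        if h and h.group(1) in WEAK_HASHES:
            findings.append(f"isakmp policy {pol}: weak hash {h.group(1)}")
        if g and g.group(1) in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {pol}: weak DH group {g.group(1)}")
    # Phase 2: each crypto map entry must resolve its references and be applied to an interface
    for m in re.finditer(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .*\n)*)", config, re.M):
        name, seq, body = m.groups()
        ts = re.search(r"^ set transform-set (\S+)", body, re.M)
        acl = re.search(r"^ match address (\S+)", body, re.M)
        if not re.search(r"^ set peer \S+", body, re.M):
            findings.append(f"crypto map {name} {seq}: no peer set")
        if not ts or ts.group(1) not in transform_sets:
            findings.append(f"crypto map {name} {seq}: transform-set missing or undefined")
        if not acl or acl.group(1) not in acls:
            findings.append(f"crypto map {name} {seq}: crypto ACL missing or undefined")
        if name not in applied:
            findings.append(f"crypto map {name}: not applied to any interface")
    return findings
```

Run it against the output of `show running-config` to catch a crypto map that references a mistyped ACL or transform set, which otherwise shows up only as a tunnel that never negotiates.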
6. Verifying
clear crypto sa
clear crypto sa peer [ip-address | peer-name]
clear crypto sa map [map-name]
show crypto isakmp sa
show crypto isakmp sa nat
show crypto ipsec sa
show crypto ipsec transform-set
show crypto map
show crypto engine connection active
show crypto engine connection dropped-packet
show crypto engine connection flow
show crypto engine qos
show crypto dynamic-map [tag map-name]
show crypto ipsec security-association-lifetime
7. Troubleshooting & Tips
– In GNS3, generate host traffic to build the SA (Security Association), e.g. an extended ping to the other side. If no traffic matching your crypto access list is initiated from a host, the router will not try to negotiate the tunnel.
Debug commands
debug crypto isakmp
debug crypto isakmp error
debug crypto ipsec
debug crypto ipsec error
debug crypto engine
debug crypto engine error
8. Error messages
– "select crypto engine: ce_engine[2] does not accept the capabilities" : ignore