Cisco IPSEC VPN is a must for anyone who desires to manage an enterprise network. I have always faulted the old CCNA curriculum that excluded VPN setup. It meant that many CCNA holders did not have the knowledge of how to configure IPSEC VPN except they went further by studying for the CCNA security. As expected, Cisco has recently realized this and has therefore included IPSEC VPN in the CCNA curriculum, making it a must for aspiring CCNAs. The IPSEC VPN is a technology that allows you to successfully encrypt packets sent from one LAN to the other over the public internet. In this post, I will share with us on how to successfully configure an IPSEC VPN using GNS3.
The Cisco 3600 series router running on GNS3.
Objective to set up IPSEC VPN on R1 and R3 to allow communication between networks 192.168.10.0/24 and 192.168.20.0/24. The WAN links between R2 , R1 and R3 are configured for /30. I will start my configuration from R2. In reality, our job will be done on both R1 and R3.
Interface configuration on R2
R2(config-if)#ip add 192.168.1.2 255.255.255.252
R2(config-if)#description connection to R1
R2(config-if)#ip add 192.168.2.2 255.255.255.252
R2(config-if)#description connection to R3
Interface configuration on R1
R1(config-if)#ip add 192.168.1.1 255.255.255.252
R1(config-if)#desc connection to R2
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#desc connection to LAN
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
IPSEC VPN configuration on R1
First, we need to configure an access-list to match LAN to LAN traffics
R1(config)#ip access-list extended VPN
R1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Finally, on R3, we apply the crypto map to the interface
connecting to the ISP
R3(config-if)#crypto map TGMAP
Finally, configure the interfaces on R4 and R5 with IP addresses from their various subnets and try to ping from R4 to R5 or vise versa. If done properly, the pings should be successful even though there are no routes from R2(ISP router) to the LANs. Packets to the LANs will be encrypted and sent via the IPSEC VPN tunnel.
We can use the sh crypto ipsec sa command to verify VPN connection.
If you need help building this LAB on GNS3, drop me a comment.
Ashioma Michael, a BSc (Computer Science)., MTCNA, CCNA, and CCNP holder with many years of industry-proven experience in network design, implementation and optimization. He has tutored and guided many professionals towards obtaining their Cisco certifications. Mike works as a senior network engineer with one of the leading internet service providers in West Africa.