Cisco Labs – Network Security (3) – Site to site VPN using pre-shared keys on Router


During my university studies I was writing a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students so they can test basic settings for VPN, IPS and other features. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and was tested on physical Cisco routers as well.

Each task in the series has its own post with a brief description of the task and its schema. The complete task can be downloaded from my OneDrive.

NS2 – Module 4 – 4.4.7 IOS task definition


  • A site-to-site VPN tunnel using pre-shared keys will be set up between the routers.
  • Router3 only passes traffic between the site routers; it simulates the Internet.
  • Only traffic between LAN 1 and LAN 2 will be encrypted.
  • Use the OSPF routing protocol.
  • Clear and reinitialise the VPN tunnel.
  • Do not forget to erase the configuration before startup and check that the IOS image supports the required features.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Host settings (Linux PCs):

ifconfig INT7 netmask
route add default gw dev INT7

ifconfig INT8 netmask
route add default gw dev INT8


1) interface settings + OSPF:

Router1(config)#interface INT2
Router1(config-if)#ip address
Router1(config-if)#no shutdown

Router1(config)#interface INT1
Router1(config-if)#ip address
Router1(config-if)#no shutdown

Router1(config)#router ospf 1              ;configure OSPF so that every network in the scheme is reachable
Router1(config-router)#network area 0
Router1(config-router)#network area 0

Router2(config)#interface INT3
Router2(config-if)#ip address
Router2(config-if)#no shutdown

Router2(config)#interface INT4
Router2(config-if)#ip address
Router2(config-if)#no shutdown

Router2(config)#router ospf 1
Router2(config-router)#network area 0
Router2(config-router)#network area 0

Router3(config)#interface INT5
Router3(config-if)#ip address
Router3(config-if)#no shutdown

Router3(config)#interface INT6
Router3(config-if)#ip address
Router3(config-if)#no shutdown

Router3(config)#router ospf 1
Router3(config-router)#network area 0
Router3(config-router)#network area 0

2a) VPN tunnel settings, phase 1 (IKE/ISAKMP):

The policy must be the same on both ends of the tunnel (the priority number may differ). The algorithms used here (3DES, MD5, DH group 1) are legacy choices; on production equipment use AES, SHA-2 and DH group 14 or higher.

Router1(config)#crypto isakmp policy 10               ;create an ISAKMP policy with priority 10
Router1(config-isakmp)#encryption 3des                ;set the encryption algorithm
Router1(config-isakmp)#hash md5                       ;set the hash algorithm
Router1(config-isakmp)#group 1                        ;set the Diffie-Hellman group used for the key exchange
Router1(config-isakmp)#authentication pre-share       ;use pre-shared keys as the authentication method of this IKE policy
Router1(config-isakmp)#lifetime 200                   ;IKE SA lifetime in seconds (phase 1, tunnel initialisation)

Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#hash md5
Router2(config-isakmp)#group 1
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#lifetime 200

2b) VPN tunnel settings, phase 2 (IPsec):

Router1(config)#crypto ipsec transform-set TRSETRH esp-des esp-md5-hmac   ;define a transform set: the accepted combination of security protocols and algorithms
Router1(config)#access-list 111 permit ip                                  ;crypto ACL defining which traffic goes through the tunnel (LAN 1 to LAN 2; Router2 gets the mirror image)
Router1(config)#crypto isakmp key HESLO address                            ;set the pre-shared key and the far end of the tunnel
Router1(config)#crypto map LOKALNIMAPARH 10 ipsec-isakmp                   ;create crypto map entry 10, which uses IKE to negotiate the IPsec SAs
Router1(config-crypto-map)#set peer                                        ;set the far end of the VPN tunnel
Router1(config-crypto-map)#match address 111                               ;apply access list 111
Router1(config-crypto-map)#set transform-set TRSETRH                       ;apply the transform set to the crypto map
Router1(config)#interface INT2
Router1(config-if)#crypto map LOKALNIMAPARH                                ;apply the crypto map to the interface

Apply the corresponding settings on the other side of the tunnel.

Router2(config)#crypto ipsec transform-set TRSETRI esp-des esp-md5-hmac
Router2(config)#access-list 122 permit ip
Router2(config)#crypto isakmp key HESLO address
Router2(config)#crypto map LOKALNIMAPARI 10 ipsec-isakmp
Router2(config-crypto-map)#set peer
Router2(config-crypto-map)#match address 122
Router2(config-crypto-map)#set transform-set TRSETRI
Router2(config)#interface INT3
Router2(config-if)#crypto map LOKALNIMAPARI
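The two requirements above that cause most tunnel failures, a matching phase-1 policy and mirror-image crypto ACLs, can be checked offline before the configs are loaded. The following Python script is an added example and not part of the lab; its router configs and the documentation-range LAN addresses are constructed placeholders. It also flags the legacy algorithms (3DES, MD5, DH group 1) used in this task.

```python
import re
# Constructed sample configs (not the lab's own): the task's phase-1 policy and crypto
# ACLs, with placeholder LAN addresses from documentation ranges (192.0.2.0/24, 198.51.100.0/24).
ROUTER1 = """
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 1
 authentication pre-share
 lifetime 200
access-list 111 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
"""
ROUTER2 = ROUTER1.replace("policy 10", "policy 20").replace(
    "access-list 111 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255",
    "access-list 122 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255")
# Settings IOS still accepts but that are considered weak today.
LEGACY = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
          ("group", "1"), ("group", "2")}
def isakmp_policies(cfg):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    return policies
def crypto_acl_entries(cfg):
    """Return {(src, src_wildcard, dst, dst_wildcard)} from 'access-list N permit ip' lines."""
    return set(re.findall(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg))
def matching_policy(cfg_a, cfg_b):
    """Priority may differ and lifetime is negotiated to the shorter value; all else must match."""
    strip = lambda p: {k: v for k, v in p.items() if k != "lifetime"}
    for pa in isakmp_policies(cfg_a).values():
        for pb in isakmp_policies(cfg_b).values():
            if strip(pa) == strip(pb):
                return pa
    return None
def legacy_settings(policy):
    """List the weak algorithm choices in a matched policy."""
    return sorted(f"{k} {v}" for k, v in policy.items() if (k, v) in LEGACY)
def acls_mirror(cfg_a, cfg_b):
    """Crypto ACLs must be mirror images: each (src, dst) on A appears as (dst, src) on B."""
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in crypto_acl_entries(cfg_a)}
    return mirrored == crypto_acl_entries(cfg_b)
```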

3) Access list on Router3 to permit only the needed traffic:

Router3(config)#access-list 101 permit ospf any any            ;permit OSPF routing traffic
Router3(config)#access-list 101 permit esp host host           ;permit the encrypted tunnel traffic (ESP) between the two peers
Router3(config)#access-list 101 permit udp host host eq isakmp ;permit IKE/ISAKMP negotiation (UDP 500) between the two peers
Router3(config)#interface INT5
Router3(config-if)#ip access-group 101 in                      ;apply the access list inbound; everything else is dropped by the implicit deny

Function test

Use debug crypto ipsec and debug crypto isakmp to troubleshoot VPN tunnel configuration.

F1) check the IKE/IPsec router configuration:

Router1#sh crypto isakmp policy      ;display the phase 1 (IKE) policies
Router1#sh crypto ipsec sa           ;display the IPsec SAs with sent/received packet counters

A ping from LAN 1 to LAN 2 should initialise the VPN tunnel, and hosts on LAN 2 should be reachable.

F2) initialise the tunnel:

Use ping . Look at the DST and SRC addresses; which is which depends on the router from which the tunnel was initiated.

Router1#sh crypto isakmp sa
dst             src             state          conn-id slot
                                QM_IDLE        14      0

Router1#sh crypto ipsec sa

Picture: output of sh crypto ipsec sa showing the established tunnel and the number of packets sent.

F3) delete the tunnel

Router1#clear crypto isakmp          ;clear the IKE (phase 1) SAs
Router1#clear crypto sa              ;clear the existing IPsec SAs (tunnels)

Picture: output after the tunnel has been cleared.

F4) reinitialise the tunnel from the other side

Use ping . Look at the DST and SRC addresses; which is which depends on the router from which the tunnel was initiated.

If an error occurs, use the command shown in the picture; it resynchronises the Security Parameter Index (SPI) between the peers.


Optional tasks

  • Define more transform sets so that the one matching the other side of the tunnel can be selected.
  • Define different encryption and hashing algorithms – see point 2a.
  • Add one more router to the topology and create another tunnel to it.

Two or more tunnels to different locations and peers:

This is accomplished by adding:

  • a new policy section with the required settings,
  • a new access list,
  • a new crypto map entry that references a new or an existing transform set.
