Site-to-Site IPSec VPN using crypto map Configuration
3.1 IKE Policy
3.1.1 HQ
isakmp policy 10
encryption : des
hash : md5
authentication : pre-share
DH group : group 1
isakmp policy 20
encryption : 3des
hash : md5
authentication : pre-share
DH group : group 2
isakmp policy 30
encryption : aes
hash : sha
authentication : pre-share
DH group : group 2
pre-shared key : cisco123 (address: 20.0.0.2)
pre-shared key : cisco456 (address: 30.0.0.2)
3.1.2 Branch1
isakmp policy 10
encryption : 3des
hash : md5
authentication : pre-share
DH group : group 2
pre-shared key : cisco123 (address: 10.0.0.2)
3.1.3 Branch2
isakmp policy 10
encryption : aes
hash : sha
authentication : pre-share
DH group : group 2
pre-shared key : cisco456 (address: 10.0.0.2)
3.2 IPSec Transform Set
3.2.1 HQ
ipsec transform-set Trset10
protocol : esp
encryption : des
hash : md5-hmac
ipsec transform-set Trset20
protocol : esp
encryption : 3des
hash : md5-hmac
ipsec transform-set Trset30
protocol : esp
encryption : aes
hash : sha-hmac
3.2.2 Branch1
ipsec transform-set Trset10
protocol : esp
encryption : 3des
hash : md5-hmac
3.2.3 Branch2
ipsec transform-set Trset10
protocol : esp
encryption : aes
hash : sha-hmac
3.3 Crypto Map
3.3.1 HQ
crypto map ToBR 10 ipsec-isakmp
set peer 20.0.0.2
set transform-set Trset20
match address 101
crypto map ToBR 20 ipsec-isakmp
set peer 30.0.0.2
set transform-set Trset30
match address 102
3.3.2 Branch1
crypto map ToHQ ipsec-isakmp
set peer 10.0.0.2
set transform-set Trset10
match address 100
3.3.3 Branch2
crypto map ToHQ ipsec-isakmp
set peer 10.0.0.2
set transform-set Trset10
match address 100
3.4 IPSec VPN access-list
3.4.1 HQ
HQ To Branch1
access-list 101 permit ip 192.168.0.0 0.0.15.255 192.168.16.0 0.0.15.255
access-list 101 permit ip 192.168.32.0 0.0.15.255 192.168.16.0 0.0.15.255
HQ To Branch2
access-list 102 permit ip 192.168.0.0 0.0.15.255 192.168.32.0 0.0.15.255
access-list 102 permit ip 192.168.16.0 0.0.15.255 192.168.32.0 0.0.15.255
3.4.2 Branch1
Branch1 To HQ
access-list 100 permit ip 192.168.16.0 0.0.15.255 192.168.0.0 0.0.15.255
access-list 100 permit ip 192.168.16.0 0.0.15.255 192.168.32.0 0.0.15.255
3.4.3 Branch2
Branch2 To HQ
access-list 100 permit ip 192.168.32.0 0.0.15.255 192.168.0.0 0.0.15.255
access-list 100 permit ip 192.168.32.0 0.0.15.255 192.168.16.0 0.0.15.255
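Added example (not part of the original configuration notes): a Python check over the values from sections 3.1 and 3.4. It confirms that the HQ and Branch1 crypto ACLs are exact mirrors, finds which HQ ISAKMP policy each branch can match, and lists HQ policies that no branch uses. The set of parameters flagged as weak is this example's own assumption, and policy matching is simplified to equality of the four listed parameters.

```python
from ipaddress import ip_network

# Values transcribed from sections 3.1 and 3.4: (encryption, hash, auth, DH group).
HQ = {10: ("des", "md5", "pre-share", 1),
      20: ("3des", "md5", "pre-share", 2),
      30: ("aes", "sha", "pre-share", 2)}
BRANCH1 = {10: ("3des", "md5", "pre-share", 2)}
BRANCH2 = {10: ("aes", "sha", "pre-share", 2)}
ACL_HQ_101 = ["access-list 101 permit ip 192.168.0.0 0.0.15.255 192.168.16.0 0.0.15.255",
              "access-list 101 permit ip 192.168.32.0 0.0.15.255 192.168.16.0 0.0.15.255"]
ACL_BR1_100 = ["access-list 100 permit ip 192.168.16.0 0.0.15.255 192.168.0.0 0.0.15.255",
               "access-list 100 permit ip 192.168.16.0 0.0.15.255 192.168.32.0 0.0.15.255"]
# Assumption: this example's own list of parameters to flag as weak.
WEAK_ENC, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5"}, {1, 2}

def net(addr, wildcard):
    """IOS address + wildcard mask -> ip_network (ipaddress accepts host masks)."""
    return ip_network(f"{addr}/{wildcard}")

def flows(acl_lines):
    """Crypto ACL lines -> set of (source, destination) networks."""
    out = set()
    for line in acl_lines:
        f = line.split()  # access-list N permit ip SRC SWILD DST DWILD
        out.add((net(f[4], f[5]), net(f[6], f[7])))
    return out

def mirrored(local, remote):
    """True when each local flow has the reversed flow on the peer, and vice versa."""
    return flows(local) == {(d, s) for s, d in flows(remote)}

def matched(hq, peer):
    """HQ policy numbers whose parameters equal some policy on the peer."""
    return sorted(n for n, p in hq.items() if p in peer.values())

def unused(hq, peers):
    """HQ policies that no listed peer can negotiate: candidates for removal."""
    used = {n for peer in peers for n in matched(hq, peer)}
    return sorted(set(hq) - used)

def weak(policy):
    """Parameters of one policy that appear in the weak lists above."""
    enc, hsh, _auth, dh = policy
    return [x for x, bad in ((enc, WEAK_ENC), (hsh, WEAK_HASH), (dh, WEAK_DH)) if x in bad]

if __name__ == "__main__":
    print("ACL 101/100 mirrored:", mirrored(ACL_HQ_101, ACL_BR1_100))
    print("HQ policies unused by any branch:", unused(HQ, [BRANCH1, BRANCH2]))
    print("Weak parameters per HQ policy:", {n: weak(p) for n, p in HQ.items()})
```

HQ policy 10 (des / md5 / group 1) matches neither branch, so it can be removed from HQ without affecting either tunnel.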
1. Dynagen .net file
2. HQ1
3. HQ2
4. HQHOST
5. BR11
6. BR12
7. BR1HOST
8. BR21
9. BR22
10. BR2HOST
11. R1
HQ1 :
sh crypto isakmp sa
sh crypto engine connections active
BR11 :
sh crypto isakmp sa
sh crypto engine connections active
BR21 :
sh crypto isakmp sa
sh crypto engine connections active
1. HQ1
2. BR11
3. BR21