How to Setup a Cisco Router VPN (Site-to-Site): Cisco Router Training 101

Captions
Hello, and welcome to Cisco Router Training 101. My name is Don Crawley. I'm from soundtraining.net, the Seattle, Washington-based provider of accelerated training for IT professionals. This time we're configuring a site-to-site VPN between a pair of Cisco routers. It's based on chapter 12 in my book, The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide. It's available in both paperback and Kindle editions from Amazon and through other channels. If you'd like to pick up a copy, I'd love it, but please don't feel obligated; you can certainly follow along without the book.

The video is based on Cisco IOS version 12.4. The image that we're using on a pair of 871 routers is the Advanced IP Services feature set, and the reason we're doing that is because you have to have IPsec in order to set up a VPN tunnel, as we'll go over again in just a moment.

Now, what is a site-to-site VPN? Oftentimes, if we think about a VPN, we think about a remote access VPN, which would be used by travelling workers, say, logging in there on the road. Maybe they're in Milwaukee and your home office is in Minneapolis, and so they would log in to the VPN from the remote office in Milwaukee, connecting to the main office in Minneapolis. But that's not what we're talking about here. What we're talking about here is a site-to-site VPN. So suppose you have an office in Seattle and another one in Kansas City. Traditionally, what you would have done in the past is you would have leased some kind of a service, maybe a T1 line running at one and a half megabits per second and costing you a lot of money, between the two cities. Well, with the advent of the public Internet, we're able to take advantage of the public Internet infrastructure and connect through the cloud using an encrypted tunnel, and that's the key with a VPN: it applies encryption to the tunnel, thus making the communication private, and it costs a whole lot less than leasing a line, and frankly you probably get a lot more bandwidth. I hope you get a lot more bandwidth than one and a half megabits per second.

This is the diagram that we're going to be using for the demonstration, and you can download a copy of this diagram, along with all of the others from the book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide, from the book's website. It's free; you don't even have to register. You can just go there, and there's a link where you can download it in PDF format. The URL is www.soundtraining.net slash cisco router book, and that's where you can download this diagram along with the others. I'm going to be doing the demonstration on Computer 1, and I've already got Router 2 configured, so really it's just a matter of me sitting down and configuring Router 1, and if I do everything right we should be able to have communication between the two computers.

Prerequisites: in order to do this exercise, you'll need the following. Unrestricted privileged mode access to a pair of Cisco routers; obviously you can't have a VPN unless you have a pair of routers. And the equipment and software requirements: two Cisco routers. I use Cisco model 871, so you can use pretty much any router in the Cisco line, except you're not going to be able to do this with the consumer-grade Linksys Cisco routers; that won't work. This is for commercial-grade routers. You'll also need a Cisco IOS software version that supports IPsec. As I mentioned, I'm using a pair of 871s that have the Advanced IP Services feature set, but the main thing is just to make sure that your IOS version supports IPsec. You'll need a couple of computers, a console cable and terminal emulation software, of course, if you're working with routers; the one that I'm using is PuTTY.

Here's the disclaimer. This video is provided solely as a courtesy to you, our viewer. No guarantees whatsoever. Please do not attempt these procedures on a production router without first testing them for security and suitability in a lab environment. You do have one, don't you? The procedures shown in this video will modify your router's existing configuration, so ensure you've fully backed up your router's config and software images before commencing these procedures. Performing these procedures may open your router to the public Internet and subject your network to attack, so make sure you have current backups and take precautions, including data encryption and additional access controls, to protect sensitive data. That's just a generally good practice whether you're watching this video or anything else.

Here's a summary of the steps. You know, if you look at the configuration steps for setting up a VPN in a lot of the documentation out there, it looks pretty intimidating, and I understand that, but the reality is that there's four steps. Phase one is the key exchange. This is ISAKMP, Internet Security Association and Key Management Protocol. This is the handshake where the two routers agree on how they're going to communicate. Then phase two is setting up the IPsec tunnel. Then we apply the crypto map to the outside interface; that's where we identify our peers and the tunnel groups and so on. And then we create an access control list to identify the traffic flows. The access control lists are always inside to inside, so that is my LAN to the other router's LAN: inside to inside for the access control lists, outside to outside for the peers.

All right, let's go ahead and do the demo, and we'll start a continuous ping to Computer 2. Now remember, I'm on Computer 1 and Router 1, and so our partner is Router 2 and Computer 2. So we're going to start a continuous ping to Computer 2, which is at 192.168.102.2, and we'll put a -t switch on it to make it a continuous ping, and you'll see there we're getting a "destination host unreachable", or you might get a "no reply" message, but something's saying that it's not successful. We'll leave that on in the background and then we'll switch over to PuTTY so we can do the configuration on the router. And again, I'm going to leave the PowerShell window open behind PuTTY so that you'll be able to see the ping when it's successful, when we finish the configuration.

So let's go ahead and get started. We'll go into global configuration mode, config t, and then we're going to invoke cryptographic services with the command crypto, and since we're doing phase one, that's isakmp, ISAKMP, Internet Security Association and Key Management Protocol, policy. This is a grouping of our phase 1 configuration parameters, and we just have to identify it, so we'll call it policy 10. And now, what is the hash algorithm that we're going to use? We're going to use Secure Hash Algorithm, so we'll type hash sha. We could use MD5, but SHA's a little more robust, and that's pretty much what everybody's using now. And now, how are we going to authenticate? Well, we'll use a pre-shared key, so let's type authentication pre-share. And now we need to identify our key itself, so we'll type crypto isakmp key VPNKEY, and this is just a text string, but it has to match on both ends of the connection, then address; we're going to identify our peer, the other end of the connection, 192.168.1.211. And now we're done with the phase one portion of the configuration.

Let's move on to phase two, and that's setting up the encrypted tunnel. So once the handshake is successful, then it moves on to phase two, which is creating the encrypted tunnel. So this is the IPsec portion. So here we go with IPsec, once again using the crypto command to invoke cryptographic services. Now we're going to say crypto ipsec transform-set; we have to give it a name, we'll call it VPNSET. Again, you could call it billy-bob, doesn't matter, as long as you are consistent with this. And we'll say esp-aes; that is the Encapsulating Security Payload, and AES is the Advanced Encryption Standard. You could use Triple DES, but most people have moved to AES now. It's considered a little more robust and a little faster too, so we'll do AES. Then esp-sha-hmac; we're going to identify our hashing algorithm here with the hashed message authentication code, and that sets up our transform set. Again, think of the transform set as being to IPsec what the ISAKMP policy is to ISAKMP.

Now let's set up our crypto maps. We'll type exit and do crypto map VPNSET 10 ipsec-isakmp, and you'll notice that it throws off an error. It's just saying, hey, you're not done with the configuration yet. Yeah, I know that; we'll do that in a moment. That's the access control list, and we'll identify that here in just a moment. So we've got that done. Now let's go ahead and tell it what transform set to use; we'll say set transform-set. All you have to type, right? It's supposed to know what I meant, but it doesn't quite work that way, so just set transform-set to VPNSET. Now match address 100; this is simply saying to match the addresses identified in access list 100, which I haven't configured yet. I'm going to do that in a moment, and that will identify the inside-to-inside traffic flow, as you'll see as we go through it. Now we've got to set up our peer, so set peer; this is again the other router's outside interface, 192.168.1.211. Now, if you think about it, it makes sense, because it wouldn't know about the other router's inside interface; it would only know about the other router's outside interface. So we'll go ahead and apply that.

And now we need to apply the crypto map to an interface. So what interface do you suppose we would work with? Well, it's going to be the outside, because again that's where the tunnel exists, between the two outside interfaces. So interface f4, and we'll apply the crypto map with crypto map VPNSET. So that applies the crypto map to the interface. We're still not done. We have to configure an access control list and set the default route, and then we'll be done.

So let's go ahead and set the access list. So access-list 100 permit ip traffic to flow from our inside network to the other router's inside network. So remember, access lists are inside to inside. So here we go with 192.168.101.0, for the 24-bit mask using the wildcard bits, or the inverse subnet mask, of 0.0.0.255. If that is foreign to you, if you're not familiar with it, that's how we do access lists on a router, and really all it's saying is that the first 24 bits of the address, the 192.168.101, are what we want to match, and so the 0.0.0 represents 24 zeros and the 255 represents 8 ones at the end. So it's just the opposite of doing it with a traditional mask. Now the other router's inside interface, or inside network, 192.168.1.0, and again that goofy-looking inverse mask of 0.0.0.255. We'll hit enter and apply it.

And we're still not done; we have one more step to go, and that is to create our default route. Let me do the command do show ip route, and you can see that the gateway of last resort has not been set. In other words, that is what Cisco calls a default route, so we need to set that, and we'll do that with the ip route command: 0.0.0.0 for the address and 0.0.0.0 for the mask. And what this is saying is, when you receive a packet that you don't know what else to do with, then send it to the address that you specify in the gateway of last resort, and we're going to set 192.168.1.1 for that gateway. Honestly, you don't use it in the configuration, so as far as I can tell any address will work, but we'll go ahead and make it the actual one. So we'll go ahead and hit enter, and now in just a moment you should see the ping coming back from Computer 2. And look at that, there it is, it is coming back. Now you may see a little bit of latency initially when it's set up, but ultimately it should be a pretty consistent ping.

Here's a checklist of troubleshooting items for VPN connections, and you know, it's a lot of the stuff that you'd expect. Check all your cables and connectors. Verify your IP addresses; so just audit your configurations, including router outside and inside interfaces, plus the addresses on each of the computers, especially if you're using dynamically assigned addresses; sometimes they change for whatever reason. Check your default gateways. Ensure that only one network connection is enabled on each PC, so that you don't run the risk of the packets going out a different interface than you expect. Confirm that the access control list is configured to allow traffic to flow from the local inside network to the remote inside network; remember, it's inside to inside. Verify that each router's peer is configured as the remote router's outside interface; remember, peers are outside to outside. Confirm that the same keys and protocols are in use on each end of the connection. The two router configurations should mirror each other, except obviously for your IP addresses, so just audit that and make sure that you're using AES on both ends, or MD5 or Triple DES or whatever it is that you're using: the same hashing algorithms and encryption technologies on both sides. And confirm that the ISAKMP security association is there. You can use the command show crypto isakmp sa to check that. If it's not there, then your IPsec connection cannot be made either.

Let me go back into PuTTY and we'll show you that command. So here's the command, we'll do do show crypto isakmp sa, and there you can see it's showing from the destination of 192.168.1.211, or to the destination 192.168.1.211 from the source at 192.168.1.211. So there's a handshake in place, and if that's not there, if you don't see that, then you're not going to have any other connection; no other aspect of the VPN will work.

If you'd like more information, you can visit our website at www.soundtraining.net. ... this a week, but usually I try to get at least one a week on, and that's on our video channel at www.soundtraining.net slash videos. And if you'd like a copy of the companion book for the video, it's available at our bookstore at soundtraining.net slash bookstore, in both Kindle and paperback editions. Well, I hope it's been helpful for you. Thanks for watching. For soundtraining.net, I'm Don Crawley. See you next time.
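Added example (not from the video or the book): the troubleshooting checklist boils down to the two router configurations mirroring each other, with peers outside to outside and the crypto ACL inside to inside. The Python script below embeds a constructed Router 1 configuration following the commands shown in the demo and audits it against a mirrored Router 2 configuration and against a deliberately broken one. Everything the video does not state is an assumption: Router 1's FastEthernet4 address 192.168.1.210, the Vlan1 inside addresses, the remote inside network 192.168.102.0/24 (taken from the ping target), all of Router 2's configuration, and the encryption aes policy line. The demo's policy sets only hash and authentication; IOS defaults an ISAKMP policy's encryption to DES when no encryption line is given, and the audit flags that.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed sample: Router1 as in the video; its interface addresses, 'encryption aes' and
# all of Router2 are assumptions (without an encryption line IOS defaults the policy to DES).
ROUTER1 = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
crypto isakmp key VPNKEY address 192.168.1.211
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
crypto map VPNSET 10 ipsec-isakmp
 set peer 192.168.1.211
 set transform-set VPNSET
 match address 100
interface FastEthernet4
 ip address 192.168.1.210 255.255.255.0
 crypto map VPNSET
interface Vlan1
 ip address 192.168.101.1 255.255.255.0
access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""
# Router2 is Router1 with the outside addresses and inside networks swapped (via placeholders).
ROUTER2 = (ROUTER1.replace("192.168.1.211", "@A@").replace("192.168.1.210", "192.168.1.211")
           .replace("@A@", "192.168.1.210").replace("192.168.102", "@B@")
           .replace("192.168.101", "192.168.102").replace("@B@", "192.168.101"))
# Broken Router2: weak hash, and the peer pointed at Router1's inside address instead of its outside.
ROUTER2_BAD = ROUTER2.replace("hash sha", "hash md5").replace("set peer 192.168.1.210", "set peer 192.168.101.1")
WEAK = {"md5", "des", "3des", "esp-des", "esp-3des", "esp-md5-hmac"}

def wildcard_to_network(addr, wildcard):
    """ACL wildcard bits invert a subnet mask: 0 = must match, 1 = don't care."""
    wild = int(IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError(f"discontiguous wildcard {wildcard}")
    return IPv4Network((addr, 32 - wild.bit_length()), strict=False)

def parse_vpn_config(text):
    """Extract the VPN pieces; indented lines belong to the last top-level command."""
    cfg = {"policy": {}, "psk": {}, "transform": {}, "maps": {}, "interfaces": {}, "acl": {}}
    kind = block = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):
            kind = block = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                kind, block = "policy", cfg["policy"]
            elif t[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key KEY address PEER
                cfg["psk"][t[5]] = t[3]
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform"][t[3]] = set(t[4:])
            elif t[:2] == ["crypto", "map"]:
                kind, block = "map", cfg["maps"].setdefault(t[2], {})
            elif t[0] == "interface":
                kind, block = "iface", cfg["interfaces"].setdefault(t[1], {})
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                nets = (wildcard_to_network(t[4], t[5]), wildcard_to_network(t[6], t[7]))
                cfg["acl"].setdefault(t[1], []).append(nets)
        elif kind == "policy":  # encr aes / hash sha / authentication pre-share
            block["encryption" if t[0].startswith("encr") else t[0]] = " ".join(t[1:])
        elif kind == "map":  # set peer X / set transform-set X / match address N
            block[t[1]] = t[2]
        elif kind == "iface" and t[:2] == ["ip", "address"]:
            block["ip"] = IPv4Interface(f"{t[2]}/{t[3]}")
        elif kind == "iface" and t[:2] == ["crypto", "map"]:
            block["crypto_map"] = t[2]
    return cfg

def tunnel_view(cfg):
    # Resolve what the crypto map on the outside interface binds together.
    out = next((n for n, i in cfg["interfaces"].items() if "crypto_map" in i), None)
    if out is None:
        raise ValueError("no interface has a crypto map applied")
    cmap = cfg["maps"].get(cfg["interfaces"][out]["crypto_map"], {})
    return {"outside": cfg["interfaces"][out]["ip"].ip,
            "inside": {i["ip"].network for n, i in cfg["interfaces"].items() if n != out and "ip" in i},
            "peer": cmap.get("peer"), "psk": cfg["psk"].get(cmap.get("peer")),
            "transform": cfg["transform"].get(cmap.get("transform-set")),
            "acl": cfg["acl"].get(cmap.get("address"), []), "policy": cfg["policy"]}

def audit_pair(cfg_a, cfg_b, name_a="Router1", name_b="Router2"):
    """Return findings; an empty list means the two ends mirror each other."""
    a, b, f = tunnel_view(cfg_a), tunnel_view(cfg_b), []
    for n, me, other, on in ((name_a, a, b, name_b), (name_b, b, a, name_a)):
        if me["peer"] != str(other["outside"]):
            f.append(f"{n}: set peer {me['peer']} is not {on}'s outside address {other['outside']}")
        if me["psk"] is None:
            f.append(f"{n}: no pre-shared key for peer {me['peer']}")
        for src, dst in me["acl"]:
            if src not in me["inside"] or dst not in other["inside"]:
                f.append(f"{n}: ACL {src} -> {dst} is not local inside to remote inside")
        if "encryption" not in me["policy"]:
            f.append(f"{n}: ISAKMP policy sets no encryption, so IOS falls back to single DES")
        weak = WEAK & (set(me["policy"].values()) | (me["transform"] or set()))
        if weak:
            f.append(f"{n}: weak algorithms configured: {sorted(weak)}")
    if a["psk"] != b["psk"]:
        f.append("pre-shared keys differ")
    if a["policy"] != b["policy"] or a["transform"] != b["transform"]:
        f.append("ISAKMP policy or transform set differs between the two ends")
    return f
```

Calling audit_pair(parse_vpn_config(ROUTER1), parse_vpn_config(ROUTER2)) returns an empty list for the mirrored pair. With ROUTER2_BAD it reports that Router 2's peer is not Router 1's outside address, that no pre-shared key exists for that peer, that MD5 is in use, and that the keys and policies no longer match, which is exactly the sequence of checks the transcript walks through by hand. The parser only understands the commands the demo uses; a real running-config with named ACLs, multiple policies or "crypto isakmp key 0 ..." syntax would need the parser extended.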
Info
Channel: soundtraining.net
Views: 263,464
Rating: 4.8491335 out of 5
Keywords: set up a router, what is a cisco router, Cisco router, VPN, routers, how to setup cisco, vpn for cisco, router cisco, Virtual Private Network, vpn cisco, cisco vpn, vpns, what is vpn, what is cisco vpn, what is a vpn, cisco router to router
Id: rUns1Jbve0w
Length: 15min 12sec (912 seconds)
Published: Mon Oct 08 2012