IPsec Virtual Private Network (VPN) tunnels facilitate secure transmission of data, voice, and video between two different sites such as offices and their branches. The VPN tunnel is created over the Internet public network, and the IPsec tunnel mode is used between two dedicated routers, wherein each router acts as one end of a virtual tunnel through a public network.

In this mode, the original IP header that contains the final destination of the packet is fully encrypted using advanced encryption algorithms for security purposes in addition to the packet payload. Thus, the confidentiality of data remains protected even when data is being transferred between two sites that are geographically distant.

In this article, we will discuss how to set up and configure two Cisco routers to create a permanent secure site-to-site VPN tunnel over the public network by using IP Security (IPsec) protocol.

What You Must Know When Creating IPsec VPN Tunnels While Configuring Cisco Routers

• Internet Security Association and Key Management Protocol (ISAKMP) and IP Security (IPsec) are important for building and encrypting the VPN tunnel.
• Also called Internet Key Exchange (IKE), ISAKMP acts as the negotiation protocol that allows two hosts to agree on how to build an IP Security association. This negotiation includes two phases.
• While Phase 1 creates the first tunnel that later protects ISAKMP negotiation messages, Phase 2 creates the tunnel that protects the data.
• Then, IPsec is used to encrypt the data and provides authentication, encryption, and anti-replay services.

What are the requirements of an IPsec VPN?

To create the Site-to-Site IPsec VPN Tunnel, you need to follow these two steps:

• Configure ISAKMP (ISAKMP Phase 1)
• Configure IPsec (ISAKMP Phase 2, ACLs, Crypto MAP)

Let’s assume that there are two branches of a small company: Site 1 and Site 2. The routers of both branches connect to the Internet and have a static IP Address assigned by their Internet Service Provider (ISP).

While Site 1 is configured with an internal network of 10.10.10.0/24, Site 2 is configured with a network 20.20.20.0/24. Your goal is to securely connect both LAN networks and facilitate full communication between them seamlessly.

Step 1: Configure ISAKMP (IKE) (Phase 1)

Since IKE exists only to establish Security Associations (SAs) for IPsec, it must first negotiate an SA with its peer. Start with the Site 1 router.
To configure an ISAKMP Phase 1 policy, you will need the following commands:

• R1(config)# crypto isakmp policy 1
• R1(config-isakmp)# encr 3des
• R1(config-isakmp)# hash md5
• R1(config-isakmp)# authentication pre-share
• R1(config-isakmp)# group 2
• R1(config-isakmp)# lifetime 86400

Here,
3DES - the encryption method used for Phase 1
MD5 - the hashing algorithm
Pre-share - Pre-shared key as the authentication method
Group 2 - Diffie-Hellman group to be used
86400 - Session key lifetime

To define a pre-shared key for authentication with its peer (R2 router), use the following command:
• R1(config)# crypto isakmp key firewallcx address 1.1.1.2

R2's pre-shared key is set to firewallcx and its public IP address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2, this key will be used.

Step 2: Configure IPsec (Phase 2)

To create the extended ACL that identifies the traffic to be protected by the tunnel, use:
• R1(config)# ip access-list extended VPN-TRAFFIC
• R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

To create the IPsec transform set (ISAKMP Phase 2 policy), here named TS, use:
• R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

To create Crypto Map, use:
• R1(config)# crypto map CMAP 10 ipsec-isakmp
• R1(config-crypto-map)# set peer 1.1.1.2
• R1(config-crypto-map)# set transform-set TS
• R1(config-crypto-map)# match address VPN-TRAFFIC

To apply the crypto map to the outgoing public interface (FastEthernet 0/1) of the router, use:
• R1(config)# interface FastEthernet0/1
• R1(config-if)# crypto map CMAP

Note that only one crypto map can be assigned to an interface. After this, the router prints a message confirming that ISAKMP is on. You have now completed the IPsec VPN configuration on the Site 1 router.

Now configure the VPN on the Site 2 router. The settings for Router 2 are the same, the only differences being the peer IP address and the access list.

• R2(config)# crypto isakmp policy 1
• R2(config-isakmp)# encr 3des
• R2(config-isakmp)# hash md5
• R2(config-isakmp)# authentication pre-share
• R2(config-isakmp)# group 2
• R2(config-isakmp)# lifetime 86400

• R2(config)# crypto isakmp key firewallcx address 1.1.1.1
• R2(config)# ip access-list extended VPN-TRAFFIC
• R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

• R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
• R2(config)# crypto map CMAP 10 ipsec-isakmp
• R2(config-crypto-map)# set peer 1.1.1.1
• R2(config-crypto-map)# set transform-set TS
• R2(config-crypto-map)# match address VPN-TRAFFIC

• R2(config)# interface FastEthernet0/1
• R2(config-if)# crypto map CMAP
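The most common reason a tunnel like this never comes up is that the two routers' settings do not mirror each other. As an added example (not from the article), this small Python checker parses the key R1 and R2 lines above, constructed inline, and reports every mismatch that would break Phase 1 or Phase 2; it also flags the 3DES/MD5 transforms as legacy algorithms worth reviewing.

```python
import re

# Constructed input: the peer-sensitive R1 and R2 lines from the article, one config per string.
R1 = """crypto isakmp key firewallcx address 1.1.1.2
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
set peer 1.1.1.2"""
R2 = """crypto isakmp key firewallcx address 1.1.1.1
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
set peer 1.1.1.1"""
R1_WAN, R2_WAN = "1.1.1.1", "1.1.1.2"  # public addresses as given in the article

# Algorithms Cisco's own guidance lists as legacy; the article's transform set uses two of them.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse(cfg):
    """Pull out the values that must agree between the two peers."""
    key, addr = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg).groups()
    src, smask, dst, dmask = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    transforms = re.search(r"transform-set \S+ (.+)", cfg).group(1).split()
    peer = re.search(r"set peer (\S+)", cfg).group(1)
    return {"key": key, "key_addr": addr, "acl": ((src, smask), (dst, dmask)),
            "transforms": set(transforms), "peer": peer}


def check_pair(r1_cfg, r1_wan, r2_cfg, r2_wan):
    """Return a list of problems; an empty list means the two sides mirror each other."""
    a, b = parse(r1_cfg), parse(r2_cfg)
    problems = []
    if a["peer"] != r2_wan or b["peer"] != r1_wan:
        problems.append("crypto map peers do not point at each other's public address")
    if a["key_addr"] != r2_wan or b["key_addr"] != r1_wan:
        problems.append("pre-shared key is bound to the wrong peer address")
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ; Phase 1 authentication will fail")
    # R2's ACL must be the exact mirror of R1's, or the Phase 2 proxy identities will not match.
    if a["acl"] != (b["acl"][1], b["acl"][0]):
        problems.append("crypto ACLs are not mirror images; Phase 2 proxy IDs will not match")
    if a["transforms"] != b["transforms"]:
        problems.append("transform sets differ; no Phase 2 proposal will be accepted")
    weak = LEGACY & (a["transforms"] | b["transforms"])
    if weak:
        problems.append(f"legacy algorithms in transform set: {sorted(weak)}")
    return problems


if __name__ == "__main__":
    for p in check_pair(R1, R1_WAN, R2, R2_WAN) or ["configs mirror each other"]:
        print(p)
```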

Note: When configuring a site-to-site VPN tunnel, it is critical to configure the router not to perform NAT (deny NAT) on packets destined for the remote VPN network. Once the VPN configuration is complete and the tunnel is ready, you need to force one packet across the VPN to bring it up; you can do this by pinging from one router to the other.


By following all the above steps, you can easily set up an IPsec VPN tunnel between two Cisco routers.

Looking forward to buying Cisco routers and other networking appliances? Please contact us at +97142409998 or send us a message on WhatsApp (+971585811786).