Cisco-Linksys E4200 Maximum Performance Simultaneous Dual-Band Wireless-N Router

Monday, September 12, 2011

Configuring a Site-to-Site VPN Between Two Cisco Routers

A site-to-site virtual private network (VPN) lets you establish a secure "always-on" connection between two physically separate sites over an existing non-secure network such as the public Internet. Traffic between the two sites is transmitted through an encrypted tunnel to prevent snooping and other types of data attacks.

This configuration requires an IOS software image that supports cryptography. The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.


Several protocols are involved in creating the VPN: the protocols used for key exchange between the peers, those used to encrypt the tunnel, and the hashing algorithms that produce message digests.


VPN Protocols

IPsec: Internet Protocol Security (IPsec) is a suite of protocols used to secure IP communications. IPsec covers both key exchange and tunnel encryption. You can think of IPsec as a framework for implementing security: when creating an IPsec VPN, you select from a variety of security technologies to implement the tunnel.

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a means for authenticating the peers in a secure communication. It typically uses Internet Key Exchange (IKE), but other technologies can also be used. Public keys or a pre-shared key are used to authenticate the parties to the communication.

MD5: Message-Digest Algorithm 5 (MD5) is a widely used but partially insecure cryptographic hash function with a 128-bit hash value. A cryptographic hash function takes an arbitrary block of data and returns a fixed-size bit string, the hash value, derived from the original data. The hashing process is designed so that any change to the data also changes the hash value. The hash value is also called the message digest.

SHA: Secure Hash Algorithm (SHA) is a set of cryptographic hash functions designed by the National Security Agency (NSA). The three SHA algorithms are structured differently and are known as SHA-0, SHA-1, and SHA-2. SHA-1 is a commonly used hashing algorithm that produces a 160-bit hash value.

ESP: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality for packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP packet header. This difference makes ESP the preferred choice in a Network Address Translation configuration. ESP operates directly on top of IP, using IP protocol number 50.

DES: The Data Encryption Standard (DES) provides 56-bit encryption. It is no longer considered a secure protocol because its short key length makes it vulnerable to brute-force attacks.

3DES: Triple DES was designed to overcome the limitations and weaknesses of DES by using three distinct 56-bit keys in an encrypt, decrypt, re-encrypt operation. 3DES keys are 168 bits in length. With 3DES, the data is first encrypted with one 56-bit key, then decrypted with a second 56-bit key, and the result is re-encrypted with a third 56-bit key.

AES: The Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It is available in varying key lengths and is commonly considered to be about six times faster than 3DES.

HMAC: The Hashed Message Authentication Code (HMAC) is a type of message authentication code (MAC). HMAC is calculated using a specific algorithm that combines a cryptographic hash function with a secret key.
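The HMAC construction above is worth seeing in code, because it explains why the transform set later in this article uses esp-sha-hmac rather than a bare hash for integrity. The following Python is an added example, not code from the article or from Cisco: it builds HMAC exactly as RFC 2104 defines it, cross-checks the result against the standard library, truncates it to the 96-bit integrity check value that esp-sha-hmac carries (RFC 2404), and contrasts a keyed check with an unkeyed SHA-1 digest that anyone can recompute. The key and packet bytes are constructed sample data.

```python
import hashlib
import hmac  # the stdlib implementation, used only to cross-check the hand-rolled one


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC exactly as RFC 2104 defines it: H((K ^ opad) || H((K ^ ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5, SHA-1 and SHA-256
    if len(key) > block_size:                         # keys longer than a block are hashed down first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")              # shorter keys are zero-padded to a full block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def esp_sha_hmac_icv(key: bytes, packet: bytes) -> bytes:
    """Integrity check value as esp-sha-hmac computes it: HMAC-SHA-1 truncated to 96 bits (RFC 2404)."""
    return hmac_rfc2104(key, packet, "sha1")[:12]


def icv_valid(key: bytes, packet: bytes, icv: bytes) -> bool:
    """Constant-time comparison, so the check itself does not leak which byte first differed."""
    return hmac.compare_digest(esp_sha_hmac_icv(key, packet), icv)


def bare_digest_valid(packet: bytes, digest: bytes) -> bool:
    """A receiver that trusts an unkeyed SHA-1 digest: this is what HMAC replaces."""
    return hashlib.sha1(packet).digest() == digest


def demo() -> dict:
    key = b"constructed-integrity-key"  # stand-in for the key IKE would derive; constructed, not a real key
    packet = b"ESP payload: 10.10.10.7 -> 10.20.0.9 seq=42"   # constructed sample data
    tampered = packet.replace(b"10.20.0.9", b"10.20.0.8")
    icv = esp_sha_hmac_icv(key, packet)
    return {
        "matches_stdlib": hmac_rfc2104(key, packet) == hmac.new(key, packet, "sha1").digest(),
        "long_key_matches_stdlib": hmac_rfc2104(b"k" * 100, packet) == hmac.new(b"k" * 100, packet, "sha1").digest(),
        "md5_variant_matches_stdlib": hmac_rfc2104(key, packet, "md5") == hmac.new(key, packet, "md5").digest(),
        "icv_bits": len(icv) * 8,
        "accepts_original": icv_valid(key, packet, icv),
        "rejects_tampered": not icv_valid(key, tampered, icv),
        "rejects_wrong_key": not icv_valid(b"some-other-key", packet, icv),
        # Without the key, an ICV recomputed over the altered packet is still rejected ...
        "rejects_keyless_recompute": not icv_valid(key, tampered, esp_sha_hmac_icv(b"some-other-key", tampered)),
        # ... whereas an unkeyed digest can simply be recomputed alongside the altered data.
        "bare_digest_forgeable": bare_digest_valid(tampered, hashlib.sha1(tampered).digest()),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28} {result}")
```

The last two entries of `demo()` are the point: a digest that depends only on the data offers no integrity protection on an untrusted network, while the keyed value cannot be regenerated without the key the two peers share.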

Configuring a Site-to-Site VPN

The process of configuring a site-to-site VPN involves several steps:

Phase One configuration sets up the key exchange. This process uses ISAKMP to identify the hashing algorithm and authentication method. It is also one of two places where you must identify the peer at the opposite end of the tunnel. In this example, we chose SHA as the hashing algorithm because of its more robust nature and its 160-bit hash. The key "vpnkey" must be identical on both ends of the tunnel. The address "192.168.16.105" is the outside interface of the router at the opposite end of the tunnel.

Sample phase one configuration:

tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#exit
tukwila(config)#crypto isakmp key vpnkey address 192.168.16.105

Phase Two configuration sets up the encrypted tunnel. In Phase Two, you create and name a transform set that identifies the encryption protocols used to build the secure tunnel. You must also create a crypto map in which you identify the peer at the opposite end of the tunnel, specify the transform set to be used, and specify which access control list will identify the permitted traffic flows. In this example, we chose AES for its stronger security and better performance. The statement "set peer 192.168.16.105" identifies the outside interface of the router at the opposite end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters specified in the transform set vpnset for this tunnel. The "match address 100" statement associates the tunnel with access-list 100, which is defined later.

Sample phase two configuration:

tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% Note: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100

The crypto map must be applied to your outside interface (in this example, interface FastEthernet 4):

tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset

You must create an access control list that explicitly permits traffic from the router's inside LAN across the tunnel to the other router's inside LAN (in this example, router tukwila's inside LAN network address is 10.10.10.0/24 and the other router's inside LAN network address is 10.20.0.0/24):

tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255

(For more information about the syntax of access-control lists, see my other articles on creating and managing Cisco router access-control lists.)

You must also create a default gateway (also known as the "gateway of last resort"). In this example, the default gateway is 192.168.16.1:

tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1

Verifying VPN Connections

The following two commands can be used to verify VPN connections:

Router#show crypto ipsec sa
This command displays the settings used by the current security associations (SAs).

Router#show crypto isakmp sa
This command displays the current IKE security associations.

Troubleshooting VPN Connections

After confirming physical connectivity, audit both ends of the VPN connection to ensure they mirror each other.

Use debugging to analyze VPN connection problems:
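The "mirror each other" check above is tedious by eye once a few tunnels exist, and it is also the natural place to confirm the whole procedure (ISAKMP policy, pre-shared key, transform set, crypto map, interface binding and access list) came out consistently on both routers. The following Python is an added example, not code from the article or a Cisco tool: it parses the VPN-relevant lines of two running-config excerpts and reports every asymmetry. The configuration text is constructed in the shape of the article's sample commands; tukwila's own outside address (192.168.16.25), the far router's name and the ISAKMP policy defaults used when a line is omitted (des, sha, rsa-sig, group 1, taken from the IOS command reference) are assumptions.

```python
from dataclasses import dataclass, field

# IOS defaults for a "crypto isakmp policy" entry when a line is omitted (from the IOS command reference).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


@dataclass
class VpnSide:
    """The VPN-relevant settings extracted from one router's configuration."""
    name: str
    outside_ip: str = ""                              # address of the interface carrying the crypto map
    map_applied_on: str = ""
    map_name: str = ""
    peer: str = ""
    transform_set: str = ""
    acl_num: str = ""
    isakmp: dict = field(default_factory=lambda: dict(ISAKMP_DEFAULTS))
    psk: dict = field(default_factory=dict)           # peer address -> pre-shared key
    transforms: dict = field(default_factory=dict)    # transform-set name -> set of transforms
    acl_rules: list = field(default_factory=list)     # (acl number, (src, wild, dst, wild))


def parse_side(name, config):
    """Pull the VPN-relevant commands out of one router's running-config text."""
    side, section, iface_ip, iface_map = VpnSide(name), None, {}, {}
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):                  # a top-level command ends any sub-mode
            section = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                section = "policy"
            elif t[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key KEY address ADDR
                side.psk[t[5]] = t[3]
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                side.transforms[t[3]] = frozenset(t[4:])
            elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
                section, side.map_name = "map", t[2]
            elif t[0] == "interface":
                section = ("interface", t[1])
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                side.acl_rules.append((t[1], tuple(t[4:8])))
        elif section == "policy":
            side.isakmp[t[0]] = " ".join(t[1:])
        elif section == "map":
            if t[:2] == ["set", "peer"]:
                side.peer = t[2]
            elif t[:2] == ["set", "transform-set"]:
                side.transform_set = t[2]
            elif t[:2] == ["match", "address"]:
                side.acl_num = t[2]
        elif isinstance(section, tuple):              # inside "interface X"
            if t[:2] == ["ip", "address"]:
                iface_ip[section[1]] = t[2]
            elif t[:2] == ["crypto", "map"]:
                iface_map[section[1]] = t[2]
    for iface, map_name in iface_map.items():
        if map_name == side.map_name:
            side.map_applied_on, side.outside_ip = iface, iface_ip.get(iface, "")
    return side


def audit_pair(a, b):
    """Findings for the two ends of a tunnel; an empty list means they mirror each other."""
    findings = []
    for x, y in ((a, b), (b, a)):
        if not x.map_applied_on:
            findings.append(f"{x.name}: crypto map {x.map_name} is not applied to any interface")
        if x.peer != y.outside_ip:
            findings.append(f"{x.name}: set peer {x.peer}, but {y.name}'s outside address is {y.outside_ip}")
        if y.outside_ip not in x.psk:
            findings.append(f"{x.name}: no pre-shared key configured for {y.outside_ip}")
        if x.transform_set not in x.transforms:
            findings.append(f"{x.name}: crypto map references undefined transform-set {x.transform_set}")
        mine = [r for n, r in x.acl_rules if n == x.acl_num]
        if not mine:
            findings.append(f"{x.name}: access-list {x.acl_num} permits nothing")
        mirrored = {(d, dw, s, sw) for n, (s, sw, d, dw) in y.acl_rules if n == y.acl_num}
        findings += [f"{x.name}: rule {' '.join(r)} has no mirror image on {y.name}" for r in mine if r not in mirrored]
    for attr in ISAKMP_DEFAULTS:
        if a.isakmp[attr] != b.isakmp[attr]:
            findings.append(f"isakmp {attr} differs: {a.name}={a.isakmp[attr]} {b.name}={b.isakmp[attr]}")
    if a.psk.get(b.outside_ip) != b.psk.get(a.outside_ip):
        findings.append("pre-shared keys differ")
    if a.transforms.get(a.transform_set) != b.transforms.get(b.transform_set):
        findings.append("transform sets differ")
    return findings


def ios_config(outside_ip, peer_ip, local_net, remote_net, hash_alg="sha", key="vpnkey"):
    """Constructed running-config excerpt in the shape of the article's sample commands."""
    return (f"crypto isakmp policy 10\n hash {hash_alg}\n authentication pre-share\n"
            f"crypto isakmp key {key} address {peer_ip}\n"
            "crypto ipsec transform-set vpnset esp-aes esp-sha-hmac\n"
            f"crypto map vpnset 10 ipsec-isakmp\n set peer {peer_ip}\n set transform-set vpnset\n match address 100\n"
            f"interface FastEthernet4\n ip address {outside_ip} 255.255.255.0\n crypto map vpnset\n"
            f"access-list 100 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255\n")


# tukwila's own outside address (192.168.16.25) and the far router's name are assumptions; the rest follows the article.
TUKWILA = ios_config("192.168.16.25", "192.168.16.105", "10.10.10.0", "10.20.0.0")
PEER = ios_config("192.168.16.105", "192.168.16.25", "10.20.0.0", "10.10.10.0")
BROKEN_PEER = ios_config("192.168.16.105", "192.168.16.25", "10.20.0.0", "10.10.10.0", hash_alg="md5", key="vpnkay")

if __name__ == "__main__":
    for label, cfg in (("good pair", PEER), ("mismatched pair", BROKEN_PEER)):
        print(label, audit_pair(parse_side("tukwila", TUKWILA), parse_side("peer", cfg)) or "mirror OK")
```

Feed `parse_side` the output of show running-config from each router; the second pair in the usage block reproduces two classic Phase 1 failures (hash mismatch and a mistyped pre-shared key) that debug crypto isakmp would otherwise be needed to find.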

Router#debug crypto isakmp
This command lets you examine Phase 1 ISAKMP negotiations.

Router#debug crypto ipsec
This command lets you examine Phase 2 IPsec negotiations.

Copyright (c) 2008 Don R. Crawley


Saturday, September 10, 2011

Cisco vs Nortel vs ? - Who Would You Choose And Why?

Here's the scenario..... You've been tasked with the design and build-out of the network infrastructure for a new location in your company. For the purposes of this question your choices for equipment at the new site are Cisco, Nortel, and ?? (routers, switches, hubs, etc.). The network backbone will be DS3 bandwidth with connectivity to other business locations (WAN). Note: you can substitute OC3 bandwidth if it's more applicable to you, but realize it changes the network equipment configurations for the scenario somewhat because of the use of SONET technology.

As a general rule of thumb..... When the need is business critical, spend the money and go with the best (Cisco). At the edge, where it is not business critical (i.e. you can afford a little downtime if needed), buy solid products that compete directly with Cisco but cost a bit less.


In one case a friend uses HP at the edge and in wireless situations where uptime is not critical. They use Cisco at the core and for wireless where uptime is essential. That said, the HP performs just as well, costs about 25%-50% less, and has a lifetime guarantee. So to answer the question, in this case I would recommend vendor three (HP) for all the switches, hubs, etc. and Cisco at the core, but if you only have two choices, then without a doubt I think you have only one: Cisco. They're the biggest in the U.S. for a reason.


Here's a tip..... Take a look at the ProCurve product line from HP. Another friend recently switched from a mix of Cisco and Netgear to all HP and had no failures. When they needed support, their question was answered the same day by a very knowledgeable support representative. They did have one piece of equipment that was DOA but had a replacement the next day.

As far as backbone connectivity, the Cisco MGX 8800 Series switch is a superior product to the Nortel 15K WAN switch, but that is only applicable if you are using ATM or FR as the layer 2 conveyance protocol in the core. If you are using MPLS or some other protocol over IP, I would recommend one of the Cisco 12K routers running IOS XR; Nortel doesn't even have a comparable product (Juniper arguably does, but that is outside the scope of this discussion).

The difference between Cisco HTTS support and Nortel support is night and day; that alone should influence your decision.

As far as LAN switching, the Cisco 6500 Catalyst platform is the winner hands down against the Nortel 8600. The 8600 is easier to configure but is simply not an enterprise solution, never mind a carrier-class one. The 6500 is faster but much more complex; it outperforms the 8600 and is infinitely more flexible in module options. The 6500 series also has the edge in maximum number of Gig-E ports.

As far as hubs - get a switch or otherwise segment the broadcast domain.

If I were looking for a voice switch or anything capable of interfacing with the world of TDM voice, I would go Nortel over Cisco, if those were my only two choices.

While Nortel makes great voice equipment, their policies and procedures are not very customer friendly.

Cisco has great support, and for any data-centric needs, I would certainly go with Cisco.

If I were building a VoIP network, I would use Cisco for my core routing, but I would use Nortel over Cisco for my softswitching and media gateways.

Now, Nortel supports MPLS networks and has been engaged in supporting MPLS standardization since before 1998.

A new report shows that the Nortel ERS 8300 bests the Cisco 4500, showing a 75%-301% higher forwarding rate and 12% greater power efficiency.

Of course, there's the fact that the New York Stock Exchange runs on a Nortel data network (4-year-old Nortel press release).

While I feel I could probably spec out a dozen network designs that would lean towards Nortel, there are clearly good reasons to go Cisco, such as if you implement Cisco Call Manager. Likewise, there are reasons for which you would clearly pick Nortel (power efficiency is one of them).

I will opine that you will almost always get a sub-optimal outcome if you pick a vendor first and sort out the product selections and configurations afterwards. Unless you have practically no time, write up a specification (which everyone except Americans knows as a request for tender) and issue it to the suppliers concerned, and I don't see why you wouldn't include Avaya and others in there as well. Word the specifics definitively (e.g. "The system shall be able to operate for a minimum of four hours following the loss of mains power. Complies/does not comply/partially complies"), include a scope of works, and get vendors to reply with compliance statements, warranties (i.e. free maintenance for six months), maintenance contract proposals and pricing. Not only can you compare the various systems feature by feature (features you have listed because they are important for your business), but it's remarkable how much pricing tends to drop when vendors know there's genuine competition.

Regarding these two, part of Cisco's strategy is to make it very inconvenient to try to integrate any non-Cisco components into a Cisco network. One of your requirements could be interoperability.

Cisco is the best and the least risk for you from a long-term perspective. I have found Cisco switches to be extremely stable; some switches I have seen had been up for 4+ years without a reboot. With Cisco you also have the advantage of excellent documentation, and plenty of skilled people to support you or share information online. Also, at the L3 switch level Cisco has no peer, as the code used on the switches is based on their legendary routing platforms.

If Cisco is too costly or you would like to diversify, look at Foundry or HP. Or better yet, use Cisco at your L3 and core, and deploy HP chassis switches for your user connections. HP chassis switches are priced similarly to other vendors' stacking solutions, and they come with a lifetime warranty and free software updates. The CLI is also quite Cisco-like.

Given the choice of two, I would have to say Cisco, purely from a support angle, both from a vendor support perspective and from recruiting qualified staff (permanent or contract) for in-house support. CCNA/DA, CCNP/DP, CCIE: the streets are littered with them, but Nortel-accredited engineers are few and far between, and consequently a more costly commodity.

In terms of features, functionality and performance, I would say it is too close to call; specific model ranges would have to be compared directly (port densities, PoE and multi-Gbps support, for example). Besides Cisco, Nortel, and HP you could also make various cases for more cost-effective solutions from the likes of Alcatel-Lucent, Huawei, Foundry, etc.

To boil it all down..... This is a religious question. Those of us who have been around long enough remember "No one was ever fired for buying IBM". This was a marketing strategy that IBM used for quite a while. It worked! Cisco is using the same strategy now.

Cisco makes some phenomenal products, and they support them amazingly well. There are other manufacturers of phenomenal equipment on the market too, though: HP, 3Com, Extreme, and Nortel are a few. Here is what I believe: 3Com and HP both make great equipment, Extreme equipment is on par with Cisco in capabilities, and Nortel is good.

I love the 3Com 5500 series stackable switches, and they are only about half the price of comparable Cisco switches. HP also has great stackables, but I don't feel the quality is quite up to par with 3Com. Extreme isn't Cisco but is considered to be very high end. I consider Nortel to be an also-ran.

If you need to call the vendor for tech support often, buy Cisco, period. Their tech support is the best in the industry. If you are capable of designing and maintaining a network based on industry-standard protocols, and are good at figuring things out on your own, buy 3Com or HP.

No one was ever fired for buying Cisco. (I hope that someday this changes just as it did for IBM. But today it is still true.)

Whatever direction you decide to go for similar situations with your business, or if you've decided and are looking for a local vendor, you can get help finding the right fit for local support from multiple vendors including Cisco, Nortel, HP et al. at Broadband Nation.
