IPSEC VPN Tunneling in Cisco Packet Tracer - Packet Tracer Network

The document describes how to configure an IPsec VPN tunnel in Cisco Packet Tracer to allow dynamic routing protocols like OSPF to operate between two routers connected over the internet. It explains that a GRE tunnel can be configured over the IPsec tunnel to support multicast and broadcast traffic needed by routing protocols. Step-by-step instructions are provided to configure IPsec policies, transforms, and tunnels between two sample routers, along with GRE interfaces and OSPF routing over the GRE tunnel to validate connectivity.

5/19/2017 IPSEC VPN tunneling in Cisco Packet Tracer - Packet Tracer Network

IPSEC VPN tunneling in Cisco Packet Tracer


Last Updated: Friday, 06 February 2015 21:57

Introduction - IPSEC VPN on ISR routers


Cisco Packet Tracer allows IPSEC VPN configuration between routers. The example below presents a basic VPN
configuration over Frame Relay between Paris and New-York using Cisco 2811 routers.

IPSEC tunneling allows network administrators to use the Internet to create secure connections between networks
(teleworkers, remote sites, ...). Cisco 2811 routers use the ISAKMP and IPsec tunneling standards to create and manage
tunnels. IPsec provides authentication (AH) and encryption (ESP) services to prevent unauthorized data access or
modification. ISAKMP is the negotiation protocol that lets peers negotiate how to build the IPsec security
association.

A major problem with IPsec sessions is that they do not support multicast or broadcast traffic. Dynamic routing
protocols such as OSPF or EIGRP require multicast or broadcast support to exchange hellos and updates between
routers.

Solution: build another generic tunnel over IPSEC. Three options are available in Cisco routers:

Virtual Tunnel Interface (VTI)
Generic Routing Encapsulation (GRE)
DMVPN and GET VPN

Good news: GRE over IPSEC has been working in Packet Tracer since at least version 6.0.1. This tunnel design allows
OSPF dynamic routing over the tunnel.

Basic IPSEC VPN configuration


Download network topology
File Name: ipsec-vpn.pkt
File Size: 11 KB

Configuration
Paris router configuration

hostname PARIS
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key 0 address 172.16.1.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SECUREWAN esp-aes esp-sha-hmac
!
crypto map IPSECWAN 100 ipsec-isakmp
 set peer 172.16.1.2
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set SECUREWAN
 match address SECURED-TRAFFIC
!
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.252
 encapsulation frame-relay
 frame-relay interface-dlci 100
 crypto map IPSECWAN
!
ip route 10.100.1.0 255.255.255.0 172.16.1.2
!
!
ip access-list extended SECURED-TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!

New-York router configuration

hostname NEWYORK
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key 0 address 172.16.1.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SECUREWAN esp-aes esp-sha-hmac
!
crypto map IPSECWAN 100 ipsec-isakmp
 set peer 172.16.1.1
 set security-association lifetime seconds 86400
 set transform-set SECUREWAN

OSPF dynamic routing with GRE tunnel over IPSEC


I modified the IPSEC ACL to permit GRE traffic over the tunnel and to deny any unencrypted traffic on the WAN link:

ip access-list extended SECURED-TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
 permit gre 10.254.1.0 0.0.0.3 10.254.1.0 0.0.0.3

GRE tunnel configuration on Paris router

interface Tunnel0
 ip address 10.254.1.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 172.16.1.2
 tunnel mode gre ip

GRE tunnel configuration on NewYork router

interface Tunnel0
 ip address 10.254.1.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 172.16.1.1
 tunnel mode gre ip

OSPF configuration over the tunnel

router ospf 1
 log-adjacency-changes
 network 10.0.1.0 0.0.0.255 area 0
 network 10.254.1.0 0.0.0.3 area 0
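
How the modified SECURED-TRAFFIC ACL is evaluated against the packets that Tunnel0 places on the WAN link, as an added example (not from the original tutorial): a simplified Python model of first-match ACL evaluation, with hypothetical helper names. It assumes the crypto map ACL sees the GRE outer header (172.16.1.1 to 172.16.1.2), since the tunnel source is the interface that carries the crypto map.

```python
import ipaddress

# Added example: simplified first-match model of an IOS extended ACL
# (protocol and addresses only). ACL text is the one listed on the page.
CRYPTO_ACL = """\
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip any any
permit gre 10.254.1.0 0.0.0.3 10.254.1.0 0.0.0.3
"""

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip_int(tokens.pop(0)), 0
    return ip_int(first), ip_int(tokens.pop(0))

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        entries.append((action, proto, take_addr(rest), take_addr(rest)))
    return entries

def addr_match(addr, spec):
    return (ip_int(addr) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF == 0

def first_match(entries, proto, src, dst):
    """(1-based index, action) of the first matching entry, else (0, 'deny')."""
    for n, (action, eproto, esrc, edst) in enumerate(entries, 1):
        if eproto in ("ip", proto) and addr_match(src, esrc) and addr_match(dst, edst):
            return n, action
    return 0, "deny"

def covers(outer, inner):
    """True if `outer` matches every address that `inner` matches."""
    (ob, ow), (ib, iw) = outer, inner
    return ow | iw == ow and (ob ^ ib) & ~ow & 0xFFFFFFFF == 0

def shadowed(entries):
    """1-based indexes of entries fully covered by an earlier entry."""
    return [j + 1 for j, (_, jp, js, jd) in enumerate(entries)
            if any(p in ("ip", jp) and covers(s, js) and covers(d, jd)
                   for _, p, s, d in entries[:j])]
```

`first_match(parse_acl(CRYPTO_ACL), "gre", "172.16.1.1", "172.16.1.2")` returns `(2, "permit")` and `shadowed(parse_acl(CRYPTO_ACL))` returns `[3]`: the tunnel's packets are selected by `permit ip any any`, and the `permit gre` entry is never reached. An entry written against the outer addresses, such as `permit gre host 172.16.1.1 host 172.16.1.2`, is the form that selects the tunnel's packets specifically.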

File Attachment:
File Name: ipsec-vpn-gre.pkt
File Size: 11 KB

Trademark notice : This web site and/or material is not affiliated with, endorsed by, or sponsored by Cisco Systems, Inc. Cisco, Cisco Systems, Cisco IOS, CCNA, CCNP, Networking
Academy, Linksys are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. or certain other countries.

http://www.packettracernetwork.com/tutorials/ipsec-vpn.html
