Cisco VPN Configuration in IOS Routers

by wing

How to Configure VPN in Cisco Routers

A virtual private network (VPN) can be configured on most Cisco routers (800 to 7500 series) running IOS version 12 or higher. A VPN can be implemented in a number of ways, with various levels of security measures and configuration. To determine the right VPN configuration for your network, you need a solid understanding of cryptographic systems and encryption algorithms. You also need to know which type of VPN is suitable for remote clients and which type is used to create a secure site-to-site connection. This article explains the necessary steps, with a configuration script, to set up a VPN on Cisco routers. This configuration can be simulated in the Cisco Packet Tracer software as well.

Types of VPN

  1. Remote access VPN
  2. Site to site VPN
  3. Business partner VPN

VPN implementation methods

The two methods that can be used to implement any of the three types of VPN listed above are:

  1. IPsec based VPN
  2. SSL based VPN

Both VPN implementation methods have their advantages and disadvantages. If you choose to implement an IPsec based VPN, you need to install client software on every remote host or device that needs to access the VPN. SSL VPNs, on the other hand, can establish a connection between two machines without installing any client software; this is possible because an SSL VPN is basically a web browser based solution. Most site-to-site and business partner VPNs are IPsec based, whereas SSL is widely used for remote client access VPNs.

IPsec VPN

The main purpose of IPsec is to provide communication security while your data passes through a public network such as the Internet. To establish an IPsec connection, you need IPsec compliant devices such as Cisco IOS based routers. The following cryptographic technologies are used with IPsec:

  • Diffie-Hellman key exchange
  • Public key cryptography
  • Data encryption algorithm – it helps to validate the identity of the sender and
  • Hashing algorithm – it verifies the authenticity and integrity of data. The hash algorithms used are HMAC, SHA-1 and MD5.
  • Digital certificate – a way to validate the identity of the sender. A digital certificate contains the identity details of a public key holder and is issued by a CA.

VPN Design Process

When you decide to set up a VPN, you need to design a VPN implementation plan. The plan needs to consider the following aspects.

1. Identify the type of VPN (SSL or IPsec) you need to implement and which computer systems or network equipment need to be protected by the VPN connection.

2. Design the VPN: choose the authentication methods, the filtering and the cryptographic policy.

3. Testing: test your design in a test environment before you deploy the VPN in your organization.

4. Deployment: once you are satisfied with the test results, start deploying your VPN as per your design.

5. Monitoring: monitor the traffic activity at the VPN end points and always check the security warnings and updates from your VPN equipment vendors.

IPsec Protocols

IPsec is basically a combination of two different kinds of protocol with two different purposes: packet protocols and a service protocol. There are two packet protocols: ESP (Encapsulating Security Payload) and AH (Authentication Header). The service protocol of IPsec is IKE (Internet Key Exchange).

ESP – encrypts the entire IP data portion of the packet, adding an ESP header and, at the end of the packet, an ESP trailer. ESP provides confidentiality, authentication and integrity for a data packet.

AH – the authentication header is added to the IP packet to provide validation of the data packet. Unlike ESP, AH does not offer any encryption service.

IKE – uses the Diffie-Hellman key exchange process to provide key management and security association negotiation.

So, as you can see, IPsec mainly provides two types of service, packet authentication and encryption, by using ESP and AH. IPsec can provide these services in two modes: tunnel mode and transport mode. Tunnel mode provides encryption and authentication for the entire original IP packet, whereas transport mode protects only the transport layer data. Thus transport mode IPsec generates lower overhead and is faster than tunnel mode IPsec. The disadvantage of transport mode is that an attacker may perform traffic analysis on the packets, since the original IP header is not encrypted.

Now that you understand the basics of IPsec, let's see how to implement an IPsec based VPN in a Cisco router.

This configuration is for a site-to-site VPN, where all traffic from router A to router B will be encrypted with IPsec.

[Figure: cisco vpn configuration]

Configuration on Router A

RouterA#configure terminal
RouterA(config)#crypto isakmp policy 1
RouterA(config-isakmp)#authentication pre-share
RouterA(config-isakmp)#encryption aes 128
RouterA(config-isakmp)#group 2
RouterA(config-isakmp)#lifetime 86400
RouterA(config-isakmp)#exit
RouterA(config)#crypto isakmp key <pre-shared-key> address 172.30.2.2
RouterA(config)#end
RouterA#copy run start

The lifetime is an attribute of the ISAKMP policy, so it is entered in policy configuration mode; the largest value IOS accepts is 86400 seconds (one day). Because the policy uses authentication pre-share, a pre-shared key has to be defined for the peer address (replace <pre-shared-key> with your own string), and the same key must be configured on router B.

Now create a transform set and give it a name of your choice. For example, name the set ciscoset:

RouterA#configure terminal
RouterA(config)#crypto ipsec transform-set ciscoset esp-aes esp-sha-hmac
RouterA(cfg-crypto-trans)#exit
RouterA(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
RouterA(config)#crypto map router1torouter2 10 ipsec-isakmp
RouterA(config-crypto-map)#set peer 172.30.2.2
RouterA(config-crypto-map)#match address 101
RouterA(config-crypto-map)#set transform-set ciscoset
RouterA(config-crypto-map)#exit

Access list 101 is the crypto ACL: it selects the traffic (here, 10.1.1.0/24 to 192.168.0.0/24) that the crypto map encrypts towards the peer.

Next, apply the crypto map to the external interface of router A (the name must match the crypto map defined above) and add a route for the remote network via the peer:

RouterA(config)#interface fastethernet0/0
RouterA(config-if)#crypto map router1torouter2
RouterA(config-if)#exit
RouterA(config)#ip route 192.168.0.0 255.255.255.0 172.30.2.2
RouterA(config)#end
RouterA#copy run start

Now configure router B with a similar configuration, swapping the peer IP address, the static route and the source and destination networks in the access list so that they mirror router A.
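The most common reason a site-to-site tunnel fails to come up is a parameter mismatch between the two peers. The Python script below is an example added here (it is not part of the original article or any Cisco tool): it reads a running-config style copy of each router's crypto settings and checks that the pre-shared key, ISAKMP policy and transform set match, that each side's set peer and isakmp key address point at the other side's outside interface, and that the crypto ACLs mirror each other. Router A's outside address 172.30.1.1, the placeholder key and the whole of router B's configuration are assumptions.

```python
import re

# Constructed sample configs (not the article's own text): Router A is the article's
# setup in running-config form with the pre-shared key added; Router B is the assumed peer.
ROUTER_A = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key PLACEHOLDER-PSK address 172.30.2.2
crypto ipsec transform-set ciscoset esp-aes esp-sha-hmac
crypto map router1torouter2 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set ciscoset
 match address 101
interface FastEthernet0/0
 ip address 172.30.1.1 255.255.255.0
 crypto map router1torouter2
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Router B (assumed) swaps the peer/outside addresses and reverses the crypto ACL.
ROUTER_B = (ROUTER_A.replace("172.30.2.2", "172.30.1.1").replace("172.30.1.1 255", "172.30.2.2 255")
            .replace("10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255", "192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255"))

def parse(cfg):
    """Extract the fields both peers must agree on from a running-config."""
    grab = lambda pat: re.search(pat, cfg, re.M).groups()
    key, key_addr = grab(r"^crypto isakmp key (\S+) address (\S+)")
    # The outside interface is the one the crypto map is applied to.
    ifc = [b for b in re.split(r"^(?=interface )", cfg, flags=re.M) if " crypto map " in b][0]
    return {"key": key, "key_addr": key_addr, "peer": grab(r"^ set peer (\S+)")[0],
            "policy": sorted(re.findall(r"^ (encr|hash|authentication|group|lifetime) (\S+)", cfg, re.M)),
            "transform": grab(r"^crypto ipsec transform-set \S+ (.+)")[0].split(),
            "acl": grab(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)"),
            "outside": re.search(r" ip address (\S+)", ifc).group(1)}

def check_pair(cfg_a, cfg_b):
    """Return the mismatches that would stop IKE phase 1 or IPsec phase 2 from forming."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for field, label in (("key", "pre-shared keys"), ("policy", "ISAKMP policies"), ("transform", "transform sets")):
        if a[field] != b[field]:
            problems.append(f"{label} differ")
    for side, other, name in ((a, b, "A"), (b, a, "B")):
        if side["peer"] != other["outside"] or side["key_addr"] != other["outside"]:
            problems.append(f"router {name}: set peer and isakmp key address must be the far side's outside IP")
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

An empty list from check_pair means the two configurations are consistent; each string in the list names one parameter to correct before trying to bring the tunnel up again.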

Copyright © 2010-2023 ·All Rights Reserved · SecurityWing.com