The purpose of this short tutorial is to show you how to configure an IPSEC VPN tunnel between two Cisco routers using a pre-shared key. The hardware used for this article was two Cisco 3600 routers running IOS 12.3(14).
Initial setup
I am starting from the point where I already have two working routers that can ping each other. R1 has an IP address of 192.168.0.1 and R2 has an IP address of 172.16.0.2. R1 can ping R2 and vice versa. This is our starting point.

Create loopback interfaces for testing purposes
For simplicity we are going to add a loopback on R1 with the IP address 10.0.0.1/24 and a loopback on R2 with the IP address 10.255.0.1/24. This will provide a subnet at either end of the VPN tunnel we can use to test with.
So firstly on R1 we have -:
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
And on R2 we have -:
interface Loopback0
 ip address 10.255.0.1 255.255.255.0
Note that at this point R1 cannot ping 10.255.0.1 and R2 cannot ping 10.0.0.1. Neither router should have routes for these networks; we will be providing connectivity between them using the VPN tunnel.
Configure the IPSEC VPN tunnel on both routers
The first thing to configure on both routers is the ISAKMP policy, which has to be identical on both routers -:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
Next we need to specify the pre-shared key on both routers. On R1 we would have -:
crypto isakmp key SUPERSECRETKEY address 172.16.0.2
And on R2 -:
crypto isakmp key SUPERSECRETKEY address 192.168.0.1
Now we need to specify the association lifetime and the transform set for the tunnel, so on both R1 and R2 we would have -:
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set t1 esp-3des esp-md5-hmac
The next thing to do on both routers is to set up the crypto map, so on R1 we would have -:
crypto map m1 110 ipsec-isakmp
 set peer 172.16.0.2
 set transform-set t1
 match address 111
And on R2, we would have -:
crypto map m1 110 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set t1
 match address 111
Note that the crypto map has a match address line. This specifies an access-list on the router that identifies interesting traffic, and this interesting traffic is then pushed through the VPN tunnel. So let's configure this access-list, on R1 -:
access-list 111 permit ip 10.0.0.0 0.0.0.255 10.255.0.0 0.0.0.255
And on R2 -:
access-list 111 permit ip 10.255.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Now the last thing to do is to apply the crypto map to the interface on both R1 and R2, so on both routers we would do -:
interface Ethernet0/1
 crypto map m1
That is it, the VPN tunnel is configured and should work.
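The tunnel only comes up when the two ends agree: the ISAKMP policy, pre-shared key and transform set must match, and the crypto access-lists must mirror each other. The following Python script is an added example, not part of the original tutorial; the sample configs are constructed from the snippets above, and the `parse` and `compare` helpers are hypothetical names that assume one policy, one peer and one access-list line per router.

```python
import re

# Constructed sample configs mirroring the tutorial's R1/R2 snippets.
TEMPLATE = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key SUPERSECRETKEY address {peer}
crypto ipsec transform-set t1 esp-3des esp-md5-hmac
crypto map m1 110 ipsec-isakmp
 set peer {peer}
 set transform-set t1
 match address 111
access-list 111 permit ip {local} 0.0.0.255 {remote} 0.0.0.255
"""
R1 = TEMPLATE.format(peer="172.16.0.2", local="10.0.0.0", remote="10.255.0.0")
R2 = TEMPLATE.format(peer="192.168.0.1", local="10.255.0.0", remote="10.0.0.0")

def parse(cfg):
    """Extract the tunnel parameters (assumes one policy, one peer, one ACL line)."""
    grab = lambda pat: re.findall(pat, cfg, re.M)
    return {
        "policy": sorted(grab(r"^ ((?:encr|hash|authentication|group|lifetime) \S+)$")),
        "key": grab(r"^crypto isakmp key (\S+) address (\S+)$"),
        "transform": grab(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer": grab(r"^ set peer (\S+)$"),
        "acl": grab(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)$"),
    }

def compare(cfg_a, cfg_b):
    """Return the places where the two ends of the tunnel disagree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy differs")
    if [k for k, _ in a["key"]] != [k for k, _ in b["key"]]:
        problems.append("pre-shared key differs")
    if a["transform"] != b["transform"]:
        problems.append("transform set differs")
    if a["acl"] != [(dst, src) for src, dst in b["acl"]]:
        problems.append("crypto ACLs are not mirror images")
    for name, p in (("A", a), ("B", b)):
        if [addr for _, addr in p["key"]] != p["peer"]:
            problems.append(f"router {name}: key address and 'set peer' disagree")
    return problems
print(compare(R1, R2) or "configs are consistent")
```

The check only establishes that the two ends agree; it says nothing about algorithm strength, and 3DES, MD5 and Diffie-Hellman group 2 as used here are legacy choices that current guidance deprecates.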
Test the tunnel
To test the tunnel we want to ping R2's loopback interface (10.255.0.1) from R1's loopback interface.
R1#ping ip 10.255.0.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 96/176/256 ms
