A site-to-site VPN (Virtual Private Network) establishes a secure connection between two remote networks over the internet, providing encrypted communication and allowing secure data transfer. In this article, we will guide you through the process of configuring a site-to-site VPN between two routers using the example IP addresses 10.10.1.1 and 20.10.1.1. We will provide the necessary commands and a step-by-step configuration to ensure a working setup.

Prerequisites: Before proceeding with the configuration, ensure that you have administrative access to both routers and a basic understanding of their respective command-line interfaces.

Step 1: Configuring Router A (10.10.1.1)

  1. Access Router A’s command-line interface (CLI) using SSH, Telnet, or console cable.
  2. Enter global configuration mode: configure terminal (abbreviated conf t)
  3. Create an IPsec Phase 1 policy:

crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
lifetime 86400

Configure the IPsec Phase 1 pre-shared key:

crypto isakmp key VPN_KEY address 20.10.1.1

Replace “VPN_KEY” with your desired pre-shared key.


Define the interesting traffic to be encrypted:

access-list 100 permit ip 10.10.1.0 0.0.0.255 20.10.1.0 0.0.0.255

Create an IPsec Phase 2 policy:

crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel

Configure the IPsec Phase 2 crypto map:

crypto map VPN_MAP 10 ipsec-isakmp
set peer 20.10.1.1
set transform-set TS
match address 100

Apply the crypto map to the outbound interface:

interface <ROUTER_A_OUTBOUND_INTERFACE>
crypto map VPN_MAP

Replace “<ROUTER_A_OUTBOUND_INTERFACE>” with the appropriate interface (e.g., GigabitEthernet0/0).

Save the running configuration to startup-config:

wr

wr is the IOS abbreviation for write memory.

Step 2: Configuring Router B (20.10.1.1)

  1. Access Router B’s CLI using SSH, Telnet, or console cable.
  2. Enter global configuration mode: configure terminal (abbreviated conf t)
  3. Create an IPsec Phase 1 policy:

crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
lifetime 86400

Configure the IPsec Phase 1 pre-shared key:

crypto isakmp key VPN_KEY address 10.10.1.1

Replace “VPN_KEY” with the same pre-shared key used on Router A.

Define the interesting traffic to be encrypted:

access-list 100 permit ip 20.10.1.0 0.0.0.255 10.10.1.0 0.0.0.255

Create an IPsec Phase 2 policy:

crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel

Configure the IPsec Phase 2 crypto map:

crypto map VPN_MAP 10 ipsec-isakmp
set peer 10.10.1.1
set transform-set TS
match address 100

Apply the crypto map to the outbound interface:

interface <ROUTER_B_OUTBOUND_INTERFACE>
crypto map VPN_MAP

Replace “<ROUTER_B_OUTBOUND_INTERFACE>” with the appropriate interface.

Save the running configuration to startup-config:

wr
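As an added example that is not part of the original article, the Python script below renders both routers' configurations from a single description of the tunnel and then cross-checks the two sides for the mistakes that most often keep a site-to-site tunnel from coming up: a pre-shared key that differs, a crypto ACL that was copied from the other router instead of mirrored, an isakmp key address that does not match the set peer, or Phase 1 / Phase 2 parameters that disagree. The VpnEnd, render_config, _parse and check_mirrored names are my own; the addresses, ACL number, map and transform-set names are the article's, and VPN_KEY is the article's placeholder key.

```python
"""Render and cross-check both ends of a Cisco IOS site-to-site IPsec VPN.

Added example, not code from the original article. Addresses and names come
from the article; the pre-shared key is the article's placeholder.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnEnd:
    """One end of the tunnel (values below are the article's example addresses)."""
    name: str
    wan_ip: str       # address the other router peers with
    lan: str          # protected subnet behind this router
    wildcard: str     # IOS wildcard mask for that subnet
    interface: str    # outbound interface carrying the crypto map


ROUTER_A = VpnEnd("Router A", "10.10.1.1", "10.10.1.0", "0.0.0.255", "GigabitEthernet0/0")
ROUTER_B = VpnEnd("Router B", "20.10.1.1", "20.10.1.0", "0.0.0.255", "GigabitEthernet0/0")
PSK = "VPN_KEY"   # article placeholder; use a long random secret in practice


def render_config(local, remote, psk, acl=100, map_name="VPN_MAP", ts_name="TS"):
    """Return the IOS commands for `local`, peering with `remote` (same steps as the article)."""
    lines = [
        "crypto isakmp policy 10",
        " encryption aes",
        " hash sha",
        " authentication pre-share",
        " group 2",
        " lifetime 86400",
        f"crypto isakmp key {psk} address {remote.wan_ip}",
        f"access-list {acl} permit ip {local.lan} {local.wildcard} "
        f"{remote.lan} {remote.wildcard}",
        f"crypto ipsec transform-set {ts_name} esp-aes esp-sha-hmac",
        " mode tunnel",
        f"crypto map {map_name} 10 ipsec-isakmp",
        f" set peer {remote.wan_ip}",
        f" set transform-set {ts_name}",
        f" match address {acl}",
        f"interface {local.interface}",
        f" crypto map {map_name}",
    ]
    return "\n".join(lines) + "\n"


def _parse(cfg):
    """Pull the fields the cross-check needs out of a rendered IOS config."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.MULTILINE)
        return m.groups() if m else None

    key = grab(r"^crypto isakmp key (\S+) address (\S+)")
    acl = grab(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)")
    peer = grab(r"^ set peer (\S+)")
    ts = grab(r"^crypto ipsec transform-set \S+ (.+)$")
    phase1 = {k: grab(rf"^ {k} (\S+)")
              for k in ("encryption", "hash", "authentication", "group", "lifetime")}
    return {
        "psk": key[0] if key else None,
        "key_addr": key[1] if key else None,
        "acl": acl,
        "peer": peer[0] if peer else None,
        "ts": ts[0] if ts else None,
        "phase1": {k: v[0] if v else None for k, v in phase1.items()},
    }


def check_mirrored(cfg_a, cfg_b):
    """Return a list of mismatches between the two configs (empty list means consistent)."""
    a, b = _parse(cfg_a), _parse(cfg_b)
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    for side, p in (("A", a), ("B", b)):
        if p["key_addr"] != p["peer"]:
            problems.append(f"router {side}: isakmp key address {p['key_addr']} "
                            f"!= set peer {p['peer']}")
    if a["acl"] and b["acl"]:
        src, swc, dst, dwc = a["acl"]
        # B's crypto ACL must be the exact reverse of A's (source and destination swapped)
        if b["acl"] != (dst, dwc, src, swc):
            problems.append(f"crypto ACLs are not mirror images: A={a['acl']} B={b['acl']}")
    else:
        problems.append("crypto ACL missing on one side")
    if a["phase1"] != b["phase1"]:
        problems.append("phase 1 (ISAKMP) policies differ")
    if a["ts"] != b["ts"]:
        problems.append("phase 2 transform sets differ")
    return problems


if __name__ == "__main__":
    cfg_a = render_config(ROUTER_A, ROUTER_B, PSK)
    cfg_b = render_config(ROUTER_B, ROUTER_A, PSK)
    print(cfg_a)
    print(cfg_b)
    print("mismatches:", check_mirrored(cfg_a, cfg_b))   # [] for the article's setup
    # Simulate the common copy-paste error: Router B's ACL taken verbatim from Router A
    bad_b = cfg_b.replace("20.10.1.0 0.0.0.255 10.10.1.0", "10.10.1.0 0.0.0.255 20.10.1.0")
    print("mismatches:", check_mirrored(cfg_a, bad_b))
```

The check is meant as a review step before the commands are pasted into the routers; once both sides are configured and interesting traffic has been sent, confirm the tunnel on the devices themselves with show crypto isakmp sa (Phase 1 state) and show crypto ipsec sa (Phase 2 SAs and packet counters).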

Conclusion: By following the step-by-step configuration outlined in this article, you can establish a site-to-site VPN between two routers with IP addresses 10.10.1.1 and 20.10.1.1. Remember to replace the placeholder values with the appropriate values specific to your network environment. This secure VPN connection will allow encrypted communication and secure data transfer between the two remote networks, enhancing the overall security and connectivity of your network infrastructure.