Site-To-Site VPN via CCP

security-gallery-01258I have ran through before on how to create a site-to-site VPN with Cisco SDM which sounds like a repeat but I thought why not bring CCP into light and since I’m studying the newly created CCNA Security (640-554) I figured let’s create a tutorial on it. In this lab I am going to post the running-config of both locations so you can either run it through Packet Tracer or live equipment if you wish. I am running two Cisco 2811s with Advanced Security Version 12.4(24)T8. Let’s do it!

Take a look at my setup, I am running in the RFC 1918 range on a closed track and “technically” have a third router in the middle just to route between the two serial interfaces to “simulate” the internet. Branch-1 does not know about the LAN on Branch-2, and Branch-2 does not know about the LAN on Branch-1. Our task is to configure a Site-To-Site VPN between the two remote Branch offices to be able reach the remote LANs.

Branch-1-and-Branch-2

Before we jump right into it here is the running-config of both Branch routers before a VPN is setup so you can walk through this yourself.

####################################################################
## START OF RUNNING-CONFIG FOR BRANCH-1 AND BRANCH-2 ##
####################################################################
## START OF CONFIGURATION OF BRANCH-1 ##
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BRANCH-1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.40.0 192.168.40.5
!
ip dhcp pool DHCP-40-POOL
   network 192.168.40.0 255.255.255.0
   dns-server 208.67.222.222
   default-router 192.168.40.1
   domain-name BRANCH1.CISCOSKILLS.NET
!
!
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 (MD5 Hashed Password)
archive
 log config
  hidekeys
!
!
!
!
interface FastEthernet0/0
 description LOCAL-LAN
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
!
interface Serial0/0/1
 description CONNECTS-TO-INTERNET
 ip address 192.168.20.10 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 5 interface Serial0/0/1 overload
!
access-list 5 permit 192.168.40.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
end

####################################################################
## END OF CONFIGURATION FOR BRANCH-1 ##
####################################################################
## START OF CONFIGURATION OF BRANCH-2 ##
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BRANCH-2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.50.0 192.168.50.5
!
ip dhcp pool DHCP-50-POOL
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1
   dns-server 208.67.222.222
   domain-name BRANCH2.CISCOSKILLS.NET
!
!
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 (MD5 Hashed Password)
archive
 log config
  hidekeys
!
!
!
!
interface FastEthernet0/0
 description LOCAL-LAN
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface Serial0/0/0
 description CONNECTS-TO-INTERNET
 ip address 192.168.20.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no fair-queue
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 5 interface Serial0/0/0 overload
!
access-list 5 permit 192.168.50.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
end

####################################################################
## END OF CONFIGURATION FOR BRANCH-2 ##
####################################################################
## END OF RUNNING-CONFIG FOR BRANCH-1 AND BRANCH-2 ##
####################################################################

So let’ fire up CCP and get started configuring this VPN. Check out my Introduction into CCP which talks about what CCP is and goes through the some of the basics on how to discover devices. So for this example I already have CCP opened on a PC that is on Branch-1’s LAN and have already discovered Branch-1. In CCP I want to create a site-to-site VPN so in order for that to happen I’ll click Configure at the top of the program and expand the Security folder and select Site-To-Site VPN.

CCP-1EOnce we selected the site-to-site VPN option we are presented with a general overview of what a site-to-site VPN is and  its functions. Our task is to create a site-to-site VPN so let us select the tab “Create a Site-To-Site-VPN” and then follow that by selecting “Launch the selected task” button.

CCP-2EA window popup should appear something like picture below, basically giving you two options. The quick setup would probably work as it would generate a lot of default commands and if you have two Cisco routers at each end it along with running the quick setup on both ends, you would probably get a VPN up and running with very little configuration effort on your part. But for this guide I want to walk through the advanced setup and look at all the gears and knobs of a VPN. Let’s continue select next.

CCP-3EThe next couple of options go over the IKE proposals (Internet Key Exchange) which is all about handling the way keys are passed between devices. So we are not even talking about data being passed yet, just ISAKMP. Since we are on Branch-1 we want to select our outside interface which happens to be the (1) serial interface 0/0/1. The next option is selecting who our peer is or where would we like to build a VPN tunnel which in this case its Branch-2 who’s outside address is  (2) 192.168.20.2. The final section is to create a (3) pre-shared Key that must match on both sides. It is best to create long pre-shared key in a production environment but since this is on a closed course I kept it short and simple, select next.

CCP-4ELike mentioned their actually two tunnels being built for this VPN one of them is just the routers to talk amongst themselves to make sure they agree on the keys and secrets and a second one for data traffic to pass through. This IKE default proposal would work if Branch-2 had the same proposal on Branch-2 but let’s create our own. Select Add.

CCP-5EAnother window shows and we are now configuring the IKE Policy, I decided to use (1) AES 256 bit encryption with (2) SHA 1 which is 160 bit hash we are using (3) shared secrets with a (4) Diffie Hellman group 2 and finally with a lifetime of 24 hours which is default. Select OK

CCP-6ENow we can see our other IKE proposal that we created. Select Next.

CCP-7EThe next section is for our IPsec Tunnel which is the tunnel that our data goes through select add to create a transform set, I am going to call this set (1) “BRANCH-TRANS-SET” we are going to (2) check the integrity of data also called ESP. For the (3) Integrity Algorithm will be ESP SHA HMAC and the (4) encryption will be ESP AES 256. Select OK.

CCP-8E-IKEOur Transform Set is created and we could create more if we wanted to. Let’s select next

CCP-9EThis next section is what traffic would we like to protect with our recently IPec tunnel so we type our local LAN because we want to be able access the remote network (Branch-2’s LAN) over our protected tunnel. Select Next.

CCP-10EWe have reached the summary screen which gives us an overview of what will about happen if we decide to deliver these commands by clicking Finish. Let’s see what happens.

CCP-11ESince this is treated like an internet connection I have setup a NAT/PAT rule to translate address to my serial interface on Branch-1. Basically CCP detected this rule and wants to change it. So for this example I will let CCP go ahead and make the change by selecting Yes.

CCP-12EHere is a list commands CCP has generated to make my VPN tunnel a dream come true and is about deliver them. Let’s deliver these commands!

CCP-13EUnfortunately the tunnel is still down because we have to configure the other side which is Branch-2. We want to do the same thing we did on Branch-1 but change our peer to point to 192.168.20.10 (which is Branch-1’s outside address)  Add the same IKE Proposal and Transform-Set as did with Branch-1 onto Branch-2 and finally flip our traffic to protect. For the local network we put Branch-2’s LAN and for the remote we put Branch-1’s LAN. Once both sides are created they won’t come up until that interesting traffic comes along either from Branch-1’s LAN going to Branch-2’s LAN or Branch-2’s LAN going to Branch-1’s LAN. So I have a PC on Branch-2 and to test this tunnel  I am able to ping Branch-1’s FastEthernet Interface (192.168.40.1) from 192.168.50.6 which is my PC.

C:\Documents and Settings\Administrator>ipconfig
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : BRANCH2.CISCOSKILLS.NET
        IP Address. . . . . . . . . . . . : 192.168.50.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.50.1

C:\Documents and Settings\Administrator>ping 192.168.40.1

Pinging 192.168.40.1 with 32 bytes of data:

Reply from 192.168.40.1: bytes=32 time=7ms TTL=254
Reply from 192.168.40.1: bytes=32 time=9ms TTL=254
Reply from 192.168.40.1: bytes=32 time=5ms TTL=254
Reply from 192.168.40.1: bytes=32 time=5ms TTL=254

Ping statistics for 192.168.40.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 9ms, Average = 6ms

C:\Documents and Settings\Administrator>

As we can see I am to ping this connection and that also confirms that the VPN tunnel is up! I hope this tutorial is helpful and below you will find the running-config of both Branch-1 and Branch-2 ‘s configuration of making this VPN work. Remember for a closed track you “technically” need another router in the middle of the branches but don’t advertise the LANs. Go ahead and load it in Packet Tracer and or live equipment and give it shot you might have to reconfigure some settings deepening on your setup and Packet Tracer does not accept all of the commands. Good Luck and comment below if you have questions! I would be happy to answer them 🙂

####################################################################
## START OF RUNNING-CONFIG FOR BRANCH-1 AND BRANCH-2 ##
####################################################################
## START OF CONFIGURATION OF BRANCH-1 ##
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BRANCH-1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
ip dhcp excluded-address 192.168.40.0 192.168.40.5
!
ip dhcp pool DHCP-40-POOL
   network 192.168.40.0 255.255.255.0
   dns-server 208.67.222.222
   default-router 192.168.40.1
   domain-name BRANCH1.CISCOSKILLS.NET
!
!
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 (MD5 Hashed Password)
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.20.2
!
!
crypto ipsec transform-set BRANCH-TRANS-SET esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.20.2
 set peer 192.168.20.2
 set transform-set BRANCH-TRANS-SET
 match address 100
!
!
interface FastEthernet0/0
 description LOCAL-LAN
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/1
 description CONNECTS-TO-INTERNET
 ip address 192.168.20.10 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/1 overload
!
access-list 5 remark CCP_ACL Category=16
access-list 5 permit 192.168.40.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.40.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.40.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.40.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
end

####################################################################
## END OF CONFIGURATION FOR BRANCH-1 ##
####################################################################
## START OF CONFIGURATION OF BRANCH-2 ##
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BRANCH-2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.50.0 192.168.50.5
!
ip dhcp pool DHCP-50-POOL
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1
   dns-server 208.67.222.222
   domain-name BRANCH2.CISCOSKILLS.NET
!
!
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 (MD5 Hashed Password)
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.20.10
!
!
crypto ipsec transform-set BRANCH-TRANS-SET esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.20.10
 set peer 192.168.20.10
 set transform-set BRANCH-TRANS-SET
 match address 100
!
!
interface FastEthernet0/0
 description LOCAL-LAN
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description CONNECTS-TO-INTERNET
 ip address 192.168.20.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no fair-queue
 crypto map SDM_CMAP_1
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/0 overload
!
access-list 5 remark CCP_ACL Category=16
access-list 5 permit 192.168.50.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
end

####################################################################
## END OF CONFIGURATION FOR BRANCH-2 ##
####################################################################
## END OF RUNNING-CONFIG FOR BRANCH-1 AND BRANCH-2 ##
####################################################################
Advertisements

One thought on “Site-To-Site VPN via CCP

Comments are closed.