Configuring a Site-to-site Vpn Between Two Cisco Routers 

 
Copyright (c) 2008 Don R. Crawley

A site-to-site virtual private network (VPN) allows you to nourish a secure "always-on" connection between two physically separate sites using an existing non-secure network such as the public Internet. Traffic among the two sites is transmitted over an encrypted tunnel to prevent snooping alternatively other types of data bombards.

This configuration requires one IOS software image namely aids cryptography. The one used in the instances is c870-advipservicesk9-mz.124-15.T6.bin.

There are several protocols used in creating the VPN including protocols used for a key exchange between the peers, those used to encrypt the tunnel, and hashing technologies which generate message digests.

VPN Protocols

IPSec: Internet Protocol Security (IPSec) is a suite of protocols that are used to secure IP communications. IPSec involves either key exchanges and tunnel encryption. You tin muse of IPSec as a framework for implementing security. When creating an IPSec VPN, you can choose from a kind of security technologies to implement the tunnel.

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a method for authenticating the peers in a secure communication. It typically uses Internet Key Exchange (IKE), but other technologies can also be used. Public keys or a pre-shared key are used to authenticate the parties to the communication.

MD5: Message-Digest algorithm 5 (MD5) is an constantly used, but partially insecure cryptographic hash feature with a 128-bit hash amount. A cryptographic hash function is a access of taking an overbearing stop of data and returning a fixed-size bit string, the hash worth based on the native block of data. The hashing process is designed so that a alteration to the data will also change the hash value. The hash value is also shrieked the information digest.

SHA: Secure Hash Algorithm (SHA) is a set of cryptographic hash functions designed by the National Security Agency (NSA). The three SHA algorithms are structured differently and are discriminated as SHA-0,SHA-1, and SHA-2. SHA-1 is a usually used hashing algorithm with a standard key length of 160 bits.

ESP: Encapsulating Security Payload (ESP) is a membership of the IPsec protocol suite that provides origin authenticity, integrity,nfl jersey sale, and confidentiality conservation of packets. ESP too supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the additional IPsec protocol, Authentication Header (AH), ESP does no defend the IP parcel header. This inconsistency makes ESP preferred because use in a Network Address Translation configuration. ESP operates directly above top of IP, using IP protocol digit 50.

DES: The Data Encryption Standard (DES) provides 56-bit encryption. It is not longer considered a secure protocol because its short key-length makes it vulnerable to brute-force attacks.

3DES: Three DES was designed to conquer the constraints and weaknesses of DES at using three another 56-bit keys in a encrypting, decrypting, and re-encrypting operation. 3DES keys are 168 bits in width. When using 3DES, the data is 1st encrypted with one 56-bit opener, then decrypted with a different 56-bit key, the output of which namely then re-encrypted with a third 56-bit key.

AES: The Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It is accessible in altering key lengths and is generally considered to be almost 6 periods faster than 3DES.

HMAC: The Hashing Message Authentication Code (HMAC) is a type of message authentication code (MAC). HMAC is calculated using a specific algorithm involving a cryptographic hash function in fusion with a secluded key.

Configuring a Site-to-Site VPN

The process of configuring a site-to-site VPN involves several steps:

Phase One configuration involves configuring the key exchange. This process uses ISAKMP to identify the hashing algorithm and authentication method. It is also one of two locations where you must nail the peer at the inverse end of the tunnel. In this example, we chose SHA as the hashing algorithm due to its extra lusty ecology,Larry Fitzgerald Jerseys, including its 160-bit key. The key "vpnkey" must be alike on both ends of the tunnel. The address "192.168.16.105" is the appearance interface of the router at the opposite end of the tunnel.

Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105

Phase Two configuration involves configuring the encrypted tunnel. In Phase Two configuration, you create and appoint a become set which identifies the encrypting protocols used to create the secure tunnel. You must also create a crypto map in which you identify the peer at the opposite end of the tunnel, specify the transform-set to be used, and clarify which access control list will identify permitted traffic streams. In this example,tods on sale, we chose AES due to its accentuated security and improved extravaganza. The statement "set peer 192.168.16.25" identifies the outside interface of the router at the opposite end of the tunnel. The expression "set transform-set vpnset" tells the router to use the parameters specified in the transform-set vpnset in this tunnel. The "mate address 100" statement is used to companion the tunnel with access-list 100 which will be defined afterward.

Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto chart ambition remain disabled until a peer
and a legal access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100

The crypto map must be applied to your outside interface (in this example, interface FastEthernet 4):

tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset

You must build an way control catalogue to explicitly grant traffic from the router's inside LAN across the tunnel to the other router's inside LAN (in this example, the router tukwila's inside LAN network address is 10.10.10.0/24 and the other router's inside LAN network address is 10.20.0.0/24):

tukwila(config)#access-list 100 allow ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255

(For more message about the grammar of access-control lists, watch my other treatises on creating and managing Cisco router access-control lists.)

You must also create a default doorway (also known as the "gateway of final resort"). In this example, the default doorway is by 192.168.16.1:

tukwila(config)#ip path 0.0.0.0 0.0.0.0 192.168.16.1

Verifying VPN Connections

The emulating two commands can be used to validate VPN connections:

Router#show crypto ipsec sa
This command displays the settings used by the current Security Associations (SAs).

Router#show crypto isakmp sa
This directive exhibits present IKE Security Associations.

Troubleshooting VPN Connections

After confirming physical connectivity,New England Patriots Jerseys, audit both ends of the VPN connection to assure they mirror every other.

Use debugging to examine VPN connection difficulties:

Router#debug crypto isakmp
This command allows you to scrutinize Phase 1 ISAKMP negotiations.

Router#debug crypto ipsec
This command allows you to observe Phase 2 IPSec negotiations.
A third jersey or alternate jersey is a sports team's alternate and/or throwback design for the previously established other two jerseys, the home and away outfits. Alternate jerseys are used in all four of the North American major professional sports leagues as well as college sports, semipro leagues, and other sports leagues throughout the world. www.cheapjerseysales.com,Tory Burch (born June 17, 1966; née Robinson) is an American fashion designer, business woman, mother of three, wife (now divorced), and philanthropist who was born, raised and educated in the Philadelphia metropolitan area.www.cheaptoryburchs.com,Tod's Group is an Italian company which produces shoes and other leather goods, and is presided over by businessman Diego Della Valle. It is most famous for its driving shoes.www.cheaptodssale.com 
 
tory bruch LoadRunner Sharing Your Work Load_11386
Alabama Crimson Tide Jerseys A-line Strapless Sash
tory burch wedges sophie Casinos Of Goa_4874