Configuring a Site-to-Site VPN Between Two Cisco Routers

A site-to-site virtual private network (VPN) allows you to maintain a secure "always-on" connection between two physically separate sites using an existing non-secure network such as the public Internet. Traffic between the two sites is transmitted over an encrypted tunnel to prevent snooping or other types of data attacks.

This configuration requires an IOS software image that supports cryptography. The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.

There are several protocols involved in building the VPN, including protocols used for the key exchange between the peers, those used to encrypt the tunnel, and hashing technologies which produce message digests.

VPN Protocols

IPSec: Internet Protocol Security (IPSec) is a suite of protocols used to secure IP communications. IPSec covers both key exchange and tunnel encryption. You can think of IPSec as a framework for implementing security: when building an IPSec VPN, you choose from a variety of security technologies to implement the tunnel.

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a means for authenticating the peers in a secure communication. It typically uses Internet Key Exchange (IKE), but other technologies can also be used. Public keys or a pre-shared key are used to authenticate the parties to the communication.

MD5: Message-Digest algorithm 5 (MD5) is a frequently used, but partially insecure, cryptographic hash function with a 128-bit hash value. A cryptographic hash function is a way of taking an arbitrary block of data and returning a fixed-size bit string, the hash value, derived from the original block of data. The hashing process is designed so that any change to the data will also change the hash value. The hash value is also known as the message digest.

SHA: Secure Hash Algorithm (SHA) is a set of cryptographic hash functions designed by the National Security Agency (NSA). The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is a commonly used hashing algorithm with a standard key length of 160 bits.

ESP: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality protection for packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP packet header. This difference makes ESP the preferred choice in a Network Address Translation configuration. ESP operates directly on top of IP, using IP protocol number 50.

DES: The Data Encryption Standard (DES) provides 56-bit encryption. It is no longer considered a secure protocol because its short key length makes it vulnerable to brute-force attacks.

3DES: Triple DES was designed to overcome the limitations and weaknesses of DES by using three different 56-bit keys in an encrypt, decrypt, and re-encrypt operation. 3DES keys are 168 bits in length. When using 3DES, the data is first encrypted with one 56-bit key, then decrypted with a different 56-bit key, and the output is then re-encrypted with a third 56-bit key.

AES: The Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It is available in varying key lengths and is generally considered to be about six times faster than 3DES.

HMAC: The Hashing Message Authentication Code (HMAC) is a type of message authentication code (MAC). HMAC is calculated using a specific algorithm that combines a cryptographic hash function with a secret key.

Configuring a Site-to-Site VPN

The process of configuring a site-to-site VPN involves several steps:

Phase One configuration involves configuring the key exchange. This process uses ISAKMP to identify the hashing algorithm and authentication method. It is also one of two places where you must identify the peer at the opposite end of the tunnel. In this example, we chose SHA as the hashing algorithm because of its more robust nature, including its 160-bit key. The key "vpnkey" must be identical on both ends of the tunnel. The address "192.168.16.105" is the outside interface of the router at the other end of the tunnel.

Sample phase one configuration:

tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105

Phase Two configuration involves configuring the encrypted tunnel. In Phase Two configuration, you create and name a transform set which identifies the encryption protocols used to build the secure tunnel. You must also create a crypto map in which you identify the peer at the other end of the tunnel, specify the transform set to be used, and specify which access control list will identify permitted traffic flows. In this example, we chose AES because of its stronger security and better performance. The statement "set peer 192.168.16.25" identifies the outside interface of the router at the other end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters specified in the transform set vpnset for this tunnel. The "match address 100" statement associates the tunnel with access-list 100, which will be defined later.

Sample phase two configuration:

tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100

The crypto map must be applied to your outside interface (in this example, interface FastEthernet 4):

tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset

You must create an access control list to explicitly permit traffic from the router's inside LAN across the tunnel to the other router's inside LAN (in this example, router tukwila's inside LAN network address is 10.10.10.0/24 and the other router's inside LAN network address is 10.20.0.0/24):

tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255

(For more information about the syntax of access control lists, see my other articles on creating and managing Cisco router access control lists.)

You must also create a default gateway (also known as the "gateway of last resort"). In this example, the default gateway is at 192.168.16.1:

tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1

Verifying VPN Connections

The following two commands can be used to verify VPN connections:

Router#show crypto ipsec sa
This command displays the settings used by the current Security Associations (SAs).

Router#show crypto isakmp sa
This command displays the current IKE Security Associations.

Troubleshooting VPN Connections

After confirming physical connectivity, audit both ends of the VPN connection to make sure they mirror each other.
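As an added illustration of that audit (example code written for this page, not part of the original article or of Cisco IOS), the following Python script parses the VPN-relevant lines of two IOS running-config excerpts and reports where the two ends fail to mirror each other: the ISAKMP policy and pre-shared key from Phase One, the crypto map peer, transform set and access list from Phase Two, and whether the map is actually applied to an interface. The tukwila excerpt uses the article's values; the far-end router's name "seattle" is an assumption, and both excerpts are constructed.

```python
import re
from ipaddress import IPv4Network

# Constructed running-config excerpt for tukwila, following the article's values.
TUKWILA_CFG = """\
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address 192.168.16.105
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.16.105
 set transform-set vpnset
 match address 100
interface FastEthernet4
 ip address 192.168.16.25 255.255.255.0
 crypto map vpnset
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
"""
# The far-end router ("seattle", an assumed name) mirrors tukwila: outside addresses
# swapped in the key binding, peer and interface, and the access list reversed.
SEATTLE_CFG = (TUKWILA_CFG.replace("192.168.16.105", "@@").replace("192.168.16.25", "192.168.16.105")
               .replace("@@", "192.168.16.25")
               .replace("10.10.10.0 0.0.0.255 10.20.0.0", "10.20.0.0 0.0.0.255 10.10.10.0"))


def parse_ios(text):
    """Pull the VPN-relevant pieces out of an IOS running-config excerpt."""
    cfg = {"policy": {}, "psk": {}, "tsets": {}, "maps": {}, "ifaces": {}, "acls": {}}
    block = None  # (section dict, kind) that the indented lines after a header belong to
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0] != " ":                                   # top-level command
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = cfg["policy"].setdefault(w[3], {}), "policy"
            elif w[:3] == ["crypto", "isakmp", "key"]:
                cfg["psk"] = {"key": w[3], "address": w[5]}
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][w[3]] = tuple(w[4:])
            elif w[:2] == ["crypto", "map"]:
                block = cfg["maps"].setdefault(f"{w[2]} {w[3]}", {}), "map"
            elif w[0] == "interface":
                block = cfg["ifaces"].setdefault(w[1], {}), "iface"
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                # IOS wildcard masks are host masks, which IPv4Network accepts as-is
                cfg["acls"].setdefault(w[1], []).append(
                    (IPv4Network(f"{w[4]}/{w[5]}"), IPv4Network(f"{w[6]}/{w[7]}")))
        elif block:
            sec, kind = block
            if kind == "policy":                             # hash sha / authentication pre-share
                sec[w[0]] = w[1]
            elif kind == "map" and w[0] == "set":            # set peer X / set transform-set Y
                sec[w[1]] = w[2]
            elif kind == "map" and w[0] == "match":          # match address 100
                sec["acl"] = w[2]
            elif kind == "iface" and w[:2] == ["ip", "address"]:
                sec["ip"] = w[2]
            elif kind == "iface" and w[:2] == ["crypto", "map"]:
                sec["map"] = w[2]
    return cfg


def outside_ip(cfg):
    """Address of the interface carrying the crypto map, i.e. this router's tunnel endpoint."""
    return next((i["ip"] for i in cfg["ifaces"].values() if "map" in i), None)


def audit_pair(a, b):
    """Return the ways two endpoint configs fail to mirror each other (empty list = consistent)."""
    findings = []
    # Phase One: same ISAKMP policy, same pre-shared key, each bound to the other's outside address.
    if a["policy"] != b["policy"]:
        findings.append("ISAKMP policy mismatch")
    if a["psk"].get("key") != b["psk"].get("key"):
        findings.append("pre-shared key differs between peers")
    if a["psk"].get("address") != outside_ip(b) or b["psk"].get("address") != outside_ip(a):
        findings.append("pre-shared key not bound to the other router's outside interface")
    # Phase Two: peers cross-reference, transform sets agree, interesting-traffic ACLs mirror.
    for name, ma in a["maps"].items():
        mb = b["maps"].get(name)
        if mb is None:
            findings.append(f"crypto map {name} missing on peer")
            continue
        if ma.get("peer") != outside_ip(b) or mb.get("peer") != outside_ip(a):
            findings.append(f"crypto map {name}: set peer does not point at the other outside interface")
        ts_a, ts_b = a["tsets"].get(ma.get("transform-set")), b["tsets"].get(mb.get("transform-set"))
        if ts_a is None or ts_a != ts_b:
            findings.append(f"crypto map {name}: transform sets differ")
        mirrored = sorted((d, s) for s, d in a["acls"].get(ma.get("acl"), []))
        if not mirrored or mirrored != sorted(b["acls"].get(mb.get("acl"), [])):
            findings.append(f"crypto map {name}: access lists are not mirror images")
    if outside_ip(a) is None or outside_ip(b) is None:
        findings.append("crypto map is not applied to an interface on both routers")
    return findings


if __name__ == "__main__":
    findings = audit_pair(parse_ios(TUKWILA_CFG), parse_ios(SEATTLE_CFG))
    print("consistent" if not findings else findings)
    # A typo in the far end's key and a non-mirrored access list are both reported.
    broken = (SEATTLE_CFG.replace("vpnkey", "vpnkeyy")
              .replace("10.20.0.0 0.0.0.255 10.10.10.0", "10.20.0.0 0.0.0.255 10.30.0.0"))
    for f in audit_pair(parse_ios(TUKWILA_CFG), parse_ios(broken)):
        print("-", f)
```

Running the script against the two mirrored excerpts prints "consistent"; the deliberately broken copy of the far-end config produces one finding for the mismatched pre-shared key and one for the access list that no longer mirrors tukwila's. The parser is limited to the commands the article uses (numbered ISAKMP policies, pre-shared keys bound to an address, IPv4 extended ACL permit lines); a real audit would extend it to cover lifetimes, Diffie-Hellman groups and any other policy parameters in use.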

Use debugging to analyze VPN connection difficulties:

Router#debug crypto isakmp
This command allows you to observe Phase 1 ISAKMP negotiations.

Router#debug crypto ipsec
This command allows you to observe Phase 2 IPSec negotiations.
