Cisco Site-to-Site IPsec VPN Configuration (Step-by-Step)
Author: Giorgi kukulava
Uploaded: 2026-02-06
Views: 25
Description:
In this video, I demonstrate the complete configuration of a Site-to-Site IPsec VPN using Cisco Routers. We cover everything from basic interface settings to advanced security parameters.
What you will learn in this tutorial:
How to enable the SecurityK9 license on Cisco ISR routers.
Configuring EIGRP as the underlying routing protocol.
Setting up ISAKMP (IKE Phase 1) with AES-256 and SHA.
Configuring IPsec Transform-Sets (IKE Phase 2).
Defining "Interesting Traffic" using Access Control Lists (ACL).
Applying the Crypto Map to the WAN interface.
Network Topology:
Router 1 (R1): Local Network 172.16.1.0/24
Router 3 (R3): Local Network 172.16.3.0/24
Encryption: AES-256-bit
Hashing: SHA-1
Key Commands used:
crypto isakmp policy
crypto ipsec transform-set
crypto map
Don't forget to Like and Subscribe if this helped you with your CCNA/Network studies!
#Cisco #VPN #IPsec #Networking #CCNA #NetworkSecurity #CiscoConfiguration
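R-1
configure terminal
hostname R-1
! Enable the securityk9 package; it takes effect after the reload
license boot module c1900 technology-package securityk9
end
write memory
reload
! After the reload
configure terminal
interface GigabitEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 no shutdown
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.3
! Interesting traffic: R-1 LAN to R-2 LAN (must mirror the ACL on R-2)
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
! IKE Phase 1; group 5 (1536-bit MODP) and hash sha (SHA-1) are legacy settings, kept as in the video
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
 hash sha
 lifetime 70000
 exit
! Lab pre-shared key; it must be identical on both peers
crypto isakmp key cisco address 10.2.2.2
! IKE Phase 2
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set VPN-SET
 match address 101
! Apply the crypto map to the WAN interface once it is defined
interface GigabitEthernet0/0
 crypto map VPN-MAP
end
show crypto isakmp sa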
ISP
configure terminal
hostname ISP
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 no shutdown
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.252
 no shutdown
interface GigabitEthernet0/2
 ip address 172.16.2.1 255.255.255.0
 no shutdown
router eigrp 100
 network 10.1.1.0 0.0.0.3
 network 10.2.2.0 0.0.0.3
 network 172.16.2.0 0.0.0.255
end
R-2
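configure terminal
hostname R-2
! Enable the securityk9 package; it takes effect after the reload
license boot module c1900 technology-package securityk9
end
write memory
reload
! After the reload
configure terminal
interface GigabitEthernet0/1
 ip address 172.16.3.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/0
 ip address 10.2.2.2 255.255.255.252
 no shutdown
router eigrp 100
 network 172.16.3.0 0.0.0.255
 network 10.2.2.0 0.0.0.3
! Interesting traffic: R-2 LAN to R-1 LAN (must mirror the ACL on R-1)
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
! IKE Phase 1; group 5 (1536-bit MODP) and hash sha (SHA-1) are legacy settings, kept as in the video
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
 hash sha
 lifetime 70000
 exit
! Lab pre-shared key; it must be identical on both peers
crypto isakmp key cisco address 10.1.1.1
! IKE Phase 2
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set VPN-SET
 match address 101
! Apply the crypto map to the WAN interface once it is defined
interface GigabitEthernet0/0
 crypto map VPN-MAP
end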
show crypto isakmp sa: you will see whether the connection was established (it should read QM_IDLE).
show crypto ipsec sa: you will see how many packets were encrypted (encapsulated) and decrypted (decapsulated).
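An added example, not part of the original description: a Python check that the two peers' crypto settings agree (mirrored crypto ACLs, matching ISAKMP policy, transform-set and pre-shared key) and that flags the lab-grade choices in this configuration. The config text is a constructed excerpt of the R-1/R-2 lines above; the function names and the 20-character key floor are assumptions of this example.

```python
import re

# Constructed template: the crypto-relevant lines of the R-1/R-2 configs above.
TEMPLATE = """\
access-list 101 permit ip {lan} 0.0.0.255 {remote} 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 group 5
 hash sha
crypto isakmp key cisco address {peer}
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer {peer}
"""
R1 = TEMPLATE.format(lan="172.16.1.0", remote="172.16.3.0", peer="10.2.2.2")
R2 = TEMPLATE.format(lan="172.16.3.0", remote="172.16.1.0", peer="10.1.1.1")

def parse(cfg):  # fields that must agree (or mirror) between the two peers
    def one(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.groups() if m else ()
    return {
        "acl": one(r"^access-list 101 permit ip (\S+ \S+) (\S+ \S+)$"),
        "policy": dict(re.findall(r"^ (encryption|authentication|group|hash) (.+)$", cfg, re.M)),
        "key": one(r"^crypto isakmp key (\S+) address (\S+)$"),
        "tset": one(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer": one(r"^ set peer (\S+)$"),
    }

def check_pair(cfg_a, cfg_b):
    """Return findings that would keep the tunnel down or weaken it."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    if not a["acl"] or a["acl"] != b["acl"][::-1]:
        out.append("crypto ACLs are not mirror images")
    for field, label in (("policy", "ISAKMP policy"), ("tset", "transform-set")):
        if a[field] != b[field]:
            out.append(f"{label} mismatch")
    if a["key"][:1] != b["key"][:1]:
        out.append("pre-shared keys differ")
    for name, side in (("A", a), ("B", b)):
        if side["key"][1:] != side["peer"]:
            out.append(f"peer {name}: key address differs from 'set peer'")
    if "5" in (a["policy"].get("group"), b["policy"].get("group")):
        out.append("weak: DH group 5 (1536-bit MODP)")
    if "sha" in (a["policy"].get("hash"), b["policy"].get("hash")):
        out.append("weak: IKE hash is SHA-1")
    if any(len(k) < 20 for k in a["key"][:1] + b["key"][:1]):  # 20 is an assumed floor
        out.append("weak: short pre-shared key")
    return out
```

Run against the pair as configured, check_pair(R1, R2) reports no mismatch and returns only the three "weak:" findings. The ISAKMP lifetime is left out of the comparison on purpose.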