Setting up Site-to-site IPSEC on Cisco Packet Tracer
IPSec (Internet Protocol Security) is a VPN technology that works at the network layer. If you have used a VPN, it was very likely based on IPSec. IPSec can be set up in two modes:
- Transport Mode — End-to-end security
- Tunnel Mode — Site-to-site security
Take a company which has two branches: one in Dubai and the other in Islamabad. There is an HTTPS server in Islamabad that the employees at the Dubai branch need to connect to often. However, the information on that server is strictly confidential. We need to ensure that no one can make sense of our traffic even if they manage to sniff it.
For this, we can use an IPSec protocol called ESP (Encapsulating Security Payload), which provides not only encryption but also authentication. Let’s design our network in Packet Tracer.
Let’s move on and start creating this topology…
Setting up our network
For this tutorial, I will be assuming that you know the basics of using Cisco Packet Tracer.
Dubai Router
int g0/0
ip add 200.169.1.1 255.255.255.252
no shut
int g0/1
ip add 10.10.0.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 200.169.1.2
Islamabad Router
int g0/0
ip add 200.169.2.1 255.255.255.252
no shut
int g0/1
ip add 10.10.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 200.169.2.2
Internet Router
int g0/0
ip add 200.169.1.2 255.255.255.252
no shut
int g0/1
ip add 200.169.2.2 255.255.255.252
no shut
We will also set static IP addresses on each PC and server according to the topology diagram above. Once the network is set up, we can move on to securing it.
First things first, we need to set up security licenses on both gateway routers.
license boot module c1900 technology-package securityk9
For setting up IPSec, we will be following a sequence of 4 steps:
- Setting up access lists
- Setting up ISAKMP policy and a pre-shared key
- Setting up IPSec transformation sets
- Setting up IPSec map and assigning it to the WAN interface
Setting up access lists
The access lists tell IPSec which source and destination networks the tunnel should protect.
Dubai
access-list 100 permit ip 10.10.0.0 0.0.0.255 10.10.1.0 0.0.0.255
Islamabad
access-list 100 permit ip 10.10.1.0 0.0.0.255 10.10.0.0 0.0.0.255
Setting up ISAKMP Policy and pre-shared key
Next, we set up our ISAKMP policy and pre-share a key that both routers use to authenticate each other. We use Diffie-Hellman (group 5) for perfect forward secrecy and AES-256 for encryption, with ‘secret123’ as our pre-shared key.
Dubai
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key secret123 address 200.169.2.1
Islamabad
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
crypto isakmp key secret123 address 200.169.1.1
Setting up IPSec transformation sets
Then we set up the IPSec transform sets, where we specify the use of ESP (Encapsulating Security Payload) with AES-256 for encryption and HMAC-SHA for integrity and authentication.
Dubai
crypto ipsec transform-set dxb->isb esp-aes 256 esp-sha-hmac
Islamabad
crypto ipsec transform-set isb->dxb esp-aes 256 esp-sha-hmac
Setting up IPSec map and assigning it to the WAN interface
Finally, we need to set up a crypto map to tie everything together. The crypto map includes the remote peer’s WAN address, the lifetime of the security association, the transform set and the access list. After creating the crypto map, we assign it to the WAN interface on both site routers and our IPSec tunnel is ready.
Dubai
crypto map VPN-MAP 10 ipsec-isakmp
set peer 200.169.2.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set dxb->isb
match address 100
int g0/0
crypto map VPN-MAP
Islamabad
crypto map VPN-MAP 10 ipsec-isakmp
set peer 200.169.1.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set isb->dxb
match address 100
int g0/0
crypto map VPN-MAP
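The four steps only work when the two sites mirror each other: each router's `set peer` and ISAKMP key must point at the other's WAN address, the pre-shared key and transform set must match, and the crypto ACL on one side must be the reverse of the other's. The check below is an added example, not part of the original tutorial; it parses running-config style fragments and reports any mismatch. The `site_config` helper is a constructed stand-in for `show running-config` output, filled with the values used above.

```python
import re

def site_config(wan, lan, peer_wan, peer_lan, ts, psk="secret123"):
    """Constructed running-config fragment in the tutorial's shape (not device output)."""
    return f"""\
interface GigabitEthernet0/0
 ip address {wan} 255.255.255.252
 crypto map VPN-MAP
access-list 100 permit ip {lan} 0.0.0.255 {peer_lan} 0.0.0.255
crypto isakmp key {psk} address {peer_wan}
crypto ipsec transform-set {ts} esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer {peer_wan}
 set transform-set {ts}
 match address 100
"""

# The two sites as configured in this tutorial.
DUBAI = site_config("200.169.1.1", "10.10.0.0", "200.169.2.1", "10.10.1.0", "dxb->isb")
ISLAMABAD = site_config("200.169.2.1", "10.10.1.0", "200.169.1.1", "10.10.0.0", "isb->dxb")

def parse(cfg):
    """Pull out the values that must agree with the far side of the tunnel."""
    g = lambda pat: re.search(pat, cfg, re.M)
    wan = next(b for b in re.findall(r"^interface .*\n((?: .*\n)+)", cfg, re.M)
               if " crypto map " in b)  # the interface that carries the crypto map
    acl = g(r"^access-list (\d+) permit ip (\S+) \S+ (\S+) \S+")
    key = g(r"^crypto isakmp key (\S+) address (\S+)")
    return dict(wan=re.search(r" ip address (\S+)", wan)[1], acl_id=acl[1],
                src=acl[2], dst=acl[3], psk=key[1], key_peer=key[2],
                transform=g(r"^crypto ipsec transform-set \S+ (.+)$")[1],
                peer=g(r"^ set peer (\S+)")[1], match=g(r"^ match address (\d+)")[1])

def verify(cfg_a, cfg_b):
    """Return the mismatches between the two sites; an empty list means they mirror."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for side, other, tag in ((a, b, "A"), (b, a, "B")):
        if side["peer"] != other["wan"]:
            problems.append(f"{tag}: set peer is not the other side's WAN address")
        if side["key_peer"] != other["wan"]:
            problems.append(f"{tag}: ISAKMP key is bound to the wrong peer address")
        if side["match"] != side["acl_id"]:
            problems.append(f"{tag}: crypto map matches an ACL that is not the crypto ACL")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

A packet that the crypto ACL does not match is simply routed unencrypted via the default route, so an ACL mismatch is worth catching before the tunnel goes live.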
Now that we’re done with the IPSec configuration, we can configure our server to run an HTTPS web server.
Setting up HTTPS Server
We can see in the image below that a server exists in Islamabad. We need to configure this server to run an HTTPS web server so that the traffic is also encrypted at the application layer, on top of the IPSec tunnel.
We can click on the server, go to Services and configure HTTP to be turned off and HTTPS to be turned on.
To confirm that our HTTPS server works, we try visiting it from the browser of one of our PCs in the Dubai branch using the URL:
10.10.1.2 is the IP address of the HTTPS web server in Islamabad. After visiting, we can see the webpage successfully, which means HTTPS and IPSec are both set up properly.
Analyzing IPSec traffic
If we make a request from a PC in Dubai to our HTTPS server, we can examine all the headers in our packet.
First, we open the packet on the Dubai router to confirm that everything is visible, including the TCP header, where port 443 confirms the use of HTTPS.
However, if we observe the same packet at the Internet router, we can see that the original IP header and TCP segment are no longer visible: they have been encapsulated behind an ESP header containing the following fields:
- ESP SPI (Security Parameter Index): Stores the index for the security association
- ESP Sequence: Sequence number for IPSec communication
The other fields tell us that the ESP data has been encrypted with AES-256 and is being authenticated with SHA-HMAC. Finally, our encrypted payload is attached.
And there we have it: IPSec has been set up successfully. Now the Dubai and Islamabad branches can communicate securely with each other over the public internet!
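To make the ESP SPI and ESP Sequence fields concrete, the following is an added Python example (not from the tutorial) that builds a constructed tunnel-mode packet as the Internet router would see it, parses the parts that remain readable, and goes one step beyond the page by adding the receiver-side anti-replay window (RFC 4303) that the sequence number exists for. The ciphertext bytes are a placeholder, not real AES output; `ESP_PROTO` is the standard IP protocol number for ESP.

```python
import struct
from socket import inet_aton, inet_ntoa

ESP_PROTO = 50  # IP protocol number for ESP

def build_esp_packet(src, dst, spi, seq, ciphertext):
    """Constructed tunnel-mode packet: outer IPv4 header (protocol 50), ESP header, opaque payload."""
    total = 20 + 8 + len(ciphertext)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ESP_PROTO, 0,
                        inet_aton(src), inet_aton(dst))
    return outer + struct.pack("!II", spi, seq) + ciphertext

def inspect(pkt):
    """What a router in the middle can read: the outer IP header and, for ESP, SPI and sequence."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    info = {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "proto": proto}
    if proto != ESP_PROTO:
        return info  # plain IP: a TCP header (ports, flags) would be readable here
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    info.update(spi=spi, seq=seq, opaque_bytes=len(pkt) - ihl - 8)  # inner IP/TCP sit inside the ciphertext
    return info

class ReplayWindow:
    """Receiver-side anti-replay check on the ESP sequence number (RFC 4303 sliding bitmap)."""
    def __init__(self, size=64):
        self.size, self.top, self.bits = size, 0, 0  # bit k set => seq (top - k) already accepted
    def accept(self, seq):
        if seq == 0:
            return False  # sequence numbers start at 1
        if seq > self.top:  # newest packet so far: slide the window forward
            self.bits = ((self.bits << (seq - self.top)) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bits >> offset) & 1:
            return False  # older than the window, or a replay of an accepted packet
        self.bits |= 1 << offset
        return True
```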