
Configuring IPSec VPN on Cisco IOS

Learn how to configure a secure IPSec VPN tunnel on a Cisco IOS router. This approach is typically used for site-to-site VPN tunnels that appear as virtual wide area network connections, replacing more expensive frame relay or MPLS circuits. The companion template will help you rapidly configure IPSec tunnels on Cisco IOS devices.

Site-to-site VPN tunnels offer a cheaper and often faster alternative to frame relay or even MPLS WAN (wide area network) connections. Site-to-site VPN tunnels have no monthly carrier charges and require only an Internet connection, which can be DSL or broadband cable, both relatively cheap compared to frame relay or MPLS. Business-class static-IP DSL or cable connections under $100 a month can be used, and that's the scenario we'll cover in this article and template. We'll assume you have the basic router working and connected to the Internet. If you're not familiar with the basic setup of a Cisco router, this article on configuring the Cisco 851W and 871W can help.


Note

You can use even cheaper dynamic IP ADSL or cable service on one end of the connection so long as the other end is on a static IP address, but we'll leave that scenario for a future article.



Hardware and software requirements

All Cisco routers from the 800 to the 7600 series support IPSec with the proper software package. If you have one of the older 1700, 2600, 3600, or 7200 Cisco routers with IPSec licensing, you may use it as well. However, those routers are near end of life, and you'll pay a fortune for annual support contracts on 2600 and above routers compared to the cost of a new, inexpensive 1841 with all the newer features out of the box.

The newer 1841 router actually has faster IPSec throughput than an old 3600 series router and is less expensive than a single year's worth of Cisco SmartNet support on that old 3600 router.  You'll save even more money on future support if you go with the newer, smaller, and cheaper router.  If you have to purchase an IOS upgrade for an older router, just forget it. It's just as cheap to buy a new router.

With Cisco's older IOS packaging, you had to pick the package with the feature set you needed. The new packaging has been simplified.  Anything with the Advanced Security feature set and above will have IPSec VPN and IOS firewall capability (a detailed breakdown of Cisco IOS can be found here).  Most of the newer, smaller routers, like the 1800 and 2800 series routers, come with a minimum of the Advanced Security feature set, so you're ready to go out of the box.


How IPSec works on a Cisco router

Figure A offers a simplified view of how IPSec works on a Cisco router.  Two routers set up a virtual IPSec tunnel between each other using common algorithms and parameters.  Red traffic is traffic flowing through the router that's meant to go to the Internet and not through the VPN tunnel.  Green traffic is meant to go from one site to the other through the IPSec VPN tunnel.

Figure A


It's important to understand the flow of this process: data enters the router and is sent toward the external interface because of default-gateway routing. Once that data reaches the external interface, the router checks the source, destination, and service of the traffic against the crypto map to determine whether it belongs in the tunnel. The crypto map shown in Figure A uses an Extended ACL called "Crypto-list"; you'll see this Extended ACL used in our IPSec template.


The IPSec template for Cisco IOS

To get started with our IPSec template, you'll need to download it from here. Once you've downloaded the Excel file, fill out the yellow section on the Variables sheet. Click the Replace button and it will generate the appropriate IPSec configuration on a new sheet called IPSEC-1. You'll then need to copy and paste the configuration from Excel into the Cisco CLI (command line interface). You can copy straight from Excel into a telnet or SSH session or even the console port.
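As an added example (not the article's template output or the author's configuration), this is what one end of the site-to-site tunnel described above looks like on Cisco IOS, using the same "Crypto-list" Extended ACL and crypto map arrangement. Addresses are assumed from the documentation ranges (local LAN 192.168.1.0/24 behind 203.0.113.1, remote LAN 192.168.2.0/24 behind 198.51.100.1), the interface names Vlan1 and FastEthernet4 are assumed, and the pre-shared key is a placeholder.

```cisco
! IKE phase 1 (ISAKMP) policy: how the two routers authenticate and agree on keys
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key for the remote router's static public IP (placeholder value)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! IPSec (phase 2) transform set: ESP with AES-256 and SHA-1 HMAC, tunnel mode
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! "Crypto-list" selects the green traffic: only local LAN to remote LAN
! enters the tunnel; everything else stays red and routes to the Internet
ip access-list extended Crypto-list
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! The crypto map ties the peer, the transform set and Crypto-list together
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA
 set pfs group2
 match address Crypto-list
!
! LAN side (assumed interface name)
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Internet side (assumed interface name): the crypto map is applied here
interface FastEthernet4
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 crypto map IPSEC-MAP
!
! If the router also NATs LAN traffic to the Internet, exempt tunnel traffic
! from NAT (deny before permit) so it reaches the far LAN with private addresses
ip access-list extended NAT-list
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-list interface FastEthernet4 overload
```

The far-end router gets the mirror image of this configuration (its own addresses, the peer and ACL directions swapped). After sending traffic that matches Crypto-list, `show crypto isakmp sa` and `show crypto ipsec sa` show whether phase 1 and phase 2 came up.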

25 comments
tfigueiredo

This article is no longer any good; the link to the IPsec template is broken and now points you to a QoS template, totally useless. Find your information elsewhere!

emanuelevacca

I followed this sample, but hosts at both ends can't ping each other. The only commands I added to the configuration were the interface address settings. Maybe I have to create tunnel interfaces? Am I missing something?

alfianfms

Definitely a very good tool. It would be great if you could include NAT, as it is used in my environment when configuring VPN.

thonglv_it

I did follow the companion, but when I chose the yellow section, I couldn't use the Replace button. Please tell me how to overcome this. Thanks!

bhaskar.boruah

VPN provides the IP to the clients, but they are not able to communicate with my local area network. A huge problem is occurring because my Exchange is not connected to the VPN users.

kbardarov

It's cool!! Simple and enough to config Cisco!

morfina08

Hi... can you provide a full example of an IPsec configuration? Thanks.

Kamonye

I have tried this out, first on simulator though ...

dchikakuda

This is nice and I am looking forward to receiving more of this.

ishibaev

When a client successfully connects via the Cisco VPN client into our network from another outside network (via a Cisco 871 router), it receives the correct network parameters except the gateway... Also, the connected client can't see anything in our network: it can't ping any address inside... Where can the problem be?

ben_pillet

The "download it here" link doesn't seem to work anymore. Where can I get a copy of the Excel spreadsheet? Thanks a bunch!

jschoenstein

OK, to add complexity to this: Site A has static IPs and NAT'ed servers. Site B has dynamic IPs and another server that needs to be NAT'ed from Site A's block of IPs. I can see where traffic destined to the server at Site B reaches there, but how do I get it back across the VPN and not out the split tunnel at Site B?

aussiecoder

This spreadsheet seems to create the commands for one of the two routers. What has to be done on the router at the other end?

amann

Could not find anything at this download link. Sucks.

sachin.p.sonawane

Currently in AARGEE SYSTEMS as an (HP Compaq) desktop support engineer, and posted as a residential engineer for Infosys Technologies Pune for the last three months.

gmchenry

You need to drop the macro security level down. It's set too high by default for most macros to run.

Etienne.Letchiendjio

Please send me the configuration; I'd like to have a look at it because I'm facing the same problem.

jschein

Exactly the opposite of the original... Change the IP address. Everything else is the same. In other words, to make it simple: change the IP address and click Replace again. There is your end router config for the tunnel.

georgeou

The link is in the article, but send me a private note and I'll email you the link.

ddavis

Very Cool stuff George, Thanks! -David

nbmanoj

I would like to know in depth about the working of IPSec VPN, everything about it... how the authentication, encryption and creation of the tunnel happen.

sganesan

Hi, I downloaded the Excel sheet, but I am not able to generate the code for the IOS.

cliiff

Me neither, it doesn't work.
