Site-to-site VPN tunnels offer a cheaper and often faster alternative to
frame relay or even MPLS WAN (wide area network) connections. Site-to-site
VPN tunnels have no monthly carrier charges and require only an Internet
connection, which can be DSL or broadband cable, relatively cheap
compared to frame relay or even MPLS. Business-class static-IP DSL or
cable connections under $100 a month can be used, and that's the scenario we
will be covering in this article and template. We'll assume you already have the basic router working and connected to the Internet. If
you're not familiar with the basic setup of a Cisco router, the earlier article on
configuring the Cisco 851W and 871W can help.
You can use even cheaper dynamic IP ADSL or cable service on one end of the connection so long as the other end is on a static IP address, but we’ll leave that scenario for a future article.
Hardware and software requirements
All the Cisco routers from the 800 to 7600 series support IPSec with the
proper software package. If you have one of the older 1700, 2600, 3600, or
7200 Cisco routers with IPSec licensing, you may use it as well.
However, those routers are near the end of life, and you’ll be paying a
fortune for the annual support contracts for 2600 and above routers compared to
the cost of a new, inexpensive 1841 with all the newer features out of the box.
The newer 1841 router actually has faster IPSec throughput than an old 3600
series router and is less expensive than a single year’s worth of Cisco SmartNet
support on that old 3600 router. You’ll save even more money on future
support if you go with the newer, smaller, and cheaper router. If you have
to purchase an IOS upgrade for an older router, just forget it. It’s just
as cheap to buy a new router.
With Cisco’s older IOS packaging, you had to pick the package with the
feature set you needed. The new packaging has been simplified.
Anything with the Advanced Security feature set and above will have IPSec VPN
and IOS firewall capability (a detailed breakdown of Cisco IOS can be
found here). Most of the newer, smaller routers, like the 1800 and 2800
series routers, come with a minimum of the Advanced Security feature set, so
you’re ready to go out of the box.
How IPSec works on a Cisco router
Figure A offers a simplified view of how IPSec works on a Cisco router.
Two routers set up a virtual IPSec tunnel between each other using common
algorithms and parameters. Red traffic is traffic flowing through the
router that's meant to go to the Internet and not through the VPN tunnel.
Green traffic is meant to go from one site to the other through the IPSec VPN tunnel.
It's important to understand the flow of this process: data enters the
router on the inside interface and is sent toward the external interface by default-gateway routing, since the remote LAN needs no route of its own.
Once that data hits the external interface, the router compares the source, destination,
and service (protocol and port) of each packet against the crypto map's access list to decide whether the packet is encrypted into the tunnel (green) or leaves in the clear (red). Note that on IOS, inside-to-outside NAT is applied before that crypto map check, so site-to-site traffic must be excluded from the NAT access list or it will be translated and never match. The crypto map shown in Figure A uses an Extended ACL called "Crypto-list". You'll see this Extended ACL
used in our IPSec template.
The IPSec template for Cisco IOS
To get started with our IPSec template, you’ll need to
download it from here. Once you download
the Excel file, you need to fill out the yellow section on the
Variables sheet. Click the Replace button and it will generate the
appropriate IPSec configuration on a new sheet called IPSEC-1. Once
completed, you'll just need to copy and paste the configuration from Excel into the
Cisco CLI (command line interface) in global configuration mode. You can copy straight from Excel into
an SSH session or the console port; a telnet session works too, but it sends the pre-shared key across the network in the clear, so prefer SSH or the console.
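As an added example (not the article's Excel template and not Cisco's code), the following Python script does what the Variables sheet and the Replace button do: it takes the handful of site variables, checks them, and renders the IOS configuration, including the "Crypto-list" Extended ACL the crypto map matches on and the matching NAT exemption. The peer address, LAN subnets, interface name and pre-shared key are constructed sample values, and the `ip nat inside source` statement assumes the router's existing NAT is a simple interface overload on the outside interface; adjust both to your own router before pasting.

```python
# Added example (not the article's Excel template): render the site-to-site
# IPSec configuration the template produces from its Variables sheet, after
# checking the variables. Peer address, LAN subnets, interface name and the
# pre-shared key below are constructed sample values.
import ipaddress


def wildcard(cidr):
    """Return '<network> <wildcard>' as an IOS extended ACL line expects.

    strict=True rejects host bits in the prefix (e.g. 192.168.1.1/24), a
    common copy-paste mistake that silently produces an ACL that never matches.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"


def validate(local_lan, remote_lan, psk):
    """Refuse variable sets that would produce a tunnel that cannot pass traffic."""
    a = ipaddress.ip_network(local_lan, strict=True)
    b = ipaddress.ip_network(remote_lan, strict=True)
    if a.overlaps(b):
        raise ValueError(f"LANs {a} and {b} overlap; renumber one side")
    if len(psk) < 16:
        raise ValueError("pre-shared key too short; use 16 or more random characters")


def render_ipsec(remote_peer, local_lan, remote_lan, psk,
                 outside_if="FastEthernet4", acl="Crypto-list"):
    """Build the IOS configuration as a list of lines (join with '\n' to paste)."""
    validate(local_lan, remote_lan, psk)
    local = wildcard(local_lan)
    remote = wildcard(remote_lan)
    return [
        # Phase 1 (ISAKMP): how the two routers authenticate and agree on keys.
        # group 14 needs a 12.4(20)T or later image; older IOS offers group 5.
        "crypto isakmp policy 10",
        " encr aes 256",
        " hash sha",
        " authentication pre-share",
        " group 14",
        " lifetime 86400",
        f"crypto isakmp key {psk} address {remote_peer}",
        # Phase 2 (IPSec): how the green traffic is protected inside the tunnel.
        "crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac",
        " mode tunnel",
        # The extended ACL the crypto map matches on: green = local LAN -> remote LAN.
        f"ip access-list extended {acl}",
        f" permit ip {local} {remote}",
        # NAT runs before the crypto map on inside-to-outside traffic, so the
        # green traffic must be denied here or it is translated and never matches.
        # Assumes the existing NAT is an interface overload (sample assumption).
        "ip access-list extended NAT-list",
        f" deny   ip {local} {remote}",
        f" permit ip {local} any",
        f"ip nat inside source list NAT-list interface {outside_if} overload",
        # The crypto map ties the peer, the transform set and the ACL together.
        "crypto map VPN-MAP 10 ipsec-isakmp",
        f" set peer {remote_peer}",
        " set transform-set VPN-TS",
        f" match address {acl}",
        # Applied to the external interface, where default-gateway routing sends
        # everything; the ACL then decides red (clear) versus green (tunnel).
        f"interface {outside_if}",
        " crypto map VPN-MAP",
    ]


if __name__ == "__main__":
    print("\n".join(render_ipsec("198.51.100.2", "192.168.1.0/24",
                                 "192.168.2.0/24", "Sample-PSK-change-me-0123")))
```

Run it on the other router with the local and remote values swapped; the two outputs are mirror images, which is exactly what the template's IPSEC-1 sheet gives you for each site. The `deny` line in NAT-list must stay ahead of the `permit`, because IOS evaluates access lists top down and stops at the first match.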