Configuring IPSec VPN on Cisco IOS

Learn how to configure a secure IPSec VPN tunnel on a Cisco IOS router. This approach is typically used for site-to-site VPN tunnels, which appear as virtual wide area network connections and can replace more expensive frame relay or MPLS circuits. The companion template will help you rapidly configure IPSec tunnels on Cisco IOS devices.

Site-to-site VPN tunnels offer a cheaper and often faster alternative to frame relay or even MPLS WAN (wide area network) connections.  Site-to-site VPN tunnels have no monthly carrier charges and require only an Internet connection, which can be DSL or broadband cable, both relatively cheap compared to frame relay or MPLS.  Business-class static-IP DSL or cable connections under $100 a month can be used, and that's the scenario we will be covering in this article and template.  We'll assume you have the basic router working and connected to the Internet.  If you're not familiar with the basic setup of a Cisco router, this article on configuring the Cisco 851W and 871W can help.

You can use even cheaper dynamic-IP ADSL or cable service on one end of the connection, so long as the other end is on a static IP address, but we'll leave that scenario for a future article.

Hardware and software requirements

All Cisco routers from the 800 through the 7600 series support IPSec with the proper software package.  If you have one of the older 1700, 2600, 3600, or 7200 routers with IPSec licensing, you may use it as well.  However, those routers are near end of life, and the annual support contracts on 2600-and-above routers cost a fortune compared to a new, inexpensive 1841 that has all the newer features out of the box.

The newer 1841 router actually has higher IPSec throughput than an old 3600 series router and costs less than a single year of Cisco SmartNet support on that old 3600.  You'll save even more on future support by going with the newer, smaller, cheaper router.  If you would have to purchase an IOS upgrade for an older router, forget it: buying a new router is just as cheap.

With Cisco's older IOS packaging, you had to pick the package with the feature set you needed. The new packaging has been simplified.  Anything with the Advanced Security feature set and above will have IPSec VPN and IOS firewall capability (a detailed breakdown of Cisco IOS can be found here).  Most of the newer, smaller routers, like the 1800 and 2800 series routers, come with a minimum of the Advanced Security feature set, so you're ready to go out of the box.

How IPSec works on a Cisco router

Figure A offers a simplified view of how IPSec works on a Cisco router.  Two routers set up a virtual IPSec tunnel between each other using common algorithms and parameters.  Red traffic is traffic flowing through the router that's meant to go to the Internet and not through the VPN tunnel.  Green traffic is meant to go from one site to the other through the IPSec VPN tunnel.

Figure A

It's important to understand the flow of this process.  Data enters the router and is forwarded to the external interface by default-gateway routing.  Once that data reaches the external interface, the router checks the source, destination, and service of the traffic against the crypto map to determine whether it should be encrypted into the tunnel or sent out to the Internet in the clear.  The crypto map shown in Figure A uses an Extended ACL called "Crypto-list" for that match.  You'll see the same Extended ACL used in our IPSec template.
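As an added example (not the page's Excel template and not Cisco's own sample configuration), here is what the flow just described looks like on one side of the tunnel: an ISAKMP (IKE phase 1) policy and pre-shared key, an IPSec transform set, the "Crypto-list" Extended ACL that selects the green site-to-site traffic, and a crypto map bound to the external interface. Everything except the name Crypto-list is an assumption: the addresses use RFC 1918 and RFC 5737 documentation ranges, the interface names follow an 1841, the names VPN-MAP and VPN-TS are invented, and the pre-shared key is a placeholder. The AES-256, SHA-256, and DH group 14 values assume an IOS 15.x image; older images may only offer 3DES, SHA-1, and group 2. The NAT exemption at the end matters because IOS translates inside-to-outside traffic before the crypto map sees it, so tunnel traffic that is not excluded from NAT will never match Crypto-list.

```cisco
! ---- IKE phase 1: how the two routers authenticate and key the tunnel ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Peer address 203.0.113.2 and the key are placeholders (assumption).
crypto isakmp key REPLACE_WITH_LONG_RANDOM_KEY address 203.0.113.2
!
! ---- IKE phase 2: how the green traffic is encrypted (ESP, tunnel mode) ----
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! ---- Crypto-list: the Extended ACL from Figure A. Only traffic that matches
!      a permit line is sent through the tunnel; everything else is "red"
!      Internet traffic. Local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24
!      (assumption). Mirror the line on the remote router.
ip access-list extended Crypto-list
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ---- The crypto map ties peer, transform set and ACL together ----
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 match address Crypto-list
!
! ---- NAT exemption: deny tunnel traffic first so it reaches the crypto map
!      with its private source address; PAT everything else to the Internet.
ip access-list extended NAT-list
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-list interface FastEthernet0/0 overload
!
! ---- External (Internet) interface carries the crypto map ----
interface FastEthernet0/0
 description Internet uplink (assumed static IP 203.0.113.1)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPN-MAP
!
interface FastEthernet0/1
 description Local LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! ---- Verification after traffic has been sent across the tunnel ----
! show crypto isakmp sa        (phase 1 SA should be QM_IDLE / ACTIVE)
! show crypto ipsec sa         (encaps/decaps counters should both increase)
! show crypto map              (confirms VPN-MAP, peer and Crypto-list binding)
```

The remote router gets the mirror image: the same ISAKMP policy and transform set, the pre-shared key bound to 203.0.113.1, a Crypto-list with the source and destination networks swapped, and a crypto map whose peer is 203.0.113.1. If `show crypto ipsec sa` shows packets being encapsulated on one side but not decapsulated on the other, the first things to compare are the two Crypto-list ACLs (they must be exact mirrors) and the NAT exemption.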

The IPSec template for Cisco IOS

To get started with our IPSec template, download it from here.  Once you have the Excel file, fill out the yellow section on the Variables sheet.  Click the Replace button, and it will generate the appropriate IPSec configuration on a new sheet called IPSEC-1.  Then copy and paste that configuration from Excel into the Cisco CLI (command-line interface); you can paste straight from Excel into a telnet or SSH session, or even a console-port session.