
Virtual Private Network (VPN) – IPsec (Site-to-Site)

You are the Network Administrator at the Ranet Branch Office and have to configure the new Ranet-BR router so that your own hosts can connect to the internet and to the hosts in Headquarters ( Site-to-Site IPsec VPN as below:

(configure the Ranet-BR router via the console terminal)
1. Enable the LAN interface on Ranet-BR and set its IP address to the first assignable IP of the network.
2. Enable the WAN interface on Ranet-BR and set its IP address to the last assignable IP of the network.
3. Set the IP address on Host-BR to the last assignable IP of, and set the Gateway and DNS server IP ( also.
4. Configure the route and NAT on Ranet-BR so that the hosts in the LAN can connect to the internet (do not forget to exclude the VPN traffic from NAT).
(for NAT, use access-list no. 100 and the pool name “Ranet” containing the global IP received from the ISP as –
5. Configure the Site-to-Site IPsec VPN using the properties below:
- For IKE phase I: Policy priority 101; Encryption Alg. AES 128-bit; Hash Alg. Secure Hash Standard; Authentication method Pre-Shared Key; Diffie-Hellman group #5 and lifetime 86,400 sec. Use “ranetvpnpass” as the key. Please note that the IP address of the WAN interface of Ranet-HQ is
- For IKE phase II: Use the transform-set name “Ranet” and an ESP transform using AES with HMAC-SHA as the authentication Alg.
- Use the crypto map name “Site-to-Site” with sequence no. 101 and access-list no. 101 as the VPN traffic.
If everything is correct, Host-BR should be able to open the website http://www.ranet.co.th and ping Server-HQ in the Headquarters network.

Ranet-BR config
(copy & paste the commands below to the Ranet-BR router. IP addresses and masks are missing from this copy of the config.)
conf t
! Step 1: LAN interface (NAT inside)
int fa0/0
no sh
ip add
ip nat inside
! Step 2: WAN interface (NAT outside)
int s0/0/0
no sh
ip add
ip nat outside
! Step 4: default route to the ISP, then NAT.
! ACL 100 denies the LAN-to-HQ traffic first so that it is not translated;
! otherwise the crypto ACL (101) would never match the post-NAT source address.
ip route s0/0/0
access-list 100 deny ip
access-list 100 permit ip any
ip nat pool Ranet netmask
ip nat inside source list 100 pool Ranet overload
! Step 5: IKE phase I policy and the pre-shared key for the HQ peer
crypto isakmp policy 101
encryption aes 128
hash sha
authentication pre-share
group 5
lifetime 86400
crypto isakmp key ranetvpnpass address
! IKE phase II: ACL 101 defines the traffic to protect, the transform-set
! defines how it is protected, and the crypto map ties both to the peer
access-list 101 permit ip
crypto ipsec transform-set Ranet esp-aes esp-sha-hmac
crypto map Site-to-Site 101 ipsec-isakmp
set peer
set transform-set Ranet
match address 101
! Apply the crypto map to the WAN interface
int s0/0/0
crypto map Site-to-Site
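The step the lab warns about ("do not forget to exclude the VPN traffic") is the one most often got wrong: if the NAT ACL translates the LAN-to-HQ flow, the crypto ACL never sees the original source address and the tunnel carries nothing. The script below is an added example, not part of the lab or its solution; it parses Cisco-style numbered ACLs and checks that every flow the crypto map protects hits a deny (or no entry) in the NAT ACL before any permit. The addresses in GOOD_CONFIG are constructed RFC 1918 placeholders, not the lab's real ones, and wildcard masks are assumed contiguous.

```python
import ipaddress

# Constructed sample in the shape of the lab's Ranet-BR config. The addresses
# are placeholders for illustration (RFC 1918 ranges), not the lab's real ones.
GOOD_CONFIG = """\
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
ip nat inside source list 100 pool Ranet overload
crypto map Site-to-Site 101 ipsec-isakmp
 match address 101
"""

# Same config with the NAT exclusion forgotten: the VPN traffic is translated
# before the crypto map sees it, so access-list 101 never matches.
BAD_CONFIG = GOOD_CONFIG.replace(
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255\n", "")


def _parse_addr(tokens, i):
    """Read one ACL address spec starting at tokens[i]; return (network, next_index).
    Wildcard masks are assumed contiguous (0.0.0.255, 0.0.255.255, ...)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix = bin(~wildcard & 0xFFFFFFFF).count("1")  # wildcard is the inverted netmask
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2


def parse_acls(config):
    """Map ACL number -> ordered list of (action, src_net, dst_net) for 'ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def find_acl_refs(config):
    """Return (nat_acl_number, crypto_acl_number) referenced by the config."""
    nat = crypto = None
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat = t[5]
        elif t[:2] == ["match", "address"]:
            crypto = t[2]
    return nat, crypto


def vpn_excluded_from_nat(config):
    """Return a list of problems; an empty list means every flow the crypto ACL
    protects hits a 'deny' (or nothing) in the NAT ACL before any 'permit'."""
    acls = parse_acls(config)
    nat, crypto = find_acl_refs(config)
    if nat not in acls or crypto not in acls:
        return ["NAT ACL or crypto ACL not found in config"]
    problems = []
    for action, src, dst in acls[crypto]:
        if action != "permit":
            continue
        flow = f"{src} -> {dst}"
        for nat_action, nsrc, ndst in acls[nat]:  # first match wins, as on the router
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if nat_action == "permit":
                    problems.append(f"{flow} is NATted by 'permit ip {nsrc} {ndst}'")
                break
            if nat_action == "permit" and src.overlaps(nsrc) and dst.overlaps(ndst):
                problems.append(f"{flow} is partly NATted by 'permit ip {nsrc} {ndst}'")
                break
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, vpn_excluded_from_nat(cfg) or "VPN traffic excluded from NAT")
```

Run it against a saved `show running-config` to get the same answer the `#pkts encaps` counters in `show crypto ipsec sa` give you only after traffic has been sent: a config where the crypto ACL's flow is first matched by a NAT permit is reported before the tunnel is ever tested.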
Ranet-BR#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 101
encryption algorithm: AES – Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES – Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
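The `show crypto isakmp policy` output above lists not only the configured suite 101 but also the router's default protection suite (DES, Diffie-Hellman group 1), which still exists on the router alongside the configured policy. The script below is an added example, not part of the lab, that parses this output and flags the weak items; the threshold of DH group 14 (2048-bit) as the minimum is this example's own assumption, and the embedded text is a copy of the lab's output with the router's usual indentation.

```python
import re

# Copy of the lab's `show crypto isakmp policy` output (indentation as IOS prints it).
SHOW_ISAKMP_POLICY = """\
Global IKE policy
Protection suite of priority 101
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

MIN_DH_GROUP = 14  # assumption for this example: 2048-bit MODP; groups 1, 2 and 5 fall below it


def parse_isakmp_policies(text):
    """Return a list of dicts, one per protection suite, keyed by the lower-cased field name."""
    suites = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = {"priority": m.group(1)}
            suites.append(current)
            continue
        if line.startswith("Default protection suite"):
            current = {"priority": "default"}
            suites.append(current)
            continue
        if current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    return suites


def audit_suite(suite):
    """Return human-readable findings for one suite; empty list means nothing flagged."""
    findings = []
    enc = suite.get("encryption algorithm", "")
    if enc.startswith("DES") or "triple des" in enc.lower():
        findings.append(f"weak encryption: {enc}")
    h = suite.get("hash algorithm", "")
    if "message digest 5" in h.lower():
        findings.append(f"weak hash: {h}")
    m = re.search(r"#(\d+)", suite.get("diffie-hellman group", ""))
    if m and int(m.group(1)) < MIN_DH_GROUP:
        findings.append(f"Diffie-Hellman group {m.group(1)} is below group {MIN_DH_GROUP} (2048-bit)")
    return findings


def audit_policies(text):
    """Map suite priority ('101', 'default', ...) -> list of findings."""
    return {s["priority"]: audit_suite(s) for s in parse_isakmp_policies(text)}


if __name__ == "__main__":
    for priority, findings in audit_policies(SHOW_ISAKMP_POLICY).items():
        print(priority, findings or "ok")
```

For the lab's output this reports only the 1536-bit group 5 on suite 101, and both DES and group 1 on the default suite; the lab's requirements fix suite 101 as given, so the report is a reading aid, not a change to the exercise.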
Ranet-BR#sh crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: Site-to-Site, local addr
protected vrf: (none)
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.:, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Ranet-BR#copy run start
Destination filename [startup-config]?
Building configuration…
(Desktop > IP Configuration)
IP Address:
Subnet Mask:
Default Gateway:
DNS Server:
( Desktop > Command Prompt)
Packet Tracer PC Command Line 1.0
Pinging with 32 bytes of data:
Request timed out.
Request timed out.
Reply from bytes=32 time=32ms TTL=126
Reply from bytes=32 time=31ms TTL=126
Ping statistics for
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 32ms, Average = 31ms
(Desktop > Web Browser)
URL: http://www.ranet.co.th
Output: RANET Co.,Ltd. – Ranet Co.,Ltd. We make iT easy! :)
———————– The End ———————
Everything is OK.

You can view and download this solution here
