There may be occasions when you have offices that are geographically separated. For example, one office is in Ontario, Canada, and another office is located in Sydney, Australia. You may also have the need for both offices to share data and services privately and securely. This can be achieved by setting up what is known as a site-to-site virtual private network (VPN) between both locations, using the internet as a medium.

Using a VPN between both locations provides the simple benefit of being able to access data and services on your private networks, while encrypting and authenticating that traffic so it stays private and unaltered as it moves from one location to the other.

There are many other options available to achieve this result, yet using the omnipresent internet connection provided by the ISPs in the different geographies provides a more cost-effective solution.
You may use dedicated firewalls like Cisco ASA 5500s in both locations, or you may use ISRs or L3 switches that support the VPN functionality. There are several other solutions available, and the ultimate choice will come down to the budget available. Yes... money talks!

For this demonstration we will be using two Cisco 7200 VXR routers. The same result can be achieved on many other router models that are capable of running the Advanced Enterprise IOS security feature set (software).
Let's jump in: Both offices are already in operation with an internet connection provided by the regional ISP of choice. The edge router is doing NAT (we're still running IPv4… shocker) so the private PCs and end user devices are able to access the internet. We will now modify and add some configuration that will create our site-to-site VPN tunnel while still allowing NAT to the respective regional ISPs/internet.

[Figure: Ontario and Sydney sites will use the internet as a medium to pass encrypted traffic through a site-to-site VPN.]
We start off by creating the NAT configuration. We need to deny NAT/PAT for traffic sourced from the local network and destined for the far-end network, while allowing traffic to be NAT'd for regular internet access. We achieve this by using a route-map which matches an ACL.

The rest of the configuration sets up the IKE Phase 1 and Phase 2 tunnels that will be used to encrypt the traffic as it leaves the private network and makes its way onto the public internet. The device at the far end of the VPN tunnel, having authenticated with the same pre-shared key, will decrypt the traffic.
!!! Create ACL that will match and deny traffic from local LAN to far-end LAN
!
ip access-list extended NATACL
 deny ip 10.1.100.0 0.0.0.255 10.1.200.0 0.0.0.255
 permit ip 10.1.100.0 0.0.0.255 any
!
exit
!
!
!!! Create route-map that will match the previous ACL and be used for NAT/PAT
!
route-map NATROUTEMAP permit 10
 match ip address NATACL
!
exit
!
interface fa0/0
 ip nat outside
!
interface fa0/1
 ip nat inside
!
!
!!! Enable PAT that uses the route-map as its logic
!
ip nat inside source route-map NATROUTEMAP interface fa0/0 overload
!
!
!!!! Create the IKE Phase 1 parameters for CE-to-CE negotiation
!
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 5
 lifetime 1800
 encryption aes 128
!
exit
!
crypto isakmp key mysecretpasswordkey address x.x.x.x no-xauth
!
!
!!!! Create the ACL that will be used by IKE Phase 2
!
ip access-list extended IPSECACL
 permit ip 10.1.100.0 0.0.0.255 10.1.200.0 0.0.0.255
!
!
!!! Set up the IKE Phase 2 negotiation parameters
!
crypto ipsec transform-set ONTARIO_TO_SYDNEY_SET esp-sha-hmac esp-aes 128
crypto map ONTARIO_TO_SYDNEY_MAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ONTARIO_TO_SYDNEY_SET
 set pfs group5
 match address IPSECACL
!
exit
!
!
!!! Apply the crypto map to the egress interface of the local router
!
interface fa0/0
 crypto map ONTARIO_TO_SYDNEY_MAP
!
exit
!
This configuration will be mirrored for the SYDNEY CE router, with the ACLs and peer IP configuration adjusted for the far-end traffic and peer. Once all configurations are in order, each LAN will be able to reach the far-end networks using the internet as its medium. And importantly, that traffic will be encrypted!
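Two things have to line up when the configuration is mirrored: on each router, the flows the NAT ACL denies must be exactly the flows the crypto ACL permits (otherwise the traffic is PATed first and never matches the crypto map), and the far end's crypto ACL must be the exact source/destination reverse of the local one. The following Python checker is an added example, not part of the original post or any Cisco tooling; it parses the `ip access-list extended` blocks of two configs and verifies both conditions. The sample configs are constructed from the addressing above, with the Sydney copy deliberately missing its NAT-exemption deny line.

```python
import re

# One access-control entry inside an 'ip access-list extended' block.
ACE = re.compile(r"^\s+(permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)$")

def parse_acls(cfg):
    """Return {acl_name: [(action, src, dst), ...]} from IOS extended ACL blocks."""
    acls, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("ip access-list extended "):
            current = acls.setdefault(line.split()[-1], [])
        elif current is not None:
            m = ACE.match(line)
            if m:
                current.append(m.groups())
            elif not line.startswith(" "):
                current = None  # any other top-level command ends the block

    return acls

def nat_exemption_matches(cfg, nat_acl="NATACL", ipsec_acl="IPSECACL"):
    """True when the NAT ACL denies exactly the flows the crypto ACL protects."""
    acls = parse_acls(cfg)
    exempt = {e[1:] for e in acls.get(nat_acl, []) if e[0] == "deny"}
    protected = {e[1:] for e in acls.get(ipsec_acl, []) if e[0] == "permit"}
    return exempt == protected

def acls_mirror(cfg_local, cfg_remote, ipsec_acl="IPSECACL"):
    """True when the far end's crypto ACL is the src/dst reverse of the local one;
    asymmetric crypto ACLs are a classic cause of Phase 2 proposal failures."""
    local = {e[1:] for e in parse_acls(cfg_local).get(ipsec_acl, []) if e[0] == "permit"}
    remote = {e[1:] for e in parse_acls(cfg_remote).get(ipsec_acl, []) if e[0] == "permit"}
    return {(dst, src) for src, dst in local} == remote

# Constructed samples: the Ontario ACLs as in the post, and a Sydney mirror
# with a deliberate slip (the NAT-exemption deny line was left out).
ONTARIO = """\
ip access-list extended NATACL
 deny ip 10.1.100.0 0.0.0.255 10.1.200.0 0.0.0.255
 permit ip 10.1.100.0 0.0.0.255 any
ip access-list extended IPSECACL
 permit ip 10.1.100.0 0.0.0.255 10.1.200.0 0.0.0.255
"""
SYDNEY = """\
ip access-list extended NATACL
 permit ip 10.1.200.0 0.0.0.255 any
ip access-list extended IPSECACL
 permit ip 10.1.200.0 0.0.0.255 10.1.100.0 0.0.0.255
"""
```

Run `nat_exemption_matches` against each router's running config and `acls_mirror` against the pair before bringing the tunnel up; the Sydney sample fails the first check while still passing the mirror check.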