L2L Example

To help you better understand the setup of an L2L connection, I will show you an example. This example uses the network in Figure 19-2 for this L2L connection. In this example, two sites need to connect across the Internet using an IPSec L2L connection between two perimeter routers.

Figure 19-2. L2L Example



For this example, the IPSec policies are as follows:

  • Peers: 192.1.1.1 and 200.1.1.1

  • ISAKMP/IKE policy: 3DES for encryption, SHA for packet authentication, DH group 2 keys, lifetime of 1 hour

  • Protected traffic: Anything between 192.168.1.0/24 and 192.168.2.0/24

  • Connection method: Tunnel

  • Data transforms: ESP 3DES encryption and ESP SHA packet authentication

Example 19-15 shows RouterA's configuration.

Example 19-15. RouterA's L2L Configuration

RouterA(config)# access-list 100 permit udp host 200.1.1.1 host 192.1.1.1 eq isakmp    (1)
RouterA(config)# access-list 100 permit esp host 200.1.1.1 host 192.1.1.1
RouterA(config)# remark <--include other ACL statements for ACL 100-->
RouterA(config)# crypto isakmp policy 10                                                (2)
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption 3des
RouterA(config-isakmp)# group 2
RouterA(config-isakmp)# lifetime 3600
RouterA(config-isakmp)# exit
RouterA(config)# crypto isakmp key 123RouterL2L address 200.1.1.1                       (3)
RouterA(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  (4)
RouterA(config)# crypto ipsec transform-set RouterBtransform esp-sha-hmac esp-3des      (5)
RouterA(config)# crypto map IPSECMAP 100 ipsec-isakmp                                   (6)
RouterA(config-crypto-map)# match address 101
RouterA(config-crypto-map)# set peer 200.1.1.1
RouterA(config-crypto-map)# set transform-set RouterBtransform
RouterA(config-crypto-map)# exit
RouterA(config)# access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255    (7)
RouterA(config)# access-list 102 permit ip 192.168.1.0 0.0.0.255 any
RouterA(config)# ip nat inside source list 102 interface Ethernet1 overload             (8)
RouterA(config)# interface ethernet0
RouterA(config-if)# ip nat inside
RouterA(config-if)# exit
RouterA(config)# interface ethernet1                                                    (9)
RouterA(config-if)# ip nat outside
RouterA(config-if)# ip access-group 100 in
RouterA(config-if)# ip address 192.1.1.1
RouterA(config-if)# crypto map IPSECMAP


The following is a brief explanation of RouterA's configuration in Example 19-15, with reference to the numbering on the right side:

  1. This ACL, applied inbound on the external interface, allows ISAKMP/IKE (UDP port 500) and ESP traffic arriving from RouterB (200.1.1.1) to RouterA (192.1.1.1). You obviously need to add many more statements to this ACL to allow other types of connections.

  2. ISAKMP policy 10 defines the parameters used to secure the IKE Phase 1 management connection.

  3. Because preshared keys are used for identity authentication, the crypto isakmp key command specifies the preshared key; this must match the key value on RouterB.

  4. ACL 101 is the crypto ACL, specifying that traffic between 192.168.1.0/24 and 192.168.2.0/24 should be protected.

  5. The IKE Phase 2 data connections should be protected with ESP with SHA packet authentication and 3DES encryption.

  6. There is only one entry in the crypto map: 100. This entry specifies the traffic to be protected (ACL 101), the remote peer (200.1.1.1), and the transform set to protect the traffic (RouterBtransform).

  7. ACL 102 is used to specify when address translation is to be performed. In this example, it is disabled between 192.168.1.0/24 and 192.168.2.0/24, but it is enabled when 192.168.1.0/24 tries to reach any other Internet destination.

  8. PAT is used for address translation with ACL 102.

  9. On the interface, the protection ACL is applied (100) and the crypto map is activated (IPSECMAP).

Example 19-16 shows RouterB's configuration.

Example 19-16. RouterB's L2L Configuration

RouterB(config)# access-list 100 permit udp host 192.1.1.1 host 200.1.1.1 eq isakmp
RouterB(config)# access-list 100 permit esp host 192.1.1.1 host 200.1.1.1
RouterB(config)# remark <--include other ACL statements for ACL 100-->
RouterB(config)# crypto isakmp policy 10
RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# encryption 3des
RouterB(config-isakmp)# group 2
RouterB(config-isakmp)# lifetime 3600
RouterB(config-isakmp)# exit
RouterB(config)# crypto isakmp key 123RouterL2L address 192.1.1.1
RouterB(config)# access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
RouterB(config)# crypto ipsec transform-set RouterAtransform esp-sha-hmac esp-3des
RouterB(config)# crypto map IPSECMAP 100 ipsec-isakmp
RouterB(config-crypto-map)# match address 101
RouterB(config-crypto-map)# set peer 192.1.1.1
RouterB(config-crypto-map)# set transform-set RouterAtransform
RouterB(config-crypto-map)# exit
RouterB(config)# access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
RouterB(config)# access-list 102 permit ip 192.168.2.0 0.0.0.255 any
RouterB(config)# ip nat inside source list 102 interface Ethernet1 overload
RouterB(config)# interface ethernet0
RouterB(config-if)# ip nat inside
RouterB(config-if)# exit
RouterB(config)# interface ethernet1
RouterB(config-if)# ip nat outside
RouterB(config-if)# ip access-group 100 in
RouterB(config-if)# ip address 200.1.1.1
RouterB(config-if)# crypto map IPSECMAP


As you can see, RouterB's configuration mirrors RouterA's: the same ISAKMP policy, preshared key, and transform set are used, and only the peer address, the crypto ACL, and the NAT ACL are reversed to reflect RouterB's side of the connection.
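Because a mistake on one side of an L2L tunnel usually shows up only as a failed IKE negotiation or a packet that quietly goes out in the clear, it helps to check the two configurations against each other before loading them. The script below is an added example (not code from the book or from Cisco) that parses the crypto-related lines of two IOS configurations written the way Examples 19-15 and 19-16 are, and verifies what must line up between the peers: identical ISAKMP policy attributes, the preshared key bound to each other's address, the crypto map peer pointing at the other router, matching transform sets, and crypto ACLs that are mirror images. It also evaluates the interface ACL in the direction packets actually arrive (from the peer to the local router) and the NAT ACL, so it shows which flows are exempt from translation. The sample configuration lines are constructed from the two examples with prompts removed and continuation lines joined; only the command forms used in this chapter are understood, and the function and variable names are the example's own.

```python
# Added example (not from the book): consistency checks for a pair of IOS L2L configurations.
import ipaddress

def _addr(t, i):
    """Consume one ACL address spec at t[i]: 'any', 'host X' or 'net wildcard'."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.IPv4Network(f"{t[i]}/{mask}", strict=False), i + 2

def parse_config(text):
    """Pull the ISAKMP policy, pre-shared keys, transform sets, ACLs and crypto map out of CLI lines."""
    cfg = {"isakmp": {}, "psk": {}, "transform": {}, "acl": {}, "cmap": {}}
    for w in filter(None, map(str.split, text.splitlines())):   # tokenised, blank lines dropped
        if w[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            cfg["isakmp"][w[0]] = w[1]                 # 'crypto isakmp policy' sub-mode
        elif w[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"][w[5]] = w[3]                    # crypto isakmp key <k> address <peer>
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][w[3]] = frozenset(w[4:])
        elif w[0] == "access-list":
            cfg["acl"].setdefault(w[1], []).append(w[2:])
        elif w[:2] == ["match", "address"] or w[0] == "set":
            cfg["cmap"][w[1]] = w[2]                   # address / peer / transform-set
    return cfg

def acl_lookup(entries, proto, src, dst, dport=None):
    """First-match evaluation of an extended ACL; unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e[0] in ("permit", "deny") and e[1] in (proto, "ip"):
            s, i = _addr(e, 2)
            d, i = _addr(e, i)
            if src in s and dst in d and (i >= len(e) or e[i] != "eq" or e[i + 1] == dport):
                return e[0]
    return "deny"

def _pairs(entries):  # (source, destination) network pairs a crypto ACL permits
    return {(_addr(e, 2)[0], _addr(e, _addr(e, 2)[1])[0]) for e in entries if e[0] == "permit"}

def check_peers(a, b, a_addr, b_addr):
    """What must agree between the two routers for IKE Phase 1 and Phase 2 to succeed."""
    problems = []
    if a["isakmp"] != b["isakmp"]:
        problems.append("ISAKMP policy attributes differ")
    if not a["psk"].get(b_addr) or a["psk"][b_addr] != b["psk"].get(a_addr):
        problems.append("pre-shared keys differ or are bound to the wrong peer address")
    if (a["cmap"].get("peer"), b["cmap"].get("peer")) != (b_addr, a_addr):
        problems.append("crypto map 'set peer' does not point at the other router")
    if a["transform"][a["cmap"]["transform-set"]] != b["transform"][b["cmap"]["transform-set"]]:
        problems.append("transform sets differ")
    if {(d, s) for s, d in _pairs(a["acl"][a["cmap"]["address"]])} != _pairs(b["acl"][b["cmap"]["address"]]):
        problems.append("crypto ACLs are not mirror images of each other")
    return problems

def check_inbound_acl(cfg, acl, local, peer):
    """The ACL applied inbound on the outside interface must admit IKE (UDP/500) and ESP *from* the peer."""
    return [f"ACL {acl} drops {proto} from {peer}" for proto, port in (("udp", "isakmp"), ("esp", None))
            if acl_lookup(cfg["acl"][acl], proto, peer, local, port) != "permit"]

def nat_translated(cfg, acl, src, dst):
    """'ip nat inside source list <acl>' translates a packet only when the ACL permits it."""
    return acl_lookup(cfg["acl"][acl], "ip", src, dst) == "permit"

# Constructed samples: the crypto-related lines of each router, prompts removed, continuations joined.
ROUTER_A = """access-list 100 permit udp host 200.1.1.1 host 192.1.1.1 eq isakmp
access-list 100 permit esp host 200.1.1.1 host 192.1.1.1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 lifetime 3600
crypto isakmp key 123RouterL2L address 200.1.1.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set RouterBtransform esp-sha-hmac esp-3des
crypto map IPSECMAP 100 ipsec-isakmp
 match address 101
 set peer 200.1.1.1
 set transform-set RouterBtransform
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any"""
ROUTER_B = """access-list 100 permit udp host 192.1.1.1 host 200.1.1.1 eq isakmp
access-list 100 permit esp host 192.1.1.1 host 200.1.1.1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 lifetime 3600
crypto isakmp key 123RouterL2L address 192.1.1.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto ipsec transform-set RouterAtransform esp-sha-hmac esp-3des
crypto map IPSECMAP 100 ipsec-isakmp
 match address 101
 set peer 192.1.1.1
 set transform-set RouterAtransform"""
```

Run it with `a, b = parse_config(ROUTER_A), parse_config(ROUTER_B)` and then `check_peers(a, b, "192.1.1.1", "200.1.1.1")`, which returns an empty list for the two configurations above; `check_inbound_acl(b, "100", "200.1.1.1", "192.1.1.1")` is the check that catches the common copy-and-paste error of carrying RouterA's ACL 100 lines over to RouterB unchanged, because it evaluates the entries with RouterA as the source and RouterB as the destination, the way the packets really arrive. `nat_translated(a, "102", ...)` confirms that site-to-site traffic is exempt from PAT while traffic to any other Internet destination is translated, which is exactly what the deny/permit pair in ACL 102 is for: a packet translated before it reaches the crypto map would no longer match the crypto ACL and would leave the router unprotected.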

NOTE

If you have static translations, you need to use route maps and possibly loopback interfaces to resolve address-translation issues with the VPN. An example of this can be found at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml.