In this article I'm going to show you how to create a VPN connection with RSA keys. It takes several steps. Although there may be better ways to create an encrypted tunnel, this one is widely supported on most routers.

For this scenario I use two 7200-series routers in GNS3 v1.

First, you need an RSA key. This is very straightforward: you define an ISAKMP policy with a priority.

R2(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

As you can see, the priority can be as high as 10,000. The security association (SA) negotiation process starts with the lowest priority number and proceeds to the highest.

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#enc
R2(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).
R2(config-isakmp)#encryption aes ?
  128  128 bit keys.
  192  192 bit keys.
  256  256 bit keys.
  <cr>
R2(config-isakmp)#encryption aes 256
R2(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share ?
  <cr>
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group ?
  1   Diffie-Hellman group 1 (768 bit)
  14  Diffie-Hellman group 14 (2048 bit)
  15  Diffie-Hellman group 15 (3072 bit)
  16  Diffie-Hellman group 16 (4096 bit)
  2   Diffie-Hellman group 2 (1024 bit)
  5   Diffie-Hellman group 5 (1536 bit)
R2(config-isakmp)#group 2

I chose 256-bit AES encryption, pre-shared key authentication and Diffie-Hellman group 2. The defaults are 56-bit DES, RSA authentication and group 1.

Here is the verification command:

R2(config-isakmp)#do sh crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

You can adjust other parameters such as the lifetime. A shorter lifetime increases security because the keys are renegotiated more often, but of course it puts more load on the CPU.
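As an added example (not from the original article), here is a Python checker that parses the "show crypto isakmp policy" output shown above and flags settings below a baseline I assume here: AES encryption, a SHA-2 hash, and a Diffie-Hellman group of at least 2048 bits. The sample text is a constructed copy of the article's output.

```python
import re

# Constructed sample: the "show crypto isakmp policy" output from the article,
# one field per line as IOS prints it.
SAMPLE_POLICY = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""

def parse_policies(text):
    """Map each 'Protection suite of priority N' block to a dict of its fields."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return policies

def audit_policy(policy):
    """Return findings against the baseline assumed here: AES encryption,
    a SHA-2 hash and a Diffie-Hellman group of at least 2048 bits."""
    findings = []
    enc = policy.get("encryption algorithm", "")
    if re.search(r"\b3?DES\b", enc):   # "DES - ..." or "Three key triple DES"
        findings.append("weak encryption: " + enc)
    # IOS prints plain "Secure Hash Standard" for SHA-1; the SHA-2 variants
    # carry a "2 (N bit)" suffix.
    if policy.get("hash algorithm") == "Secure Hash Standard":
        findings.append("SHA-1 hash; prefer sha256 or stronger")
    dh = re.search(r"\((\d+) bit\)", policy.get("Diffie-Hellman group", ""))
    if dh and int(dh.group(1)) < 2048:
        findings.append("DH group below 2048 bits: " + policy["Diffie-Hellman group"])
    if "Pre-Shared Key" in policy.get("authentication method", ""):
        findings.append("pre-shared key authentication; consider rsa-sig")
    return findings

if __name__ == "__main__":
    for prio, pol in parse_policies(SAMPLE_POLICY).items():
        print("policy", prio, audit_policy(pol) or ["no findings"])
```

Against the policy above it reports the SHA-1 hash, the 1024-bit group 2 and the use of a pre-shared key; group 14 or higher would clear the DH finding.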

Now I define the key (since I used the pre-shared option):

R2(config)#crypto isakmp key VPNTUNNELPASSWORD address 10.10.12.1 no-xauth
R2(config)#crypto isak identity hostname

This is the IP address of the peer router (in my case, R1). I disabled Extended Authentication (XAuth) deliberately with the no-xauth option since I have a router on the other side. Of course the other router needs to use its hostname as its identity as well.

Here is the verification command:

R2(config)#do sh crypto isakmp key
Keyring      Hostname/Address       Preshared Key
default      10.10.12.1             VPNTUNNELPASSWORD

The ISAKMP configuration is done. Next I add a transform set for the VPN tunnel I'm about to create so that IPsec knows what to do with the matched traffic.

R2(config)#$ transform-set IPSEC_TUNNEL_TRANSFORM ah-sha-hmac esp-aes 256
R2(cfg-crypto-trans)#mode ?
  transport  transport (payload encapsulation) mode
  tunnel     tunnel (datagram encapsulation) mode
R2(cfg-crypto-trans)#mode transport

As you can see, I have chosen Authentication Header (AH) for authentication and Encapsulating Security Payload (ESP) for encapsulation. I also did not use tunnel mode (which is the default). This means I'm not interested in IP-in-IP encapsulation, because a GRE tunnel is going to be used between the routers.

Now I need a crypto map for IPSec connections that use ISAKMP.

R2(config)#crypto map IPSEC_TUNNEL 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 10.10.12.1
R2(config-crypto-map)#set transform-set IPSEC_TUNNEL_TRANSFORM
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#exit
R2(config)#
R2(config)#access-list 100 permit gre host 10.10.12.2 host 10.10.12.1

The access list matches GRE traffic between the two routers. Now here is the tunnel configuration:

R2(config)#int tunn12
R2(config-if)#ip add 12.12.12.1 255.255.255.0
R2(config-if)#tunn sour f0/0
R2(config-if)#tunn dest 10.10.12.1
R2(config-if)#ip add 12.12.12.1 255.255.255.0
R2(config-if)#ip add 12.12.12.2 255.255.255.0
R2(config-if)#
R2(config-if)#
R2(config-if)#int f0/0
R2(config-if)#crypto map IPSEC_TUNNEL
R2(config-if)#
*May 31 19:49:54.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Why did I apply the crypto map to the physical interface and not to the tunnel?

I wanted to make sure that anything going through the GRE tunnel is encrypted. Otherwise only the payload of the GRE packets would be encrypted, and that encryption would not apply to packets originated on other devices.

You can also apply an access list to the interface as a set of firewall rules so that the interface accepts only VPN-related packets.

R2(config)#access-list 101 permit gre host 10.10.12.2 host 10.10.12.1
R2(config)#access-list 101 permit esp host 10.10.12.2 host 10.10.12.1
R2(config)#access-list 101 permit udp host 10.10.12.2 host 10.10.12.1 eq isakmp
R2(config)#access-list 101 permit ahp host 10.10.12.2 host 10.10.12.1
R2(config)#access-list 101 permit eigrp any any
R2(config)#access-list 101 deny ip any any
R2(config-if)#int f0/0
R2(config-if)#ip access-gr 101 in

I added EIGRP since I wanted the routing protocol to form its adjacency. Here is the verification command:

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.12.2      10.10.12.1      MM_NO_STATE          0 ACTIVE
10.10.12.2      10.10.12.1      MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
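MM_NO_STATE in the output above means main mode has not completed, and an inbound access list that does not match the arriving packets is one of the first things to check when that persists. As an added example (not from the original article), the Python below parses the access-list 101 entries exactly as written and evaluates constructed packets against them with first-match semantics and the implicit deny; the sample entries are a constructed copy of the article's list.

```python
# Constructed copy of the inbound access list from the article.
ACL_101 = """\
access-list 101 permit gre host 10.10.12.2 host 10.10.12.1
access-list 101 permit esp host 10.10.12.2 host 10.10.12.1
access-list 101 permit udp host 10.10.12.2 host 10.10.12.1 eq isakmp
access-list 101 permit ahp host 10.10.12.2 host 10.10.12.1
access-list 101 permit eigrp any any
access-list 101 deny ip any any
"""

PORT_NAMES = {"isakmp": 500}  # IOS port keyword used in the list above

def _addr(tokens):
    """Consume 'any' or 'host X'; return (address, or None for any, rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("only 'any' and 'host' address forms are handled here")

def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port]' lines into tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:   # 'ip' matches every protocol
            continue
        if rsrc not in (None, src) or rdst not in (None, dst):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

RULES = parse_acl(ACL_101)
```

Because the list is applied inbound on R2, whose own address is 10.10.12.2 (the peer being 10.10.12.1), arriving GRE, ESP and ISAKMP packets carry 10.10.12.1 as their source, and with the entries as written only the EIGRP line matches them; packets with 10.10.12.2 as source are what these host entries permit.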

And as traffic goes through the tunnel, you see the encrypted packets:

R2#show crypto engine connections active
  ID Interface        IP-Address      State  Algorithm            Encrypt  Decrypt
   3 FastEthernet0/0  10.10.12.1      set    HMAC_SHA+AES_256_C         0        0
2000 FastEthernet0/0  10.10.12.1      set    HMAC_SHA                   0      263
2001 FastEthernet0/0  10.10.12.1      set    HMAC_SHA                 155        0
2002 FastEthernet0/0  10.10.12.1      set    AES_256_CBC                0       95
2003 FastEthernet0/0  10.10.12.1      set    AES_256_CBC              112        0