How to configure Site-to-site IPsec VPN using the Cisco Packet Tracer.

Cisco has made it possible to implement IPsec VPN on Packet Tracer by including security devices among the routers available on the platform. Now you do not need to go through the stress of getting GNS3 and having to download Cisco IOS needed to successfully run it. By selecting the right devices on Packet Tracer and with the right setup, you can successfully
simulate a site-to-site IPsec VPN in five minutes!
In this tutorial, I will share with us on how to accomplish that. You can also request the Packet Tracer file used for this demonstration by dropping your email address in the comment section of this post.

Network topology

site-to-site vpn between cisco and mikrotik routers
Network diagram showing site-to-site ipsec connection

The Cisco 2811 router was used as the Internet router, while the 1841 security router was deployed in Mumbai and Paris offices. We have a https server in Paris that needs to be securely accessed from Mumbai. To make sure that https request from Mumbai to the server in Paris remain secure, we need to set up site-to-site IPsec VPN between Mumbai and Paris.

You may also like: Connecting branch offices to the HQ using GRE tunnels

On Internet router

Router>en
Router#conf t
Router(config)#hostname Internet
Internet(config)#int s0/3/0
Internet(config-if)#clock rate 64000
Internet(config-if)#ip add 10.1.1.1 255.255.255.252
Internet(config-if)#desc connection to Mumbai
Internet(config-if)#no shut
Internet(config-if)#int s0/1/0
Internet(config-if)#clock rate 64000
Internet(config-if)#ip add 20.1.1.1 255.255.255.252
Internet(config-if)#desc connection to Paris
Internet(config-if)#no shut
Internet(config-if)#
Internet(config-if)#exit
Internet(config)#exit
Internet#
Internet#copy run start

On Mumbai router

Router>en
Router#conf t
Router(config)#hostname Mumbai
Mumbai(config)#int s0
Mumbai(config-if)#ip add 10.1.1.2 255.255.255.252
Mumbai(config-if)#desc connection to Internet
Mumbai(config-if)#no shut
Mumbai(config-if)#int f0
Mumbai(config-if)#ip add 192.168.10.1 255.255.255.0
Mumbai(config-if)#desc connection to LAN
Mumbai(config-if)#no shut
Mumbai(config-if)#exit
Mumbai(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1 name to_isp
Mumbai(config)#

On Paris Router

Router>en
Router#conf t
Router(config)#hostname Paris
Paris(config)#int s0
Paris(config-if)#ip add 20.1.1.2 255.255.255.252
Paris(config-if)#desc connection to Internet
Paris(config-if)#no shut
Paris(config-if)#int f0
Paris(config-if)#ip add 192.168.20.1 255.255.255.0
Paris(config-if)#desc connection to LAN
Paris(config-if)#no shut
Paris(config-if)#exit
Paris(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1 name to_isp
Paris(config)#

Next, is VPN configuration on the Mumbai router. First of all, set up an access-list to match the traffics to be allowed through the VPN tunnel.

Mumbai(config)#ip access-list extended VPN

Mumbai(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

Mumbai(config-ext-nacl)#exit

Mumbai(config)#

 

Now, configure IPsec VPN to use the access-list named VPN. Authentication mode is pre-share key (TimiGate). The key must be the same on both routers. See below.

Mumbai(config)#crypto isakmp policy 1

Mumbai(config-isakmp)#authentication pre-share

Mumbai(config-isakmp)#crypto isakmp key TimiGate address 20.1.1.2 (The public IP address of Paris router)

Mumbai(config-isakmp)#exit

Mumbai(config)#crypto ipsec transform-set TGSET esp-aes esp-sha-hmac

Mumbai(config)#crypto map TGMAP 1 ipsec-isakmp

Mumbai(config-crypto-map)#set peer 20.1.1.2

Mumbai(config-crypto-map)#set transform-set TGSET

Mumbai(config-crypto-map)#match address VPN

 

Finally, on the Mumbai router, we MUST apply the crypto map to the interface connecting to the ISP.

 

Mumbai(config)#int s0/1/0

Mumbai(config-if)#crypto map TGMAP

 

Now, repeat the process on the Paris router, making sure the IP address of the peer router matches the public IP address configured on the Paris router. Remember, this IP must be reachable from the Mumbai router. First, the ACL.

Paris(config)#ip access-list extended VPN

Paris(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

Paris(config-ext-nacl)#exit

Paris(config)#

Next, the VPN configuration proper.

Paris(config)#crypto isakmp policy 1

Paris(config-isakmp)#authentication pre-share

Paris(config-isakmp)#crypto isakmp key TimiGate address 10.1.1.2 (The public IP address of Paris router)

Paris(config-isakmp)#exit

Paris(config)#crypto ipsec transform-set TGSET esp-aes esp-sha-hmac

Paris(config)#crypto map TGMAP 1 ipsec-isakmp

Paris(config-crypto-map)#set peer 10.1.1.2

Paris(config-crypto-map)#set transform-set TGSET

Paris(config-crypto-map)#match address VPN

 

Finally, apply the crypto-map to the WAN interface.

 

Paris(config)#int s0/1/0

Paris(config-if)#crypto map TGMAP

 

What to note:

The IPsec VPN configuration will be  in four phases.

1.Configuration of the access-list to match allowed traffics.

2.Configuration of the authentication phase which in this case makes use of pre-share key named TimiGate.

3.Configuration of the encryption phase which in this case uses esp-aes esp-sha-hmac

4.The placement of the crypto-map on the connecting interface. This must be the interface with the public IP used in the VPN configuration.

 

Verification:

To see the status of IPSEC authentication, use the command #sh crypto ipsec sa command. See output below

IPSec vpn
Result of sh crypto ipsec sa

The show crypto isakmp sa command will show encryption status.

Result of sh crypto isakmp sa

Finally, I will try to access the server in Paris from the PC in Mumbai.

Ping result from PC0 to server0
Image showing web access to server0 from PC0

To get the packet Tracer file for this LAB, drop your email address in the comment box.

Spread the love

46 thoughts on “How to configure Site-to-site IPsec VPN using the Cisco Packet Tracer.

  • April 17, 2018 at 5:09 am
    Permalink

    Above File Required

    • April 17, 2018 at 9:52 am
      Permalink

      It has been sent. Check your mail.

    • April 8, 2019 at 3:37 am
      Permalink

      Cisco Packet Tracer File Requesting

  • April 17, 2018 at 12:33 pm
    Permalink

    Thanks for the tip. I really appreciate it. Please I need the file through my mail. Thanks a lot

    • April 17, 2018 at 2:50 pm
      Permalink

      Check your mail, it has been sent. Thanks

  • May 28, 2018 at 7:36 pm
    Permalink

    pacet traser

  • July 19, 2018 at 8:15 am
    Permalink

    packet tracer file

    • July 23, 2018 at 7:58 am
      Permalink

      Hello Kabeer, the requested file has been sent to your email.
      Regards.

  • August 5, 2018 at 4:03 pm
    Permalink

    Nice one bro. Kindly send me file j_ojo1@yahoo.com. I have also sent you a friend request via linkedin if you don’t mind.

    • August 5, 2018 at 4:35 pm
      Permalink

      File has been emailed to you. Thanks

    • August 5, 2018 at 6:25 pm
      Permalink

      The packet tracer file has sent to your email address. Thanks

  • August 6, 2018 at 12:23 am
    Permalink

    Hello Michael,
    Could you please help s3nding LAB based for Cisco Site-to-Site IPSec VPN.

    Thank you in advance.

    Best regards,
    Tamang

    • August 6, 2018 at 7:38 am
      Permalink

      Sent. Kindly follow this blog to have my posts sent directly to you via emails.

      • August 14, 2018 at 4:31 am
        Permalink

        hello,

        packet tracker file is not comptiable with packet tracker version 7.1.
        could you please send the file comptiable to 7.1?
        @ajir44@gmail.com

        thank you.

        BR,
        Tamang

        • August 14, 2018 at 7:47 am
          Permalink

          The lab was built with packet tracer 6. I will have to rebuild it in 7.1 and mail to you. Thanks.

  • August 6, 2018 at 12:27 am
    Permalink

    Please send me Lab for How to connect branch offices to the HQ using Cisco Site-to-Site IPSec VPN.

    At zafsyed@gmail.com

    Thanks in advanced.

  • August 6, 2018 at 10:44 am
    Permalink

    Please share with me

    • August 6, 2018 at 11:05 am
      Permalink

      The requested file has been mailed to you. Kindly stay up to date by subscribing to this blog, like on Facebook, follow on Twitter and subscribe to the YouTube Channel.

  • August 6, 2018 at 1:55 pm
    Permalink

    Nice lab

    • August 8, 2018 at 8:07 am
      Permalink

      The requested file has been mailed to to you. Regards.

  • September 2, 2018 at 9:43 pm
    Permalink

    Please share the file and thanks for sharing this simulation. My email is :
    juanram@hotmail.es

    • September 3, 2018 at 7:35 am
      Permalink

      The requested file has been sent to your mailbox. Thanks.

    • September 9, 2018 at 8:07 am
      Permalink

      Hello,
      File has been sent to your email.
      Thanks

  • September 9, 2018 at 7:49 am
    Permalink

    Thanks

    • September 9, 2018 at 8:06 am
      Permalink

      Hello,
      The requested file has been sent to your mail.
      Thanks

  • September 10, 2018 at 7:16 pm
    Permalink

    Gracias

  • September 12, 2018 at 6:47 am
    Permalink

    I need packet tracer file

  • September 29, 2018 at 8:33 am
    Permalink

    Wasn’t ipsec vpn taken off out of the exam… it’s not in course materials anyway plus you can implement ipsec for a long time

    • September 29, 2018 at 9:34 am
      Permalink

      IPSec vpn is core for CCNA security. However, you don’t know networking, if you don’t know how to set up site to site IPSec vpn. This is just my humble opinion.

  • October 1, 2018 at 11:02 pm
    Permalink

    Hello dear, hope you are fine. please i need your help
    i want to use your lab for a presentation in my school but i am a bit confused because they are many terms that i don’t understand like that functionality of the crypto map, of the authentication mode and all the key used.
    so if you could please write me a file where you explain every the line of your configuration, it will be very greatfull. please try and do something like that and send it to me. i really need it. please

Comments are closed.