Cisco Router and Security Device Manager 2.5 User Guide
Site-to-Site VPN

Site-to-Site VPN

Table Of Contents

Site-to-Site VPN

VPN Design Guide

Create Site to Site VPN

Site-to-Site VPN Wizard

View Defaults

VPN Connection Information

IKE Proposals

Transform Set

Traffic to Protect

Summary of the Configuration

Spoke Configuration

Secure GRE Tunnel (GRE-over-IPSec)

GRE Tunnel Information

VPN Authentication Information

Backup GRE Tunnel Information

Routing Information

Static Routing Information

Select Routing Protocol 

Summary of Configuration

Edit Site-to-Site VPN

Add new connection

Add Additional Crypto Maps

Crypto Map Wizard: Welcome

Crypto Map Wizard: Summary of the configuration

Delete Connection

Ping

Generate Mirror...

Cisco SDM Warning: NAT Rules with ACL

How Do I...

How Do I Create a VPN to More Than One Site?

After Configuring a VPN, How Do I Configure the VPN on the Peer Router?

How Do I Edit an Existing VPN Tunnel?

How Do I Confirm That My VPN Is Working?

How Do I Configure a Backup Peer for My VPN?

How Do I Accommodate Multiple Devices with Different Levels of VPN Support?

How Do I Configure a VPN on an Unsupported Interface?

How Do I Configure a VPN After I Have Configured a Firewall?

How Do I Configure NAT Passthrough for a VPN?


Site-to-Site VPN


The help topics in this section describe the Site-to-Site VPN configuration screens, and the VPN Design Guide screens.

VPN Design Guide

If you are an administrator setting up a VPN network, the VPN Design Guide helps you to determine which kind of VPN to configure. You provide information about what type of user you are, the type of equipment that the router establishes VPN connections with, the type of traffic that the VPN will carry, and other features that you need to configure. After you provide this information, the VPN Design Guide recommends a VPN type, and allows you to launch the wizard that will enable you to configure that type of VPN.

Create Site to Site VPN

A Virtual Private Network (VPN) lets you protect traffic that travels over lines that your organization may not own or control. VPNs can encrypt traffic sent over these lines and authenticate peers before any traffic is sent.

You can let Cisco Router and Security Device Manager (Cisco SDM) guide you through a simple VPN configuration by clicking the VPN icon. When you use the Wizard in the Create Site-to-Site VPN tab, Cisco SDM provides default values for some configuration parameters in order to simplify the configuration process.

If you want to learn more about VPN technology, there is background information at the link More About VPN.

Create a Site-to-Site VPN

This option allows you to create a VPN network connecting two routers.

Create a Secure GRE Tunnel (GRE-over-IPSec)

This option allows you to configure a generic routing encapsulation protocol (GRE) tunnel between your router and a peer system.

What Do You Want to Do?

If you want to:
Do this:

Configure the router as part of a VPN network connecting two routers.

When you configure a VPN network between two routers, you can control how the remote router is authenticated, how traffic is encrypted, and what traffic is encrypted.

Select Create a site-to-site VPN . Then click Launch the selected task.

Configure a GRE tunnel between your router and another router.

You may want to configure a GRE tunnel if you need to connect networks that use different LAN protocols, or if you need to send routing protocols over the connection to the remote system.

Select Create a Secure GRE tunnel (GRE-over-IPSec). Then click Launch the selected task.

Find out how to perform other VPN-related tasks that this wizard does not guide you through.

Select a topic from the following list:

How Do I View the IOS Commands I Am Sending to the Router?

How Do I Create a VPN to More Than One Site?

After Configuring a VPN, How Do I Configure the VPN on the Peer Router?

How Do I Edit an Existing VPN Tunnel?

How Do I Confirm That My VPN Is Working?

How Do I Configure a Backup Peer for My VPN?

How Do I Accommodate Multiple Devices with Different Levels of VPN Support?

How Do I Configure a VPN on an Unsupported Interface?

How Do I Configure a VPN After I Have Configured a Firewall?

How Do I Configure NAT Passthrough for a VPN?

How Do I Configure a DMVPN Manually?

Configure an Easy VPN concentrator.

Configuration instructions for Easy VPN servers and concentrators are available on www.cisco.com.

The following link provides guidelines to use when configuring a Cisco VPN 3000 series concentrator to operate with an Easy VPN Remote Phase II client, and other information which you might find useful:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800a8565.html

The following link connects you to Cisco VPN 3000 series documentation:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_getting_started_guide_book09186a00800bbe74.html


Site-to-Site VPN Wizard

You can have Cisco SDM use default settings for most of the configuration values, or you can let Cisco SDM guide you in configuring a VPN.

What do you want to do?

If you want to:
Do this:

Quickly configure a site-to-site VPN using Cisco SDM-provided defaults.

Check Quick setup, and then click Next.

Cisco SDM will automatically provide a default IKE policy to govern authentication, a default transform set to control the encryption of data, and a default IPSec rule that will encrypt all traffic between the router and the remote device.

Quick setup is best used when both the local router and the remote system are Cisco routers using Cisco SDM.

Quick setup will configure 3DES encryption if it is supported by the IOS image. Otherwise, it will configure DES encryption. If you need AES or SEAL encryption, click Step-by-step wizard.

View the default IKE policy, transform set, and IPSec rule that will be used to configure a One-step VPN.

Click View Defaults.

Configure a site-to-site VPN using parameters that you specify.

Check Step-by-Step wizard, and then click Next.

You can create a custom configuration for the VPN, and use any of the Cisco SDM defaults that you need.

Step-by-step wizard allows you to specify stronger encryption than the Quick setup wizard allows.


View Defaults

This window displays the default Internet Key Exchange (IKE) policy, transform set, and IPSec rule that Cisco SDM will use to configure a Quick Setup site-to-site VPN. If you need a different configuration than this window shows, check Step-by-Step wizard so that you can define configuration values.

VPN Connection Information

Use this window to identify the IP address or host name of the remote site that will terminate the VPN tunnel that you are configuring, to specify the router interface to use, and to enter the pre-shared key that both routers will use to authenticate each other.

Select the interface for this VPN Connection

Select the interface on this router that connects to the remote site. The router you are configuring is represented as the Local router in the Use Case Scenario diagram.

Peer Identity

Enter the IP address of the remote IP Security (IPSec) peer that will terminate the VPN tunnel you are configuring. The remote IPSec peer might be another router, a VPN concentrator, or any other gateway device that supports IPSec.

Peer(s) with dynamic IP addresses

Select this option if the peers the router connects to use dynamically assigned IP addresses.

Peer with static IP address

Select this option if the peer the router connects to uses a fixed IP address.

Enter the IP Address of the remote peer

(Enabled when Peer with static IP address is selected). Enter the IP address of the remote peer.

Authentication

Click this button if the VPN peers use a pre-shared key to authenticate connections from each other. This key must be the same on each side of the VPN connection.

Enter the pre-shared key, and then reenter it for confirmation. Exchange the pre-shared key with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message. Question marks (?) and spaces must not be used in the pre-shared key. The pre-shared key can contain a maximum of 128 characters.


Note The characters you enter for the pre-shared key are not displayed in the field as you enter them. You may find it helpful to write down the key before you enter it so that you can communicate it to the administrator of the remote system.

Pre-shared keys must be exchanged between each pair of IPSec peers that need to establish secure tunnels. This authentication method is appropriate for a stable network with a limited number of IPSec peers. It may cause scalability problems in a network with a large or increasing number of IPSec peers.


Digital Certificate

Click this button if the VPN peers will use digital certificates for authentication.


Note The router must have a digital certificate issued by a Certificate Authority to authenticate itself. If you have not configured a digital certificate for the router, go to VPN components, and use the Digital Certificate wizard to enroll for a digital certificate.


Traffic to Encrypt

If you are configuring a Quick Setup site-to-site VPN connection, you need to specify the source and destination subnets in this window.

Source

Choose the interface on the router that will be the source of the traffic on this VPN connection. All traffic coming through this interface whose destination IP address is in the subnet specified in the Destination area will be encrypted.

Details

Click this button to obtain details about the interface you selected. The details window shows any access rules, IPSec policies, Network Address Translation (NAT) rules, or Inspection rules associated with the interface. To examine any of these rules in more detail, go to Additional Tasks/ACL Editor, and examine them in the Rules windows.

Destination

IP address and Subnet Mask. Enter the IP address and subnet mask of the destination for this traffic. For more information about how to enter values in these fields, see IP Addresses and Subnet Masks.

The destination is depicted as the Remote router in the Use Case Scenario diagram in the main VPN wizard window.

IKE Proposals

This window lists all the Internet Key Exchange (IKE) policies that have been configured on the router. If no user-defined policies have been configured, the window lists the Cisco SDM default IKE policy. IKE policies govern the way that devices in a VPN authenticate themselves.

The local router will use the IKE policies listed in this window to negotiate authentication with the remote router.

The local router and the peer device must both use the same policy. The router that initiates the VPN connection offers the policy with the lowest priority number first. If the remote system rejects that policy, the local router offers the policy with the next lowest number, and continues in this fashion until the remote system accepts. You must coordinate closely with the administrator of the peer system so that you can configure identical policies on both routers.

For Easy VPN connections, IKE policies are only configured on the Easy VPN server. The Easy VPN client sends proposals, and the server responds according to its configured IKE policies.

Priority

This is the order in which the policy will be offered during negotiation.

Encryption

Cisco SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type is, the more processing time it requires.


Note Not all routers support all encryption types. Unsupported types will not appear in the screen.

Not all IOS images support all the encryption types that Cisco SDM supports. Types unsupported by the IOS image will not appear in the screen.

If hardware encryption is turned on, only those encryption types supported by hardware encryption will appear in the screen.


Cisco SDM supports the following types of encryption:

DES—Data Encryption Standard. This form of encryption supports 56-bit encryption.

3DES—Triple DES. This is a stronger form of encryption than DES, supporting 168-bit encryption.

AES-128—Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than 3DES.

AES-192—AES encryption with a 192-bit key.

AES-256—AES encryption with a 256-bit key.

Hash

The authentication algorithm to be used for the negotiation. Cisco SDM supports the following algorithms:

SHA_1—Secure Hash Algorithm. A hash algorithm used to authenticate packet data.

MD5—Message Digest 5. A hash algorithm used to authenticate packet data.

D-H Group

The Diffie-Hellman Group—Diffie-Hellman is a public-key cryptography protocol that allows two routers to establish a shared secret over an unsecure communications channel. Cisco SDM supports the following groups:

group1—D-H Group 1. 768-bit D-H Group.

group2—D-H Group 2. 1024-bit D-H Group. This group provides more security than group 1, but requires more processing time.

group5—D-H Group 5. 1536-bit D-H Group. This group provides more security than group 2, but requires more processing time.

Authentication

The authentication method to be used. The following values are supported:

PRE_SHARE—Authentication will be performed using pre-shared keys.

RSA_SIG—Authentication will be performed using digital certificates.


Note You must choose the authentication type that you specified when you identified the interfaces that the VPN connection is using.


Type

Either Cisco SDM Default or User Defined. If no User Defined policies have been created on the router, this window will show the default IKE policy.

To add or edit an IKE policy:

If you want to add an IKE policy that is not included in this list, click Add and create the policy in the window displayed. Edit an existing policy by selecting it and clicking Edit. Cisco SDM Default policies are read only, and cannot be edited.

To accept the policy list:

To accept the IKE policy list and continue, click Next.
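The ordering rule described above can be made concrete in code. The following Python model is added here for illustration and is not part of Cisco SDM or Cisco IOS: it walks an initiator's policies in priority order, reports which one a responder with its own list would accept, and flags weak attributes in the agreed policy; all policy values are constructed samples.

```python
"""Model of the IKE policy negotiation described in the IKE Proposals window.

The initiator offers its policies lowest priority number first; the responder
accepts the first offer that exactly matches one of its own policies.
Illustrative code written for this page, not part of Cisco SDM or Cisco IOS.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Choices a reviewer should flag: the page ranks DES and group1 as its
# weakest options; MD5 is included because it is a known-weak hash.
WEAK_SETTINGS = {"DES", "MD5", "group1"}


@dataclass(frozen=True)
class IkePolicy:
    priority: int        # local ordering only; lower is offered first
    encryption: str      # DES, 3DES, AES-128, AES-192, AES-256
    hash: str            # SHA_1 or MD5
    dh_group: str        # group1, group2, group5
    authentication: str  # PRE_SHARE or RSA_SIG

    def attributes(self) -> Tuple[str, str, str, str]:
        """The negotiated attributes; the priority number is never compared."""
        return (self.encryption, self.hash, self.dh_group, self.authentication)

    def matches(self, other: "IkePolicy") -> bool:
        return self.attributes() == other.attributes()

    def weak_attributes(self) -> List[str]:
        """Attributes of this policy that appear in WEAK_SETTINGS."""
        return [a for a in self.attributes() if a in WEAK_SETTINGS]


def offer_order(policies: List[IkePolicy]) -> List[IkePolicy]:
    """The order in which the initiating router offers its policies."""
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: List[IkePolicy],
              responder: List[IkePolicy]) -> Optional[IkePolicy]:
    """Return the first initiator policy the responder also has, else None.

    None means the tunnel cannot come up until both administrators
    configure an identical policy on both routers.
    """
    for offer in offer_order(initiator):
        if any(offer.matches(mine) for mine in responder):
            return offer
    return None


def negotiation_report(initiator: List[IkePolicy],
                       responder: List[IkePolicy]) -> str:
    """Human-readable outcome, including any weak attributes that were agreed."""
    chosen = negotiate(initiator, responder)
    if chosen is None:
        return "no common IKE policy: negotiation fails"
    text = (f"agreed priority {chosen.priority}: {chosen.encryption} "
            f"{chosen.hash} {chosen.dh_group} {chosen.authentication}")
    weak = chosen.weak_attributes()
    if weak:
        text += f" (weak: {', '.join(weak)})"
    return text


if __name__ == "__main__":
    # Constructed sample policies, not taken from a real router. The local
    # router lists a DES policy at the lowest number, so it is offered first.
    local = [
        IkePolicy(1, "DES", "MD5", "group1", "PRE_SHARE"),
        IkePolicy(2, "AES-128", "SHA_1", "group2", "PRE_SHARE"),
    ]
    # The remote router accepts either combination, so the weak one wins.
    remote = [
        IkePolicy(10, "AES-128", "SHA_1", "group2", "PRE_SHARE"),
        IkePolicy(20, "DES", "MD5", "group1", "PRE_SHARE"),
    ]
    print(negotiation_report(local, remote))
    # Give the AES policy the lowest number and it is agreed instead.
    reordered = [
        IkePolicy(1, "AES-128", "SHA_1", "group2", "PRE_SHARE"),
        IkePolicy(2, "DES", "MD5", "group1", "PRE_SHARE"),
    ]
    print(negotiation_report(reordered, remote))
    # A peer configured only for RSA_SIG matches nothing that is offered.
    print(negotiation_report(
        reordered, [IkePolicy(1, "AES-128", "SHA_1", "group2", "RSA_SIG")]))
```

The sample shows why the strongest policy should carry the lowest priority number: the initiator stops at the first policy both sides share, whatever its strength.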

Transform Set

This window lists the Cisco SDM-default transform sets and the additional transform sets that have been configured on this router. These transform sets will be available for use by the VPN or DMVPN. A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow. A transform describes a particular security protocol with its corresponding algorithms.

You can select only one transform set in this window, but you can associate additional transform sets to the VPN or DMVPN connection using the VPN or DMVPN Edit tabs.

Select Transform Set

Select the transform set that you want to use from this list.

Details of the Selected Transform Set

This area supplies details about the selected transform set. Not all types of encryption, authentication, and compression have to be configured; therefore, some columns may not contain values.

To learn the possible values each column may contain, click Add or Edit Transform Set.

Name

The name given to this transform set.

ESP Encryption

The type of Encapsulating Security Protocol (ESP) encryption used. If ESP encryption is not configured for this transform set, this column will be empty.

ESP Authentication

The type of ESP authentication used. If ESP authentication is not configured for this transform set, this column will be empty.

AH Authentication

The type of Authentication Header (AH) authentication used. If AH authentication is not configured for this transform set, this column will be empty.

IP Compression

If IP compression is configured for this transform set, this field contains the value COMP-LZS.


Note IP compression is not supported on all routers.


Mode

This column contains one of the following:

Transport—Encrypt data only. Transport mode is used when both endpoints support IPsec. Transport mode places the authentication header or encapsulated security payload after the original IP header; thus, only the IP payload is encrypted. This method allows users to apply network services such as quality-of-service (QoS) controls to encrypted packets.

Tunnel—Encrypt data and IP header. Tunnel mode provides stronger protection than transport mode. Because the entire IP packet is encapsulated within AH or ESP, a new IP header is attached, and the entire datagram can be encrypted. Tunnel mode allows network devices such as routers to act as an IPsec proxy for multiple VPN users.

Type

Either User Defined, or Cisco SDM Default.

What Do You Want to Do?

If you want to:
Do this:

Select a transform set for the VPN to use.

Select a transform set, and click Next.

Add a transform set to the router's configuration.

Click Add, and create the transform set in the Add Transform Set window. Then click Next to continue VPN configuration.

Edit an existing transform set.

Select a transform set, and click Edit. Then, edit the transform set in the Edit Transform Set window. After editing the transform set, click Next to continue VPN configuration. Cisco SDM Default transform sets are read only and cannot be edited.

Associate additional transform sets with this VPN.

Select one transform set in this window, and complete the VPN wizard. Then, associate other transform sets to the VPN in the Edit tab.


Traffic to Protect

This window lets you define the traffic that this VPN protects. The VPN can protect traffic between specified subnets, or protect the traffic specified in an IPSec rule that you select.

Protect All Traffic Between the Following Subnets

Use this option to specify a single source subnet (a subnet on the LAN) whose outgoing traffic you want to encrypt, and one destination subnet supported by the peer that you specified in the VPN Connection window.

All traffic flowing between other source and destination pairs will be sent unencrypted.

Source

Enter the address of the subnet whose outgoing traffic you want to protect, and specify the subnet mask. For more information, refer to Available Interface Configurations.

All traffic from this source subnet that has a destination IP address on the destination subnet will be protected.

Destination

Enter the address of the destination subnet, and specify the mask for that subnet. You can select a subnet mask from the list, or type in a custom mask. The subnet number and mask must be entered in dotted decimal format, as shown in the previous examples.

All traffic going to the hosts in this subnet will be protected.

Create/Select an access-list for IPSec traffic

Use this option if you need to specify multiple sources and destinations, and/or specific types of traffic to encrypt. An IPSec rule can consist of multiple entries, each specifying different traffic types and different sources and destinations.

Click the button next to the field, and specify an existing IPSec rule that defines the traffic you want to encrypt, or create an IPSec rule to use for this VPN. If you know the number of the IPSec rule, enter it in the box to the right. If you do not know the number of the rule, click the ... button and browse for the rule. When you select the rule, the number will appear in the box.


Note Because they can specify traffic type, and both source and destination, IPSec rules are extended rules. If you enter the number or name of a standard rule, a Warning message is displayed indicating that you have entered the name or number of a standard rule.


Any packets that do not match the criteria in the IPSec rule are sent with no encryption.

Summary of the Configuration

This window shows you the VPN or DMVPN configuration that you created. You can review the configuration in this window and use the back button to make changes if you want.

Spoke Configuration

If you have configured a DMVPN hub, you can have Cisco SDM generate a procedure that will assist you or other administrators in configuring DMVPN spokes. The procedure explains which options to select in the wizard, and what information to enter in spoke configuration windows. You can save this information to a text file that you or another administrator can use.

Test the connectivity after configuring

Click to test the VPN connection you have just configured. The results of the test will be shown in another window.

To save this configuration to the router's running configuration and leave this wizard:

Click Finish. Cisco SDM saves the configuration changes to the router's running configuration. The changes will take effect immediately, but will be lost if the router is turned off.

If you checked Preview commands before delivering to router in the Cisco SDM Preferences window, the Deliver window will appear. In this window, you can view the CLI commands that you are delivering to the router.

Spoke Configuration

This window contains information that you can use to give a spoke router a configuration that will be compatible with the DMVPN hub that you configured. It lists the windows you need to complete, giving you data that you need to enter in the window so that the spoke will be able to communicate with the hub.

It provides the following data that you need to input into the spoke configuration:

The hub's public IP address. This is the IP address of the hub interface that supports the mGRE tunnel.

The IP address of the hub's mGRE tunnel.

The subnet mask that all tunnel interfaces in the DMVPN must use.

The advanced tunnel configuration information.

The routing protocol to use, and any information associated with the protocol, such as Autonomous System number (for EIGRP), and OSPF Process ID.

The hash, encryption, DH group, and Authentication Type of the IKE policies that the hub uses, so that compatible IKE policies can be configured on the spoke.

The ESP and Mode information of the transform sets that the hub uses. If similar transform sets have not been configured on the spoke, they can be configured using this information.

Secure GRE Tunnel (GRE-over-IPSec)

Generic routing encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.

This wizard enables you to create a GRE tunnel with IPSec encryption. When you create a GRE tunnel configuration, you also create an IPSec rule that describes the endpoints of the tunnel.

GRE Tunnel Information

General GRE tunnel information is provided in this screen.

Tunnel Source

Select the interface name or the IP address of the interface that the tunnel will use. The IP address of the interface must be reachable from the other end of the tunnel; therefore, it must be a public, routable IP address. An error will be generated if you enter an IP address that is not associated with any configured interface.


Note Cisco SDM lists interfaces with static IP addresses and interfaces configured as unnumbered in the Interface list. Loopback interfaces are not included in the list.


Details

Click to obtain details about the interface that you selected. The details window shows any access rules, IPSec policies, NAT rules, or Inspection rules associated with the interface. If a NAT rule has been applied to this interface that causes the address to be unroutable, the tunnel will not operate properly. To examine any of these rules in more detail, go to Additional Tasks/ACL Editor and examine them in the Rules window.

Tunnel Destination

Enter the IP address of the interface on the remote router at the other end of the tunnel. This is the source interface from the point of view of the other end of the tunnel.

Make sure that this address is reachable by using the ping command. The ping command is available from the Tools menu. If the destination address cannot be reached, the tunnel will not be created properly.

IP Address of the GRE tunnel

Enter the IP address of the tunnel. The IP addresses of both ends of the tunnel must be in the same subnet. The tunnel is given a separate IP address so that it can be a private address, if necessary.

IP Address

Enter the IP address of the tunnel in dotted decimal format. For more information, see IP Addresses and Subnet Masks.

Subnet Mask

Enter the subnet mask for the tunnel address in dotted decimal format.

VPN Authentication Information

VPN peers use a pre-shared key to authenticate connections from each other. This key must be the same on each side of the VPN connection.

Pre-Shared Key

Click this button if the VPN peers use a pre-shared key for authentication and then enter the pre-shared key, and then reenter it for confirmation. Exchange the pre-shared key with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message. Question marks (?) and spaces must not be used in the pre-shared key.


Note The characters that you enter for the pre-shared key are not displayed in the field as you enter them. You may find it helpful to write down the key before you enter it so that you can communicate it to the administrator of the remote system.

Pre-shared keys must be exchanged between each pair of IPSec peers that need to establish secure tunnels. This authentication method is appropriate for a stable network with a limited number of IPSec peers. It may cause scalability problems in a network with a large or increasing number of IPSec peers.


Digital Certificate

Click this button if the VPN peers will use digital certificates for authentication.

The router must have a digital certificate issued by a Certificate Authority to authenticate itself. If you have not configured a digital certificate for the router, go to VPN components, and use the Digital Certificate wizard to enroll for a digital certificate.


Note If you are authenticating using digital certificates, the VPN tunnel might not be created if the CA server contacted during IKE negotiation is not configured to respond to Certificate Revocation List (CRL) requests. To correct this problem, go to the Digital Certificates page, select the configured trustpoint, and select None for Revocation.


Backup GRE Tunnel Information

You can configure a backup GRE-over-IPSec tunnel that the router can use when the primary tunnel fails. This tunnel will use the same interface that you configured for the primary tunnel, but it must be configured with the backup VPN router as the peer. If routing is configured for the primary GRE-over-IPSec tunnel, the keepalive packets that the routing protocol sends are used to verify that the tunnel is still active. If the router stops receiving keepalive packets on the primary tunnel, then traffic is sent through the backup tunnel.

Create a backup secure GRE tunnel for resilience

Check this box if you want to create a backup tunnel.

IP address of the backup GRE tunnel's destination

Enter the IP address of the interface on the remote router at the other end of the tunnel. (This is the source interface from the point of view of the other end of the tunnel.)

Make sure that this address is reachable by using the ping command. The ping command is available from the Tools menu. If the destination address specified in the Ping dialog cannot be reached, the tunnel will not be created properly.

Tunnel IP address

Enter the IP address of the tunnel. The IP addresses of both ends of the tunnel must be in the same subnet. The tunnel is given a separate IP address so that it can be a private address, if necessary.

IP Address

Enter the IP address of the tunnel in dotted decimal format. For more information, see IP Addresses and Subnet Masks.

Subnet Mask

Enter the subnet mask for the tunnel address in dotted decimal format.

Routing Information

This window enables you to configure routing for the tunneled traffic. Information that you add in this window appears in the Routing window. Changes that you make in the Routing window may affect routing of VPN traffic. Configuring routing enables you to specify the networks that will participate in the GRE-over-IPSec VPN. Additionally, if you configure a backup GRE-over-IPSec tunnel, the keepalive packets sent by routing protocols allow the router to determine whether the primary tunnel has failed.

Select a dynamic routing protocol if this router is being used in a large VPN deployment with a large number of networks in the GRE over IPSec VPN. Select static routing if a small number of networks will participate in the VPN.

EIGRP

Check this box to use the Enhanced Interior Gateway Routing Protocol (EIGRP) protocol to route traffic. Then click Next to specify which networks will participate in the GRE-over-IPSec VPN in the Routing Information window.

OSPF

Check this box to use the Open Shortest Path First protocol (OSPF) to route traffic. Then click Next to specify which networks will participate in the GRE-over-IPSec VPN in the Routing Information window.

RIP

Check this box to use the Routing Information Protocol (RIP) to route traffic. Then click Next to specify which networks will participate in the GRE-over-IPSec VPN in the Routing Information window.


Note This option is not available when you configure a backup GRE-over-IPSec tunnel.


Static Routing

Static routing can be used in smaller VPN deployments in which only a few private networks participate in the GRE-over-IPSec VPN. You can configure a static route for each remote network so that traffic destined for the remote networks will pass through the appropriate tunnels.

Static Routing Information

You can configure a static route for each remote network so that traffic destined for the remote networks will pass through the appropriate tunnels. Configure the first static route in the Static Routing Information window. If you need to configure additional static routes, you can do so in the Routing window.

Check this box if you want to specify a static route for the tunnel, and select one of the following:

Tunnel all traffic—All traffic will be routed through the tunnel interface and encrypted. Cisco SDM creates a default static route entry with the tunnel interface as the next hop.

If a default route already exists, Cisco SDM modifies that route to use the tunnel interface as the next hop, replacing the interface that was originally there, and creates a new static entry to the tunnel destination network that specifies the interface in the original default route as the next hop.

The following example assumes the network at the other end of the tunnel is 200.1.0.0, as specified in the destination network fields:

! Original entry

ip route 0.0.0.0  0.0.0.0 FE0

! Entry changed by SDM

ip route 0.0.0.0  0.0.0.0 Tunnel0

! Entry added by SDM

ip route 200.1.0.0  255.255.0.0 FE0

If no default route exists, Cisco SDM simply creates one, using the tunnel interface as the next hop. For example:

ip route 0.0.0.0  0.0.0.0 Tunnel0

Do split tunneling—Split tunneling allows traffic that is destined for the network specified in the IP Address and Network Mask fields to be encrypted and routed through the tunnel interface. All other traffic will not be encrypted. When this option is selected, Cisco SDM creates a static route to the network, using the IP address and network mask.

The following example assumes that the network address 10.2.0.0/255.255.0.0 was entered in the destination address fields:

ip route 10.2.0.0 255.255.0.0 Tunnel0

When split tunneling is selected, the IP Address and Network Mask fields appear, requiring you to enter the address and mask of the network at the other end of the tunnel. You must also ensure that the destination IP address entered in the Tunnel Destination field of the GRE Tunnel Information window is reachable. If it is not reachable, no tunnel will be established.

IP Address

Enabled with split tunneling. Enter the IP address of the network at the other end of the tunnel. Cisco SDM will create a static route entry for the packets with a destination address in that network. This field is disabled when Tunnel all traffic is selected.

The network entered here is reached through the tunnel itself. What must already be reachable, over the underlying interface, is the tunnel destination address entered in the GRE Tunnel Information window: if that address is not reachable, no tunnel is established and the static route has no usable path.

Network Mask

Enabled with split tunneling. Enter the network mask used on the network at the other end of the tunnel. This field is disabled when Tunnel all traffic is selected.
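As an added illustration, not part of the Cisco SDM guide or its generated configuration, the following Python script models how IOS chooses among the static routes shown above by longest-prefix match, for both the Tunnel all traffic and the split tunneling cases. The ip route lines are the ones shown on this page; the tunnel destination address 200.1.2.3 and the interface names are assumptions. It also shows why the route to the tunnel destination network matters: without it, the tunnel destination itself resolves to Tunnel0 and the GRE packets would be routed back into the tunnel.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, next hop or exit interface)
Route = Tuple[ipaddress.IPv4Network, str]


def parse_ip_route(line: str) -> Route:
    """Parse an IOS 'ip route PREFIX MASK NEXTHOP' line into a (network, next hop) pair."""
    parts = line.split()
    if parts[:2] != ["ip", "route"] or len(parts) < 5:
        raise ValueError(f"not an ip route command: {line!r}")
    # ipaddress accepts dotted-quad masks, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
    return ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}"), parts[4]


def build_table(config_lines: List[str]) -> List[Route]:
    """Collect the static routes from a list of configuration lines."""
    return [parse_ip_route(ln) for ln in config_lines if ln.strip().startswith("ip route")]


def lookup(table: List[Route], destination: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route decides the exit, as in IOS."""
    addr = ipaddress.IPv4Address(destination)
    best: Optional[Route] = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def tunnel_route_is_recursive(table: List[Route], tunnel_destination: str,
                              tunnel_interface: str) -> bool:
    """True when the tunnel's own destination would be forwarded into the tunnel.

    GRE-encapsulated packets are addressed to the tunnel destination; if that address
    resolves to the tunnel interface they would be encapsulated again, and IOS shuts
    the tunnel down with a recursive routing error.
    """
    return lookup(table, tunnel_destination) == tunnel_interface


# Constructed: the two routes the page shows for "Tunnel all traffic" after Cisco SDM
# rewrote the default route and added the route to the tunnel destination network.
TUNNEL_ALL = [
    "ip route 0.0.0.0 0.0.0.0 Tunnel0",
    "ip route 200.1.0.0 255.255.0.0 FE0",
]
# Constructed: the same router if only the default route had been rewritten.
TUNNEL_ALL_WITHOUT_PEER_ROUTE = ["ip route 0.0.0.0 0.0.0.0 Tunnel0"]
# Constructed: "Do split tunneling" for 10.2.0.0/16 with the original default route kept.
SPLIT = [
    "ip route 10.2.0.0 255.255.0.0 Tunnel0",
    "ip route 0.0.0.0 0.0.0.0 FE0",
]
TUNNEL_DEST = "200.1.2.3"  # assumed tunnel destination inside 200.1.0.0/16

if __name__ == "__main__":
    for name, cfg in (("tunnel all", TUNNEL_ALL), ("split", SPLIT)):
        table = build_table(cfg)
        print(name, "peer ->", lookup(table, TUNNEL_DEST),
              "| 10.2.5.6 ->", lookup(table, "10.2.5.6"),
              "| 8.8.8.8 ->", lookup(table, "8.8.8.8"))
    print("recursive without peer route:",
          tunnel_route_is_recursive(build_table(TUNNEL_ALL_WITHOUT_PEER_ROUTE),
                                    TUNNEL_DEST, "Tunnel0"))
```

Under Tunnel all traffic the peer address exits through FE0 and everything else through Tunnel0; under split tunneling only 10.2.0.0/16 enters the tunnel. The same check is useful after any manual edit of the static routes on a GRE-over-IPSec router.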

Select Routing Protocol 

Use this window to specify how other networks behind your router are advertised to the other routers in the network. Select one of the following:

EIGRP—Enhanced Interior Gateway Routing Protocol.

OSPF—Open Shortest Path First.

RIP—Routing Information Protocol.

Static Routing. This option is enabled when you are configuring a GRE over IPSec tunnel.


Note RIP is not supported for DMVPN Hub and spoke topology but is available for DMVPN Full Mesh topology.


Summary of Configuration

This screen summarizes the GRE configuration that you have completed. You can review the information in this screen and click the back button to return to any screen in which you want to make changes. If you want to save the configuration, click Finish.

GRE tunnel configuration creates an IPSec rule that specifies which hosts the GRE traffic will be allowed to flow between. This IPSec rule is displayed in the summary.

To save this configuration to the router's running configuration and leave this wizard:

Click Finish. Cisco SDM saves the configuration changes to the router's running configuration. The changes take effect immediately, but they are lost if the router is restarted unless you also save the running configuration to the startup configuration (for example, with the copy running-config startup-config command).

If you checked Preview commands before delivering to router in the Cisco SDM Preferences window, the Deliver window appears. In this window, you can view the CLI commands that you are delivering to the router.

Edit Site-to-Site VPN

Virtual Private Networks (VPNs) let you protect data between your router and a remote system by encrypting traffic so that it cannot be read by others who are using the same public network. In effect, it gives you the protection of a private network over public lines that may be used by other organizations.

Use this window to create and manage VPN connections to remote systems. You can create, edit, and delete VPN connections, and reset existing connections. You can also use this window to configure your router as an Easy VPN client with connections to one or more Easy VPN servers or concentrators.

Click the link for the part of the window for which you want help:

Site-to-Site VPN Connections

VPN connections, sometimes referred to as tunnels, are created and managed from the VPN Connections box. A VPN connection links a router interface to one or more peers specified by a crypto map defined in an IP Security (IPSec) policy. You can view, add, edit, and delete the VPN connections in this list.

Status column

The status of the connection, which is indicated by the following icons:

The connection is up.

The connection is down.

The connection is being established.


Interface

The router interface that is connected to the remote peers in this VPN connection. An interface can be associated with only one IPSec policy. The same interface will appear on multiple lines if there is more than one crypto map defined for the IPSec policy used in this connection.

Description

A short description of this connection.

IPSec Policy

The name of the IPSec policy used in this VPN connection. The IPSec policy specifies how data is encrypted, which data will be encrypted, and where data will be sent. For more information, click More about VPN Connections and IPSec Policies.

Sequence Number

The sequence number for this connection. Because an IPSec policy may be used in more than one connection, the combination of the sequence number and IPSec policy name uniquely identifies this VPN connection. The sequence number does not prioritize the VPN connection; the router will attempt to establish all configured VPN connections regardless of sequence number.

Peers

The IP addresses or host names of the devices at the other end of the VPN connection. When a connection contains multiple peers, their IP addresses or host names are separated by commas. Multiple peers might be configured to provide alternative routing paths for the VPN connection.

Transform Set

This shows the name of the transform set used by this VPN connection. Multiple transform set names are separated by commas. A transform set specifies the algorithms that will be used to encrypt data, ensure data integrity, and, optionally, compress data. Both peers must agree on a transform set, and they negotiate to determine which set they will use. Multiple transform sets may be defined to ensure that the router can offer a transform set that the negotiating peer will agree to use; list only transform sets you are willing to accept, because any set offered can be the one negotiated. The transform set is a component of the IPSec policy.

IPSec Rule

The rule that determines which traffic should be encrypted on this connection. The IPSec rule is a component of the IPSec Policy.

Type

One of the following:

Static—This is a static site-to-site VPN tunnel. The VPN tunnel uses static crypto maps.

Dynamic—This is a dynamic site-to-site VPN tunnel. The VPN tunnel uses dynamic crypto maps.

Add Button

Click to add a VPN connection.

Delete Button

Click to delete the selected VPN connection.

Test Tunnel... Button

Click to test the selected VPN tunnel. The results of the test are shown in another window.

Clear Connection Button

Click to reset an established connection to a remote peer. This button is disabled if you have selected a dynamic site-to-site VPN tunnel.

Generate Mirror... Button

Click to create a text file that captures the VPN configuration of the local router so that a remote router can be given a VPN configuration that enables it to establish a VPN connection to the local router. This button is disabled if you have selected a dynamic site-to-site VPN tunnel.


Note Any previously configured VPN connections detected by Cisco SDM that do not use ISAKMP crypto maps will appear as read-only entries in the VPN connection table and cannot be edited.


Add new connection

Use this window to add a new VPN connection between the local router and a remote system, referred to as a peer. You create the VPN connection by associating an IPSec policy with an interface.

To create a VPN connection:


Step 1 Select the interface you want to use for the VPN from the Select Interface list. Only interfaces that are not used in other VPN connections are shown in this list.

Step 2 Select a policy from the Choose IPSec Policy list. Click OK to return to the VPN Connections window.


Add Additional Crypto Maps

Use this window to add a new crypto map to an existing IPSec policy. This window shows the interface associated with the VPN connection that you selected in the VPN Connections window, the IPSec policy associated with it, and the crypto maps that the policy already contains.

The crypto map specifies a sequence number, the peer device at the other end of the connection, the set of transforms that encrypt the traffic, and the IPSec rule that determines which traffic is encrypted.


Note Adding a crypto map to an existing IPSec policy is the only way to add a VPN tunnel to an interface that is already being used in an existing VPN connection.


Interface

This is the interface used in this VPN connection.

IPSec Policy

This is the name of the IPSec policy controlling the VPN connection. The crypto maps making up the IPSec policy are shown in the list below this field. For more information, click More about VPN Connections and IPSec Policies.

What Do You Want to Do?

If you want to:
Do this:

Configure the crypto map yourself.

Click Add New Crypto Map and use the Add Crypto Map window to create the new crypto map. Click OK when you are finished. Then click OK in this window.

Have Cisco Router and Security Device Manager (Cisco SDM) help you add a new crypto map to this connection.

Check the Use Add Wizard box, and click OK. Cisco SDM will guide you in creating a new crypto map, and will associate it with the IPSec policy.


Crypto Map Wizard: Welcome

This wizard will guide you through the creation of a crypto map. A crypto map specifies the peer devices at the other end of the VPN connection, defines how traffic will be encrypted, and identifies which traffic will be encrypted.

Click Next to begin creating a crypto map.

Crypto Map Wizard: Summary of the configuration

The Crypto Map wizard summary page displays the data you entered in the wizard windows. You can review it, click Back to return to a screen and make changes, and then return to the Summary window and click Finish to deliver the crypto map configuration to the router.

Delete Connection

Use this window to delete a VPN tunnel, or simply to disassociate it from an interface but preserve the definition for future use.

Delete the crypto map with sequence number n from IPSec policy policy name

Click this button, and then click OK to remove the VPN tunnel definition. The associations created between the interface, IPSec policy, and peer devices will be lost when you do this. If more than one interface has been associated with this tunnel definition, those associations are deleted as well.

Delete the dynamic crypto map with sequence number n from the dynamic crypto map set set name

This button is shown if you selected a dynamic site-to-site VPN tunnel. Click this button, and then click OK to remove the VPN tunnel definition. The associations created between the interface, IPSec policy, and peer devices will be lost when you do this. If more than one interface has been associated with this tunnel definition, those associations are deleted as well.

Disassociate the IPSec policy policy name from the interface interface name, and keep the IPSec policy for possible future reuse

Click this button, and then click OK to retain the tunnel definition but remove its association with the interface. You will be able to associate this definition with another router interface if you wish.

Ping

You can ping a peer device in this window. You can select both the source and destination of the ping operation. You may want to ping a remote peer after you reset a VPN tunnel.

Source

Select or enter the IP address where you want the ping to originate. If the address you want to use is not in the list, you can enter a different one in the field. The ping can originate from any interface on the router. By default, the ping command originates from the outside interface with the connection to the remote device.

Destination

Select the IP address that you want to ping. If the address you want to use is not in the list, you can enter a different one in the field.

To ping a remote peer:

Specify the source and destination, and click Ping. You can read the output of the ping command to determine whether the ping was successful.

To clear the output of the ping command:

Click Clear.

Generate Mirror...

This window shows you the IPSec policy used for the VPN tunnel to the selected peer, and allows you to save the policy in a text file that you can use when configuring the VPN connection on the peer device.

Peer Device

Select the IP address or host name of the peer device to see the IPSec policy configured for the tunnel to that device. The policy appears in the box under the peer IP address.

To create a text file of the IPSec policy:

Click Save, and specify a name and location for the text file. You can give this text file to the administrator of the peer device so that he or she can create a policy that mirrors the one you created on the router. Click After Configuring a VPN, How Do I Configure the VPN on the Peer Router? to learn how to use the text file to create a mirror policy.


Caution The text file that you generate must not be copied into the configuration file of the remote system, but must be used only to show what has been configured on the local router so that the remote device can be configured in a way that is compatible. Identical names for IPSec policies, IKE policies, and transform sets may be used on the remote router, but the policies and transform sets may be different. If the text file is simply copied into the remote configuration file, configuration errors are likely to result.

Cisco SDM Warning: NAT Rules with ACL

This window appears when you are configuring a VPN using interfaces with associated NAT rules that use Access rules. This type of NAT rule can change IP addresses in packets before the packets leave or enter the LAN, and a NAT rule will prevent VPN connections from functioning properly if it changes source IP addresses so that they don't match the IPSec rule configured for the VPN. To prevent this from happening, Cisco SDM can convert these to NAT rules that use route maps. Route maps specify subnets that should not be translated.

The window shows the NAT rules that have to be changed to ensure the VPN connection functions properly.

Original Address

The IP address that NAT will translate.

Translated Address

The IP address that NAT will substitute for the original address.

Rule Type

The type of NAT rule, either Static or Dynamic.

To make the listed NAT rules use route maps:

Click OK.

How Do I...

This section contains procedures for tasks that the wizard does not help you complete.

How Do I Create a VPN to More Than One Site?

You can use Cisco SDM to create multiple VPN tunnels on one interface on your router. Each VPN tunnel will connect the selected interface on your router to a different subnet at the destination router. You can configure multiple VPN tunnels to connect to the same interface but to different subnets on the destination router, or you can configure multiple VPN tunnels that will connect to different interfaces on the destination router.

First, you must create the initial VPN tunnel. The steps below describe how to create the initial VPN tunnel. If you have already created your first VPN tunnel and need to add an additional tunnel to the same interface, skip the first procedure and perform the steps in the next procedure in this help topic.

Create the initial VPN tunnel:


Step 1 From the left frame, select VPN.

Step 2 Select Create a Site-to-Site VPN .

Step 3 Click Launch the Selected Task.

The VPN Wizard starts.

Step 4 Click Quick Setup.

Step 5 Click Next>.

Step 6 From the Select the Router Interface for this VPN Connection field, choose the interface on the source router on which to create the VPN tunnel. This is the interface connected to the Internet on the Local system in the Use Case Scenario diagram.

Step 7 In the Peer Identity field, enter the IP address of the destination router interface.

Step 8 In the Authentication fields, enter and reenter the pre-shared key that the two VPN peers will use.

Step 9 In the Source field, select the interface that connects to the subnet whose IP traffic you want to protect. This is the Local router in the Use Case Scenario diagram, and is usually an interface connected to the LAN.

Step 10 In the Destination fields, enter the IP address and subnet mask of the destination router.

Step 11 Click Next>.

Step 12 Click Finish.


Create an Additional Tunnel from the Same Source Interface

After you have created the initial VPN tunnel, follow these steps to create an additional tunnel from the same source interface to a different destination interface or destination subnet:


Step 1 From the left frame, select VPN.

Step 2 Select Create a Site-to-Site VPN.

Step 3 Click Launch the Selected Task.

The VPN Wizard starts.

Step 4 Click Quick Setup.

Step 5 Click Next>.

Step 6 From the Select the Router Interface for this VPN Connection field, choose the same interface that you used to create the initial VPN connection.

Step 7 In the Peer Identity field, enter the IP address of the destination router interface. You can enter the same IP address that you entered when you created the initial VPN connection. This indicates that this second VPN connection should use the same interface on the destination router as the initial VPN connection. If you do not want both VPN connections to connect to the same destination interface, enter the IP address of a different interface on the destination router.

Step 8 In the Authentication fields, enter and reenter the pre-shared key that the two VPN peers will use.

Step 9 In the Source field, select the same interface used to create the initial VPN connection.

Step 10 In the Destination fields, you have the following options:

If, in the Peer Identity field, you entered the IP address of a different interface on the destination router and want to protect the IP traffic coming from a specific subnet, enter the IP address and subnet mask of that subnet in the appropriate fields.

If you entered the same IP address in the Peer Identity field as you used for the initial VPN connection, indicating that this VPN tunnel will use the same router interface as the initial VPN tunnel, then enter the IP address and subnet mask of the new subnet that you want to protect in the appropriate fields.

Step 11 Click Next>.

Step 12 Click Finish.


After Configuring a VPN, How Do I Configure the VPN on the Peer Router?

Cisco SDM generates VPN configurations on your router. Cisco SDM includes a function that will generate a text file of the configuration that can be used as a template to create a VPN configuration for the peer router to which your VPN tunnel connects. This text file can only be used as a template that shows you which commands need to be configured. It cannot be used without editing because it contains information that is only correct for the local router you configured.

To generate a template configuration for the peer VPN router:


Step 1 From the left frame, select VPN.

Step 2 Select Site-to-Site VPN in the VPN tree, and then click the Edit tab.

Step 3 Select the VPN connection that you want to use as a template, and click Generate Mirror.

Cisco SDM displays the Generate Mirror screen.

Step 4 From the Peer Device field, select the IP address of the peer device for which you want to generate a suggested configuration.

The suggested configuration for the peer device appears on the Generate Mirror screen.

Step 5 Click Save to display the Windows Save File dialog box, and save the file.


Caution Do not apply the mirror configuration to the peer device without editing! This configuration is a template that requires additional manual configuration. Use it only as a starting point to build the configuration for the VPN peer.

Step 6 After saving the file, use a text editor to make any needed changes to the template configuration. These are some commands that may need editing:

The peer IP address command(s)

The transform policy command(s)

The crypto map IP address command(s)

The ACL command(s)

The interface ip address command(s)

Step 7 After you have finished editing the peer configuration file, deliver it to the peer router using a TFTP server.
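The following Python script, added here as an illustration and not Cisco SDM's Generate Mirror code, shows what "mirroring" means for the caution in the Generate Mirror topic and for the edits listed in Step 6: the peer address, the ISAKMP key's address and the crypto ACL are swapped, while the transform set, the crypto map structure and the match address reference carry over unchanged. The local configuration is a constructed sample in the shape Cisco SDM generates for a static tunnel; the addresses, the names and the PSK-PLACEHOLDER key are assumptions. The last function reports the mismatch that results from copying the file to the peer without editing it.

```python
import re
from typing import List

# Constructed local configuration (assumed addresses, names and key placeholder).
LOCAL_CONFIG = """\
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 match address 100
access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
interface FastEthernet0
 ip address 198.51.100.1 255.255.255.0
 crypto map SDM_CMAP_1
"""

# Numbered extended ACL entries of the form Cisco SDM writes for the IPSec rule.
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def outside_address(lines: List[str]) -> str:
    """Address of the interface that carries the crypto map; the peer must 'set peer' to it."""
    current_ip = None
    for ln in lines:
        if ln.startswith("interface "):
            current_ip = None
        elif ln.startswith(" ip address "):
            current_ip = ln.split()[2]
        elif ln.startswith(" crypto map ") and current_ip:
            return current_ip
    raise ValueError("no interface with a crypto map applied")


def reverse_acl_line(line: str) -> str:
    """Swap source and destination: what we send to the peer is what the peer receives from us."""
    num, action, src, swc, dst, dwc = ACL_RE.match(line).groups()
    return f"access-list {num} {action} ip {dst} {dwc} {src} {swc}"


def mirror_config(config: str) -> List[str]:
    """Produce the peer-side template for a local configuration."""
    lines = config.splitlines()
    local = outside_address(lines)
    out = ["! Mirror for the peer router: review every line before applying it"]
    for ln in lines:
        if ACL_RE.match(ln):
            out.append(reverse_acl_line(ln))
        elif ln.startswith(" set peer "):
            out.append(f" set peer {local}")       # the peer's peer is this router
        elif ln.startswith("crypto isakmp key "):
            parts = ln.split()                      # same key, bound to this router's address
            parts[parts.index("address") + 1] = local
            out.append(" ".join(parts))
        elif ln.startswith("interface "):
            out.append("! interface <peer outside interface>")
        elif ln.startswith(" ip address "):
            out.append("! ip address <peer outside address> <mask>")
        else:
            out.append(ln)                          # transform set, map name, match address carry over
    return out


def mismatched_acl_entries(local_config: str, peer_config: str) -> List[str]:
    """Local IPSec rule entries with no mirror image on the peer.

    A non-empty result means the two IPSec rules disagree, so no IPSec SA can be
    negotiated for those flows; this is what copying the file unchanged produces.
    """
    peer_entries = {ln for ln in peer_config.splitlines() if ACL_RE.match(ln)}
    return [ln for ln in local_config.splitlines()
            if ACL_RE.match(ln) and reverse_acl_line(ln) not in peer_entries]


if __name__ == "__main__":
    print("\n".join(mirror_config(LOCAL_CONFIG)))
    print("unchanged copy mismatches:", mismatched_acl_entries(LOCAL_CONFIG, LOCAL_CONFIG))
```

The generated template still needs the peer administrator's own interface name, address and mask, exactly as Step 6 says; the point of the script is that the crypto ACL and the peer addresses must be reversed rather than reused.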


How Do I Edit an Existing VPN Tunnel?

To edit an existing VPN tunnel:


Step 1 From the left frame, select VPN.

Step 2 Select Site-to-Site VPN in the VPN tree, and then click the Edit tab.

Step 3 Click the connection that you want to edit.

Step 4 Click Add.

Step 5 Select Static crypto maps to <policy name>

Step 6 In the Add static crypto maps window, you can add more crypto maps to the VPN connection.

Step 7 If you need to modify any of the components of the connection, such as the IPSec policy or the existing crypto map, note the names of those components in the VPN window, and go to the appropriate windows under VPN Components to make changes.


How Do I Confirm That My VPN Is Working?

You can verify that your VPN connection is working by using the Monitor mode in Cisco SDM. If your VPN connection is working, Monitor mode displays the VPN connection by identifying the source and destination peer IP addresses. Depending on whether you view the connection's IPSec tunnel or its Internet Key Exchange (IKE) security association (SA), Monitor mode displays the number of packets transferred across the connection or the current state of the SA. To display the current information about a VPN connection:


Step 1 From the toolbar, select Monitor Mode.

Step 2 From the left frame, select VPN Status.

Step 3 From the Select A Category field, select whether to view information for IPSec tunnels or IKE SAs.

Each configured VPN connection will appear as a row on the screen.

If you are viewing IPSec tunnel information, you can verify the following information to determine that your VPN connection is working:

The local and remote peer IP addresses are correct, indicating that the VPN connection is between the correct sites and router interfaces.

The tunnel status is "up." If the tunnel status is "down" or "administratively down," then the VPN connection is not active.

The number of encapsulated and decapsulated packets is not zero, indicating that data has been transferred in both directions, and the send and receive error counts are low. A non-zero encapsulation count with a zero decapsulation count means traffic leaves but nothing returns, which commonly indicates a mismatch between the two routers' IPSec rules or a routing problem at the peer.

If you are viewing IKE SA information, you can verify that your VPN connection is working by verifying that the source and destination IP addresses are correct and that the state is "QM_IDLE," which indicates that the IKE SA has been authenticated and established and that IPSec SAs can be negotiated over it. QM_IDLE alone does not prove that data is flowing; check the IPSec tunnel counters as well.
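As an added example, not part of Cisco SDM or this guide, the following Python script applies the checks above to constructed sample output of the IOS commands show crypto isakmp sa and show crypto ipsec sa, which report the same IKE SA state and IPSec tunnel counters that Monitor mode displays. The addresses, counter values and the one-percent error threshold are assumptions; the second sample reproduces the one-way case in which the IKE SA is up but nothing is decapsulated.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output of 'show crypto isakmp sa' (addresses are assumptions).
ISAKMP_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1001 ACTIVE
"""

# Constructed sample output of 'show crypto ipsec sa', reduced to the lines used here.
IPSEC_OK = """\
interface: FastEthernet0
    Crypto map tag: SDM_CMAP_1, local addr 198.51.100.1

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.2 port 500
    #pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250
    #pkts decaps: 1184, #pkts decrypt: 1184, #pkts verify: 1184
    #send errors 0, #recv errors 0
"""

# Constructed: IKE is up but nothing ever comes back through the tunnel.
IPSEC_ONE_WAY = IPSEC_OK.replace(
    "#pkts decaps: 1184, #pkts decrypt: 1184, #pkts verify: 1184",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

IKE_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)")
COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors)[: ]+(\d+)")


def parse_isakmp(text: str) -> List[Dict[str, str]]:
    """One dict per IKE SA row; header and banner lines do not match the row pattern."""
    rows = []
    for ln in text.splitlines():
        m = IKE_ROW.match(ln)
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": conn_id, "status": status})
    return rows


def parse_ipsec_counters(text: str) -> Dict[str, int]:
    """Pick the encaps/decaps and error counters out of the IPSec SA display."""
    return {name: int(value) for name, value in COUNTER.findall(text)}


def check_tunnel(isakmp_text: str, ipsec_text: str, peer: str,
                 max_error_ratio: float = 0.01) -> Tuple[bool, List[str]]:
    """Apply the page's checks: a QM_IDLE IKE SA with the expected peer, traffic in
    both directions, and an error rate below max_error_ratio (the threshold is an
    assumption, not a Cisco value). Returns (healthy, list of problems)."""
    problems: List[str] = []
    ike = [r for r in parse_isakmp(isakmp_text) if peer in (r["dst"], r["src"])]
    if not ike:
        problems.append(f"no IKE SA with peer {peer}")
    elif ike[0]["state"] != "QM_IDLE":
        problems.append(f"IKE SA state is {ike[0]['state']}, not QM_IDLE")
    counters = parse_ipsec_counters(ipsec_text)
    encaps = counters.get("pkts encaps", 0)
    decaps = counters.get("pkts decaps", 0)
    if encaps == 0:
        problems.append("no packets encapsulated: nothing is being sent into the tunnel")
    if decaps == 0:
        problems.append("no packets decapsulated: nothing returns (check the peer's IPSec rule)")
    errors = counters.get("send errors", 0) + counters.get("recv errors", 0)
    if errors > max_error_ratio * max(encaps + decaps, 1):
        problems.append(f"{errors} send/receive errors")
    return (not problems), problems


if __name__ == "__main__":
    print(check_tunnel(ISAKMP_OK, IPSEC_OK, "203.0.113.2"))
    print(check_tunnel(ISAKMP_OK, IPSEC_ONE_WAY, "203.0.113.2"))
```

Run against the real command output, the same function turns the manual checklist in this topic into a repeatable health check; on older IOS releases the ISAKMP table has an extra slot column, so the row pattern would need one more field.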


How Do I Configure a Backup Peer for My VPN?

To configure multiple VPN peers inside a single crypto map:


Step 1 From the left frame, select VPN.

Step 2 From the VPN tree, select VPN Components, and then IPSec Policies.

Step 3 In the IPSec Policies table, click the IPSec policy to which you want to add another VPN peer.

Step 4 Click Edit.

The Edit IPSec Policy dialog box appears.

Step 5 Click Add.

Step 6 The Add Crypto Map dialog box appears, letting you set the values for the new crypto map. Set the values for the new crypto map, using all four tabs in the dialog box. The Peer Information tab contains the Specify Peers field, which lets you enter the IP address of the peer you want to add.

Step 7 When you have finished, click OK.

The crypto map with the new peer IP address appears in the "Crypto Maps in this IPSec Policy" table.

Step 8 To add additional peers, repeat Step 5 through Step 7.


How Do I Accommodate Multiple Devices with Different Levels of VPN Support?

To add multiple transform sets to a single crypto map:


Step 1 From the left frame, select VPN.

Step 2 From the VPN tree, select VPN Components, and then IPSec Policies.

Step 3 In the IPSec Policies table, click the IPSec policy that contains the crypto map to which you want to add another transform set.

Step 4 Click Edit.

The Edit IPSec Policy dialog box appears.

Step 5 In the "Crypto Maps in this IPSec Policy" table, click the crypto map to which you want to add another transform set.

Step 6 Click Edit.

The Edit Crypto Map dialog box appears.

Step 7 Click the Transform Sets tab.

Step 8 In the Available Transform Sets field, click a transform set that you want to add to the crypto map.

Step 9 Click >> to add the selected transform set to the crypto map.

Step 10 If you want to add additional transform sets to this crypto map, repeat Step 8 and Step 9 until you have added all the transform sets you want.

Step 11 Click OK.


How Do I Configure a VPN on an Unsupported Interface?

Cisco SDM can configure a VPN over an interface type unsupported by Cisco SDM. Before you can configure the VPN connection, you must first use the router CLI to configure the interface. The interface must have, at a minimum, an IP address configured, and it must be working. To verify that the connection is working, verify that the interface status is "Up."

After you have configured the unsupported interface using the CLI, you can use Cisco SDM to configure your VPN connection. The unsupported interface will appear in the fields that require you to choose an interface for the VPN connection.

How Do I Configure a VPN After I Have Configured a Firewall?

In order for a VPN to function with a firewall in place, the firewall must be configured to permit traffic between the local and remote peer IP addresses. Cisco SDM creates this configuration by default when you configure a VPN configuration after you have already configured a firewall.

How Do I Configure NAT Passthrough for a VPN?

If you are using NAT to translate the addresses of hosts on your network when they communicate with outside networks, and you are also connecting to a specific outside site through a VPN, you must configure NAT passthrough for your VPN connection so that network address translation does not take place on the VPN traffic. If you have already configured NAT on your router and are now configuring a new VPN connection using Cisco SDM, you will receive a warning message informing you that Cisco SDM will configure NAT so that it does not translate VPN traffic. You must accept the message so that Cisco SDM will create the necessary ACLs to protect your VPN traffic from translation.

If you are configuring NAT using Cisco SDM and you have already configured a VPN connection, perform the following procedure to create ACLs.


Step 1 From the left frame, select Additional Tasks/ACL Editor.

Step 2 In the Rules tree, choose Access Rules.

Step 3 Click Add.

The Add a Rule dialog box appears.

Step 4 In the Name/Number field, enter a unique name or number for the new rule.

Step 5 From the Type field, choose Extended Rule.

Step 6 In the Description field, enter a short description of the new rule.

Step 7 Click Add.

The Add a Standard Rule Entry dialog box appears.

Step 8 In the Action field, choose Permit.

Step 9 In the Source Host/Network group, from the Type field, select A Network.

Step 10 In the IP Address and Wildcard Mask fields, enter the IP address and wildcard mask of the network on the VPN source side, that is, the traffic that the IPSec rule protects. A wildcard mask is the inverse of the subnet mask: for a subnet mask of 255.255.0.0, enter 0.0.255.255.

Step 11 In the Destination Host/Network group, from the Type field, select A Network.

Step 12 In the IP Address and Wildcard Mask fields, enter the IP address and wildcard mask of the network on the VPN destination side.

Step 13 In the Description field, enter a short description of the network or host.

Step 14 Click OK.

The new rule now appears in the Access Rules table.
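The following Python model, added here as an illustration and not Cisco SDM's code, shows why the NAT Rules with ACL warning earlier on this page and this NAT passthrough procedure are necessary: on the outside interface NAT runs before the crypto map, so a NAT rule driven by a plain access rule rewrites the source address of LAN-to-LAN traffic and the IPSec rule no longer matches. Prepending deny entries for the protected flows, the route map form that Cisco SDM converts to, leaves VPN traffic untranslated while Internet-bound traffic is still translated. The networks, the outside address and the ACL and route map names are assumptions.

```python
import ipaddress as ipa
from typing import List, Tuple

Net = ipa.IPv4Network
Entry = Tuple[str, Net, Net]  # (action, source network, destination network)

ANY = ipa.IPv4Network("0.0.0.0/0")
# Constructed topology (assumptions): the LAN behind this router, the LAN behind
# the VPN peer, and this router's outside address used for overload (PAT).
LOCAL_LAN = ipa.IPv4Network("10.1.0.0/16")
REMOTE_LAN = ipa.IPv4Network("10.2.0.0/16")
OUTSIDE_ADDR = ipa.IPv4Address("198.51.100.1")

# The IPSec rule generated for the tunnel: protect LAN-to-LAN traffic.
IPSEC_RULE: List[Entry] = [("permit", LOCAL_LAN, REMOTE_LAN)]
# A NAT rule driven by a plain access rule: translate everything leaving the LAN.
NAT_ACCESS_RULE: List[Entry] = [("permit", LOCAL_LAN, ANY)]


def acl_match(acl: List[Entry], src: ipa.IPv4Address, dst: ipa.IPv4Address) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def exemption_acl(ipsec_rule: List[Entry], nat_acl: List[Entry]) -> List[Entry]:
    """ACL for the NAT route map: deny the protected flows first, then the original permits."""
    return [("deny", s, d) for action, s, d in ipsec_rule if action == "permit"] + list(nat_acl)


def forward(nat_acl: List[Entry], src: ipa.IPv4Address,
            dst: ipa.IPv4Address) -> Tuple[ipa.IPv4Address, bool]:
    """Model the outside interface: inside-source NAT runs before the crypto map check.

    Returns the source address as it appears on the wire and whether the IPSec
    rule still matches the packet after translation.
    """
    if acl_match(nat_acl, src, dst):
        src = OUTSIDE_ADDR
    return src, acl_match(IPSEC_RULE, src, dst)


def ios_wildcard(net: Net) -> str:
    """IOS ACL notation: 'any' for 0.0.0.0/0, otherwise 'network wildcard'."""
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"


def ios_acl_lines(acl: List[Entry]) -> List[str]:
    """Render entries as lines of an 'ip access-list extended' block."""
    return [f" {action} ip {ios_wildcard(s)} {ios_wildcard(d)}" for action, s, d in acl]


if __name__ == "__main__":
    host, peer_host, web = (ipa.IPv4Address(a) for a in ("10.1.1.5", "10.2.3.4", "192.0.2.10"))
    print("access rule NAT, VPN flow  :", forward(NAT_ACCESS_RULE, host, peer_host))
    route_map_acl = exemption_acl(IPSEC_RULE, NAT_ACCESS_RULE)
    print("route map NAT, VPN flow    :", forward(route_map_acl, host, peer_host))
    print("route map NAT, Internet    :", forward(route_map_acl, host, web))
    # Hypothetical names for the resulting IOS configuration.
    print("ip access-list extended SDM_NAT_EXEMPT")
    print("\n".join(ios_acl_lines(route_map_acl)))
    print("route-map SDM_RMAP_1 permit 1\n match ip address SDM_NAT_EXEMPT")
    print("ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload")
```

The first call shows the failure mode the warning describes (source becomes 198.51.100.1 and the IPSec rule no longer matches); the second shows the same packet left untranslated once the deny entries precede the permit; the third confirms that ordinary Internet traffic is still translated.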