Setup VPN tunnel lab - Part 2.pdf

Published on June 2016

Cisco Site-to-Site VPN Lab 2 / Static IP to Dynamic IP IPSec VPN
by Michael T. Durham

In part two of the NetCertLabs Cisco CCNA Security VPN lab series, we will set up a site-to-site VPN connection
where one side is the corporate office with a static IP address and the other side is a home office with a dynamic IP address.
One important point to keep in mind with this implementation: a site-to-site VPN whose remote side has a dynamic
public IP address can only be brought up by the remote router, because only the remote router knows the Corp router's
public IP address. The Corp router has no fixed peer to initiate toward, so traffic from the corporate LAN cannot bring the
tunnel up by itself; it can only use the tunnel once the remote side has established it.
This type of connection, like the one in Cisco IPSec VPN lab 1, behaves as an NBMA (Non-Broadcast Multi-Access) network:
crypto-map IPSec does not carry multicast packets, so you must use static routes for the networks behind the tunnel. Protocols
such as RIP, EIGRP and OSPF will not work across this type of connection. If your situation requires these protocols, you will
need to set up a GRE tunnel protected by IPSec.
IPSec can also protect GRE (Generic Routing Encapsulation) tunnels, and either an IPSec VPN or an SSL (Secure Sockets Layer)
VPN is recommended when sending sensitive data over the Internet. GRE VPN tunnels will be covered in another document.
Cisco IOS has included IPSec support since early versions of IOS 12; however, the commands have changed across the IOS 12
point releases.

ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the
VPN tunnel. ISAKMP, usually referred to as IKE (Internet Key Exchange), is the negotiation protocol that allows two peers to agree on
how to build an IPSec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
Cisco IOS lets you configure several ISAKMP policies on a router, each identified by a priority number; the lower the number,
the higher the priority. When the peers negotiate, the initiator offers all of its policies and the responder checks them against its
own policies in priority order until it finds one whose encryption, hash, authentication method and Diffie-Hellman group match.
Design a policy that is acceptable to every system you are going to interoperate with and give it priority 10; that leaves room
below it for stricter policies later. If no configured policy matches, IOS falls back to its default protection suite, which is
shown later in the output of "show crypto isakmp policy".
Phase 1 creates the first tunnel (the IKE security association), which protects later ISAKMP negotiation messages. Phase 2
negotiates the IPSec security associations that protect the data. IPSec (ESP in this lab) then provides confidentiality,
data-origin authentication and integrity, and anti-replay protection for the traffic itself.
NetCertLabs' goal is to provide you with the basic knowledge necessary to pass your desired exam or just help you get your
lab setup and working so you can learn each subject. Another one of NetCertLabs' goals is to provide you with CLEAR and
concise step-by-step instructions of KNOWN working configurations.
For a more in-depth study of IPSec VPNs, visit Cisco's website's Video Training Series at:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

Equipment used in this lab:
 3 2610 routers running Cisco IOS Software Release 12.2(15)T2 (or similar)*
 4 WIC-1T serial modules**
 2 Ethernet Cat5 cross-over patch cables
 2 DB60 serial DCE/DTE cables (simulate the leased-line or MPLS connection)
 2 PCs
* Many IOS versions include software IPSec support. Hardware VPN modules are also available for increased performance.
** If your router has two Ethernet ports you can use them in place of the serial ports.

CCNA/CCNA Security Lab 2
In this lab we will set up a Cisco hardware-to-hardware site-to-site VPN with one static public IP and one dynamic public IP.

[Lab 2 topology diagram: a DHCP server on the Internet side; the Corp VPN router with fa0/0 192.168.0.1 on LAN 192.168.0.0/24
and s0/0 public IP 208.51.24.8; the Internet cloud; the Home router with s0/0 on a dynamic IP and fa0/0 192.168.1.1 on LAN
192.168.1.0/24. The configuration steps that follow use different addresses than this diagram: Corp public IP 50.137.15.9,
Branch LAN 10.0.0.0/24 and, later, Home LAN 10.0.20.0/24.]
This lab will show you how to set up and configure Cisco routers to create a permanent secure site-to-site VPN tunnel
over the Internet using the IP Security (IPSec) protocol. In this lab we assume that your Ethernet and serial ports are
already configured, that the Corp router has a static public IP address, and that the remote router obtains its public IP
address from the ISP (the simulated Internet router in this lab).
The lab uses public IP addresses to give you a more realistic understanding of what happens where.
Since your routers in this lab are NOT connected to the Internet there will not be any IP address conflicts. Please make sure
that your lab is disconnected from any equipment that could provide Internet connectivity.
If you are interested in configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels
see the CCNA/CCNA Security Lab 3. NetCertLabs has several additional CCNA/CCNA Security labs for you to learn with on
our web site as well as many other labs to help you earn the certification you are seeking.
The following five steps need to be configured to create an IPSec VPN on a Cisco IOS device with a dynamic-IP peer:
Step 1. ISAKMP policy – Configure the parameters used for the IKE Phase 1 tunnel
Step 2. Transform Set – Configure the parameters used for the IKE Phase 2 tunnel (aka the IPSec tunnel)
Step 3. ACL – Create an ACL that defines what "interesting" traffic will be sent over the VPN
Step 4. Crypto Map – Tie the previous parameters together
Step 5. Apply – Apply the crypto map to an interface

------------- Corp Router -------------
Step 1. – ISAKMP
First we enter configuration mode and enable ISAKMP. ISAKMP is enabled by default, but we do this to be sure. The policy
number is important: when the router negotiates an acceptable Phase 1 policy it starts with the policy closest to 1 and works
its way up in order until a negotiation succeeds (using 10 leaves some room for growth if needed).
Corp(config)#crypto isakmp enable
Corp(config)#crypto isakmp policy 10
Now we configure the authentication method. Acceptable options are pre-shared key (pre-share), RSA signatures (rsa-sig) and
RSA encrypted nonces (rsa-encr). For simplicity we will use a pre-shared key for now; other labs will examine the other options.
Corp(config-isakmp)#authentication pre-share
Next is the hash method. Options are MD5 and SHA-1. SHA-1 is the default and is the stronger of the two; use MD5 only where
a peer cannot do SHA-1.
Corp(config-isakmp)#hash sha

Now we configure the encryption algorithm. In order of strength: AES 256, AES 192, AES 128, 3DES, DES. If nothing is
explicitly configured the default is 56-bit DES, as the "Default protection suite" in the verification output below shows, so
always set this explicitly. This lab uses 3DES; prefer AES on any IOS image that offers it.
Corp(config-isakmp)#encryption 3des
Group <number> configures the modulus size of the Diffie-Hellman key exchange. (Group 5 isn't supported on all
versions of IOS!)
Group    Description
1        The 768-bit Diffie-Hellman group (the default)
2        The 1024-bit Diffie-Hellman group
5        The 1536-bit Diffie-Hellman group
Corp(config-isakmp)#group 5
Lifetime is the time in seconds the ISAKMP Security Association (SA) stays valid before it must be renegotiated.
3600 = 1 hour (86400, one day, is the default).
Corp(config-isakmp)#lifetime 3600
Since we configured pre-shared key authentication we need to configure the key itself in global configuration mode.
Corp(config)#crypto isakmp key 0 K3y4vPnLab address 0.0.0.0 0.0.0.0
The pre-shared key is K3y4vPnLab and the remote address is given as 0.0.0.0 0.0.0.0 (address and mask). This tells the Corp
router that the remote Branch router has a dynamic public IP address, so the key is accepted from any peer that presents it.
Two consequences follow. First, any host on the Internet that knows the key can complete IKE Phase 1 with the Corp router,
so the key must be long and random, and it must be changed if a remote router is lost or decommissioned. Second, the 0 in
"key 0" means the key is entered and stored in cleartext in the running configuration, so treat configuration backups as secrets.
To keep the VPN up and detect a dead peer when no traffic is passing, we use dead peer detection (DPD): ISAKMP sends a
keepalive every 10 seconds and retries every 2 seconds once a keepalive goes unanswered. The default is to send DPD messages
on demand rather than periodically as configured here. Not all versions of IOS support this command.
Corp(config)#crypto isakmp keepalive 10 2 periodic
Verify the configuration with "show crypto isakmp policy":
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
The default protection suite is always present and is tried after your configured policies; it is listed here as a reminder of
how weak the factory defaults (56-bit DES, 768-bit Diffie-Hellman) are.
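The policy matching described above, as an added example in Python (not code from the original lab): it models the responder walking its ISAKMP policies in priority order with the IOS default suite last, as Cisco documents it, and shows what happens between this lab's routers when the Branch side has a mistyped hash. The weakness table and the 65535 priority given to the default suite are this example's own conventions, not IOS features.

```python
"""IKE Phase 1 policy selection, modelled the way Cisco documents it for IOS.

Added example, not code from the NetCertLabs lab. The initiator offers all
of its ISAKMP policies; the responder walks its own policies in priority
order (lowest number first, the default protection suite last) and accepts
the first offer whose encryption, hash, authentication and DH group match and
whose lifetime is no longer than its own; the shorter lifetime is used. The
values below are this lab's policy 10 and the IOS default suite printed by
'show crypto isakmp policy'; the weakness table is this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str = "des"      # IOS defaults: D ES, SHA-1, RSA signatures, group 1, one day
    hash_alg: str = "sha"
    auth: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400

    def proposal(self) -> Tuple[str, str, str, int]:
        return (self.encryption, self.hash_alg, self.auth, self.group)


DEFAULT_SUITE = IkePolicy(priority=65535)   # IOS tries this after every configured policy
LAB_POLICY = IkePolicy(10, "3des", "sha", "pre-share", 5, 3600)   # policy 10 on every lab router

WEAK = {"encryption": {"des": "56-bit DES", "3des": "3DES (legacy)"},
        "hash_alg": {"md5": "MD5"},
        "group": {1: "DH group 1 (768-bit)", 2: "DH group 2 (1024-bit)"}}


def select_policy(initiator: List[IkePolicy], responder: List[IkePolicy]
                  ) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Return (responder policy, matching offer, negotiated lifetime) or None."""
    offers = sorted(initiator, key=lambda p: p.priority) + [DEFAULT_SUITE]
    for mine in sorted(responder, key=lambda p: p.priority) + [DEFAULT_SUITE]:
        for offer in offers:
            if offer.proposal() == mine.proposal() and offer.lifetime <= mine.lifetime:
                return mine, offer, min(mine.lifetime, offer.lifetime)
    return None


def weaknesses(policy: IkePolicy) -> List[str]:
    """Settings in a policy that a reviewer would flag."""
    out = [WEAK[field][getattr(policy, field)]
           for field in ("encryption", "hash_alg", "group")
           if getattr(policy, field) in WEAK[field]]
    if policy.lifetime >= 86400:
        out.append("Phase 1 lifetime of a day or more")
    return out


def demo():
    corp = [LAB_POLICY]
    # The Branch router initiates (only it knows the Corp address), so Corp responds.
    chosen = select_policy([LAB_POLICY], corp)
    # A Branch mistyped with 'hash md5' no longer matches Corp policy 10. Both sides
    # then fall through to their default suites, which match each other but require
    # RSA signatures, so Phase 1 fails at authentication instead of at proposal time.
    mistyped = IkePolicy(10, "3des", "md5", "pre-share", 5, 3600)
    fallback = select_policy([mistyped], corp)
    return chosen, fallback


if __name__ == "__main__":
    chosen, fallback = demo()
    print("negotiated:", chosen)
    print("after a hash mismatch:", fallback)
    print("weak points in the lab policy:", weaknesses(LAB_POLICY))
    print("weak points in the IOS default suite:", weaknesses(DEFAULT_SUITE))
```

The fallback case is the one worth remembering when "debug crypto isakmp" shows a proposal being accepted and Phase 1 still failing: the peers agreed on the default suite, not on your policy 10.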

Step 2. – Transform Set
Now we create the transform set used to protect our data. In this lab the IPSec tunnel uses 3DES encryption with HMAC-MD5
integrity (esp-3des esp-md5-hmac). On an IOS image that offers them, esp-aes (256 bit) with esp-sha-hmac is the stronger
choice and is configured the same way.

Corp(config)#crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
Corp(cfg-crypto-trans)#mode tunnel
Various other options are:
Corp(config)#crypto ipsec transform-set MYTSETNAME ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
Verify with "show crypto ipsec transform-set":
Transform set MYTSETNAME: { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },

Step 3. – ACL
This step creates an access list defining the traffic the router should send through the VPN tunnel. In this example the
first tunnel carries traffic from headquarters (192.168.0.0/24) to remote site 1 (10.0.0.0/24).
Access lists that define VPN traffic are often called crypto access lists or interesting-traffic access lists. The easiest way
I have found to remember which IP address goes where is the phrase "me, them": "me" is the router you are working on
and "them" is the router you are connecting your VPN to. The remote router's crypto access list must be the exact mirror
image of this one, or the Phase 2 proposal will not match.
Corp(config)#ip access-list extended ACL_VPN_CORP_TO_BRANCH
Corp(config-ext-nacl)#remark Allow IP traffic over the CORP_TO_BRANCH VPN
Corp(config-ext-nacl)#permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255

Step 4. – Crypto Map
The crypto map connects the previously defined ISAKMP and IPSec configuration together. On the Corp router we use a
dynamic crypto map, because the peer's address is unknown; we will need one entry (sequence number) in it for each remote network.
Corp(config)#crypto dynamic-map DYNAMIC_CORP_VPN 10
*NOTE: IOS responds with "This new crypto map will remain disabled until a peer and a valid access list have been configured."
That warning is expected for a dynamic map, whose peer is learned at negotiation time.
Corp(config-crypto-map)#set security-association lifetime seconds 86400
Corp(config-crypto-map)#set transform-set MYTSETNAME
Corp(config-crypto-map)#match address ACL_VPN_CORP_TO_BRANCH
PFS (Perfect Forward Secrecy) is not enabled in this lab, as the verification output below shows ("PFS (Y/N): N"); add
"set pfs group5" to the map entries on both routers if you want every Phase 2 rekey to use a fresh Diffie-Hellman exchange.
Then we reference our dynamic map, DYNAMIC_CORP_VPN, from a static crypto map named CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP,
because a dynamic map cannot be applied to an interface directly:
Corp(config)#crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP 1 ipsec-isakmp dynamic DYNAMIC_CORP_VPN
Verify with "show crypto map":
Crypto Map "CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP" 65536 ipsec-isakmp
        Dynamic map template tag: DYNAMIC_CORP_VPN
        Peer = 209.87.55.2
        Extended IP access list
            access-list  permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
            dynamic (created from dynamic map DYNAMIC_CORP_VPN/10)
        Current peer: 209.87.55.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYTSETNAME, }
        Interfaces using crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP:
                Serial0/0
(The 65536 entry with the peer address only appears after a remote router has connected; before that, the output lists just
the dynamic map template.)

Step 5. – Apply
The final step is to apply our crypto map to the public interface of the Corp router, which in this lab is Serial0/0. In many
deployments this will instead be an Ethernet, ATM or Dialer (ADSL) interface:
Corp(config)#int Serial 0/0
Corp(config-if)#crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP
After you enter the crypto map command you will see a log message that ISAKMP is turned on:
*Mar  1 00:53:23.475: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Note that you can assign only one crypto map to an interface. At this point we have completed the IPSec VPN configuration
on the Corp router and can move to the remote endpoint, the Branch router, to complete the VPN.

------------- Branch Router -------------
Our remote router connects to the Internet and is assigned a dynamic IP address that the ISP changes periodically. For the
most part the configuration is similar to that of the Corp router, with a few differences: the pre-shared key is bound to the
Corp router's address, and a normal (static) crypto map with "set peer" is used, since the Branch router knows who it is
connecting to.
In the configuration below, IP address 50.137.15.9 is the public IP address of our Corp router.

Step 1. – ISAKMP
Branch(config)#crypto isakmp enable
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#hash sha
Branch(config-isakmp)#encryption 3des
Branch(config-isakmp)#group 5
Branch(config-isakmp)#lifetime 3600
Branch(config)#crypto isakmp key K3y4vPnLab address 50.137.15.9
Branch(config)#crypto isakmp keepalive 10 2 periodic

Step 2. – Transform Set
Branch(config)#crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
Branch(cfg-crypto-trans)#mode tunnel

Step 3. – ACL
Branch(config)#ip access-list extended ACL_VPN_BRANCH_TO_CORP
Branch(config-ext-nacl)#remark Allow IP traffic over the BRANCH_TO_CORP VPN
Branch(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

Step 4. – Crypto Map
Branch(config)#crypto map BRANCH_TO_CORP_VPN 10 ipsec-isakmp
Branch(config-crypto-map)#set peer 50.137.15.9
Branch(config-crypto-map)#set transform-set MYTSETNAME
Branch(config-crypto-map)#match address ACL_VPN_BRANCH_TO_CORP
Verify with "show crypto map":
Crypto Map "BRANCH_TO_CORP_VPN" 10 ipsec-isakmp
        Peer = 50.137.15.9
        Extended IP access list ACL_VPN_BRANCH_TO_CORP
            access-list ACL_VPN_BRANCH_TO_CORP permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
        Current peer: 50.137.15.9
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYTSETNAME, }
        Interfaces using crypto map BRANCH_TO_CORP_VPN:
                Serial0/0

Step 5. – Apply
Branch(config)#int Serial 0/0
Branch(config-if)#crypto map BRANCH_TO_CORP_VPN

Bringing Up and Verifying the VPN Tunnel
The easiest way to test is with the ping command and its source option. From the Branch router we ping the 192.168.0.1
interface of the Corp router using the source address 10.0.0.1, the Branch router's LAN interface. Without the source
option the ping would be sourced from the serial interface's public address, would not match the crypto access list, and
would not bring the tunnel up.
Branch#ping 192.168.0.1 source 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/52/56 ms
The ping has brought the VPN up because it is "interesting" traffic (the first ping is lost while the tunnel is being negotiated).
We can verify this with the "show crypto engine connections active" command:

Branch#show crypto engine connections active
  ID Interface   IP-Address    State  Algorithm            Encrypt  Decrypt
   1 Serial0/0   209.87.55.2   set    HMAC_SHA+3DES_56_C         0        0
2001 Serial0/0   209.87.55.2   set    3DES+MD5                   0        5
2002 Serial0/0   209.87.55.2   set    3DES+MD5                   9        0

You can see we have one IKE connection (ID 1) and one IPSec SA for each direction (IDs 2001 and 2002): the inbound SA has
only decrypted packets and the outbound SA only encrypted packets. Note that the IKE SA uses the SHA-1 hash from the ISAKMP
policy while the IPSec SAs use the MD5 HMAC from the transform set; the two are negotiated independently.
Some other diagnostic tools are:
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 50.137.15.9 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 50.137.15.9
      Desc: (none)
  IKE SA: local 209.87.55.2/500 remote 50.137.15.9/500 Active
          Capabilities:D connid:1 lifetime:00:41:18
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4565873/2479
        Outbound: #pkts enc'ed 9 drop 6 life (KB/Sec) 4565872/2479
(Outbound "drop" counts packets that matched the crypto ACL before the SAs existed, such as the first ping above.)
Branch#show crypto isakmp sa
dst             src             state          conn-id slot status
50.137.15.9     209.87.55.2     QM_IDLE              1    0 ACTIVE

The easiest way to clear SAs on a Cisco IOS system varies with version, but one of these two will generally work:
clear crypto isakmp
clear crypto sa
To enable debugging in IOS, you must turn on the debug and also turn on the debug monitor, which is normally the
terminal you are logged in on:
debug crypto isakmp
debug crypto ipsec
terminal monitor
To disable debugging:
undebug all (abbreviated "u all")
terminal no monitor
"debug crypto isakmp" shows the Phase 1 negotiation and "debug crypto ipsec" the Phase 2 (IPSec SA) negotiation; start them
before sending the first ping so you can see exactly where a mismatch occurs.
And there are many more. Just remember to use ? at the end of the command as you type it to see what other options
exist. When you only see <cr> by itself you know there are no further keywords.

Network Address Translation (NAT) and IPSec VPN Tunnels
Network Address Translation (NAT) is most likely going to be configured to provide Internet access to internal hosts. When
configuring a site-to-site IPSec VPN tunnel, it is imperative to instruct the router not to perform NAT on packets
destined to the remote VPN network(s). The reason is the order of operations: on the way out, NAT is applied before the
crypto map inspects the packet, so a translated packet would carry the public address as its source, would no longer match
the crypto access list, and would leave the router unencrypted and never reach the remote site.
This is done by inserting a deny statement for the VPN traffic at the beginning of the NAT access list, ahead of the permit,
as shown below. The deny mirrors the crypto access list exactly.
For more information on NAT, please see our CCENT/CCNA NAT Labs.
On the Corp router:
Corp(config)#ip nat inside source list 100 interface Serial0/0 overload
Corp(config)#access-list 100 remark Block NAT Service to VPN
Corp(config)#access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Corp(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 any
On the Branch router:
Branch(config)#ip nat inside source list 100 interface Serial0/0 overload
Branch(config)#access-list 100 remark Block NAT Service to VPN
Branch(config)#access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Branch(config)#access-list 100 permit ip 10.0.0.0 0.0.0.255 any
Note that NAT only takes effect once "ip nat inside" is applied to the LAN interface and "ip nat outside" to the serial
interface. The configurations at the end of this document contain the "ip nat inside source" statement but not those interface
commands, so add them if you want NAT for Internet access in your lab.
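The crypto access lists of Step 3 and the NAT exemptions above have to agree with each other on both routers. This added example in Python (not code from the lab) parses configuration excerpts in the format of the running configs at the end of this document and checks that every crypto ACL permit has a mirror image on the peer and is denied by the NAT ACL before any permit covers it. The excerpts are constructed from this lab's Corp and Branch routers; the Branch NAT ACL has its deny and permit swapped on purpose so the ordering check has something to report.

```python
"""Check a site-to-site IPsec pair's crypto ACLs against each other and against
the NAT ACL.  Added example, not code from the NetCertLabs lab; it parses the
running-config format shown in this document.  The excerpts are constructed from
the Corp and Branch routers above; the Branch NAT ACL has its deny and permit
deliberately swapped so the ordering check fires.
"""
import ipaddress

CORP_CFG = """\
crypto dynamic-map DYNAMIC_CORP_VPN 10
 match address ACL_VPN_CORP_TO_BRANCH
crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP 1 ipsec-isakmp dynamic DYNAMIC_CORP_VPN
ip nat inside source list 100 interface Serial0/0 overload
ip access-list extended ACL_VPN_CORP_TO_BRANCH
 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""

BRANCH_CFG = """\
crypto map BRANCH_TO_CORP_VPN 10 ipsec-isakmp
 match address ACL_VPN_BRANCH_TO_CORP
ip nat inside source list 100 interface Serial0/0 overload
ip access-list extended ACL_VPN_BRANCH_TO_CORP
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
"""


def to_net(addr, wildcard):
    """IOS address + wildcard -> ip_network (ipaddress alone would read 0.0.0.0 as /0)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, 32 - wc.bit_length()), strict=False)


def parse_flow(tokens):
    """Source and destination of an 'ip' ACE; each is 'any', 'host A' or 'A WILDCARD'."""
    nets = []
    for _ in range(2):
        if tokens[0] == "any":
            nets.append(to_net("0.0.0.0", "255.255.255.255"))
            tokens = tokens[1:]
        else:
            addr, wc = (tokens[1], "0.0.0.0") if tokens[0] == "host" else tokens[:2]
            nets.append(to_net(addr, wc))
            tokens = tokens[2:]
    return tuple(nets)


def parse(cfg):
    """Crypto-map entries, every ACL as [(action, (src, dst))] and the NAT ACL name."""
    c = {"maps": [], "acl": {}, "nat_list": None}
    block = None                     # map entry (dict) or ACL (list) that indented lines extend
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if not raw.startswith(" "):  # IOS indents the lines that belong to a block
            block = None
        if isinstance(block, list) and t[0] in ("permit", "deny") and t[1] == "ip":
            block.append((t[0], parse_flow(t[2:])))
        elif isinstance(block, dict) and t[:2] == ["match", "address"]:
            block["match"] = t[2]
        elif t[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]) and "dynamic" not in t[4:]:
            block = {"name": f"{t[2]} {t[3]}", "match": None}
            c["maps"].append(block)
        elif t[:3] == ["ip", "access-list", "extended"]:
            block = c["acl"].setdefault(t[3], [])
        elif t[0] == "access-list" and len(t) > 3 and t[3] == "ip":
            c["acl"].setdefault(t[1], []).append((t[2], parse_flow(t[4:])))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            c["nat_list"] = t[5]
    return c


def audit(local, remote):
    """Findings for `local`: NAT exemption order and mirror-image check against `remote`."""
    findings = []
    nat = local["acl"].get(local["nat_list"], [])
    peer_flows = {flow for m in remote["maps"]
                  for action, flow in remote["acl"].get(m["match"], []) if action == "permit"}
    for m in local["maps"]:
        for action, (src, dst) in local["acl"].get(m["match"], []):
            if action != "permit":
                continue
            # The first NAT ACE covering the flow decides. NAT runs before the crypto map on
            # egress, so a permit rewrites the source and the packet never matches the crypto
            # ACL; the exemption is a deny that comes first.
            verdict = next((a for a, (ns, nd) in nat
                            if src.subnet_of(ns) and dst.subnet_of(nd)), None)
            if verdict == "permit":
                findings.append(f"{m['match']}: {src} -> {dst} is translated by ACL "
                                f"{local['nat_list']} before encryption")
            if (dst, src) not in peer_flows:
                findings.append(f"{m['match']}: {src} -> {dst} has no mirror image on the peer")
    return findings


if __name__ == "__main__":
    corp, branch = parse(CORP_CFG), parse(BRANCH_CFG)
    print("Corp:", audit(corp, branch) or "ok")
    print("Branch:", audit(branch, corp) or "ok")
```

Feed it the full running configs from the end of this document (paste each into the corresponding string) and it will also confirm the second dynamic-map entry for the Home network once that has been added.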

Adding Additional Remote Locations in a Dynamic Site-to-Site VPN

[Topology diagram: the Corp router with fa0/0 192.168.0.1 (Corp PC 192.168.0.100) and s0/0 50.137.15.9, connected to the
Internet router's s0/0; the Internet router's s0/1 and s0/2 connect to the Branch router (s0/0 dynamic IP, fa0/0 10.0.0.1,
Branch PC 10.0.0.100) and the Home router (s0/0 dynamic IP, fa0/0 10.0.20.1, Home PC 10.0.20.100); a VPN tunnel runs from
each remote router to Corp.]

Many times you may need to add more than one remote site that gets its IP address dynamically. This is quite easy to
accomplish with just a few additional commands on the Corp router, because the dynamic crypto map already accepts any peer
that presents the pre-shared key; all that is missing is a crypto access list and a dynamic-map entry for the new remote network.

------------- Corp Router -------------
First we need to add an access list for each remote network.
Corp(config)#ip access-list extended ACL_VPN_CORP_TO_HOME
Corp(config-ext-nacl)#remark Allow IP traffic over the CORP_TO_HOME VPN
Corp(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 10.0.20.0 0.0.0.255
Then add an entry to the dynamic map for each additional location.
Corp(config)#crypto dynamic-map DYNAMIC_CORP_VPN 20

NOTE: IOS again prints "This new crypto map will remain disabled until a peer and a valid access list have been configured.",
as it did for entry 10; this is expected for a dynamic map entry.

Corp(config-crypto-map)#set security-association lifetime seconds 86400
Corp(config-crypto-map)#set transform-set MYTSETNAME
Corp(config-crypto-map)#match address ACL_VPN_CORP_TO_HOME

------------- Home Router -------------
Step 1. – ISAKMP
Home(config)#crypto isakmp enable
Home(config)#crypto isakmp policy 10
Home(config-isakmp)#authentication pre-share
Home(config-isakmp)#hash sha
Home(config-isakmp)#encryption 3des
Home(config-isakmp)#group 5
Home(config-isakmp)#lifetime 3600
Home(config)#crypto isakmp key K3y4vPnLab address 50.137.15.9
Home(config)#crypto isakmp keepalive 10 2 periodic

Step 2. – Transform Set
Home(config)#crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
Home(cfg-crypto-trans)#mode tunnel

Step 3. – ACL
Home(config)#ip access-list extended ACL_VPN_HOME_TO_CORP
Home(config-ext-nacl)#remark Allow IP traffic over the HOME_TO_CORP VPN
Home(config-ext-nacl)#permit ip 10.0.20.0 0.0.0.255 192.168.0.0 0.0.0.255

Step 4. – Crypto Map
Home(config)#crypto map HOME_TO_CORP_VPN 10 ipsec-isakmp
Home(config-crypto-map)#set peer 50.137.15.9
Home(config-crypto-map)#set transform-set MYTSETNAME
Home(config-crypto-map)#match address ACL_VPN_HOME_TO_CORP

NAT Blocking (same deny-before-permit rule as on the Corp and Branch routers)
Home(config)#ip nat inside source list 100 interface Serial0/0 overload
Home(config)#access-list 100 remark Block NAT Service to VPN
Home(config)#access-list 100 deny ip 10.0.20.0 0.0.0.255 192.168.0.0 0.0.0.255
Home(config)#access-list 100 permit ip 10.0.20.0 0.0.0.255 any

Step 5. – Apply
Home(config)#int Serial 0/0
Home(config-if)#crypto map HOME_TO_CORP_VPN

Bringing Up and Verifying the VPN Tunnel

Home#ping 192.168.0.1 source 10.0.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.20.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/52/56 ms
Home#show crypto session
Session status: UP-ACTIVE
Peer: 50.137.15.9 port 500
  IKE SA: local 74.29.129.2/500 remote 50.137.15.9/500 Active
  IPSEC FLOW: permit ip 10.0.20.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
Corp#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 209.87.55.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 209.87.55.2
      Desc: (none)
  IKE SA: local 50.137.15.9/500 remote 209.87.55.2/500 Active
          Capabilities:D connid:1 lifetime:00:33:16
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 10.0.0.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 9 drop 0 life (KB/Sec) 4394658/1997
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4394659/1997
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 74.29.129.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 74.29.129.2
      Desc: (none)
  IKE SA: local 50.137.15.9/500 remote 74.29.129.2/500 Active
          Capabilities:D connid:2 lifetime:00:57:11
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 10.0.20.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4448091/3432
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4448091/3432
Repeat the above steps for each additional location.
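Checking sessions by eye does not scale once several remote sites terminate on Corp. As an added example in Python (not part of the lab), the following parses the "show crypto session detail" output format shown above into per-peer findings. The sample text is constructed from the Corp listing above, with one outbound drop counter changed to 6 so that the drop check has something to report; the lifetime threshold is the example's own.

```python
"""Parse 'show crypto session detail' into per-peer health findings.

Added example, not code from the NetCertLabs lab. It reads the output format
shown in this document and reports, for each peer, whether the IKE SA is
active, how much Phase 1 lifetime remains, and whether each IPsec flow has
both of its SAs and is dropping packets. SAMPLE is constructed from the Corp
router's listing above, with one outbound drop counter changed to 6.
"""
import re

SAMPLE = """\
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 209.87.55.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 209.87.55.2
  IKE SA: local 50.137.15.9/500 remote 209.87.55.2/500 Active
          Capabilities:D connid:1 lifetime:00:33:16
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 10.0.0.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 9 drop 0 life (KB/Sec) 4394658/1997
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4394659/1997
Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 74.29.129.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 74.29.129.2
  IKE SA: local 50.137.15.9/500 remote 74.29.129.2/500 Active
          Capabilities:D connid:2 lifetime:00:57:11
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 10.0.20.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4448091/3432
        Outbound: #pkts enc'ed 4 drop 6 life (KB/Sec) 4448091/3432
"""

STATUS = re.compile(r"^Session status: (\S+)")
PEER = re.compile(r"^Peer: (\S+) port (\d+)")
IKE = re.compile(r"^IKE SA: local \S+ remote \S+ (\w+)")
LIFE = re.compile(r"lifetime:(\d+):(\d+):(\d+)")
FLOW = re.compile(r"^IPSEC FLOW: permit ip (\S+) (\S+)")
SAS = re.compile(r"^Active SAs: (\d+)")
PKTS = re.compile(r"^(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (\d+) drop (\d+)")


def parse_sessions(text):
    """One dict per peer: session status, IKE SA state, Phase 1 lifetime (s) and flows."""
    sessions, status, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATUS.match(line):          # printed just before each Peer: line
            status = m.group(1)
        elif m := PEER.match(line):
            cur = {"peer": m.group(1), "status": status, "ike": None,
                   "lifetime_s": None, "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := IKE.match(line):
            cur["ike"] = m.group(1)
        elif m := LIFE.search(line):
            h, mi, s = (int(x) for x in m.groups())
            cur["lifetime_s"] = h * 3600 + mi * 60 + s
        elif m := FLOW.match(line):
            cur["flows"].append({"src": m.group(1), "dst": m.group(2), "sas": 0, "drops": 0})
        elif m := SAS.match(line):
            cur["flows"][-1]["sas"] = int(m.group(1))
        elif m := PKTS.match(line):
            cur["flows"][-1]["drops"] += int(m.group(3))
    return sessions


def problems(sessions, min_lifetime_s=300):
    """Findings a monitoring job would alert on (the threshold is this example's own)."""
    out = []
    for s in sessions:
        if s["status"] != "UP-ACTIVE" or s["ike"] != "Active":
            out.append(f"{s['peer']}: IKE SA {s['ike']} (session {s['status']})")
        if s["lifetime_s"] is not None and s["lifetime_s"] < min_lifetime_s:
            out.append(f"{s['peer']}: Phase 1 SA expires in {s['lifetime_s']}s")
        for f in s["flows"]:
            tag = f"{s['peer']}: flow {f['src']} -> {f['dst']}"
            if f["sas"] < 2:            # one SA per direction; fewer means a half-open tunnel
                out.append(f"{tag} has {f['sas']} active SAs (expected 2)")
            if f["drops"]:
                out.append(f"{tag} dropped {f['drops']} packets")
    return out


if __name__ == "__main__":
    for line in problems(parse_sessions(SAMPLE)) or ["no problems"]:
        print(line)
```

On the real router, capture the output with "show crypto session detail" over SSH on a schedule and feed it to parse_sessions; a peer that disappears from the listing altogether is the case to add next, by comparing the peers found against the list you expect.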
Below are the configuration files from each router that I used in this lab.
After you have setup and tested this lab, please blog your experience on our blog site at:
http://netcertlabs.com/netcertlabs-blog
Thank You,

------------- PC and Router configurations -------------
***NOTE***
The Branch and Home routers obtain their serial IP addresses with the command ip address slarp retry 20. SLARP (Serial Line
ARP), not DHCP, is what assigns the address over an HDLC point-to-point link: the router learns the peer's address and takes
the other host address of the pair (a peer at .1 gives a local address of .2), which is why the remote routers appear as
209.87.55.2 and 74.29.129.2 in the outputs above. The DHCP pools on the Internet router play no part in this.
Host       IP Address     Mask             Gateway
Corp PC    192.168.0.100  255.255.255.0    192.168.0.1
Branch PC  10.0.0.100     255.255.255.0    10.0.0.1
Home PC    10.0.20.100    255.255.255.0    10.0.20.1

Corp Router

!
hostname Corp
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key K3y4vPnLab address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC_CORP_VPN 10
set security-association lifetime seconds 86400
set transform-set MYTSETNAME
match address ACL_VPN_CORP_TO_BRANCH
crypto dynamic-map DYNAMIC_CORP_VPN 20
set security-association lifetime seconds 86400
set transform-set MYTSETNAME
match address ACL_VPN_CORP_TO_HOME
!
crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP 1 ipsec-isakmp dynamic DYNAMIC_CORP_VPN
!
interface Serial0/0
ip address 50.137.15.9 255.255.255.0
serial restart-delay 0
crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 50.137.15.1
!
ip nat inside source list 100 interface Serial0/0 overload
!
ip access-list extended ACL_VPN_CORP_TO_BRANCH
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
remark Allow IP traffic over the CORP_TO_BRANCH VPN
ip access-list extended ACL_VPN_CORP_TO_HOME
permit ip 192.168.0.0 0.0.0.255 10.0.20.0 0.0.0.255
remark Allow IP traffic over the CORP_TO_HOME VPN
access-list 100 remark Block NAT Service to VPN
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
Internet Router
!
hostname Internet
!
ip dhcp pool ISP-1
network 209.87.55.0 255.255.255.0
dns-server 4.2.2.2
!
ip dhcp pool ISP-2
network 74.29.129.0 255.255.255.0
dns-server 4.2.2.2
!
interface Serial0/0
ip address 50.137.15.1 255.255.255.0
serial restart-delay 0
clock rate 128000
!
interface Serial0/1
ip address 209.87.55.1 255.255.255.0
serial restart-delay 0
clock rate 128000
!
interface Serial0/2
ip address 74.29.129.1 255.255.255.0
serial restart-delay 0
clock rate 128000
!
Branch Router
!
hostname Branch
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key K3y4vPnLab address 50.137.15.9
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac

!
crypto map BRANCH_TO_CORP_VPN 10 ipsec-isakmp
set peer 50.137.15.9
set transform-set MYTSETNAME
match address ACL_VPN_BRANCH_TO_CORP
!
interface Serial0/0
ip address slarp retry 20
serial restart-delay 0
crypto map BRANCH_TO_CORP_VPN
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 209.87.55.1
!
ip nat inside source list 100 interface Serial0/0 overload
!
ip access-list extended ACL_VPN_BRANCH_TO_CORP
remark Allow IP traffic over the BRANCH_TO_CORP VPN
permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 remark Block NAT Service to VPN
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
Home Router
!
hostname Home
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key K3y4vPnLab address 50.137.15.9
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MYTSETNAME esp-3des esp-md5-hmac
!
crypto map HOME_TO_CORP_VPN 10 ipsec-isakmp
set peer 50.137.15.9
set transform-set MYTSETNAME
match address ACL_VPN_HOME_TO_CORP
!
interface Serial0/0
ip address slarp retry 20
serial restart-delay 0
crypto map HOME_TO_CORP_VPN
!
interface FastEthernet1/0
ip address 10.0.20.1 255.255.255.0
duplex auto
speed auto
!

ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip nat inside source list 100 interface Serial0/0 overload
!
ip access-list extended ACL_VPN_HOME_TO_CORP
remark Allow IP traffic over the HOME_TO_CORP VPN
permit ip 10.0.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 remark Block NAT Service to VPN
access-list 100 deny ip 10.0.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.0.20.0 0.0.0.255 any
!
