===== Cisco IOS Site to Site VPNs =====
{{tag>Cisco IOS}}

==== Description ====

{{ :images:routing:cisco-ios-sts-vpn-01.png?nolink |}}

^ Router ^ Public IP  ^ Private IP ^ Local Site VPCS ^
| 101    | 12.101.0.2 | 10.101.0.1 | 10.101.0.10     |
| 102    | 12.102.0.2 | 10.102.0.1 | 10.102.0.10     |
| 103    | 12.103.0.2 | 10.103.0.1 | 10.103.0.10     |
| 104    | 12.104.0.2 | 10.104.0.1 | 10.104.0.10     |
| 105    | 12.105.0.2 | 10.105.0.1 | 10.105.0.10     |

==== Configurations ====

=== Router 101 ===
<file>
! 
crypto keyring keyring-vpn 
  local-address 12.101.0.2
  pre-shared-key address 12.103.0.2 key tunvpnkey
  pre-shared-key address 12.105.0.2 key tunvpnkey
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key vpnkey address 12.102.0.2
crypto isakmp key vpnkey address 12.104.0.2
crypto isakmp profile isakmp-vpn
   keyring keyring-vpn
   match identity address 12.103.0.2 255.255.255.255 
   match identity address 12.105.0.2 255.255.255.255 
   local-address 12.101.0.2
!
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac 
!
crypto ipsec profile ipsec-profile
 set transform-set tset-vpn 
 set pfs group5
!
crypto map cmap-vpn 10 ipsec-isakmp 
 set peer 12.102.0.2
 set transform-set tset-vpn 
 set pfs group5
 match address acl-vpn-102
crypto map cmap-vpn 20 ipsec-isakmp 
 set peer 12.104.0.2
 set transform-set tset-vpn 
 set pfs group5
 match address acl-vpn-104
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1379
 tunnel source 12.101.0.2
 tunnel destination 12.103.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface Tunnel2
 ip address 172.16.2.1 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1379
 tunnel source 12.101.0.2
 tunnel destination 12.105.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface FastEthernet0/0
 ip address 12.101.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cmap-vpn
!
interface FastEthernet0/1
 ip address 10.101.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 12.101.0.1
ip route 10.103.0.0 255.255.0.0 Tunnel1
ip route 10.105.0.0 255.255.0.0 Tunnel2
!
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
 deny   ip 10.101.0.0 0.0.255.255 10.102.0.0 0.0.255.255
 deny   ip 10.101.0.0 0.0.255.255 10.104.0.0 0.0.255.255
 permit ip 10.101.0.0 0.0.255.255 any
ip access-list extended acl-vpn-102
 permit ip 10.101.0.0 0.0.255.255 10.102.0.0 0.0.255.255
 permit ip 10.103.0.0 0.0.255.255 10.102.0.0 0.0.255.255
 permit ip 10.104.0.0 0.0.255.255 10.102.0.0 0.0.255.255
 permit ip 10.105.0.0 0.0.255.255 10.102.0.0 0.0.255.255
ip access-list extended acl-vpn-104
 permit ip 10.101.0.0 0.0.255.255 10.104.0.0 0.0.255.255
 permit ip 10.102.0.0 0.0.255.255 10.104.0.0 0.0.255.255
 permit ip 10.103.0.0 0.0.255.255 10.104.0.0 0.0.255.255
 permit ip 10.105.0.0 0.0.255.255 10.104.0.0 0.0.255.255
!
route-map rmap-nat permit 10
 match ip address acl-nat
!
</file>

=== Router 102 ===
<file>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key vpnkey address 12.101.0.2
!
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac 
!
crypto map cmap-vpn 10 ipsec-isakmp 
 set peer 12.101.0.2
 set transform-set tset-vpn 
 set pfs group5
 match address acl-vpn-101
!
interface FastEthernet0/0
 ip address 12.102.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cmap-vpn
!
interface FastEthernet0/1
 ip address 10.102.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 12.102.0.1
!
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
 deny   ip 10.102.0.0 0.0.255.255 10.101.0.0 0.0.255.255
 deny   ip 10.102.0.0 0.0.255.255 10.103.0.0 0.0.255.255
 deny   ip 10.102.0.0 0.0.255.255 10.104.0.0 0.0.255.255
 deny   ip 10.102.0.0 0.0.255.255 10.105.0.0 0.0.255.255
 permit ip 10.102.0.0 0.0.255.255 any
ip access-list extended acl-vpn-101
 permit ip 10.102.0.0 0.0.255.255 10.101.0.0 0.0.255.255
 permit ip 10.102.0.0 0.0.255.255 10.103.0.0 0.0.255.255
 permit ip 10.102.0.0 0.0.255.255 10.104.0.0 0.0.255.255
 permit ip 10.102.0.0 0.0.255.255 10.105.0.0 0.0.255.255
!
route-map rmap-nat permit 10
 match ip address acl-nat
!
</file>

=== Router 103 ===
<file>
! 
crypto keyring keyring-vpn 
  local-address 12.103.0.2
  pre-shared-key address 12.101.0.2 key tunvpnkey
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile isakmp-vpn
   keyring keyring-vpn
   match identity address 12.101.0.2 255.255.255.255 
   local-address 12.103.0.2
!
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac 
!
crypto ipsec profile ipsec-profile
 set transform-set tset-vpn 
 set pfs group5
!
interface Tunnel1
 ip address 172.16.1.3 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1379
 tunnel source 12.103.0.2
 tunnel destination 12.101.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface FastEthernet0/0
 ip address 12.103.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.103.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 12.103.0.1
ip route 10.101.0.0 255.255.0.0 Tunnel1
ip route 10.102.0.0 255.255.0.0 Tunnel1
ip route 10.104.0.0 255.255.0.0 Tunnel1
ip route 10.105.0.0 255.255.0.0 Tunnel1
!
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
 permit ip 10.103.0.0 0.0.255.255 any
!
route-map rmap-nat permit 10
 match ip address acl-nat
!
</file>

=== Router 104 ===
<file>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key vpnkey address 12.101.0.2
!
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac 
!
crypto map cmap-vpn 10 ipsec-isakmp 
 set peer 12.101.0.2
 set transform-set tset-vpn 
 set pfs group5
 match address acl-vpn-101
!
interface FastEthernet0/0
 ip address 12.104.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cmap-vpn
!
interface FastEthernet0/1
 ip address 10.104.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 12.104.0.1
!
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
 deny   ip 10.104.0.0 0.0.255.255 10.101.0.0 0.0.255.255
 deny   ip 10.104.0.0 0.0.255.255 10.102.0.0 0.0.255.255
 deny   ip 10.104.0.0 0.0.255.255 10.103.0.0 0.0.255.255
 deny   ip 10.104.0.0 0.0.255.255 10.105.0.0 0.0.255.255
 permit ip 10.104.0.0 0.0.255.255 any
ip access-list extended acl-vpn-101
 permit ip 10.104.0.0 0.0.255.255 10.101.0.0 0.0.255.255
 permit ip 10.104.0.0 0.0.255.255 10.102.0.0 0.0.255.255
 permit ip 10.104.0.0 0.0.255.255 10.103.0.0 0.0.255.255
 permit ip 10.104.0.0 0.0.255.255 10.105.0.0 0.0.255.255
!
route-map rmap-nat permit 10
 match ip address acl-nat
!
</file>

=== Router 105 ===
<file>
! 
crypto keyring keyring-vpn 
  local-address 12.105.0.2
  pre-shared-key address 12.101.0.2 key tunvpnkey
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile isakmp-vpn
   keyring keyring-vpn
   match identity address 12.101.0.2 255.255.255.255 
   local-address 12.105.0.2
!
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac 
!
crypto ipsec profile ipsec-profile
 set transform-set tset-vpn 
 set pfs group5
!
interface Tunnel2
 ip address 172.16.2.5 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1379
 tunnel source 12.105.0.2
 tunnel destination 12.101.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface FastEthernet0/0
 ip address 12.105.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.105.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 12.105.0.1
!
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
 permit ip 10.105.0.0 0.0.255.255 any
!
route-map rmap-nat permit 10
 match ip address acl-nat
!
</file>

=== Public ===
<file>
!
interface FastEthernet0/0
 ip address 12.101.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.102.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 12.103.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 12.104.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet3/0
 ip address 12.105.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet4/0
 ip address 12.106.0.1 255.255.255.252
 duplex auto
 speed auto
!
</file>