
Configuring VPN LAN-to-LAN Tunnels

This chapter describes how to create a LAN-to-LAN tunnel using IPsec or GRE. For initial LAN-to-LAN tunnel authentication, see "Configuring VPN Tunnel Authentication." A LAN-to-LAN tunnel allows two sites, each with a VPN 5000 concentrator, to securely connect over the Internet or WAN connection. All traffic destined from one LAN to the other is tunneled, without individual hosts having to use VPN 5000 Clients. You can configure a tunnel for a particular partner, or you can configure a generic tunnel to connect to any partner. You can also configure the concentrator to interoperate with third party equipment.

Make sure that the IP address of the port on each end of the tunnel is routable on the network the tunnel runs over. For example, if the tunnel runs over the Internet, the tunnel ends must have Internet-routable addresses. If the tunnel runs over a Frame Relay connection, you can use addresses, including private addresses, that are only routable on the tunnel partner networks.

Configuring an IPsec Tunnel Partner

The following steps describe how to create an IPsec tunnel from a local interface to an IP address on a remote VPN 5000 concentrator. Complete these steps on both concentrators.

Command Purpose

Step 1 

configure Tunnel Partner VPN number

number is a unique identifier for this tunnel, from 0 up to one less than the maximum number of tunnels (for example, 1499).

Step 2 

Partner = IP_Address

Specifies the IP address of the interface at the remote end of the tunnel.

Step 3 

BindTo = Ethernet port[.sub-interface]

Specifies the local interface or sub-interface that acts as the end point for the tunnel.

Step 4 

KeyManage = {Auto | Manual | Initiate | Respond}

Specifies how the concentrator establishes the tunnel.

Use Initiate to establish a tunnel with a generic tunnel partner, described in the "Configuring a Generic Tunnel Partner" section.

  • Auto, the default setting, specifies that the concentrator uses IKE and that it can either initiate tunnels or respond to tunnel establishment requests from other VPN 5000 concentrators. The SharedKey keyword must be set to the same value for both tunnel partners.

  • Manual specifies that the concentrator does not use IKE, so you must set the tunnel's encryption and authentication parameters manually using the Authentication, Encryption, EncryptMethod, AuthSecret, and EncryptSecret keywords. Values for all keywords must be the same for both tunnel partners. See the Cisco VPN 5000 Concentrator Series Command Reference Guide for more information about these keywords.

  • Initiate specifies that the concentrator uses IKE, but only initiates tunnel establishment. It does not respond to tunnel establishment attempts from other concentrators.

  • Respond specifies that the concentrator uses IKE, but only responds to tunnel establishment attempts from other concentrators. It does not initiate tunnel establishment.

Step 5 

Transform = {ESP(SHA,DES) | ESP(SHA,3DES) | ESP(MD5,DES) | ESP(MD5,3DES) | ESP(MD5) | ESP(SHA) | AH(MD5) | AH(SHA) | AH(MD5)+ESP(DES) | AH(MD5)+ESP(3DES) | AH(SHA)+ESP(DES) | AH(SHA)+ESP(3DES)}

Sets the authentication and encryption algorithms used for tunnel sessions. ESP(MD5,DES) is the default setting if you do not specify a Transform, and is recommended for most settings.

See "Configuring VPN Groups," for more information about the Transform options.

Step 6 

SharedKey = Pass_Phrase

Generates session keys that are used to authenticate and encrypt each packet received or sent through the tunnel. Enter the same key on both concentrators. The Pass_Phrase can be between 1 and 255 characters long.

Step 7 

Configure the protocols according to the "Configuring the Protocols" section.

Allows IP, IPX, or AppleTalk packets over the tunnel.

To learn more about these and other settings, see the Tunnel Partner section in the Cisco VPN 5000 Concentrator Series Command Reference Guide.

Configuring a GRE Tunnel Partner

The following steps describe how to create a GRE tunnel from a local interface to an IP address on a remote VPN 5000 concentrator. GRE does not provide authentication or encryption like IPsec does. Complete these steps on both concentrators.

Command Purpose

Step 1 

configure Tunnel Partner VPN number

number is a unique identifier for this tunnel, from 0 up to one less than the maximum number of tunnels (for example, 1499).

Step 2 

Partner = IP_Address

Specifies the IP address of the interface at the remote end of the tunnel.

Step 3 

BindTo = Ethernet port[.sub-interface]

Specifies the local interface or sub-interface that acts as the end point for the tunnel.

Step 4 

KeyManage = Manual

Specifies that the concentrator does not use IKE, so you must set the tunnel's encryption and authentication parameters manually.

Step 5 

Authentication = Off

Turns off authentication.

Step 6 

Encryption = Off

Turns off encryption.

Step 7 

EncryptMethod = None

The concentrator sends packets over the tunnel in the clear in both directions.

Step 8 

Configure the protocols according to the "Configuring the Protocols" section.

Allows IP, IPX, or AppleTalk packets over the tunnel.

To learn more about these and other settings, see the Tunnel Partner section in the Cisco VPN 5000 Concentrator Series Command Reference Guide.

Configuring a Generic Tunnel Partner

Configure a Tunnel Partner VPN Default section to allow any remote concentrator to connect, as long as it is authorized with a SharedKey. A concentrator with a Tunnel Partner VPN Default section acts only as a responder and does not initiate tunnels.

This kind of tunnel only supports IP and differs from the tunnel configured between two specific peers. A generic tunnel does not use routing protocols over the tunnel, so the connection is only between two specified networks. For example, if you want to connect two local networks (100.1.1.0 and 100.1.2.0) to two peer networks (200.1.1.0 and 200.1.2.0), the local concentrator needs to initiate four separate tunnels: 100.1.1.0 to 200.1.1.0, 100.1.1.0 to 200.1.2.0, 100.1.2.0 to 200.1.1.0, and 100.1.2.0 to 200.1.2.0.

Complete these steps on the concentrator that you want to respond to tunnel sessions initiated by any other concentrator, which can be a VPN 5000 concentrator or third party equipment. On the other VPN 5000 concentrator, you can configure an IPsec tunnel or a third party tunnel. See "Interoperating with an IOS Device" section for a sample Cisco IOS configuration that works with this generic tunnel-type, and with a third party tunnel-type.

Command Purpose

Step 1 

configure Tunnel Partner VPN Default

Creates a default Tunnel Partner section.

Step 2 

Transform = {ESP(SHA,DES) | ESP(SHA,3DES) | ESP(MD5,DES) | ESP(MD5,3DES) | ESP(MD5) | ESP(SHA) | AH(MD5) | AH(SHA) | AH(MD5)+ESP(DES) | AH(MD5)+ESP(3DES) | AH(SHA)+ESP(DES) | AH(SHA)+ESP(3DES)}

Sets the authentication and encryption algorithms used for tunnel sessions. ESP(MD5,DES) is the default setting if you do not specify a Transform, and is recommended for most settings.

See "Configuring VPN Groups," for more information about the Transform options.

Step 3 

SharedKey = Pass_Phrase

Generates session keys that are used to authenticate and encrypt each packet received or sent through the tunnel. Enter the same key on both concentrators. The Pass_Phrase can be between 1 and 255 characters long.

Step 4 

Configure IP according to the "Enabling IP Routing" section.

Allows IP packets over the tunnel.

Interoperating with Third Party Equipment

The following steps describe how to create an IPsec tunnel from a local interface to an IP address on a third party concentrator. See the "Interoperating with an IOS Device" section for an example of an IOS configuration.

This kind of tunnel only supports IP and differs from the tunnel configured between two specific VPN 5000 peers. A third party tunnel does not use routing protocols over the tunnel, so the connection is only between two specified networks. For example, if you want to connect two local networks (100.1.1.0 and 100.1.2.0) to two peer networks (200.1.1.0 and 200.1.2.0), the local concentrator needs to initiate four separate tunnels: 100.1.1.0 to 200.1.1.0, 100.1.1.0 to 200.1.2.0, 100.1.2.0 to 200.1.1.0, and 100.1.2.0 to 200.1.2.0.

Command Purpose

Step 1 

configure Tunnel Partner VPN number

number is a unique identifier for this tunnel, from 0 up to one less than the maximum number of tunnels (for example, 1499).

Step 2 

Partner = IP_Address

Specifies the IP address of the interface at the remote end of the tunnel.

Step 3 

BindTo = Ethernet port[.sub-interface]

Specifies the local interface or sub-interface that acts as the end point for the tunnel.

Step 4 

KeyManage = {Auto | Manual | Initiate | Respond}

Specifies how the concentrator establishes the tunnel. See Step 4 in the "Configuring an IPsec Tunnel Partner" section for a description of the options.

Step 5 

Transform = {ESP(SHA,DES) | ESP(SHA,3DES) | ESP(MD5,DES) | ESP(MD5,3DES) | ESP(MD5) | ESP(SHA) | AH(MD5) | AH(SHA) | AH(MD5)+ESP(DES) | AH(MD5)+ESP(3DES) | AH(SHA)+ESP(DES) | AH(SHA)+ESP(3DES)}

Sets the authentication and encryption algorithms used for tunnel sessions. ESP(MD5,DES) is the default setting, and is recommended for most settings.

See "Configuring VPN Groups," for more information about the Transform options.

Step 6 

SharedKey = Pass_Phrase

Generates session keys that are used to authenticate and encrypt each packet received or sent through the tunnel. Enter the same key on both concentrators. The Pass_Phrase can be between 1 and 255 characters long.

Step 7 

If the KeyManage keyword is Manual or Respond, enter:

Mode = {Main | Aggressive}

Sets the IKE Phase 1 negotiation mode between the devices. Phase 1 controls how the two devices identify and authenticate each other so that tunnel sessions can be established. Security settings for the IKE Phase 1 negotiation are set in the IKE Policy section in "Configuring VPN Tunnel Authentication."

Main and Aggressive are the two IPsec standard methods for performing the Phase 1 negotiation. This setting must match the Phase 1 negotiation mode of the remote peer. Other vendors may support only the Main mode.

Step 8 

LocalAccess = IP_Address/bits

Specifies a local host or subnet that a peer can reach through the tunnel.

To allow access to only a single host, specify 32 in the bits portion. See the "Subnet Masks" section for a description of /bits.

Step 9 

Peer = IP_Address/bits

Specifies a host or subnet connected to the remote tunnel partner that the concentrator can reach through the tunnel.

To allow access to only a single host, specify 32 in the bits portion. See the "Subnet Masks" section for a description of /bits.

Any packets destined for the Peer network are tunneled.

Step 10 

Configure IP according to the next section.

Allows IP packets over the tunnel.
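As an added example that is not part of the Cisco documentation, the following Python script audits Tunnel Partner VPN sections against the rules stated in the IPsec, GRE, generic and third party procedures above: the tunnel number range, the required Partner and BindTo keywords, the allowed Transform values, the keywords that KeyManage = Manual depends on, the SharedKey length for the IKE modes, the IP_Address/bits form of LocalAccess and Peer, and a finding for any partner whose EncryptMethod = None sends traffic in the clear. It assumes the configuration is written as bracketed section headers followed by Keyword = Value lines and a platform maximum of 1500 tunnels; both are assumptions, and the sample configuration is constructed.

```python
import re
# Transform values accepted by the Tunnel Partner steps on this page.
TRANSFORMS = {"ESP(SHA,DES)", "ESP(SHA,3DES)", "ESP(MD5,DES)", "ESP(MD5,3DES)",
              "ESP(MD5)", "ESP(SHA)", "AH(MD5)", "AH(SHA)", "AH(MD5)+ESP(DES)",
              "AH(MD5)+ESP(3DES)", "AH(SHA)+ESP(DES)", "AH(SHA)+ESP(3DES)"}
MAX_TUNNELS = 1500  # assumed platform maximum; the page's example range is 0..1499
PREFIX = re.compile(r"\d{1,3}(\.\d{1,3}){3}/([0-9]|[12][0-9]|3[0-2])")  # IP_Address/bits
def parse_sections(text):
    # "[ Section ]" headers followed by "Keyword = Value" lines (layout assumed here).
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value.strip('"')
    return sections
def check_tunnel_partner(name, kw):
    # Findings for one Tunnel Partner VPN section, from the rules in the steps above.
    out, ident = [], name.split()[-1]
    if ident.lower() != "default":  # numbered partner, not the generic Default section
        if not (ident.isdigit() and int(ident) < MAX_TUNNELS):
            out.append(f"{name}: tunnel number must be 0..{MAX_TUNNELS - 1}")
        out += [f"{name}: missing {k}" for k in ("partner", "bindto") if k not in kw]
    if kw.get("transform", "ESP(MD5,DES)").replace(" ", "").upper() not in TRANSFORMS:
        out.append(f"{name}: unknown Transform value")
    if kw.get("keymanage", "Auto").lower() == "manual":  # no IKE: SA parameters set by hand
        out += [f"{name}: Manual needs {k}" for k in ("authentication", "encryption", "encryptmethod") if k not in kw]
        if kw.get("encryptmethod", "").lower() == "none":
            out.append(f"{name}: packets cross the tunnel in the clear")
    elif not 1 <= len(kw.get("sharedkey", "")) <= 255:  # IKE modes need a usable SharedKey
        out.append(f"{name}: SharedKey must be 1 to 255 characters")
    out += [f"{name}: {k} must be IP_Address/bits" for k in ("localaccess", "peer") if k in kw and not PREFIX.fullmatch(kw[k])]
    return out
def audit(text):
    return [f for name, kw in parse_sections(text).items()
            if name.lower().startswith("tunnel partner vpn")
            for f in check_tunnel_partner(name, kw)]
SAMPLE = """[ Tunnel Partner VPN 2 ]
Partner = 192.0.2.11
BindTo = Ethernet 0
KeyManage = Manual
Authentication = Off
Encryption = Off
EncryptMethod = None
[ Tunnel Partner VPN 1500 ]
Transform = ESP(AES)
Peer = 10.9.0.0/33"""  # constructed sample: a GRE partner and a misconfigured partner
```

Running audit(SAMPLE) reports the GRE partner as sending traffic in the clear and lists every rule the second section breaks; a numbered IPsec partner with Partner, BindTo, a listed Transform and a SharedKey of 1 to 255 characters produces no findings.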

Configuring the Protocols

After creating the Tunnel Partner section, you need to configure the protocols you want to allow over the tunnel. All tunnel types support IP traffic, and IPsec and GRE tunnels also support IPX and AppleTalk.

Enabling IP Routing

For all tunnel types, configure IP:

Command Purpose

Step 1 

configure IP VPN {Tunnel_Partner_Number | Default}

Tunnel_Partner_Number is the number you assigned to the VPN tunnel. Use Default for a generic Tunnel Partner section.

Step 2 

mode = routed

Turns on routing for the protocol.

Step 3 

numbered = Off

Turns off IP address numbering.

Step 4 

For IPsec or GRE tunnels, configure a routing protocol or static routes according to the "Configuring the Dynamic Routing Protocol" section or the "Configuring Static Routes" section.

For a static route, specify the gateway Port as VPN number. For example:

10.2.1.0 255.255.255.0 VPN 1 1

Enabling IPX Routing

For IPsec or GRE tunnels, configure IPX:

Command Purpose

Step 1 

configure IPX VPN Tunnel_Partner_Number

Tunnel_Partner_Number is the number you assigned to the tunnel.

Step 2 

Mode = Routed

Turns on routing.

Step 3 

Numbered = On

Specifies that the interface has a network number.

Step 4 

Net = Network_Number

Network_Number is a hexadecimal number between 1 and FFFFFFFE assigned to the IPX network. Be sure to use the same number at the other end of the tunnel.

Enabling AppleTalk Routing

For IPsec or GRE tunnels, configure AppleTalk:

Command Purpose

Step 1 

configure AppleTalk VPN Tunnel_Partner_Number

Tunnel_Partner_Number is the number you assigned to the VPN tunnel.

Step 2 

Mode = Routed

Turns on routing.

Step 3 

Numbered = On

Specifies that the interface has a network number.

Step 4 

NetLower = Number

Specifies the network number between 1 and 65279. Each network number supports up to 253 node addresses. Make sure the AppleTalk network number is not in use on another network segment.

Step 5 

Node = Number

Specifies the node number between 1 and 253 and must be unique for the network defined by NetLower.

Step 6 

DefZone = "Zone_Name"

Defines the default AppleTalk zone name. Zone names can be up to 32 characters in length and can include spaces.


Posted: Wed Sep 27 10:02:52 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.