🌐 VPN Lab Topology (Router-based Internet)

 A VPN (Virtual Private Network) is a technology that creates a secure, encrypted connection over an insecure network like the Internet.

https://www.devglan.com/online-tools/text-encryption-decryption

https://www.devglan.com/online-tools/aes-encryption-decryption


Cisco 1841 is commonly used in labs for:

  • Site-to-Site IPsec VPN
  • Remote Access VPN (legacy)

It can handle:

  • Crypto-based tunnels (IPSec)
  • Pre-shared keys
  • Basic encryption acceleration (with AIM module)

🔐 Simple idea

Think of VPN like a private tunnel inside the public Internet:

  • Without VPN → your data travels openly and can be read
  • With VPN → your data is encrypted, so only the correct devices can understand it

🌐 How it works (basic view)

  1. Your device sends data to a VPN device (router/server)
  2. The VPN encrypts the data
  3. The encrypted data travels through the Internet inside the encrypted tunnel
  4. The other side VPN device decrypts it
  5. Then it reaches the destination safely

🏢 Example (Site-to-Site VPN)

  • Branch A (192.168.10.0) wants to talk to Branch B (192.168.20.0)
  • Traffic goes through the Internet
  • But routers R1 and R2 create a secure IPsec tunnel
  • So communication looks like a private network

🔑 Key points

  • 🔒 Encryption → protects data from hackers
  • 🛣️ Tunnel → logical secure path over Internet
  • 🌍 Uses public network but behaves like private network
  • 🏢 Common in companies connecting multiple offices

📌 Types of VPN

  • Site-to-Site VPN → connects two offices (router to router): two VPN gateways (routers/firewalls) build a permanent encrypted tunnel between two networks
  • Remote Access VPN → a user connects to the company network from home: one VPN client connects securely to a VPN server/router to reach an internal network
  • Difference between Site-to-Site VPN and Remote Access VPN:

    Site-to-Site VPN                                Remote Access VPN
    Connects two networks                           Connects an individual user to a network
    VPN gateway to VPN gateway                      VPN client to VPN gateway
    No client software required at branch routers   Usually requires VPN client software (or browser-based SSL VPN)

    🌐 VPN Packet Tracer Lab Topology (Router-based Internet)

    🧭 Topology Overview

                               INTERNET (ISP)

                              +----------------+
                              |       R3       |
                              |   ISP Router   |
                              +----------------+
              G0/0 203.0.113.2/30  |        |  G0/1 198.51.100.2/30
                                   |        |
                                   |        |
              G0/0 203.0.113.1/30  |        |  G0/0 198.51.100.1/30
                         +---------+        +---------+
                         |   R1    |========|   R2    |
                         | Branch A|   VPN  | Branch B|
                         +---------+ Tunnel +---------+
         G0/1 192.168.10.1/24 |                  | G0/1 192.168.20.1/24
                              |                  |
                          +--------+         +--------+
                          |  SW1   |         |  SW2   |
                          +--------+         +--------+
                              |                  |
                             PC1                PC2
                      192.168.10.10/24   192.168.20.10/24
                       GW 192.168.10.1    GW 192.168.20.1

    🧱 Device Roles

    🏢 Branch A

    • PC1 → End device
    • SW1 → Layer 2 switch
    • R1 → Edge router (VPN endpoint)

    🌍 Internet (Simulated WAN)

    • R3 → Acts as ISP / Internet router (no VPN config here)

    🏢 Branch B

    • PC2 → End device
    • SW2 → Layer 2 switch
    • R2 → Edge router (VPN endpoint)

    📦 IP Addressing Plan

    LAN A

    • Network: 192.168.10.0/24
    • R1 G0/0 → 192.168.10.1
    • PC1 → 192.168.10.10

    LAN B

    • Network: 192.168.20.0/24
    • R2 G0/0 → 192.168.20.1
    • PC2 → 192.168.20.10

    WAN (Internet links)

    • R1 ↔ R3 → 203.0.113.0/30
      • R1: 203.0.113.2
      • R3: 203.0.113.1
    • R2 ↔ R3 → 198.51.100.0/30
      • R2: 198.51.100.2
      • R3: 198.51.100.1

    Note: the topology drawing above labels the interfaces and the .1/.2 WAN addresses the other way round. The static routes, pre-shared keys and crypto maps below follow this addressing plan (LAN on G0/0, WAN on G0/1), so build the lab from the plan.

    🔐 VPN Goal

    👉 PC1 (LAN A) should securely communicate with PC2 (LAN B) over “Internet (R3)”

    Without VPN:

    • Traffic is routed normally but NOT encrypted

    With VPN:

    • Traffic between R1 ↔ R2 is encrypted (IPsec tunnel)

    ⚙️ Basic Configuration Steps

    1️⃣ Configure IP addressing

    • Assign IPs to all router interfaces
    • Configure PCs with default gateway

    2️⃣ Enable routing (basic test first)

    You can use:

    • Static routes 

    Example static route:

    R1

    ip route 192.168.20.0 255.255.255.0 203.0.113.1

    R2

    ip route 192.168.10.0 255.255.255.0 198.51.100.1

    R3 (Internet router)

    ip route 192.168.10.0 255.255.255.0 203.0.113.2
    ip route 192.168.20.0 255.255.255.0 198.51.100.2

    3️⃣ Configure VPN (IPsec Site-to-Site)

    🔐 Step A: ISAKMP policy (Phase 1)

    On R1 and R2:

    crypto isakmp policy 10
    encryption aes
    hash sha
    authentication pre-share
    group 2

    🔐 Step B: Pre-shared key

    R1:

    crypto isakmp key cisco123 address 198.51.100.2

    R2:

    crypto isakmp key cisco123 address 203.0.113.2

    🔐 Step C: Transform set (Phase 2)

    crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

    🔐 Step D: ACL (interesting traffic)

    R1:

    access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

    R2:

    access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

    🔐 Step E: Crypto map

    R1:

    crypto map VPN-MAP 10 ipsec-isakmp
    set peer 198.51.100.2
    set transform-set VPN-SET
    match address 110

    Apply:

    interface g0/1
    crypto map VPN-MAP

    R2 (same pattern: the peer is R1's WAN address, and the crypto map is applied to R2's G0/1 in the same way):

    crypto map VPN-MAP 10 ipsec-isakmp
    set peer 203.0.113.2
    set transform-set VPN-SET
    match address 110
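As an added check (example code written for this page, not part of the lab or of Cisco's tooling): the two sides of a site-to-site IPsec configuration must be mirror images of each other, and a mismatch in peer address, key, transform set or ACL is the usual reason a tunnel never comes up. This Python script parses the crypto lines of R1 and R2 (embedded as constructed samples copied from the steps above, with the WAN addresses taken from the addressing plan) and reports every mismatch a peer would reject, plus a pre-shared key that is too short for anything but a lab.

```python
import re

# Constructed sample input: the crypto lines of R1 and R2 from the steps above,
# plus each router's WAN address from the addressing plan.
R1_WAN, R2_WAN = "203.0.113.2", "198.51.100.2"
R1_CFG = """crypto isakmp key cisco123 address 198.51.100.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-SET
 match address 110"""
R2_CFG = """crypto isakmp key cisco123 address 203.0.113.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-SET
 match address 110"""

def parse(cfg):
    """Pull out the fields that the two VPN endpoints must agree on."""
    f = {}
    m = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg)
    f["key"], f["key_peer"] = m.group(1), m.group(2)
    f["peer"] = re.search(r"set peer (\S+)", cfg).group(1)
    f["tset"] = re.search(r"crypto ipsec transform-set \S+ (.+)", cfg).group(1)
    m = re.search(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", cfg)
    f["src"], f["dst"] = m.group(1), m.group(2)
    return f

def check_mirror(cfg_a, wan_a, cfg_b, wan_b):
    """Return a list of problems; an empty list means the two sides mirror each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    if a["key_peer"] != wan_b or b["key_peer"] != wan_a:
        issues.append("pre-shared key is bound to the wrong peer address")
    if a["peer"] != wan_b or b["peer"] != wan_a:
        issues.append("crypto map 'set peer' does not point at the other router's WAN address")
    if a["key"] != b["key"]:
        issues.append("pre-shared keys differ")
    if len(a["key"]) < 16:
        issues.append("pre-shared key is short; use a long random key outside the lab")
    if a["tset"] != b["tset"]:
        issues.append("transform sets differ (Phase 2 will not negotiate)")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        issues.append("interesting-traffic ACLs are not mirror images")
    return issues
```

Run it against the lab as written and the only finding is the short key cisco123; paste in a second router whose ACL was copied from R1 unchanged and the mirror check catches it.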

    🧪 Testing

    Before VPN

    • Ping PC1 → PC2 (may work but NOT encrypted)

    After VPN

    Check:

    show crypto ipsec sa
    show crypto isakmp sa

    Then ping again:

    PC1 → ping 192.168.20.10

    🧠 Key Concept (Important for Exams)

    ✔ R3 (Internet router) does NOT participate in VPN
    ✔ VPN is only between R1 ↔ R2
    ✔ Internet is just a transit network
    ✔ Encryption happens at edge routers only


    Remote Access VPN 

    Topology  

    Use 1841 as R1

                                  INTERNET
                                100.1.1.0/24

                            +------------------+
                            |      SW-ISP      |
                            |    Cisco 2960    |
                            +------------------+
                                |          |
                                |          |
                           G0/0 |          | Fa0
                    100.1.1.1/24|          |100.1.1.2/24
                    +-----------+          +---------------+
                    | R1 1841   |          |  VPN Client   |
                    | VPN Server|          |  Remote User  |
                    +-----------+          +---------------+
                          |
                     G0/1 |
          192.168.10.1/24 |
                          |
                    +-----------+
                    |    SW1    |
                    | Cisco2960 |
                    +-----------+
                          |
                      Fa0 |
         192.168.10.10/24 |
                    +-----------+
                    |    PC1    |
                    +-----------+

    How the Remote Access VPN Works

    VPN Client
    100.1.1.2
         │
         │  Internet
         │
    ==========================
       Encrypted VPN Tunnel
    ==========================
         │
    R1 (VPN Server)
    100.1.1.1 (outside, G0/0)
    192.168.10.1 (inside, G0/1)
         │
    Switch (SW1)
         │
    PC1
    192.168.10.10

    IP Addressing

    Device        Interface   IP Address
    R1            G0/0        10.1.1.1/24
    R1            G0/1        192.168.10.1/24
    PC1           NIC         192.168.10.10/24
    VPN Client    NIC         10.1.1.2/24

    Note: this table and the interface configuration in Step 1 use 10.1.1.0/24 for the outside link, while the topology drawing, the crypto map peer, the client's server address and the show output below use 100.1.1.0/24. Pick one range and use it everywhere; if the client's address does not match the router's ISAKMP key and peer configuration, Phase 1 never completes.

    Step 1: Configure Router Interfaces

    enable
    configure terminal

    hostname R1

    interface g0/0
    ip address 10.1.1.1 255.255.255.0
    no shutdown

    interface g0/1
    ip address 192.168.10.1 255.255.255.0
    no shutdown

    Step 2: Create a Local VPN User

    username vpnuser secret Cisco123

    Step 3: Enable AAA

    aaa new-model
    aaa authentication login default local

    Step 4: Configure ISAKMP (IKE Phase 1)

    crypto isakmp policy 10
    encryption aes
    hash sha
    authentication pre-share
    group 2
    lifetime 86400

    Configure the pre-shared key:

    crypto isakmp key cisco address 0.0.0.0

    Step 5: Configure IPsec

    crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac

    Step 6: Configure Interesting Traffic

    access-list 110 permit ip 192.168.10.0 0.0.0.255 any

    Step 7: Create and Apply the Crypto Map

    crypto map VPNMAP 10 ipsec-isakmp
    set peer 100.1.1.2
    set transform-set VPNSET
    match address 110

    interface g0/0
    crypto map VPNMAP

    Router(config)#ip route 192.168.10.0 255.255.255.0 192.168.10.10

    (This static route is not needed: 192.168.10.0/24 is directly connected on G0/1, so R1 already has it in its routing table, and pointing a connected network at PC1 adds nothing.)

    Step 8: Configure the VPN Client

    Open the VPN Client device and go to Desktop → VPN.

    Enter:

    Setting           Value
    Server Address    100.1.1.1
    Username          vpnuser
    Password          Cisco123
    Pre-Shared Key    cisco

    Click Connect.


    Step 9: Verify the Tunnel

    On R1:

    show crypto isakmp sa

    Expected:

    QM_IDLE

    Then:

    show crypto ipsec sa

    You should see encrypted packet counters increase after sending traffic.


    Router#show crypto ipsec sa

    interface: FastEthernet0/1
        Crypto map tag: VPNMAP, local addr 100.1.1.1

       protected vrf: (none)
       local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 100.1.1.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 100.1.1.1, remote crypto endpt.:100.1.1.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
         current outbound spi: 0x0(0)

    Router#show crypto map
    Crypto Map VPNMAP 10 ipsec-isakmp
            Peer = 100.1.1.2
            Extended IP access list 110
                access-list 110 permit ip 192.168.10.0 0.0.0.255 any
            Current peer: 100.1.1.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    VPNSET,
            }
            Interfaces using crypto map VPNMAP:
                    FastEthernet0/1

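Added example (not from the original post) that serves both the Testing section of the site-to-site lab and Step 9 here: a small Python parser for show crypto ipsec sa output that compares two captures taken before and after the test ping, so the "counters should increase" check becomes a definite answer. The sample captures are constructed: BEFORE copies the all-zero output shown above, and AFTER has invented non-zero counters and SPI for a tunnel that is working.

```python
import re

# Constructed sample: two captures of "show crypto ipsec sa" on R1. BEFORE copies
# the all-zero counters shown above; AFTER has invented non-zero values that a
# working tunnel would show once the client has pinged PC1.
BEFORE = """\
interface: FastEthernet0/1
    Crypto map tag: VPNMAP, local addr 100.1.1.1
   local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 100.1.1.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""
AFTER = (BEFORE
         .replace("encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
                  "encaps: 4, #pkts encrypt: 4, #pkts digest: 4")
         .replace("decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
                  "decaps: 4, #pkts decrypt: 4, #pkts verify: 4")
         .replace("spi: 0x0(0)", "spi: 0x3A1B2C4D(974859341)"))

def parse_sa(text):
    """Extract peer, outbound SPI and packet counters from show crypto ipsec sa output."""
    sa = {"peer": re.search(r"current_peer (\S+)", text).group(1)}
    spi = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", text).group(1)
    sa["spi"] = int(spi, 16)  # 0x0 means no IPsec SA was ever built
    for name in ("encaps", "encrypt", "decaps", "decrypt"):
        sa[name] = int(re.search(rf"#pkts {name}: (\d+)", text).group(1))
    return sa

def tunnel_status(before, after):
    """Classify the tunnel from captures taken before and after the test ping."""
    b, a = parse_sa(before), parse_sa(after)
    if a["spi"] == 0:
        return "no SA: Phase 1/2 never completed (check isakmp sa, key and peer address)"
    sent, recv = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    if sent > 0 and recv > 0:
        return f"tunnel up: {sent} packets encrypted out, {recv} decrypted in"
    if sent > 0:
        return f"one-way: {sent} sent, nothing decrypted back (check far-side ACL/routing)"
    return "SA exists but the test traffic did not match the crypto ACL"
```

An outbound SPI of 0x0 with zero counters, as in the capture above, means no SA was ever negotiated, which points back at Phase 1 (peer address, key) rather than at the ACL.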
    Step 10: Test Connectivity

    From the VPN Client:

    ping 192.168.10.10

    A successful reply confirms the VPN tunnel is working.

    Troubleshooting note: remote VPN stuck at MM_NO_STATE (search cisco.com)
