🌐 VPN Lab Topology (Router-based Internet)
A VPN (Virtual Private Network) is a technology that creates a secure, encrypted connection over an insecure network like the Internet.
https://www.devglan.com/online-tools/text-encryption-decryption
https://www.devglan.com/online-tools/aes-encryption-decryption
Cisco 1841 is commonly used in labs for:
- Site-to-Site IPsec VPN
- Remote Access VPN (legacy)
It can handle:
- IPsec tunnels (ESP) negotiated with IKE
- Pre-shared keys
- Basic encryption acceleration (with AIM module)
🔐 Simple idea
Think of a VPN as a private tunnel inside the public Internet:
- Without VPN → your data travels in clear text, and anyone on the path (the ISP, an attacker on a transit link) can read it
- With VPN → your data is encrypted, so only the endpoints that hold the keys can read it
🌐 How it works (basic view)
- Your device sends data to a VPN device (router/server)
- The VPN device encrypts the original packet and wraps it in a new IP header addressed to the far-end VPN device (IPsec tunnel mode)
- The encrypted packet travels through the Internet; intermediate routers only see the outer header
- The other side's VPN device decrypts it
- The original packet is then forwarded to the destination
🏢 Example (Site-to-Site VPN)
- Branch A (192.168.10.0/24) wants to talk to Branch B (192.168.20.0/24)
- Traffic goes through the Internet
- But routers R1 and R2 create a secure IPsec tunnel
- So communication looks like a private network
🔑 Key points
- 🔒 Encryption → protects confidentiality from anyone on the path; the HMAC in ESP also protects integrity and authenticates the sender
- 🛣️ Tunnel → logical secure path over the Internet
- 🌍 Uses a public network but behaves like a private one
- 🏢 Common in companies connecting multiple offices
📌 Types of VPN
- Site-to-Site VPN → connects two offices (router to router)
- Remote Access VPN → user connects to company network from home
Difference between Site-to-Site VPN and Remote Access VPN?
| Site-to-Site VPN | Remote Access VPN |
|---|---|
| Connects two networks | Connects an individual user to a network |
| VPN gateway to VPN gateway | VPN client to VPN gateway |
| No client software required at branch routers | Usually requires VPN client software (or browser-based SSL VPN) |
🌐 VPN Packet Tracer Lab Topology (Router-based Internet)
🧭 Topology Overview
                   INTERNET (ISP)
                 +----------------+
                 |       R3       |
                 |   ISP Router   |
                 +----------------+
   G0/0 203.0.113.1/30            G0/1 198.51.100.1/30
                 |                      |
                 |                      |
   G0/0 203.0.113.2/30            G0/0 198.51.100.2/30
          +---------+              +---------+
          |   R1    |==============|   R2    |
          | Branch A|  VPN Tunnel  | Branch B|
          +---------+              +---------+
   G0/1 192.168.10.1/24           G0/1 192.168.20.1/24
                 |                      |
            +--------+             +--------+
            |  SW1   |             |  SW2   |
            +--------+             +--------+
                 |                      |
                PC1                    PC2
        192.168.10.10/24        192.168.20.10/24
        GW 192.168.10.1         GW 192.168.20.1
(On R1 and R2, G0/0 is the WAN interface toward R3 and G0/1 is the LAN interface. R3 owns the .1 address of each /30, the branch router the .2.)
🧱 Device Roles
🏢 Branch A
- PC1 → End device
- SW1 → Layer 2 switch
- R1 → Edge router (VPN endpoint)
🌍 Internet (Simulated WAN)
- R3 → Acts as ISP / Internet router (no VPN config here)
🏢 Branch B
- PC2 → End device
- SW2 → Layer 2 switch
- R2 → Edge router (VPN endpoint)
📦 IP Addressing Plan
| Segment | Network | Device | Interface | Address |
|---|---|---|---|---|
| LAN A | 192.168.10.0/24 | R1 | G0/1 | 192.168.10.1 |
| LAN A | 192.168.10.0/24 | PC1 | NIC | 192.168.10.10 (GW 192.168.10.1) |
| LAN B | 192.168.20.0/24 | R2 | G0/1 | 192.168.20.1 |
| LAN B | 192.168.20.0/24 | PC2 | NIC | 192.168.20.10 (GW 192.168.20.1) |
| WAN R1 ↔ R3 | 203.0.113.0/30 | R1 | G0/0 | 203.0.113.2 |
| WAN R1 ↔ R3 | 203.0.113.0/30 | R3 | G0/0 | 203.0.113.1 |
| WAN R2 ↔ R3 | 198.51.100.0/30 | R2 | G0/0 | 198.51.100.2 |
| WAN R2 ↔ R3 | 198.51.100.0/30 | R3 | G0/1 | 198.51.100.1 |
🔐 VPN Goal
👉 PC1 (LAN A) should securely communicate with PC2 (LAN B) over “Internet (R3)”
Without VPN:
- Traffic is routed normally but NOT encrypted
With VPN:
- Traffic between R1 ↔ R2 is encrypted (IPsec tunnel)
⚙️ Basic Configuration Steps
1️⃣ Configure IP addressing
- Assign IPs to all router interfaces
- Configure PCs with default gateway
2️⃣ Enable routing (basic test first)
Static routes are enough for this lab. R1 and R2 need a route to the remote LAN that points at the WAN link, because a packet is only encrypted when it leaves through the interface that carries the crypto map:
R1
ip route 192.168.20.0 255.255.255.0 203.0.113.1
R2
ip route 192.168.10.0 255.255.255.0 198.51.100.1
R3 (Internet router)
ip route 192.168.10.0 255.255.255.0 203.0.113.2
ip route 192.168.20.0 255.255.255.0 198.51.100.2
The two routes on R3 exist only so that the "before VPN" ping works; a real ISP never routes private 192.168.0.0/16 prefixes. Once the tunnel is up, R3 only sees ESP packets between 203.0.113.2 and 198.51.100.2, both on its directly connected links, so you can remove the R3 routes to prove that the LAN traffic really travels inside the tunnel.
3️⃣ Configure VPN (IPsec Site-to-Site)
🔐 Step A: ISAKMP policy (Phase 1)
On R1 and R2 (the policy must match on both peers: same encryption, hash, authentication method and DH group):
crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
These are Packet Tracer friendly values, not production ones: `hash sha` is SHA-1 and `group 2` is 1024-bit Diffie-Hellman. On real IOS use `encryption aes 256`, `hash sha256` and `group 14` or stronger.
🔐 Step B: Pre-shared key
The key is bound to the peer's WAN address, so each router names the other side:
R1:
crypto isakmp key cisco123 address 198.51.100.2
R2:
crypto isakmp key cisco123 address 203.0.113.2
The key string must be identical on both routers. `cisco123` is a lab value; in production use a long random key per peer, or certificates.
🔐 Step C: Transform set (Phase 2)
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
Tunnel mode is the default, so the original LAN-to-LAN packet is wrapped in a new IP header carrying the two WAN addresses.
🔐 Step D: ACL (interesting traffic)
The crypto ACL defines which traffic goes through the tunnel. R2's ACL must be the exact mirror image of R1's; if it is not, phase 2 fails because the proxy identities offered by the two peers do not match.
R1:
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
R2:
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
🔐 Step E: Crypto map
R1:
crypto map VPN-MAP 10 ipsec-isakmp
set peer 198.51.100.2
set transform-set VPN-SET
match address 110
Apply it to the WAN interface (the one facing R3), not to the LAN interface:
interface g0/0
crypto map VPN-MAP
R2:
crypto map VPN-MAP 10 ipsec-isakmp
set peer 203.0.113.2
set transform-set VPN-SET
match address 110
interface g0/0
crypto map VPN-MAP
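A tunnel that never comes up is almost always a mismatch between the two halves of the configuration above. The following Python script is an added example, not part of the original lab: it parses the R1/R2 crypto configuration (constructed here from the commands in Steps A to E, with G0/0 as the WAN interface, and limited to the handful of commands this lab uses) and reports the classic mismatches: `set peer` not pointing at the other router's WAN address, a key bound to the wrong address, differing ISAKMP policies or transform sets, and crypto ACLs that are not exact mirrors. It also implements the Cisco wildcard-mask test that decides whether a given flow counts as interesting traffic.

```python
"""Static consistency check for two IOS site-to-site IPsec configurations (added example)."""
import ipaddress

# Constructed excerpt that follows the lab above (G0/0 is the WAN interface on both routers).
R1_CONFIG = """
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 198.51.100.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-SET
 match address 110
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN-MAP
"""
# R2 is the mirror image: key and peer point at R1, the ACL is reversed, the WAN address differs.
R2_CONFIG = (R1_CONFIG
             .replace("address 198.51.100.2", "address 203.0.113.2")
             .replace("set peer 198.51.100.2", "set peer 203.0.113.2")
             .replace("192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
                      "192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255")
             .replace("ip address 203.0.113.2", "ip address 198.51.100.2"))


def _parse_ace(words):
    """Operands after 'permit ip'; each side is 'any' or '<network> <wildcard>'."""
    out, i = [], 0
    while len(out) < 4:
        if words[i] == "any":
            out, i = out + ["0.0.0.0", "255.255.255.255"], i + 1
        else:
            out, i = out + words[i:i + 2], i + 2
    return tuple(out)


def parse_ios(text):
    """Extract the crypto-relevant pieces of a running-config (only the commands used in this lab)."""
    cfg = {"policy": {}, "psk_peers": set(), "transform_sets": {}, "acls": {},
           "map_peer": None, "map_transform": None, "map_acl": None, "wan_ip": None}
    section = iface = map_iface = None
    iface_ip = {}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            section = "policy"
        elif w[:3] == ["crypto", "isakmp", "key"]:            # crypto isakmp key <key> address <peer>
            section = None
            cfg["psk_peers"].add(w[5])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:   # crypto ipsec transform-set <name> <transforms>
            section = None
            cfg["transform_sets"][w[3]] = tuple(w[4:])
        elif w[0] == "access-list":                           # access-list <n> permit ip <src> <wc> <dst> <wc>
            section = None
            cfg["acls"].setdefault(w[1], []).append(_parse_ace(w[4:]))
        elif w[:2] == ["crypto", "map"] and len(w) > 3:       # top-level "crypto map <name> <seq> ipsec-isakmp"
            section = "map"
        elif w[0] == "interface":
            section, iface = "iface", w[1]
        elif section == "policy":                             # encryption / hash / authentication / group
            cfg["policy"][w[0]] = " ".join(w[1:])
        elif section == "map" and w[0] in ("set", "match"):   # set peer / set transform-set / match address
            cfg["map_" + {"peer": "peer", "transform-set": "transform", "address": "acl"}[w[1]]] = w[2]
        elif section == "iface" and w[:2] == ["ip", "address"]:
            iface_ip[iface] = w[2]
        elif section == "iface" and w[:2] == ["crypto", "map"]:  # the interface that carries the crypto map
            map_iface = iface
    cfg["wan_ip"] = iface_ip.get(map_iface)
    return cfg


def _wc_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def acl_matches(entries, src, dst):
    """True when src -> dst hits a permit entry, i.e. the packet would be sent through the tunnel."""
    return any(_wc_match(src, s, sw) and _wc_match(dst, d, dw) for s, sw, d, dw in entries)


def check_pair(a, b):
    """Return the mismatches that would stop routers a and b from building a tunnel; [] means consistent."""
    findings = []
    if a["map_peer"] != b["wan_ip"] or b["map_peer"] != a["wan_ip"]:
        findings.append("set peer must name the other router's crypto-map interface address")
    if a["map_peer"] not in a["psk_peers"] or b["map_peer"] not in b["psk_peers"]:
        findings.append("no pre-shared key is bound to the configured peer address")
    if a["policy"] != b["policy"]:
        findings.append("ISAKMP policies differ (phase 1 will fail)")
    if a["transform_sets"].get(a["map_transform"]) != b["transform_sets"].get(b["map_transform"]):
        findings.append("transform sets differ (phase 2 will fail)")
    mirrored = sorted((d, dw, s, sw) for s, sw, d, dw in a["acls"].get(a["map_acl"], []))
    if mirrored != sorted(b["acls"].get(b["map_acl"], [])):
        findings.append("crypto ACLs are not mirror images (proxy identity mismatch)")
    return findings
```

Run `check_pair(parse_ios(R1_CONFIG), parse_ios(R2_CONFIG))` and you get an empty list; change one transform or the key's `address` on R2 and the corresponding finding appears. `acl_matches` is the same test the router applies to every packet leaving the crypto-map interface: PC1 → PC2 matches line 110, PC1 → 203.0.113.1 does not and leaves in clear text.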
🧪 Testing
Before VPN
- Ping PC1 → PC2: it works (thanks to the R3 routes) but is NOT encrypted; R3 can read every packet.
After VPN
Generate interesting traffic first. The tunnel is negotiated on demand, so the first ping may lose a packet or two while IKE completes:
PC1 → ping 192.168.20.10
Then check on R1 or R2:
show crypto isakmp sa
show crypto ipsec sa
Phase 1 is up when the peer shows state QM_IDLE; phase 2 is up when `#pkts encaps` and `#pkts decaps` increase with every ping.
🧠 Key Concept (Important for Exams)
✔ R3 (Internet router) does NOT participate in VPN
✔ VPN is only between R1 ↔ R2
✔ Internet is just a transit network
✔ Encryption happens at edge routers only
Remote Access VPN
Topology
Use an 1841 as R1. The 1841 has two FastEthernet ports, no GigabitEthernet: in this lab Fa0/1 faces the Internet and Fa0/0 the LAN (this matches the `show crypto ipsec sa` capture further down).
                INTERNET
              100.1.1.0/24
         +------------------+
         |      SW-ISP      |
         |    Cisco 2960    |
         +------------------+
            |              |
            |              |
     Fa0/1  |              |  Fa0
100.1.1.1/24|              |100.1.1.2/24
   +-----------+      +---------------+
   | R1 1841   |      |  VPN Client   |
   | VPN Server|      |  Remote User  |
   +-----------+      +---------------+
         |
       Fa0/0
  192.168.10.1/24
         |
   +-----------+
   |    SW1    |
   | Cisco2960 |
   +-----------+
         |
        Fa0
  192.168.10.10/24
   +-----------+
   |    PC1    |
   +-----------+
How the Remote Access VPN Works
VPN Client
100.1.1.2
│
│ Internet
▼
==========================
Encrypted VPN Tunnel
==========================
│
▼
R1 (VPN Server)
100.1.1.1
│
192.168.10.1
│
Switch
│
PC1
192.168.10.10
IP Addressing
| Device | Interface | IP Address |
|---|---|---|
| R1 | Fa0/1 (Internet) | 100.1.1.1/24 |
| R1 | Fa0/0 (LAN) | 192.168.10.1/24 |
| PC1 | NIC | 192.168.10.10/24 |
| VPN Client | NIC | 100.1.1.2/24 |
Step 1: Configure Router Interfaces
enable
configure terminal
hostname R1
interface fa0/1
ip address 100.1.1.1 255.255.255.0
no shutdown
interface fa0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
Step 2: Create a Local VPN User
username vpnuser secret Cisco123
Step 3: Enable AAA
aaa new-model
aaa authentication login default local
Create the user before enabling AAA: once `aaa new-model` is active with a local default login list, console and VTY logins also require a local username, and a router without one locks you out. Nothing in the crypto commands shown here references this user; R1 authenticates the IKE peer with the pre-shared key, and the username/password are what the Packet Tracer client dialog asks for.
Step 4: Configure ISAKMP (IKE Phase 1)
crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
lifetime 86400
Configure the pre-shared key. A remote user's address is not known in advance, so the key is bound to a wildcard address and mask rather than to one peer:
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
Any host that knows this key can open an IKE negotiation with R1, so outside the lab use a long random key (or certificates) instead of `cisco`.
Step 5: Configure IPsec
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
Step 6: Configure Interesting Traffic
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
With `any` as the destination, every packet leaving 192.168.10.0/24 through the crypto-map interface is treated as interesting traffic. That is acceptable here because the only thing beyond R1's Internet interface is the client, but on a real Internet link it would make R1 try to encrypt ordinary outbound traffic to the VPN peer and break it; restrict the destination to the addresses the remote users actually use.
Step 7: Create and Apply the Crypto Map
crypto map VPNMAP 10 ipsec-isakmp
set peer 100.1.1.2
set transform-set VPNSET
match address 110
interface fa0/1
crypto map VPNMAP
No static route is needed: 192.168.10.0/24 and 100.1.1.0/24 are both directly connected to R1. Note that with a fixed `set peer` this is really a static tunnel to one known client address; a production remote-access VPN uses a dynamic crypto map because client addresses are not known in advance.
Step 8: Configure the VPN Client
Open the VPN Client device, go to Desktop → VPN and enter the values below. The server address is R1's Internet-facing address and the pre-shared key must be the same string as in the `crypto isakmp key` command from Step 4:
| Setting | Value |
|---|---|
| Server Address | 100.1.1.1 |
| Username | vpnuser |
| Password | Cisco123 |
| Pre-Shared Key | cisco |
Click Connect.
Step 9: Verify the Tunnel
On R1:
show crypto isakmp sa
Then:
show crypto ipsec sa
The capture below was taken before any traffic crossed the tunnel: every counter is 0 and `current outbound spi` is 0x0, which means no IPsec SA exists yet. After a successful ping from the client the encaps/decaps counters increase and the SPI is non-zero.
Router#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: VPNMAP, local addr 100.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 100.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.1.1.1, remote crypto endpt.:100.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
Router#show crypto map
Crypto Map VPNMAP 10 ipsec-isakmp
Peer = 100.1.1.2
Extended IP access list 110
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
Current peer: 100.1.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
VPNSET,
}
Interfaces using crypto map VPNMAP:
FastEthernet0/1
Step 10: Test Connectivity
From the VPN Client:
ping 192.168.10.10
A successful reply confirms the VPN tunnel is working.
Troubleshooting: if `show crypto isakmp sa` shows the peer stuck in MM_NO_STATE, IKE phase 1 never completed. Check that the ISAKMP policy (encryption, hash, group, authentication) matches on both ends, that the pre-shared key is identical, and that UDP 500 actually reaches R1; Cisco's IPsec troubleshooting documentation on cisco.com describes each ISAKMP state in detail.
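To make that diagnosis mechanical, here is an added Python example (not from the original page) that parses the two show commands and explains why a tunnel is not carrying traffic. The `show crypto ipsec sa` sample is the lab capture above; the `show crypto isakmp sa` sample and the "healthy" variants are constructed, and the column layout of the ISAKMP output is assumed from IOS. The checks encode the rules stated on this page: phase 1 is up only in QM_IDLE, an outbound SPI of 0x0 means no IPsec SA, and both the encaps and decaps counters must move.

```python
"""Read `show crypto ipsec sa` / `show crypto isakmp sa` output and say why a tunnel is down (added example)."""
import re

# Constructed sample: the lab capture above, taken before any traffic (counters 0, SPI 0x0).
IPSEC_SA = """\
interface: FastEthernet0/1
    Crypto map tag: VPNMAP, local addr 100.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 100.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 100.1.1.1, remote crypto endpt.:100.1.1.2
     current outbound spi: 0x0(0)
"""

# Constructed sample of the companion command; the column layout is assumed from IOS output.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.1.1.1       100.1.1.2       MM_NO_STATE       1001 ACTIVE
"""

# The same two outputs as they look once the tunnel is up (edited copies, also constructed).
HEALTHY_IPSEC_SA = (IPSEC_SA
    .replace("#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
             "#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14")
    .replace("#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
             "#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14")
    .replace("current outbound spi: 0x0(0)", "current outbound spi: 0x1A2B3C4D(439041101)"))
HEALTHY_ISAKMP_SA = ISAKMP_SA.replace("MM_NO_STATE", "QM_IDLE")

_IKE_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z_]+)", re.M)


def _num(pattern, text, base=10):
    m = re.search(pattern, text)
    return int(m.group(1), base) if m else 0


def parse_ipsec_sa(text):
    """Pull the fields that decide 'is traffic actually flowing' out of show crypto ipsec sa."""
    endpoints = re.search(r"local crypto endpt\.:\s*(\S+),\s*remote crypto endpt\.:\s*(\S+)", text)
    return {
        "interface": re.search(r"interface:\s*(\S+)", text).group(1),
        "local_endpoint": endpoints.group(1) if endpoints else None,
        "remote_endpoint": endpoints.group(2) if endpoints else None,
        "encaps": _num(r"#pkts encaps:\s*(\d+)", text),
        "decaps": _num(r"#pkts decaps:\s*(\d+)", text),
        "send_errors": _num(r"#send errors\s*(\d+)", text),
        "recv_errors": _num(r"#recv errors\s*(\d+)", text),
        "outbound_spi": _num(r"current outbound spi:\s*0x([0-9A-Fa-f]+)", text, 16),
    }


def parse_isakmp_sa(text):
    """One dict per IKE SA row: destination, source and main-mode / quick-mode state."""
    return [{"dst": d, "src": s, "state": st} for d, s, st in _IKE_ROW.findall(text)]


def diagnose(ipsec, isakmp):
    """Return human-readable reasons the tunnel is not working; an empty list means healthy."""
    findings = []
    states = {row["state"] for row in isakmp}
    if "QM_IDLE" not in states:
        findings.append(f"IKE phase 1 not established (state {', '.join(sorted(states)) or 'none'}): "
                        "check ISAKMP policy match, pre-shared key and UDP 500 reachability")
    if ipsec["outbound_spi"] == 0:
        findings.append("no outbound IPsec SA (SPI 0x0): phase 2 has not been negotiated yet")
    if ipsec["encaps"] == 0 and ipsec["decaps"] == 0 and ipsec["outbound_spi"] != 0:
        findings.append("SA exists but no packets yet: send traffic that matches the crypto ACL")
    if ipsec["encaps"] > 0 and ipsec["decaps"] == 0:
        findings.append("encrypting but nothing comes back: check the far side's crypto ACL and return route")
    if ipsec["send_errors"] or ipsec["recv_errors"]:
        findings.append("send/recv errors present: check the peer's log and the path MTU")
    return findings


if __name__ == "__main__":
    for reason in diagnose(parse_ipsec_sa(IPSEC_SA), parse_isakmp_sa(ISAKMP_SA)):
        print("-", reason)
```

Run against the lab capture it reports two findings (phase 1 not established, no outbound SA); against the healthy copies it reports nothing. Pasting a fresh capture into `IPSEC_SA`/`ISAKMP_SA` is all that is needed to reuse it on another router.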