Hello everyone, and welcome back to my little corner of the Internet. I always take inspiration from what I’m currently working on in my day job when putting together an idea for a post and/or video. Right now, we’re building a new data center to host the hands-on lab environments for learners, whether you’re training in Cisco U. or taking a course with your favorite Cisco instructor. As you may know, A LOT goes into building a new data center. But since I’m working on building the IPSEC VPN connections between this new data center and the others in our network, let’s narrow it down and take a technical look at IPSEC VPN tunnel creation.

In this blog post and the accompanying video, I’ll cover the IPSEC VPN tunnel creation process. We’ll explore “Phase 1” and “Phase 2” and take a look at how the ACLs that identify “interesting traffic” impact the security associations that are built. We’ll even look at the packets involved in the communications as tunnels are set up. If that sounds good to you, continue on, network adventurer!

A Technical Look at IPSEC VPN Tunnel Creation

“Technically Speaking… with Hank Preston” is a segment on The U. series.

Available on the Cisco U. by Learning and Certifications YouTube Channel.

If you’re new here, I’m Hank Preston, Principal Engineer on the Labs and Systems team in Cisco Learning and Certifications. I’ve been building IPSEC VPNs for almost my entire career as a network engineer. In fact, one of my first jobs as a shiny new network engineer was building out IPSEC VPN connections using Cisco PIX firewalls for a Cisco Partner. For me, that meant taking the configuration templates built by the team’s more senior engineers and updating them with the details for a particular tunnel creation.

It wasn’t a problem… until there was one. You see, I didn’t really know what all the commands did back then. So when things didn’t work right away, finding the problem and knowing how to fix it was a bit of a mystery to me. Thankfully, there were some very good mentors and senior engineers to guide me.

I had to learn the commands to run to help me determine the problem and how to fix it. It was during these troubleshooting sessions I first learned terms like “Phase 1,” “Phase 2,” “Main Mode,” “Quick Mode,” and “Aggressive Mode,” as well as the protocols involved, like ISAKMP, IKE, IPSEC. It was a lot of fun, and it was only the beginning.

Over the years, my depth of understanding grew, transforming me into a senior engineer, not unlike those who nurtured my own curiosity. In addition to learning on the job, I had to dive deep into IPSEC VPNs to prepare for my Cisco certification exams. Even though I was preparing for now-retired certifications like CCNA Security, CCSP, and “VPN Specialist,” IPSEC knowledge is still important to this day.

So, should you learn IPSEC?

IPSEC knowledge is critical for real-world applications and current Cisco certification exams. In fact, it’s listed on the 200-301 CCNA exam topics, which is quite telling since the CCNA certification is the mark of someone who has the foundational knowledge to take their tech career in multiple directions. But that’s not all. IPSEC is on the CCNP Enterprise Core Exam, CCNP Security Core Exam, CCNP Security VPN Specialist, CCIE Enterprise Lab Exam, CCIE Security Lab Exam, and probably others. I didn’t check.

So when homing in on a topic for this month, my first choice was IPSEC VPNs. IPSEC VPNs are a huge topic, though. I knew I couldn’t cover everything in a single short “Technically Speaking…” installment. In fact, I hadn’t decided exactly where to focus until I was in the middle of standing up a new tunnel connection between two of our data centers.

There I was, monitoring the tunnel status to ensure everything was healthy, when I found myself on the CLI of one of the firewalls, running commands I’d run thousands of times: “show crypto isakmp sa” and “show crypto ipsec sa.” As I verified that each security association for the traffic types had come up and was healthy, I reflected on my early days of building VPNs on PIXs running these same commands and not knowing what I was looking at. And that’s when it hit me: this would make an excellent addition to the library.

And here we are. Feel free to use the video above to help you follow what I have outlined below. Alright, adventurers… let’s jump in.

Can’t have a VPN without a couple of sites to connect together…

Before we start looking at the tunnel creation, we need a network to work with.

So, I put together a fairly straightforward 2-site network:

Simple 2-site Network

Site 1 (bottom in the diagram) has two local networks: a YELLOW network and a BLUE network.

Site 2 (top in the diagram) has a single local network, the PURPLE network.

Each site is connected to an untrusted WAN by a firewall. The firewall is configured like firewalls often are: to perform NAT/PAT on traffic passing from “inside” to “outside.”

Bringing the IPSEC VPN concept into this network, the goal is to create a tunnel between the two firewalls that will allow traffic between the sites to be securely tunneled across the WAN. This would then provide a network path for hosts on Site 1’s YELLOW and BLUE networks to reach the hosts on Site 2’s PURPLE network.

Just to let you know… the focus of this post is NOT on the configuration required to set up the network or the IPSEC tunnel itself. Instead, we will look at the process that happens to establish and build the connections when relevant traffic arrives at the firewall and initiates the IPSEC process.

If you’d like to see the configurations in this setup, I have posted a CML topology file for this network in the CML Community on GitHub. If you’d like to dive deeper and try some of this exploration yourself, download the file and run it on your CML server.

Saying something “interesting”

Just because a VPN is configured on a firewall doesn’t mean the tunnel will be established.

Tunnels are established when they are needed and will eventually be torn down if left idle (without traffic passing through them) for long enough. A firewall determines what type of traffic should trigger the building of a VPN based on an access list that is associated with the IPSEC crypto map that defines the VPN.

Let’s take a look at the access list on Site1-FW that defines this “interesting traffic.”

Site1-FW# show access-list s2svpn_to_site2
access-list s2svpn_to_site2; 2 elements; name hash: 0xa681e779
access-list s2svpn_to_site2 line 1 extended permit ip object-group SITE1 object-group SITE2 log default (hitcnt=0) 0xb520aee6
access-list s2svpn_to_site2 line 1 extended permit ip log default (hitcnt=0) 0xfab888fb
access-list s2svpn_to_site2 line 1 extended permit ip log default (hitcnt=0) 0xb7b04209
Site1-FW# show run crypto map
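To make the “interesting traffic” idea concrete, here is an added Python model (not code from the post or from Cisco) of how a crypto-map access list built from object-groups is expanded into individual source/destination elements, and of what the firewall would negotiate as packets arrive. The YELLOW, BLUE and PURPLE prefixes are constructed for the example, since the post does not list them, and the model assumes one Phase 1 SA to the peer plus one Phase 2 SA per expanded ACL element. With two networks in SITE1 and one in SITE2, the expansion reproduces the “2 elements” count in the show access-list output above.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed prefixes for the three local networks in the post's diagram
# (the post does not give real addresses; these are illustrative only).
OBJECT_GROUPS = {
    "SITE1": {"YELLOW": ip_network("10.1.10.0/24"), "BLUE": ip_network("10.1.20.0/24")},
    "SITE2": {"PURPLE": ip_network("10.2.30.0/24")},
}


def expand_ace(src_group, dst_group, groups=OBJECT_GROUPS):
    """Expand 'permit ip object-group SRC object-group DST' into the individual
    src-net/dst-net elements the firewall evaluates (the per-line entries that
    'show access-list' prints under the object-group ACE)."""
    return [
        (sname, snet, dname, dnet)
        for (sname, snet), (dname, dnet) in product(
            groups[src_group].items(), groups[dst_group].items()
        )
    ]


def match_entry(src_ip, dst_ip, entries):
    """Return the first expanded element a packet matches, else None.
    Only a matching ('interesting') packet can bring the tunnel up."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for entry in entries:
        _, snet, _, dnet = entry
        if src in snet and dst in dnet:
            return entry
    return None


class CryptoMapState:
    """Tracks what the firewall would negotiate as packets arrive.
    Assumption of this model: one IKE/ISAKMP Phase 1 SA to the peer and one
    IPsec Phase 2 SA per expanded ACL element."""

    def __init__(self, entries):
        self.entries = entries
        self.phase1_up = False
        self.phase2_up = set()  # element names like "YELLOW->PURPLE"

    def handle_packet(self, src_ip, dst_ip):
        entry = match_entry(src_ip, dst_ip, self.entries)
        if entry is None:
            # Not interesting: stays out of the tunnel and takes the normal NAT/PAT path.
            return "not-interesting"
        name = f"{entry[0]}->{entry[2]}"
        if not self.phase1_up:
            self.phase1_up = True
            self.phase2_up.add(name)
            return f"phase1+phase2 negotiated for {name}"
        if name not in self.phase2_up:
            self.phase2_up.add(name)
            return f"phase2 negotiated for {name} (reusing existing phase1)"
        return f"encrypted via existing SA {name}"

    def idle_timeout(self):
        """Idle expiry tears the SAs down; the next interesting packet rebuilds them."""
        self.phase1_up = False
        self.phase2_up.clear()


def demo():
    """Replay a few constructed packets and return (element count, trace)."""
    entries = expand_ace("SITE1", "SITE2")
    state = CryptoMapState(entries)
    trace = [
        state.handle_packet("10.1.10.5", "10.2.30.7"),     # YELLOW -> PURPLE: brings tunnel up
        state.handle_packet("10.1.10.9", "10.2.30.8"),     # same element: reuses the SA
        state.handle_packet("10.1.20.5", "10.2.30.7"),     # BLUE -> PURPLE: new Phase 2 SA only
        state.handle_packet("10.1.10.5", "203.0.113.10"),  # Internet-bound: not interesting
    ]
    return len(entries), trace


if __name__ == "__main__":
    count, trace = demo()
    print(f"{count} elements")
    for line in trace:
        print(line)
```

The trace is the useful part when troubleshooting: a packet that never matches an expanded element will never show up in “show crypto ipsec sa,” while two packets that match different elements produce two separate Phase 2 SAs even though they share one Phase 1 SA.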
