IPSec over GRE Tunnel in IOS – How to Configure Two Cisco Routers to Create Site to Site VPN Tunnel

Platform: https://racks.uninets.com
Lab Name: CCNP Security SIMOS

Task
Configure R1 as the Branch-01 router using 192.168.1.1/24 and 100.0.0.1/24 on 0/1, and create tunnel interface 10 with IP address 10.0.0.1/24 and tunnel destination 200.0.0.1.
Configure R2 as the Branch-02 router with IP addresses 200.0.0.1/24 and 172.1.1.1/24 on 1/1, and create tunnel interface 12 with IP address 10.0.0.2/24. The tunnel destination would be 100.0.0.1.
Create a site-to-site VPN tunnel using GRE tunnel 10 or GRE tunnel 12, with pre-shared key [email protected]
Verify tunnels 10-12.
Explanation
Site-to-site IPSec VPN tunnels allow secure data, voice, and video transmission between two sites (e.g. offices and branches). The VPN tunnel is created over the public Internet and encrypted with a variety of advanced encryption algorithms to protect the confidentiality of data sent between the two sites.
This article will demonstrate how to set up and configure two Cisco routers to create a secure site-to-site VPN tunnel over the Internet using the IP Security protocol. This article assumes that both Cisco routers have a static IP address. If you are interested in configuring support for endpoint routers with a dynamic public IP address, please refer to our Configuring Site to Site IPSec VPN With Dynamic IP Endpoint Cisco Routers article.
GRE (Generic Routing Encapsulation) tunnels can also be used to build IPSec VPN tunnels. GRE tunnels simplify the administration and configuration of VPN tunnels. They are covered in our Configuring Point to Point GRE VPN Tunnels article. DMVPNs are a new trend in VPN that offer great flexibility and almost zero administration overhead. You can also read our Understanding Cisco Dynamic Multipoint VPN (DMVPN), Dynamic Multipoint VPN (DMVPN) Deployment Models and Architectures, and Configuring Cisco Dynamic Multipoint VPN (DMVPN – Hub, Spokes, mGRE Protection, and Routing – DMVPN Configuration) articles.
ISAKMP (Internet Security Association and Key Management Protocol) is essential for building and encrypting a VPN tunnel. ISAKMP (also known as IKE) is the negotiation protocol that allows two parties to agree on how to create an IPSec security association. The ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects the later ISAKMP negotiation messages. Phase 2 is the phase that protects the data. IPSec is then used to encrypt the data using the negotiated encryption algorithms. It also provides authentication, encryption, and anti-replay services.
GRE doesn't have its own encryption mechanism, so it relies on IPSec to do the encryption job. GRE over IPSec encrypts everything that is encapsulated in GRE. IPSec over GRE encrypts only the payload and not the routing protocols.
IPSec over GRE establishes the GRE tunnel over the Internet. A neighbor relationship is formed and routes are exchanged, all in clear text. We only care about encrypting the traffic between the peers, so we use IPSec to encrypt the information/payload between them.
IPSec over GRE is superior to GRE over IPSec because it eliminates the extra overhead of encrypting the GRE headers.
Configuration
Configuration on ISP (Sw02)
interface Ethernet0/2
 no switchport
 ip address 100.0.0.2 255.255.255.0
 no shutdown
 exit
interface Ethernet0/3
 no switchport
 ip address 200.0.0.2 255.255.255.0
 no shutdown
end

Configuration on Branch-01 (R1)
interface Ethernet0/0
 ip address 100.0.0.1 255.255.255.0
 no shutdown
 exit
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
end

Configuration on Branch-01 (R1)
ip route 0.0.0.0 0.0
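The crypto part of the task for R1, as an added example that is not the lab's own configuration: ISAKMP and IPSec policy, a crypto ACL matching only the LAN-to-LAN traffic, and the crypto map applied to Tunnel10 so that the payload is encrypted while GRE carries the routing exchange in the clear. The names TS-BRANCH, VPN-TRAFFIC and CM-BRANCH, the cipher choices, and peering on the tunnel addresses (10.0.0.1/10.0.0.2) are assumptions; the pre-shared key is a placeholder, not the lab's key.

```cisco
! R1 (Branch-01) -- added example, not taken from the lab page.
! Phase 1 (ISAKMP/IKE): policy and pre-shared key for the peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! PSK-PLACEHOLDER stands in for the lab's key; the peer is the far tunnel address.
crypto isakmp key PSK-PLACEHOLDER address 10.0.0.2
!
! Phase 2 (IPSec): transform set used to protect the LAN traffic.
crypto ipsec transform-set TS-BRANCH esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: only LAN-to-LAN traffic is encrypted; routing protocol
! packets between 10.0.0.1 and 10.0.0.2 do not match and stay in clear text.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 172.1.1.0 0.0.0.255
!
crypto map CM-BRANCH 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS-BRANCH
 match address VPN-TRAFFIC
!
! GRE tunnel to Branch-02; the crypto map sits on the tunnel interface
! (IPSec over GRE), not on Ethernet0/0 (which would be GRE over IPSec).
interface Tunnel10
 ip address 10.0.0.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 200.0.0.1
 crypto map CM-BRANCH
!
! Default route towards the ISP and the remote LAN via the tunnel.
ip route 0.0.0.0 0.0.0.0 100.0.0.2
ip route 172.1.1.0 255.255.255.0 Tunnel10
!
! R2 (Branch-02) mirrors this with Tunnel12, ip address 10.0.0.2,
! tunnel destination 100.0.0.1, peer/key address 10.0.0.1 and the
! ACL direction reversed (172.1.1.0/24 -> 192.168.1.0/24).
!
! Verification after sending LAN-to-LAN traffic:
!   show crypto isakmp sa      (Phase 1 SA should be QM_IDLE)
!   show crypto ipsec sa       (encaps/decaps counters increasing)
!   show interfaces tunnel 10  (line protocol up)
```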