An IPsec VPN Lab Exercise

The following lab exercise is how to create an IPsec VPN.

We originally created this lab as part of one of our courses, and we hope you find it useful.


Lab Preparation

This lab is designed to help you learn the basics of IPSec VPN’s and how Service Providers uses IPSec to provide VPN services to their OFF Network customers. Those who dial-in to an ISP, other than the Service Provider, as well those who my have a dedicated connection to another ISP using  xDSL or a T-1 type of connection.

Because of the limited equipment we have in the LAB we will not be able to demonstrate all of these functions.

Student Objectives

After completing this lab, you will be able to do the following:

§  Explain the behaviour of IPSec and how it provides security over the Internet for users that are not directly connected to Service Provider

§  Configure IPSec on the routers and understand how it works.

§  Explain how Session Associations are established and maintained between IPSec peers.

§  Utilize the proper router commands to determine that an IPSec session has been established and how to debug a session if it is not working correctly.



Basic IPSec Set Up Lab Topology










IPsec Configuration – Part 1

Using the Network Configuration on the previous page, the first step in this lab is for the students to be divided into teams.  The teams will work together to properly configure our entire lab network.  Please refer to the chart below as to what part of the lab you are responsible for.

NOTE: Teams 1, 2, 3 and 5 should be sure and save your present router configurations. At end of this LAB you will need to restore it to the present configuration so that you can continue with the MPLS sessions.

Team Number



PE-1 & CE-1


PE-2 & CE-3


PE-3 & CE-2


PE-4 & CE-5


PE-5 & CE-4


IKE/ISAKMP Configuration Steps

To configure IKE we will perform the following steps:

A.   Enable IKE

B.   Ensure access lists are compatible with IKE

C.   Create IKE policies

D.   Configure pre-hared Keys

E.   Clear IKE connections

F.    Troubleshoot IKE

Perform the following steps on the routers in the network that require IKE configuration:


1. Enable IKE

Router(config)# crypto isakmp enable

Just in case it is not enabled – typically it is enabled by default

2. Ensure that Access Lists are Compatible with IKE: (Note: make sure they do not block UDP port 500 or IP port 50 and 51)

Router#show access-lists

3. Configure the isakmp policy.  Keep in mind you can have multiple policies. The lowest number will be searched first. When a match is made the search stops, and the match is performed.

A.   Create the crypto policy

Router(config)#crypto isakmp policy <priority> ( priority = 1 to 10,000: 1 is the highest priority)

B.   Specify the encryption algorithm

Router(config-isakmp)#encryption {des | 3des}

NOTE: because the 2500’s only support des, this is the one to use, although 3des is what Service Provider will use.

C.   Specify the hash algorithm.  Be sure to use the same on both ends. For the LAB we will use md5.

Router(config-isakmp)#hash {sha |md5}

D.   Specify one of the authentication methods.  We will use pre-share for the lab:

Router(config-isakmp)#authentication {rsa-sig | rsa-encr | pre-share}

E.   Define Diffe-Hillman group ID: 1 = 768-bit, 2 = 1024-bit

Router(config-isakmp)#group {1 | 2}

F.    Specify the security associations lifetime in seconds.

Router(config-isakmp)#lifetime <seconds>(default 86,400 or 1 day. )

G.   Exit

Configuring pre-shared Keys on both routers.

1.    First, set each peer’s ISAKMP identity. You should set each peer’s identity to either its host name or its IP address. By default, the IOS sets a peer’s identity to its IP address.

2.    Next, specify the shared keys at each peer. Note that two peers share a given pre-shared key. At a given peer you could specify the same key to share with multiple remote peers; however, a more secure approach is to specify different keys to share between different pairs of peers.

Router(config)#crypto isakmp key <keystring> [address peer­address | hostname peer­hostname]

NOTE: Make sure that both ends use the same approach, i.e. address or host-name. It is best to use the IP address. (May assign up to eight address)

Also the keystringneeds to be the same on both of the peer routers in the LAB.


Clearing IKE Connections

1.    router# show crypto isakmp sa

This command allows you to view existing IKE’ connections so that you can note the connection identifiers for the connections you wish to clear.

2.  router(config)#clear crypto isakmp [connection-id]


CAUTION: If you do not use the connection-id keyword, the router will clear all existing connections, even those that are active VPN sessions. The connection-id has a value from 0 to 299.




Troubleshooting IKE


router# show crypto key mypubkey rsa

router# show crypto key pubkey-chain rsa [name key-name | address key-address]


router# show crypto ca certificates


router# show crypto isakmp policy


router# show crypto isakmp sa


router# debug crypto isakmp





Please wait here until all other teams are ready to proceed to Part 2.



IPSec – Part 2

The following basic steps will be followed to complete the configuration of IPsec:

A.   Create crypto access lists

B.   Define transform sets

C.   Create crypto map entries

D.   Apply crypto map sets to interfaces

E.   Monitor and maintaining IPSec



1.    Set global Lifetimes for IPSec Security Associations

router#crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

2.    You can clear the SA’s  to help reset them, by using the following commands.  See WARNING below!

a.   router#clear crypto sa

b.   router#clear crypto sa peer {ip-address | peer-name}

c. router#clear crypto sa map map-name

d. router#clear crypto sa spi destination-address protocol spi

Warning: using the clear crypto sa command without a parameter will clear out the full SA database, which will clear out all active security sessions and will cause interruption to those using a session.

Creating Crypto Access Lists

First, some notes:

  • Select outbound traffic for IPSec protection (permit = Protect)
  • Indicate the data flow for protection by the new security associations
  • Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.
  • Determine whether or not to accept requests for IPSec SA on behalf of the requested data flows.

1.    Numbered extended access list – access-list-number = 100 to 199

Router#access-list access-list-number (deny | permit} protocol source source-widcard destination destination-wildcard [precedence precedence] [tos tos] [log]

2.    Named access list – preferred

Router# ip access-list extended name

NOTE: use a mirror image of the access list on the peer router.

Defining Transform Sets

1.    Router(config)#crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]

Transforms =: (use the same on both ends)



esp-des and esp-md5-hmac

ah-sha-hmac and esp-des and esp-sha-hmac

ah-rfc1828 and esp-rfc1829


Router(config)#crypto ipsec transform-set myset esp-des ah-sha-hmac esp-md5-hmac

2.    router(config)#mode {tunnel | transport}



Creating Crypto Map Entries

Create Crypto Maps to establish Manual SA’s.

For reference only – not used in the lab

1.    Define the crypto map to use. The sequence number is between 0 to 65,535

Router(config)#crypto map map-name seq-numbner ipsec-manual

2.    Specify the access list to use

Router(config-crypto-map)#match address [access-list-id | name]

3.    Specify the remote IPSec peer

Router(config_crypto-map)#set peer {hosthame | ip-address}

4.    Specify transform set to use

Router(config-crypto-map)# set transform-set transform-set-name

5.    Set the session keys

Router(config-crypto-map)#set session-key {inbound | outbound} ah spi hex-key-data

Create Crypto Maps that Use IKE to establish SA’s.

This is the one we will use in the lab.

1.    Define the crypto map to use. The sequence number is between 0 to 65,535

Router(confg)#crypto map map-name seq-number ipsec-isakmp

2.    Specify the access list to use

Router(config-crypto-map)#match address [access-list-id | name]

3.    Specify the remote IPSec peer

Router(config_crypto-map)#set peer {hosthame | ip-address}

4.    Specify transform set to use

Router(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2… transform-set-name6]

NOTE: list multiple transform set in order or priority, highest priority first.

5.    Specify the SA lifetime for the Crypto map

Router(config-crypto-map)#set security-association lifetime seconds seconds


Router(config-crypto-map)#set security-association lifetime kilobytes kilobytes


NOTE: seconds from 120 to 86,400 or KB 2560 to 536,870,912KB

6.    Specify that the router establish separate SAs for each source and destination host-pair. Use with CAUTION. It can quickly overload the router if there are many SA established. (optional)

Router(config-crypto-map)# set security-association level per-host

7.    Specify if IPSec should ask for Perfect Forward Secrecy (PFS) when requesting new SAs. (Optional)

Router(config-crypto-map)# set pfs [group1 | group2]


Creating Dynamic Crypto Maps

For reference only – not used in the lab

1.    To create a dynamic crypto map do:

Router(config)#crypto dynamic-map dynamic-map-name dynamic-seq-num

2.    Specify the transform set to use

Router(config-crypto-map)# set transform-set transofm-set-name1 [transform-set-name2.. transform-set-name6]

3.    Assign the extended access list

Router(config-crypto-map)#match address [access-list-id | name]

4.    Specify the remote IPSec peer

Router(config-crypto-map)# set peer {host | ip-address}

5.    Specify the lifetime for the key

Router(config-crypto-map)# set security-association lifetime seconds seconds


Router(config-crypto-map)# set security-association lifetime kilobytes kilobytes

6.    Specify if IPSec should ask for Perfect Forward Secrecy (PFS) when requesting new SAs. (Optional)

Router(config-crypto-map)# set pfs [group1 | group2]

7.    Adding a Dynamic crypto Map to a Static Crypto Map set

Router(config)#crypto map man-name seq-number ipsec-isakmp synamic dynamic-map-name

8.    Applying crypto Map set to Interfaces

Router(config-if)#crypto map map-name



Monitoring and Maintaining IPSec

Begin an extended ping from one router to its peer and then on the outer router issue:

Router#show crypto ipsec sa [map map-name | address | identity] [detail]

You should be able to see the encrypted/decrypted traffic increase each time you re-issue the command. This validates that the traffic you are generating is being sent across the connection in the encrypted format.

Other commands you may want to use to trouble shoot IPSec connections:

Clear crypto sa

Clear crypto sa peer {ip-address | peer-name}

Clear crypto sa map map-name

Clear crypto sa spi destination-address protocol spi

Clear crypto sa counters

Show crypto ipsec transform-set [tag transform-set-name]

Show crypto map [interface interface | tag map-name]

Show crypto dynamic-map [tag map-name]

Show crypto ipsec security-association


Lab Summary

In this lab you have learned how IKE is used to establish Security Associations that IPSec uses to transfer encrypted information over an other wise clear connection.


 I hope you find this article and its content helpful.  Comments are welcomed below.  If you would like to see more articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!, and all comments are welcome! 


Leave a Comment

Contact Us Here

Please verify.
Validation complete :)
Validation failed :(
Your contact request has been received. We usually respond within an hour, but please be patient. We will get back to you very soon.
Scroll to Top