IPSec VPN between RUT and CISCO

In this article, we will walk through setting up an IPsec VPN connection between a Cisco device and a RUT device.

Internet Protocol Security (IPsec) is a secure network protocol suite for IP that authenticates and encrypts the data packets sent over an IP network. IPsec includes protocols for establishing mutual authentication between agents at the start of a session and for negotiating the cryptographic keys used during the session. It can protect data flows between a pair of hosts (host to host), between a pair of security gateways (network to network), or between a security gateway and a host (network to host). IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks and supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

The topology of the configuration we will create is shown below:

RUT Configuration

1. Connect to the device's WebUI, go to Services > VPN > IPsec. Enter a name for your IPsec instance, click ADD, and click Edit when the instance appears in the IPsec Configuration area.

2. Apply the following configuration to the device.

  1. Enable the instance.
  2. Set your device's own IP (the device identifier for the IPsec tunnel).
  3. Type the local IP address/subnet mask (the IP address/subnet mask of the router on which the IPsec instance is configured).
  4. Add the remote VPN endpoint (the Cisco EXTERNAL IP address).
  5. Enter the local (LAN) IP of the remote device.
  6. Type the remote IP address/subnet mask (the LAN IP address/subnet mask of the Cisco device).
  7. The next step in configuring the IPsec instance is the Phase settings. For this example, we left the default RUT Phase 1 and Phase 2 settings.

When you have completed the configuration, click the Save button. You will be redirected to the IPsec window, where you need to configure the pre-shared key.

  • Press the Add button.
  • Type the pre-shared key (a shared password used for authentication between peers; the value of this field must match on both sides).
  • In the Secret's ID Selector field, enter the LAN IP of the remote Cisco device.
  • Press Save.

CISCO Configuration

Connect to the router's WebUI, go to VPN > IPsec Profiles, and apply the configuration below.

  • Add a Profile Name (anything you want).
  • Select Keying Mode (Automatic).
  • Select the IKE version (IKEv1).
  • Phase 1: select DH Group (Group 5).
  • Phase 1: select Encryption (3DES).
  • Phase 1: select Authentication (SHA1).
  • Phase 1: set SA Lifetime (28800).
  • Phase 2: select the protocol in Protocol Selection (ESP).
  • Phase 2: select Encryption (3DES).
  • Phase 2: select Authentication (SHA1).
  • Phase 2: set SA Lifetime (28800).
  • Enable Perfect Forward Secrecy (PFS).
  • Select DH Group (Group 5).

When you are done with IPsec Profiles, save the settings, go to the Site-to-Site settings and apply the following configuration:

  • Enable the connection.
  • Select IPsec Profile (RUT).
  • Set the interface (your internet source).
  • Select Remote Endpoint (static IP).
  • Type the RUT public IP.
  • Add the Pre-Shared Key (a shared password used for authentication between peers; the value of this field must match on both sides).
  • Disable Minimum Key Complexity.
  • Select Local Identifier Type (IP Address).
  • Type the Local Identifier (Cisco LAN IP address).
  • Select Local IP Type (Subnet).
  • Type the IP Address (Cisco local network).
  • Add the Subnet Mask (netmask).
  • Select Remote Identifier Type (Remote WAN IP).
  • Write the Remote Identifier (RUT LAN IP).
  • Select Remote IP Type (Subnet).
  • Add the IP Address (RUT local network).
  • Add the Subnet Mask (RUT local network mask).
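The Phase 1 and Phase 2 parameters entered on the Cisco side must match what the RUT instance proposes, or IKE negotiation fails before any traffic flows. The script below is an added example, not code from the article or from either vendor: it models the Cisco profile's values, compares them with an assumed RUT configuration, and renders them as strongSwan proposal strings (the RUT firmware being strongSwan-based, and the mapping of WebUI names to strongSwan keywords, are assumptions of this example).

```python
# Added example: compare the IPsec proposals of two peers and render them in
# strongSwan notation. Not part of the original article.
from dataclasses import dataclass
from typing import List, Optional

# Cisco WebUI labels -> strongSwan keywords (assumed mapping for this example).
# 3DES and SHA1 are legacy algorithms; they are kept because the article uses them.
ENC = {"3DES": "3des", "AES-128": "aes128", "AES-256": "aes256"}
AUTH = {"SHA1": "sha1", "SHA2-256": "sha256", "MD5": "md5"}
DH = {"Group 2": "modp1024", "Group 5": "modp1536", "Group 14": "modp2048"}


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    dh_group: Optional[str]  # Phase 1: IKE DH group; Phase 2: PFS group (None = PFS off)
    lifetime: int            # SA lifetime in seconds

    def strongswan(self) -> str:
        """Render as a strongSwan ike=/esp= proposal string, e.g. 3des-sha1-modp1536."""
        parts = [ENC[self.encryption], AUTH[self.authentication]]
        if self.dh_group:
            parts.append(DH[self.dh_group])
        return "-".join(parts)


def mismatches(local: Proposal, remote: Proposal) -> List[str]:
    """Return the names of the fields on which the two peers disagree."""
    return [f for f in ("encryption", "authentication", "dh_group", "lifetime")
            if getattr(local, f) != getattr(remote, f)]


# Values taken from the article's Cisco IPsec Profile.
cisco_p1 = Proposal("3DES", "SHA1", "Group 5", 28800)
cisco_p2 = Proposal("3DES", "SHA1", "Group 5", 28800)  # PFS enabled, Group 5
# Assumed RUT settings: identical, except PFS was left disabled in Phase 2.
rut_p1 = Proposal("3DES", "SHA1", "Group 5", 28800)
rut_p2 = Proposal("3DES", "SHA1", None, 28800)

if __name__ == "__main__":
    print("ike =", cisco_p1.strongswan())                       # 3des-sha1-modp1536
    print("esp =", cisco_p2.strongswan())                       # 3des-sha1-modp1536
    print("phase 1 mismatches:", mismatches(rut_p1, cisco_p1))  # []
    print("phase 2 mismatches:", mismatches(rut_p2, cisco_p2))  # ['dh_group']
```

A non-empty mismatch list is the usual cause of a tunnel that never reaches ESTABLISHED; the pre-shared key must of course match as well.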

Testing the configuration

To test the IPsec connection, log in to the RUT WebUI and go to Services > CLI. Log in with the username root and the router's administrator password. From there, you should be able to ping the LAN IP address of the opposite peer. To run the ping, type ping followed by the remote LAN IP address and press the Enter key.
