Cisco CCNP ISCW Exam Tutorial

An Overview Of The IPSec Site-to-Site VPN Process

By Chris Bryant, CCIE #12933

We're going to go into great detail during your ISCW studies when it comes to each step in creating a site-to-site IPSec VPN, but before we tackle the details, let's take a look at the overall process.


Configuring a site-to-site VPN generally involves five steps.

  • Process Initialization via "interesting traffic"
  • IKE Phase 1 (IKE SA negotiation)
  • IKE Phase 2 (IPSec SA negotiation)
  • Data Transfer
  • Tunnel Termination

IPSec doesn't just start working by itself - like ISDN, it requires interesting traffic to be sent by a host.  This interesting traffic initializes the IPSec process.   Just as we used access lists to define interesting traffic with ISDN, a crypto access-list will define interesting traffic for our VPN.  (It's nowhere near as complicated as it may sound, and we'll configure one later in the course.)

[Figure: IPSec Interesting Traffic]
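To make the "interesting traffic" idea concrete, here is an added example (written for this page, not part of the tutorial and not Cisco code) that models how a crypto access-list classifies a flow. The wildcard-mask matching follows IOS extended ACL semantics; the parser, the `is_interesting` and `acls_are_mirrored` helpers, and the 10.1.1.0/24 and 10.2.2.0/24 sample networks are constructed for the illustration. It also checks a common configuration mistake: the peer's crypto ACL must be the mirror image of ours.

```python
"""Model of how a crypto access-list decides whether a packet is
"interesting" enough to start IKE. Added illustration, not Cisco code:
the wildcard-mask semantics follow IOS extended ACLs, but the parser,
flow checks and sample addresses are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" (protect with IPSec) or "deny" (send in the clear)
    proto: str      # "ip" matches every protocol; otherwise "tcp", "udp", ...
    src: int        # source network as an integer
    src_wild: int   # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: int
    dst_wild: int


def _addr(token):
    return int(ipaddress.IPv4Address(token))


def parse_acl(lines):
    """Parse the subset 'access-list <n> permit|deny <proto> <src> <dst>'
    where each address is 'A.B.C.D W.X.Y.Z', 'host A.B.C.D' or 'any'.
    Port qualifiers such as 'eq 80' are not modelled."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, proto, rest, addrs = tok[2], tok[3], tok[4:], []
        while rest and len(addrs) < 2:
            if rest[0] == "any":
                addrs.append((0, 0xFFFFFFFF))
                rest = rest[1:]
            elif rest[0] == "host":
                addrs.append((_addr(rest[1]), 0))
                rest = rest[2:]
            else:
                addrs.append((_addr(rest[0]), _addr(rest[1])))
                rest = rest[2:]
        (s, sw), (d, dw) = addrs
        entries.append(AclEntry(action, proto, s, sw, d, dw))
    return entries


def _match(addr, base, wild):
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def is_interesting(acl, proto, src, dst):
    """First matching entry wins and every ACL ends in an implicit deny,
    so only a 'permit' hit makes the packet interesting traffic."""
    s, d = _addr(src), _addr(dst)
    for e in acl:
        if e.proto in ("ip", proto) and _match(s, e.src, e.src_wild) \
                and _match(d, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


def mirror(acl):
    """The peer's crypto ACL has to be the mirror image of ours (source and
    destination swapped), or the two routers will disagree on which
    traffic the IPSec SA protects."""
    return [AclEntry(e.action, e.proto, e.dst, e.dst_wild, e.src, e.src_wild)
            for e in acl]


def acls_are_mirrored(local, remote):
    return mirror(local) == remote


# Constructed sample: HQ LAN 10.1.1.0/24 and branch LAN 10.2.2.0/24, with
# one HQ host excluded from the tunnel to show first-match behaviour.
HQ_ACL = parse_acl([
    "access-list 101 deny ip host 10.1.1.99 10.2.2.0 0.0.0.255",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
])
BRANCH_ACL = parse_acl([
    "access-list 101 deny ip 10.2.2.0 0.0.0.255 host 10.1.1.99",
    "access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
])

if __name__ == "__main__":
    print(is_interesting(HQ_ACL, "tcp", "10.1.1.10", "10.2.2.20"))  # True
    print(is_interesting(HQ_ACL, "tcp", "10.1.1.99", "10.2.2.20"))  # False
    print(acls_are_mirrored(HQ_ACL, BRANCH_ACL))                    # True
```

A packet from 10.1.1.10 to the branch LAN hits the permit line and starts the IPSec process; the same packet to an Internet address falls through to the implicit deny and is routed in the clear. Comparing the two ACLs with `acls_are_mirrored` is the check to make before wondering why Phase 2 never completes.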

The routers will now enter IKE Phase 1.  Assuming we're running Main mode, there will be six messages overall.  The initiator will first transmit proposals for the encryption and authentication schemes to be used.   At this point, IKE's looking for an ISAKMP policy that's a match at both endpoints.

[Figure: IPSec Main Mode Step 1]

In the second exchange of IKE Phase 1, the devices exchange Diffie-Hellman public keys; from this point on, the rest of the negotiation is encrypted.

[Figure: Diffie-Hellman Public Key Exchange]

The initiator and recipient authenticate each other in the third exchange of Phase 1, using an encrypted form of their IP addresses.  The IKE SA is then established and Phase 2 can begin.

[Figure: IPSec Main Mode Step Three]

If we had chosen to run IKE in Aggressive Mode, this would have been a three-message process. 

The initiator packages everything needed for the SA negotiation in the first message, including its Diffie-Hellman public key.

The recipient responds with the acceptable parameters, authentication information, and its Diffie-Hellman public key.

The initiator then sends a confirmation that it received that information, and we're done!

[Figure: Aggressive Mode]

IKE Phase 2 has one mode, Quick mode.  This is also a three-message process.  The initiator proposes parameters for the IPSec SA, the recipient responds with a list of acceptable parameters, and the initiator then transmits a message that lets the responder know that message 2 was received and processed.  This message is called proof of liveness.
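The Phase 1 policy match, Diffie-Hellman exchange and authentication described above, the Aggressive Mode variant, and the three-message Quick Mode can all be followed in one added example, written for this page rather than taken from the tutorial or from Cisco IOS. The `IsakmpPolicy` fields correspond to the ISAKMP policy settings; the message transcript strings, the toy Diffie-Hellman group, the SHA-256 stand-in for the IKE HASH payload, the lifetime rule in `select_policy`, and the sample policies and transform sets are all assumptions made for the illustration.

```python
"""Message-level model of IKE Phase 1 (Main and Aggressive mode) and Phase 2
(Quick mode). Added illustration, not code from the tutorial or from Cisco
IOS: the policy fields mirror the ISAKMP policy settings, but the transcript
strings, toy DH group and hash stand-in for the IKE HASH payload are constructed."""
import hashlib
import secrets
from dataclasses import dataclass

# Constructed toy DH group (2**64 - 59 is prime); real IKE groups use far larger MODP primes.
TOY_P = 0xFFFFFFFFFFFFFFC5
TOY_G = 2


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number is tried first
    encryption: str
    hash: str
    authentication: str
    group: int           # DH group number
    lifetime: int        # seconds


def select_policy(init_pols, resp_pols):
    """Responder walks its own policies in priority order and takes the first
    whose encryption, hash, authentication and DH group match an initiator
    offer; lifetimes need not match, the shorter wins (assumed IOS rule)."""
    offers = sorted(init_pols, key=lambda p: p.priority)
    for r in sorted(resp_pols, key=lambda p: p.priority):
        for i in offers:
            if (i.encryption, i.hash, i.authentication, i.group) == \
                    (r.encryption, r.hash, r.authentication, r.group):
                return IsakmpPolicy(r.priority, r.encryption, r.hash,
                                    r.authentication, r.group,
                                    min(i.lifetime, r.lifetime))
    return None


def dh_keypair():
    priv = secrets.randbelow(TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)


def auth_hash(psk, shared, identity):
    # Stand-in for the IKE HASH payload: proves knowledge of the pre-shared
    # key and of the DH result without ever sending the key itself.
    return hashlib.sha256(f"{psk}|{shared}|{identity}".encode()).hexdigest()


def phase1(mode, init_pols, resp_pols, init_id, resp_id, init_psk, resp_psk):
    """Return (messages, shared_secret); shared_secret is None when no ISAKMP
    policy matches or the pre-shared keys differ."""
    policy = select_policy(init_pols, resp_pols)
    if policy is None:
        return ["1 I->R: ISAKMP proposals", "R: no matching policy, drop"], None
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    i_secret = pow(r_pub, i_priv, TOY_P)   # initiator's copy of the secret
    r_secret = pow(i_pub, r_priv, TOY_P)   # responder's copy of the secret
    if mode == "main":
        msgs = ["1 I->R: ISAKMP proposals",
                f"2 R->I: accepted policy {policy.priority}",
                f"3 I->R: DH public value {i_pub:#x}",
                f"4 R->I: DH public value {r_pub:#x}",
                f"5 I->R: {{ID {init_id}, HASH_I}} (encrypted)",
                f"6 R->I: {{ID {resp_id}, HASH_R}} (encrypted)"]
    elif mode == "aggressive":
        msgs = [f"1 I->R: proposals, DH public value {i_pub:#x}, ID {init_id}",
                f"2 R->I: policy {policy.priority}, DH value {r_pub:#x}, ID {resp_id}, HASH_R",
                "3 I->R: HASH_I"]
    else:
        raise ValueError(f"unknown IKE mode {mode!r}")
    # Each side recomputes the peer's hash with its own PSK and DH result.
    if auth_hash(resp_psk, r_secret, init_id) != auth_hash(init_psk, i_secret, init_id) \
            or auth_hash(init_psk, i_secret, resp_id) != auth_hash(resp_psk, r_secret, resp_id):
        return msgs + ["authentication failed, no IKE SA"], None
    return msgs, i_secret


def quick_mode(ike_secret, init_transforms, resp_transforms):
    """Phase 2: negotiate the IPSec SA inside the IKE SA in three messages.
    Returns (messages, chosen_transform)."""
    if ike_secret is None:
        return ["no IKE SA, Phase 2 cannot start"], None
    chosen = next((t for t in init_transforms if t in resp_transforms), None)
    if chosen is None:
        return ["1 I->R: IPSec transform proposals", "R: no match, drop"], None
    return ["1 I->R: IPSec transform proposals",
            f"2 R->I: accepted transform {chosen}",
            "3 I->R: proof of liveness"], chosen


# Constructed sample: HQ offers two policies, the branch accepts only one.
HQ_POLICIES = [IsakmpPolicy(10, "aes-256", "sha", "pre-share", 5, 86400),
               IsakmpPolicy(20, "3des", "md5", "pre-share", 2, 86400)]
BRANCH_POLICIES = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2, 3600)]
HQ_TS = ["esp-aes esp-sha-hmac", "esp-3des esp-md5-hmac"]
BRANCH_TS = ["esp-3des esp-md5-hmac"]
```

Calling `phase1("main", HQ_POLICIES, BRANCH_POLICIES, "192.0.2.1", "198.51.100.1", "k3y", "k3y")` produces the six-message transcript; `"aggressive"` produces three. With mismatched pre-shared keys, or policies that share no encryption/hash/authentication/group combination, the secret comes back as `None` and `quick_mode` refuses to start, which is the same order in which to check things when `show crypto isakmp sa` shows no SA.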

 

If you're thinking that there's more to the process than this overview - you're right! Configuring VPNs at the command line is demanding, and using the Cisco Security Device Manager (SDM) can be tricky as well.

You'll learn how to do both when you purchase and download your copy of my ISCW Study Package or The Ultimate CCNP Study Package Bundle, which covers all four CCNP exams!


To your success,

Chris Bryant

CCIE #12933

chris@thebryantadvantage.com