Site-to-Site VPN Lab using the Cisco 5921 Embedded Services Router
This configuration is used with “Introduction to the Cisco 5921 Embedded Services Router v1” in dCloud.
1) Log in to dCloud. Under Internet of Everything or Training, find the lab / demo, “Introduction to the Cisco 5921 Embedded Services Router v1”.
2) Launch a dCloud session using this lab and follow the instructions to connect using the AnyConnect client. Do the actual AnyConnect access after step 4 as this will allow time for the dCloud session to start. Please be sure to specify "NOW" as the launch time. This lab takes approximately 5 minutes to be ready for use.
3) Begin by looking at the configuration view links for the intended changes to the router configurations to implement the desired feature. The changes are differentiated from the rest of the configuration using Boldface Orange text.
Cisco dCloud lab - CONFIGURING SITE TO SITE IPSEC VPN TUNNEL BETWEEN CISCO ROUTERS - c5921_ubuntu32_1 - View
Cisco dCloud lab - CONFIGURING SITE TO SITE IPSEC VPN TUNNEL BETWEEN CISCO ROUTERS - c5921_ubuntu32_2 - View
This lab was derived from a third-party Internet-based article, “Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers,” by Rahul Singh, a Cisco CCIE Security certified engineer (#29110) and an active member of the Firewall.cx community. For an in-depth technical discussion, please visit the site below to read this article.
4) Go to the following DevNet Community links and download the configurations to be used in this lab. Please use the download links for this.
Cisco dCloud lab - CONFIGURING SITE TO SITE IPSEC VPN TUNNEL BETWEEN CISCO ROUTERS - c5921_ubuntu32_1 - Download
Cisco dCloud lab - CONFIGURING SITE TO SITE IPSEC VPN TUNNEL BETWEEN CISCO ROUTERS - c5921_ubuntu32_2 - Download
5) On both of the working routers, c5921_ubuntu32_1 and c5921_ubuntu32_2, shut down the following ports: ethernet 0/1, 0/2, 0/3.
6) For router c5921_ubuntu32_2, enable 50 Mbps throughput.
7) Please enable the following debugs on router 1:
· debug crypto isakmp—Displays messages about Internet Key Exchange (IKE) events.
· debug crypto ipsec—Displays IPsec events.
· debug crypto engine—Displays crypto engine events.
8) Please add the highlighted commands in the configuration. Besides the crypto commands, we will be making a minor change to the routing to accommodate the addition of two other loopback interfaces. (We can highlight the differences. I need to add highlighting to the View links.)
9) Execute the following ping command on router 2 to generate interesting packets to launch the encrypted session:
ping 10.1.1.1 source loop 1
10) To verify the VPN Tunnel, use the "show crypto session" command.
11) To get additional session detail, you may use the following commands:
· show crypto isakmp sa detail—Displays the IKE SAs that have been set up between the IPsec initiators, for example, the spoke router and the VPN client, and the hub router.
· show crypto ipsec sa—Displays the IPsec SAs that have been set up between the IPsec initiators, for example, the spoke router and the VPN client, and the hub router.
12) Compare your results to the output shown after the configuration in each DevNet document.
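The check in steps 10 to 12 can also be scripted. The following is an added example, not part of the original lab or the DevNet documents: it parses pasted "show crypto session" output and reports any session that is not UP-ACTIVE or has no active IPsec SAs. The sample output, interface name and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample output; interface and addresses are placeholders, not the lab's.
SAMPLE = """\
Crypto session current status

Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 192.0.2.2 port 500
  IKEv1 SA: local 192.0.2.1/500 remote 192.0.2.2/500 Active
  IPSEC FLOW: permit ip 10.2.2.0/255.255.255.0 10.1.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: Ethernet0/0
Session status: DOWN
Peer: 198.51.100.7 port 500
  IPSEC FLOW: permit ip 10.2.2.0/255.255.255.0 10.3.3.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

def parse_crypto_sessions(text):
    """Return one dict per session block (each block starts at 'Interface:')."""
    sessions = []
    for block in re.split(r"(?m)^Interface:", text)[1:]:
        status = re.search(r"Session status:\s*(\S+)", block)
        peer = re.search(r"Peer:\s*(\S+)", block)
        flows = re.findall(r"IPSEC FLOW:\s*(.+?)\s*\n\s*Active SAs:\s*(\d+)", block)
        sessions.append({
            "status": status.group(1) if status else None,
            "peer": peer.group(1) if peer else None,
            "flows": [{"acl": acl, "active_sas": int(n)} for acl, n in flows],
        })
    return sessions

def tunnel_problems(sessions):
    """List reasons a session is not protecting traffic; empty list means healthy."""
    problems = []
    for s in sessions:
        if s["status"] != "UP-ACTIVE":  # IKE SA and IPsec SAs both established
            problems.append(f"{s['peer']}: session status {s['status']}")
        for f in s["flows"]:
            # Assumption: a healthy flow shows 2 SAs (one inbound, one outbound).
            if f["active_sas"] < 2:
                problems.append(f"{s['peer']}: {f['active_sas']} active SAs for '{f['acl']}'")
    return problems

if __name__ == "__main__":
    for p in tunnel_problems(parse_crypto_sessions(SAMPLE)) or ["all sessions UP-ACTIVE"]:
        print(p)
```

If the session is reported as DOWN after the ping in step 9, the debug output enabled in step 7 shows where the IKE or IPsec negotiation stopped.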
This lab allowed you to verify a Cisco IOS feature described in a third-party Internet article.
It introduced you to the DevNet community for IoT Embedded and specifically showed that there is a space to share and to post useful 5921 configurations and other companion code.
dCloud allowed you to launch in a few minutes what would take hours to build in your own lab.