This tutorial shows how to create and test a VPN using Cisco Packet Tracer. It was tested in Packet Tracer version 5.3; the latest Cisco Packet Tracer version may differ in some aspects.
Steps to create VPN Using Cisco Packet Tracer 5.3
The following steps cover project creation, configuring two routers (Router0 and Router1) to set up a VPN between them, and then testing the VPN connection by sending message packets from PC0 to PC1.
Setup New VPN Project in CISCO Packet Tracer
Start by creating a new project in Packet Tracer as shown in the screenshot. Attach two PCs (PC0 and PC1) to switches, then connect the switches by placing two 2811 routers between them.
Set up the device IP addresses as follows
- PC0 – 10.0.0.2 attached to Router0 – 10.0.0.1 via 2960-24TT Switch0
- PC1 – 12.0.0.2 attached to Router0 – 12.0.0.1 via 2960-24TT Switch0
- Router0 – 11.0.0.1 attached to Router1 – 11.0.0.2 via direct WAN link.
You can also download a ready-made template that matches this setup: [VPN.pkt].

Configure Router1
Configure Router1 using the following commands in the CLI environment.
Enable IPsec
Router(config)#crypto isakmp enable
Set new policy with number 1
Router(config)#crypto isakmp policy 1
Use the pre-shared key authentication method (if using certificates, use rsa-sig instead of pre-share)
Router(config-isakmp)#authentication pre-share
Use symmetric encryption AES
Router(config-isakmp)#encryption aes
Use hash algorithm SHA for data integrity
Router(config-isakmp)#hash sha
Use Diffie-Hellman group 2
Router(config-isakmp)#group 2
Router(config-isakmp)#exit
0 is the key that will be used with the next site, whose IP address is 11.0.0.1. Note that in Packet Tracer you use 0.0.0.0 instead of a subnet mask
Router(config)#crypto isakmp key 0 address 11.0.0.1 0.0.0.0
Create a transform set called yasser; ESP is the protocol that will be used (you can use AH on an internal VPN)
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac
Keys expire after 86400 seconds
Router(config)#crypto ipsec security-association lifetime seconds 86400
Create an ACL called ramzy that defines which traffic will use the VPN tunnel
Router(config)#ip access-list extended ramzy
Router(config-ext-nacl)#permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Create a crypto map called auda with seq number 100
Router(config)#crypto map auda 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Link the above ACL to this crypto map
Router(config-crypto-map)#match address ramzy
Link the next site IP address to this crypto map
Router(config-crypto-map)#set peer 11.0.0.1
Link DH group 2 to this crypto map
Router(config-crypto-map)#set pfs group2
Link the above transform set to this crypto map
Router(config-crypto-map)#set transform-set yasser
Router(config-crypto-map)#ex
Apply crypto map auda to the interface facing the link to the next site.
Router(config)#int fa 0/1
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do wr
Building configuration…[OK]
Router(config-if)#^Z
Router#
Configure Router0
Configure Router0 using the following commands in the CLI environment.
Router(config)#crypto isakmp enable
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes
Router(config-isakmp)#group 2
Router(config-isakmp)#hash sha
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.2 0.0.0.0
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac
Router(config)#crypto ipsec security-association lifetime seconds 86400
Router(config)#ip access-list extended ramzy
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy
Router(config-crypto-map)#set peer 11.0.0.2
Router(config-crypto-map)#set pfs group2
Router(config-crypto-map)#set transform-set yasser
Router(config-crypto-map)#exit
Router(config)#interface fastEthernet 0/1
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exit
Router(config)#do wr
Building configuration…
[OK]
Router(config)#
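A consistency check for the two configurations above, added here as an example and not part of the original tutorial: it reports settings that must be identical on both routers (ISAKMP policy, transform set, PFS group, pre-shared key) or mirrored (crypto ACL), and checks that each router's key address equals its crypto map peer. The config text is constructed from the tutorial's commands, and `parse` and `check_pair` are hypothetical helper names.

```python
import re

# Constructed from the tutorial's Router1 commands, prompts stripped (not a device
# export). Router0 is derived from it: peer address and ACL direction are swapped.
ROUTER1 = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp key 0 address 11.0.0.1 0.0.0.0
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
ip access-list extended ramzy
 permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto map auda 100 ipsec-isakmp
 match address ramzy
 set peer 11.0.0.1
 set pfs group2
 set transform-set yasser
"""
ROUTER0 = (ROUTER1.replace("11.0.0.1", "11.0.0.2")
           .replace("12.0.0.0 0.255.255.255 10.0.0.0", "10.0.0.0 0.255.255.255 12.0.0.0"))

def parse(cfg):
    """Extract the fields that must match, or mirror, between the two peers."""
    g = lambda pat: re.search(pat, cfg, re.M)
    key = g(r"^crypto isakmp key (\S+) address (\S+)")
    acl = g(r"^\s*permit ip (\S+ \S+) (\S+ \S+)")
    return {
        "phase1": tuple(g(rf"^\s*{k} (\S+)").group(1)
                        for k in ("authentication", "encryption", "hash", "group")),
        "transform": g(r"^crypto ipsec transform-set \S+ (.+)$").group(1).split(),
        "pfs": g(r"^\s*set pfs (\S+)").group(1),
        "psk": key.group(1), "key_peer": key.group(2),
        "map_peer": g(r"^\s*set peer (\S+)").group(1),
        "src": acl.group(1), "dst": acl.group(2),
    }

def check_pair(cfg_a, cfg_b):
    """Return mismatches that would keep IKE or the IPsec SAs from coming up."""
    a, b, problems = parse(cfg_a), parse(cfg_b), []
    for field in ("phase1", "transform", "pfs", "psk"):
        if a[field] != b[field]:
            problems.append(f"{field} differs: {a[field]} vs {b[field]}")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("crypto ACLs are not mirror images")
    for name, side in (("A", a), ("B", b)):
        if side["key_peer"] != side["map_peer"]:
            problems.append(f"{name}: key address {side['key_peer']} != set peer {side['map_peer']}")
    return problems
```

`check_pair(ROUTER1, ROUTER0)` returns an empty list for the tutorial's settings; any entry in the list names the setting to compare on both routers before looking at the `show crypto` output.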
Test VPN Connection in CISCO Packet Tracer
To test the VPN connection, send a packet from PC0 to PC1 as shown in the following figure. Don’t worry: message delivery will fail because there are no IP entries in the routing table.

Now send a packet from PC1 to PC0 & PC1 to PC0 as shown in the following figure.

This time the routing table has been created and contains routing info, so message delivery will be successful.

Now you can try the following commands to test VPN on the router.
Router#show crypto isakmp policy
Router#show crypto isakmp sa
Router#show crypto map
Router#show crypto ipsec sa