
IPSec Protocols ESP and AH:

R1 Public IP Address: 1.1.1.1
R1 Private IP Address: 192.168.1.1
R1 to R2 IPSec Protocol: ESP
R1 to R3 IPSec Protocol: AH
R2 Public IP Address: 2.2.2.2
R2 Private IP Address: 192.168.2.2
R3 Public IP Address: 3.3.3.3
R3 Private IP Address: 192.168.3.3
Router Image: L3-ADVENTERPRISEK9-M-15-.4-2T.bin
ISP to R1 Public IP Address: 1.1.1.2
ISP to R2 Public IP Address: 2.2.2.1
ISP to R3 Public IP Address: 3.3.3.1
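The lab runs ESP to R2 and AH to R3. The security difference between the two is easiest to see on the wire, so the following added example (not part of the lab document and not Cisco code) builds and parses minimal AH and ESP packets. It assumes the 96-bit truncated HMAC the lab's md5-hmac transforms use, an AH ICV computed only over the AH header and payload (a simplification: real AH also covers the outer IP header with its mutable fields zeroed), and constructed sample data rather than anything captured from the routers.

```python
"""AH vs ESP on the wire (added example; not from the lab document).

AH (IP protocol 51) authenticates the packet but the payload stays readable.
ESP (IP protocol 50) encrypts the payload; only SPI and sequence number are
visible to anyone without the SA's keys.
"""
import hashlib
import hmac
import os
import struct

ICV_LEN = 12  # HMAC-MD5-96 / HMAC-SHA1-96: the MAC is truncated to 96 bits


def ah_icv(key: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """HMAC-MD5-96 over the 12-byte AH header (ICV zeroed) plus the payload.

    Simplification: the outer IP header that AH also covers is left out.
    """
    mac = hmac.new(key, ah_fixed + bytes(ICV_LEN) + payload, hashlib.md5).digest()
    return mac[:ICV_LEN]


def build_ah(key: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """AH header: Next Header, Payload Len, Reserved, SPI, Sequence, ICV."""
    # Payload Len = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (12 + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return fixed + ah_icv(key, fixed, payload) + payload


def parse_ah(buf: bytes) -> dict:
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    ah_len = (payload_len + 2) * 4
    return {
        "next_header": next_header,
        "spi": spi,
        "seq": seq,
        "icv": buf[12:ah_len],
        "payload": buf[ah_len:],  # readable: AH gives integrity, not confidentiality
    }


def verify_ah(key: bytes, buf: bytes) -> bool:
    """Recompute the ICV and compare in constant time."""
    parsed = parse_ah(buf)
    expected = ah_icv(key, buf[:12], parsed["payload"])
    return hmac.compare_digest(expected, parsed["icv"])


def parse_esp(buf: bytes, icv_len: int = ICV_LEN) -> dict:
    """Only SPI and sequence number are in the clear; the rest is ciphertext + ICV."""
    spi, seq = struct.unpack("!II", buf[:8])
    return {"spi": spi, "seq": seq, "ciphertext": buf[8:-icv_len], "icv": buf[-icv_len:]}


# Constructed sample data (not captured from the lab): an ICMP echo request
# (type 8, code 0) as the R1 -> R3 AH tunnel would carry it; key is made up.
ICMP_ECHO = bytes([8, 0, 0, 0, 0x12, 0x34, 0x00, 0x01]) + b"abcdefgh"
AH_KEY = b"constructed-demo-key"  # real SA keys are derived by IKE


def demo_ah() -> dict:
    pkt = build_ah(AH_KEY, spi=0x1000, seq=1, next_header=1, payload=ICMP_ECHO)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0xFF])  # flip one payload byte
    return {
        "payload_visible": parse_ah(pkt)["payload"][0] == 8,  # ICMP type readable
        "icv_ok": verify_ah(AH_KEY, pkt),
        "tampered_ok": verify_ah(AH_KEY, tampered),
    }


def demo_esp() -> dict:
    # Constructed ESP packet: random bytes stand in for AES ciphertext and ICV.
    esp = struct.pack("!II", 0x2000, 7) + os.urandom(24) + os.urandom(ICV_LEN)
    parsed = parse_esp(esp)
    return {"spi": parsed["spi"], "seq": parsed["seq"], "ciphertext_len": len(parsed["ciphertext"])}


if __name__ == "__main__":
    print("AH :", demo_ah())
    print("ESP:", demo_esp())
```

The AH demo shows why the R1 to R3 tunnel protects only integrity: the ICMP type byte is read straight out of the packet, while a single flipped byte fails the ICV check. The ESP demo shows that, without the SA keys, the SPI and sequence number from `show crypto ipsec sa` are the only fields that can be matched against a capture.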

R1 Basic Configuration
R1(config)#hostname R1
R1(config)#interface Ethernet0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface Loopback1
R1(config-if)#ip address 192.168.1.1 255.255.255.255
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 00966564303717


R2 Basic Configuration
R2(config)#hostname R2
R2(config)#interface Ethernet0/0
R2(config-if)#ip address 2.2.2.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface Loopback2
R2(config-if)#ip address 192.168.2.2 255.255.255.255
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.1

R3 Basic Configuration
R3(config)#hostname R3
R3(config)#interface Ethernet0/0
R3(config-if)#ip address 3.3.3.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface Loopback3
R3(config-if)#ip address 192.168.3.3 255.255.255.255
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 3.3.3.1

ISP Basic Configuration


ISP(config)#hostname ISP
ISP(config)#interface Ethernet0/0
ISP(config-if)#ip address 1.1.1.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface Ethernet0/1
ISP(config-if)#ip address 2.2.2.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface Ethernet0/2
ISP(config-if)#ip address 3.3.3.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit



R1 to R2 Configure IPSec Phase 1 (ISAKMP Policy)
R1(config)#crypto isakmp policy 5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco12 address 2.2.2.2

R1 to R2 Configure IPSec Phase 2 (Transform Set)


R1(config)#crypto ipsec transform-set TSET1 esp-aes 128 esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec security-association lifetime seconds 3600

R1 to R2 Configure ACL for Interesting Traffic


R1(config)#ip access-list extended VPNT1
R1(config-ext-nacl)# permit ip host 192.168.1.1 host 192.168.2.2
R1(config-ext-nacl)# exit

R1 to R2 Configure Crypto Map


R1(config)#crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)#match address VPNT1
R1(config-crypto-map)#set peer 2.2.2.2
R1(config-crypto-map)#set transform-set TSET1
R1(config-crypto-map)# exit

Apply Crypto Map to Outgoing Interface of R1


R1(config)#interface Ethernet0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exit



R1 to R3 Configure IPSec Phase 1 (ISAKMP Policy)
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco13 address 3.3.3.3

R1 to R3 Configure IPSec Phase 2 (Transform Set)


R1(config)#crypto ipsec transform-set TSET2 ah-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec security-association lifetime seconds 3600

R1 to R3 Configure ACL for Interesting Traffic


R1(config)#ip access-list extended VPNT2
R1(config-ext-nacl)# permit ip host 192.168.1.1 host 192.168.3.3
R1(config-ext-nacl)#exit

R1 to R3 Configure Crypto Map


R1(config)#crypto map CMAP 20 ipsec-isakmp
R1(config-crypto-map)#match address VPNT2
R1(config-crypto-map)#set peer 3.3.3.3
R1(config-crypto-map)#set transform-set TSET2
R1(config-crypto-map)#exit

Apply Crypto Map to Outgoing Interface of R1


R1(config)#interface Ethernet0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exit



R2 to R1 Configure IPSec Phase 1 (ISAKMP Policy)
R2(config)#crypto isakmp policy 5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#group 2
R2(config-isakmp)#hash sha
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#exit
R2(config)#crypto isakmp key cisco12 address 1.1.1.1

R2 to R1 Configure IPSec Phase 2 (Transform Set)


R2(config)#crypto ipsec transform-set TSET1 esp-aes 128 esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec security-association lifetime seconds 3600

R2 to R1 Configure ACL for Interesting Traffic


R2(config)#ip access-list extended VPNT1
R2(config-ext-nacl)# permit ip host 192.168.2.2 host 192.168.1.1
R2(config-ext-nacl)# exit

R2 to R1 Configure Crypto Map


R2(config)#crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)#match address VPNT1
R2(config-crypto-map)#set peer 1.1.1.1
R2(config-crypto-map)#set transform-set TSET1
R2(config-crypto-map)# exit

Apply Crypto Map to Outgoing Interface of R2


R2(config)#interface Ethernet0/0
R2(config-if)#crypto map CMAP
R2(config-if)#exit



R3 to R1 Configure IPSec Phase 1 (ISAKMP Policy)
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#group 2
R3(config-isakmp)#hash sha
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco13 address 1.1.1.1

R3 to R1 Configure IPSec Phase 2 (Transform Set)


R3(config)#crypto ipsec transform-set TSET2 ah-md5-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec security-association lifetime seconds 3600

R3 to R1 Configure ACL for Interesting Traffic


R3(config)#ip access-list extended VPNT2
R3(config-ext-nacl)# permit ip host 192.168.3.3 host 192.168.1.1
R3(config-ext-nacl)#exit

R3 to R1 Configure Crypto Map


R3(config)#crypto map CMAP 20 ipsec-isakmp
R3(config-crypto-map)#match address VPNT2
R3(config-crypto-map)#set peer 1.1.1.1
R3(config-crypto-map)#set transform-set TSET2
R3(config-crypto-map)#exit

Apply Crypto Map to Outgoing Interface of R3


R3(config)#interface Ethernet0/0
R3(config-if)#crypto map CMAP
R3(config-if)#exit
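The steps above are mirrored on each pair of peers, and a tunnel fails to come up whenever one side's pre-shared key, ISAKMP policy, transform set or crypto ACL does not match the other's. The following added example (not from the lab document and not Cisco code) checks that consistency offline: it parses show-run style text constructed from the lab's R1 and R2 commands (trimmed to that ESP pair; the R1/R3 AH pair is checked the same way) and reports what would stop the tunnel. ISAKMP lifetimes are ignored on purpose because IKE negotiates down to the shorter one.

```python
"""Peer-consistency check for a pair of IOS crypto-map configs (added example;
not from the lab document). Reports PSK mismatch, no common ISAKMP policy,
different transform sets, or a crypto ACL that is not the peer's mirror image.
"""
from collections import defaultdict

PHASE1 = ("encryption", "hash", "authentication", "group")  # lifetime is negotiated

# Constructed from the lab's R1 and R2 commands (show-run layout, no prompts).
R1_CFG = """
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 group 2
 hash sha
 lifetime 86400
crypto isakmp key cisco12 address 2.2.2.2
crypto ipsec transform-set TSET1 esp-aes 128 esp-md5-hmac
ip access-list extended VPNT1
 permit ip host 192.168.1.1 host 192.168.2.2
crypto map CMAP 10 ipsec-isakmp
 match address VPNT1
 set peer 2.2.2.2
 set transform-set TSET1
"""
R2_CFG = """
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 group 2
 hash sha
 lifetime 86400
crypto isakmp key cisco12 address 1.1.1.1
crypto ipsec transform-set TSET1 esp-aes 128 esp-md5-hmac
ip access-list extended VPNT1
 permit ip host 192.168.2.2 host 192.168.1.1
crypto map CMAP 10 ipsec-isakmp
 match address VPNT1
 set peer 1.1.1.1
 set transform-set TSET1
"""


def parse(cfg: str) -> dict:
    """Pull out the parts of the config that both peers must agree on."""
    d = {"policy": {}, "key": {}, "tset": {}, "acl": defaultdict(list), "map": {}}
    block = None
    for line in cfg.strip().splitlines():
        w = line.split()
        if not line.startswith(" "):                      # top-level command
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = d["policy"][w[3]] = {}
            elif w[:3] == ["crypto", "isakmp", "key"]:
                d["key"][w[5]] = w[3]                     # peer address -> PSK
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                d["tset"][w[3]] = tuple(w[4:])
            elif w[:2] == ["crypto", "map"]:
                block = d["map"][w[3]] = {}               # sequence -> entry
            elif w[:3] == ["ip", "access-list", "extended"]:
                block = d["acl"][w[3]]
        elif isinstance(block, list):                     # permit ip host A host B
            block.append((w[3], w[5]))
        elif block is not None:                           # set X Y / match address Z / policy attr
            block[w[-2] if w[0] in ("set", "match") else w[0]] = w[-1]
    return d


def check_peer(local: dict, local_ip: str, remote: dict, remote_ip: str) -> list:
    """Mismatches for local's crypto-map entries towards remote; [] means consistent."""
    problems = []
    if local["key"].get(remote_ip) != remote["key"].get(local_ip):
        problems.append("pre-shared keys differ")

    def view(p):  # the attributes IKE phase 1 must agree on
        return {k: p.get(k) for k in PHASE1}

    if not any(view(p) == view(q) for p in local["policy"].values() for q in remote["policy"].values()):
        problems.append("no common ISAKMP policy")
    for seq, e in local["map"].items():
        if e.get("peer") != remote_ip:
            continue
        r = next((x for x in remote["map"].values() if x.get("peer") == local_ip), None)
        if r is None:
            problems.append(f"seq {seq}: remote has no crypto-map entry for {local_ip}")
            continue
        if local["tset"].get(e["transform-set"]) != remote["tset"].get(r["transform-set"]):
            problems.append(f"seq {seq}: transform sets differ")
        mirrored = sorted((dst, src) for src, dst in remote["acl"][r["address"]])
        if mirrored != sorted(local["acl"][e["address"]]):
            problems.append(f"seq {seq}: crypto ACL is not mirrored on the peer")
    return problems


def check_lab() -> list:
    return check_peer(parse(R1_CFG), "1.1.1.1", parse(R2_CFG), "2.2.2.2")


if __name__ == "__main__":
    print(check_lab() or "R1 <-> R2 crypto configuration is consistent")
```

Running it on the lab pair returns an empty list; changing R2's transform set to `esp-sha-hmac` or its key to anything but `cisco12` produces one line per fault, which is what `debug crypto isakmp` would otherwise have to be read for on the router.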



Verification and Testing
To test the VPN tunnels, ping the R2 and R3 loopback addresses from R1 with the ping sourced from Loopback1, so that the traffic matches the crypto ACLs (192.168.1.1 to 192.168.2.2 and 192.168.1.1 to 192.168.3.3); a ping to the public peer addresses does not match the ACLs and will not bring up the security associations.
Verify IPSec Phase 1 Connection
R1#ping 192.168.2.2 source Loopback1
R1#ping 192.168.3.3 source Loopback1
R1#show crypto isakmp key
R1#show crypto isakmp peers
R1#show crypto isakmp policy
R1#show crypto isakmp sa
R1#show crypto session

Verify IPSec Phase 2 Connection


R1#show crypto ipsec sa
R1#show crypto ipsec transform-set
R1#show crypto ipsec security-association
R1#show crypto ipsec spi-lookup
