My Journey with the Cisco C881-K9 Router and IPSec VPN Tunnel Configuration

Setting the Stage: The Cisco C881-K9 Router

I wanted to document my experience configuring a Cisco C881-K9 router to set up an IPSec VPN tunnel—not just for myself but also for anyone who might be venturing down this path. Whether you're tackling this for the first time or just need a refresher, I hope this helps.

Key specifications:

1. Product Code: C881-K9
2. PoE: 2 port integrated PoE
3. RAM: 256 (default) / 768 MB (Max)
4. Flash Memory: 128 MB
5. Dimensions: 32.5 cm x 24.9 cm x 4.4 cm
6. LAN Interface: 4 x 10Base-T/100Base-TX - RJ-45
7. Management Interface: 1 x console - RJ-45
8. WAN Interface: 1 x 10Base-T/100Base-TX - RJ-45
9. USB: 1 x 4 PIN USB Type A

Ports and controls (panel callouts):

1. Primary WAN port—FE
2. USB port
3. 4-port 10/100 Ethernet switch
4. Serial port—Console or auxiliary
5. On/Off switch
6. Reset button
7. Power connector
8. Earth ground connection
9. Kensington security slot

Why the Cisco C881-K9?

I’ll admit, I didn’t plan to splurge on high-end networking gear for my tests. So, when I found a used Cisco C881-K9 router on eBay for just 20 CAD, I couldn’t resist. It’s amazing how much value you can get from second-hand gear! The C881-K9 is a reliable workhorse for small to medium setups, and it supports advanced features like IPSec VPN. Plus, it’s perfect for home lab experiments like mine.

Setting the Scene

Here’s the scenario I was working with:

  • Objective: Set up a secure connection between my home network and a remote network using IPSec.
  • Environment:
    • Cisco C881-K9 router at my end.
    • The remote endpoint managed by Infoblox with a DHCP server.
    • Pre-shared keys are used for authentication.

Getting Started

The first step was to access the router’s CLI. If you’re familiar with Cisco devices, you’ll know this is where all the magic happens.

Step 1: Configuring the VLAN

Basic settings

  • The Cisco router's LAN IP address is 192.168.7.5.
  • The MacBook connected to the router over an Ethernet cable has IP address 192.168.7.10.
  • 192.168.0.1 is the gateway IP of the SHAW router, through which the Cisco router gets Internet access.
  • 192.168.0.37 is the IP address the SHAW router assigned to the Cisco router's WAN port.
  • 3.213.79.135 is the public IP address of the NLB at the other end, where the DHCP service is running.
  • The WAN IP of my SHAW router is 96.55.48.229.
  • 192.168.7.1 is the managed DHCP service endpoint.
  • The DHCP service endpoint assigns leases from the 192.168.7.0/24 address space.

Configure VLAN1

  • configure terminal
  • interface Vlan1
  • ip address 192.168.7.5 255.255.255.0
  • no shutdown
  • exit
  • write memory

Connect a physical port and assign it to VLAN1

  • configure terminal
  • interface FastEthernet0
  • switchport mode access
  • switchport access vlan 1
  • no shutdown
  • exit
  • write memory

Step 2: Connect Internet on Cisco Router

Connect one end of an RJ-45 cable to the SHAW router and the other to the FE WAN interface (FastEthernet4) of the Cisco router.

  • Router(config)# interface FastEthernet4
  • Router(config-if)# ip address dhcp
  • Router(config-if)# no shutdown
  • Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1
  • Router(config)#exit
  • Router#write memory
Router#show ip interface brief FastEthernet4
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet4              192.168.0.37    YES DHCP   up                    up

Router#show dhcp lease
Temp IP addr: 192.168.0.37  for peer on Interface: FastEthernet4
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 192.168.0.1, state: 5 Bound
   DHCP transaction id: 1671
   Lease: 315360000 secs,  Renewal: 157680000 secs,  Rebind: 275940000 secs
Temp default-gateway addr: 192.168.0.1
   Next timer fires after: 5w0d
   Retry count: 0   Client-ID: cisco-fc5b.3993.f4d0-Fa4
   Client-ID hex dump: 636973636F2D666335622E333939332E
                       663464302D466134
   Hostname: EdgeRouter

Step 3: Set up the IPsec Site-to-Site VPN

IKEv2 Configuration

Router#show crypto ikev2 proposal HAAS-IKEPROPOSAL
IKEv2 proposal: HAAS-IKEPROPOSAL
    Encryption : AES-CBC-256
    Integrity : SHA256 SHA384 SHA512
    PRF : SHA256 SHA384 SHA512
    DH Group : DH_GROUP_2048_MODP/Group 14

Router#show crypto ikev2 policy HAAS-IKEPOLICY
IKEv2 policy : HAAS-IKEPOLICY
      Match fvrf : any
      Match address local : any
      Proposal    : HAAS-IKEPROPOSAL

Router#show crypto ikev2 profile HAAS-IKE-PROFILE
IKEv2 profile: HAAS-IKE-PROFILE
 Ref Count: 6
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   any
  Certificate maps: none
 Local identity: fqdn dpudbeueu4pt1yrs
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: HAAS-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 mode auto: none
 AAA AnyConnect EAP authentication mlist: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
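The show output above reflects the IKEv2 objects but not the commands that created them. Below is the IKEv2 side written out as IOS configuration that would produce that output. This is an added reconstruction, not the author's configuration: the keyring peer block name and the two pre-shared-key placeholders are assumptions, because the page never shows the keyring itself. The proposal algorithms, the peer address 3.213.79.135, the local FQDN identity and the 86400-second lifetime are taken from the page.

```cisco
! IKEv2 proposal, matching the 'show crypto ikev2 proposal' output above
crypto ikev2 proposal HAAS-IKEPROPOSAL
 encryption aes-cbc-256
 integrity sha256 sha384 sha512
 group 14
!
! Policy binding the proposal; fvrf and local address stay at 'any' as shown
crypto ikev2 policy HAAS-IKEPOLICY
 proposal HAAS-IKEPROPOSAL
!
! Keyring referenced by the profile. Peer block name and PSK values are
! placeholders (assumption); use a long random secret on both ends.
crypto ikev2 keyring HAAS-KEYRING
 peer INFOBLOX-HAAS
  address 3.213.79.135
  pre-shared-key local <LOCAL-PSK-PLACEHOLDER>
  pre-shared-key remote <REMOTE-PSK-PLACEHOLDER>
!
! Profile, matching the 'show crypto ikev2 profile' output above
crypto ikev2 profile HAAS-IKE-PROFILE
 match identity remote any
 identity local fqdn dpudbeueu4pt1yrs
 authentication remote pre-share
 authentication local pre-share
 keyring local HAAS-KEYRING
 lifetime 86400
! DPD shows as disabled above; 'dpd 10 2 on-demand' inside the profile would
! let the router notice a peer that has silently gone away.
```

Once the tunnel is negotiated, `show crypto ikev2 sa` should list the SA to 3.213.79.135. Two points worth tightening in a configuration like this: the profile accepts any remote identity, so once the peer is known, replacing `match identity remote any` with the peer's FQDN (the Phase1_id that appears in the session output later, 96.55.48.229.infoblox.com) restricts which identity may use this keyring; and enabling DPD lets the router tear down and rebuild the tunnel when the peer stops responding instead of waiting for the SA lifetime to expire.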

IPSec Configuration

crypto ipsec transform-set HAAS-IKE-TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile HAAS-IPSEC-PROFILE
 set security-association lifetime seconds 28800
 set security-policy limit 1
 set transform-set HAAS-IKE-TRANSFORM-SET
 set ikev2-profile HAAS-IKE-PROFILE
!

Tunnel Interface Configuration

Router(config)#interface tunnel0
Router(config-if)#ip unnumbered FastEthernet4
Router(config-if)#ip mtu 1450
Router(config-if)#ip tcp adjust-mss 1360
Router(config-if)#tunnel source FastEthernet4
Router(config-if)#tunnel destination 3.213.79.135
Router(config-if)#tunnel mode ipsec ipv4
Router(config-if)#tunnel protection ipsec profile HAAS-IPSEC-PROFILE ikev2-profile HAAS-IKE-PROFILE
Router(config-if)#exit
Router(config)#exit

Verify Tunnel Connectivity

Router#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer            I/F   Username                 Group/Phase1_id          Uptime   Status
3.213.79.135    Tu0         96.55.48.229.infoblox.co 00:01:30 UA

Router#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel0
Profile: HAAS-IKE-PROFILE
Uptime: 00:01:36
Session status: UP-ACTIVE
Peer: 3.213.79.135 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 96.55.48.229.infoblox.com
      Desc: (none)
  Session ID: 1
  IKEv2 SA: local 192.168.0.37/4500 remote 3.213.79.135/4500 Active
          Capabilities:DN connid:1 lifetime:23:58:24
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4373968/7 hours, 58 mins
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4373968/7 hours, 58 mins

Router#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.0.37

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 3.213.79.135 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.37, remote crypto endpt.: 3.213.79.135
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xCA31F0B8(3392270520)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x561EA63E(1444849214)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4373968/28652)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCA31F0B8(3392270520)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4373968/28652)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

# On the remote ipsec pod (strongSwan). The SPIs cross-match the Cisco output above:
# Cisco outbound 0xCA31F0B8 is the inbound SPI ca31f0b8_i here, and Cisco inbound 0x561EA63E is the outbound 561ea63e_o.
# ipsec status tibdc2-1
Security Associations (1 up, 0 connecting):
    tibdc2-1[283]: ESTABLISHED 11 minutes ago, 100.113.129.65[96.55.48.229.infoblox.com]...96.55.48.229[dpudbeueu4pt1yrs]
    tibdc2-1{163}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca31f0b8_i 561ea63e_o
    tibdc2-1{163}:   0.0.0.0/0 === 0.0.0.0/0

Step 4: Create Access Lists

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 111 permit tcp any any eq domain
Router(config)#access-list 111 permit udp any any eq domain
Router(config)#access-list 111 permit udp any any eq bootps
Router(config)#access-list 111 permit icmp any any

Create Route Map and Assign it the Access List

Router(config)#route-map HAAS-ROUTE-MAP permit 111
Router(config-route-map)#match ip address 111
Router(config-route-map)#set interface Tunnel0

Create Static Route

Router(config)#ip route 192.168.7.1 255.255.255.255 Tunnel0
Router(config)#ip name-server 192.168.7.1
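The access list, route map and static route above fit together as one piece of configuration, collected here as an added example rather than the author's own config. Two lines in it are assumptions, because the page does not show them: attaching the route map to Vlan1 with `ip policy route-map`, since a route map does nothing until it is applied to the interface where the traffic enters, and `ip helper-address`, which relays LAN clients' DHCP broadcasts to 192.168.7.1 over the tunnel (the dras test on the page sends unicast directly from the MacBook and does not depend on it). Everything else is taken from the page.

```cisco
! Traffic selector for policy routing: DNS, the DHCP server port and ICMP (from the page)
access-list 111 permit tcp any any eq domain
access-list 111 permit udp any any eq domain
access-list 111 permit udp any any eq bootps
access-list 111 permit icmp any any
!
! Route map: anything matching ACL 111 is forwarded out Tunnel0
route-map HAAS-ROUTE-MAP permit 111
 match ip address 111
 set interface Tunnel0
!
! Assumption: the map only takes effect once attached to the LAN ingress interface.
! Assumption: the helper address relays LAN DHCP broadcasts to the remote server.
interface Vlan1
 ip policy route-map HAAS-ROUTE-MAP
 ip helper-address 192.168.7.1
!
! /32 host route: 192.168.7.1 falls inside Vlan1's connected 192.168.7.0/24, so this
! longer prefix is what steers traffic for the DHCP/DNS endpoint into the tunnel.
ip route 192.168.7.1 255.255.255.255 Tunnel0
ip name-server 192.168.7.1
```

`show route-map HAAS-ROUTE-MAP` reports the policy-routing match counters, which is the quickest way to confirm the map is actually seeing traffic. Note that ACL 111 matches DNS and ICMP to any destination, so once the map is applied, the MacBook's Internet-bound DNS lookups and pings are steered into the tunnel as well; restricting the destination in those entries to host 192.168.7.1 keeps only the intended traffic on the VPN.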

Step 5: Testing the Tunnel and Getting the DHCP Lease

Running the dras DHCP test client against 192.168.7.1 returned a lease for 192.168.7.22 from the managed DHCP endpoint on the other side of the tunnel:

./dras -i 192.168.7.1 -n 1 -v
------ XID 1 ------
length 304
op = 2
htype = 1
hlen = 6
hops = 1
secs = 0
flags = 0
ciaddr = 0.0.0.0
yiaddr = 192.168.7.22
siaddr = 0.0.0.0
giaddr = 192.168.7.10
chaddr = fb:42:4b:2c:75:83
Packet Type 2: DHCPOFFER
Option 1: Length 4 Data: 0xFFFFFF00
Option 3: Length 4 Data: 0xC0A80705
Option 12: Length 34 Data: 0x746573747072656669782D3139322D3136382D372D32322E6472656464792E636F6D
Lease Time: 600
DHCP Server ID: 192.168.7.1
------ XID 1 ------
length 304
op = 2
htype = 1
hlen = 6
hops = 1
secs = 0
flags = 0
ciaddr = 192.168.7.22
yiaddr = 192.168.7.22
siaddr = 0.0.0.0
giaddr = 192.168.7.10
chaddr = fb:42:4b:2c:75:83
Packet Type 5: DHCPACK
Option 1: Length 4 Data: 0xFFFFFF00
Option 3: Length 4 Data: 0xC0A80705
Option 12: Length 34 Data: 0x746573747072656669782D3139322D3136382D372D32322E6472656464792E636F6D
Lease Time: 600
DHCP Server ID: 192.168.7.1

Test started: Sat Jan 11 19:30:34 2025
Server: 192.168.7.1
Discoveries sent: 1
Offers Received: 1
Requests sent: 1
Informs sent: 0
Acks Received: 1
Naks received: 0
Releases sent: 0
Declines sent: 0
Offer timeouts: 0
ACK Timeouts: 0
Completed: 1
Failed: 0
Errors: 0
Elapsed time: 0.15 secs
Offer Latency (Min/Max/Avg): 75.070/75.070/75.070 (ms)
Ack Latency (Min/Max/Avg): 77.505/77.505/77.505 (ms)
Offers/sec: 6.52
Leases/sec: 6.52
-----------------------------------------
Return value: 0

Why Document This?

I know how frustrating it can be to piece together configurations from scattered resources. By writing this, I’m not just helping future me—I’m hoping it helps you too.

If you’re working on something similar and need help, feel free to reach out. Or, if you’ve got tips or tricks to share, I’d love to hear them!
