CCNA 200-301 | Chapter 94 of 260 | Objective 5.7

IPSec VPN

IPSec VPNs are the backbone of secure site-to-site and remote-access connectivity across untrusted networks such as the Internet. For the CCNA 200-301 exam, IPSec sits under Exam Objective 5.7 (Security Fundamentals): you are expected to describe how site-to-site and remote-access IPSec VPNs work and to read the verification output that shows whether a tunnel is actually protecting data in transit. Network engineers deploy IPSec daily to connect branch offices, give teleworkers access, and secure cloud connectivity.

25 min read
Advanced
Updated May 31, 2026

The Armored Convoy Analogy

Imagine you are a logistics manager who needs to ship high-value cargo (an IP packet) from one warehouse (Site A) to another (Site B) along a dangerous open highway (the Internet). You cannot send the cargo unprotected; it would be stolen or tampered with. So you hire an armored convoy service (IPSec). First, the dispatchers at the two warehouses (IKE Phase 1) set up a secure radio channel: they agree on a protection suite (encryption algorithm, hash algorithm, Diffie-Hellman group), run a Diffie-Hellman exchange so that both hold the same secret, and prove to each other that they know the pre-shared key (the key itself is never sent over the air). This creates the management tunnel (ISAKMP SA). Next, over that channel, the dispatchers negotiate the rules for the cargo itself (IKE Phase 2): what encryption (AES-256), what integrity check (SHA-256), and how often to re-key (every 3600 seconds). This creates the data tunnel (IPSec SA), which is really two unidirectional security associations, one per direction. Now, when a cargo truck (the original IP packet) arrives at the first warehouse, the crew either wraps the entire truck in a steel container and fixes a new outer shipping label on it addressed to the second warehouse (tunnel mode: new IP header, original header hidden inside) or just seals the cargo box and leaves the truck's own plates visible (transport mode: original IP header kept). The convoy drives across the highway; anyone intercepting it sees only a sealed container with a warehouse address, not what is inside. At the second warehouse the crew checks the seal (integrity and anti-replay), unlocks the container (decryption), and only then releases the original cargo. When the re-key interval approaches, the dispatchers negotiate fresh Phase 2 keys before the old ones expire, so deliveries continue without a gap; only if the radio channel itself is lost (a dead peer, or an expired ISAKMP SA) does the whole process start again from Phase 1.

How It Actually Works

What is IPSec and Why Does It Exist?

IPSec (IP Security) is a suite of protocols that provides confidentiality, integrity, data-origin authentication, and anti-replay protection for IP packets. It operates at Layer 3 of the OSI model, so it can protect anything carried in IP: TCP, UDP, ICMP, and so on. SSL/TLS protects one application session at a time (a web connection, a mail connection); IPSec protects every packet between two endpoints regardless of the application, which makes it the natural fit for site-to-site VPNs that connect whole networks.

The core problem IPSec solves is that the Internet is inherently insecure. Packets traverse many routers and links where they can be intercepted, modified, or replayed. IPSec ensures that even if a packet is captured, it cannot be read (encryption), altered without detection (integrity), or replayed (anti-replay window).

IPSec Components: IKE, ESP, AH, and SA

IPSec has two security protocols:

- ESP (Encapsulating Security Payload, IP protocol 50): provides encryption, integrity, authentication, and anti-replay, and is what almost every deployment uses. ESP can operate in transport mode (protects only the payload of the original packet) or tunnel mode (protects the entire original packet, header included).
- AH (Authentication Header, IP protocol 51): provides integrity and authentication but no encryption. It is rarely used because it offers no confidentiality and because it authenticates the outer IP header, so any NAT along the path (which rewrites that header) breaks it.

The security associations (SAs) are the contracts that define how two peers protect their traffic. An SA is unidirectional—two SAs are needed for bidirectional communication. Each SA is identified by a Security Parameter Index (SPI) and contains parameters like encryption algorithm, hash algorithm, lifetime, and keys.

IKE (Internet Key Exchange)

IKE is the protocol that establishes and manages SAs. The IOS `crypto isakmp` commands in this chapter configure IKE version 1, which operates in two phases:

- IKE Phase 1 creates a secure, authenticated tunnel (the ISAKMP SA) that protects the Phase 2 negotiation. Phase 1 uses either Main Mode (6 messages) or Aggressive Mode (3 messages, less secure: the peers' identities and the PSK-based hash are sent before encryption is in place, which lets an eavesdropper attempt an offline dictionary attack on the pre-shared key). The peers authenticate with pre-shared keys, digital certificates, or other methods, and negotiate the IKE policy (encryption, hash, DH group, lifetime). The default lifetime is 86400 seconds (1 day).
- IKE Phase 2 uses the Phase 1 tunnel to negotiate the IPSec SAs (one pair, inbound and outbound, per protected flow). It uses Quick Mode (3 messages) and agrees on the transform set (ESP or AH, encryption, hash, mode) and the traffic selectors (interesting traffic defined by the crypto ACLs). The default lifetime is 3600 seconds (1 hour). Phase 2 is re-run to re-key long before Phase 1 has to be.

IKEv2 (`crypto ikev2` on IOS) reaches the same result with fewer messages (IKE_SA_INIT and IKE_AUTH, then CREATE_CHILD_SA for each IPSec SA) and is what modern remote-access clients use, but the two-phase model above is what the exam and the `show crypto isakmp sa` output describe.

Tunnel Mode vs. Transport Mode

Transport Mode: Only the payload of the original IP packet is encrypted and authenticated; the original IP header stays in front, in the clear. It is used when the two IPSec endpoints are themselves the hosts that are communicating, or when another encapsulation already supplies an outer header (GRE over IPSec between routers is the common case).

Tunnel Mode: The entire original IP packet, header included, becomes the ESP payload, and a new IP header addressed to the peer gateway is added in front. This is the IOS default and what site-to-site VPNs between gateways use; remote-access clients also use tunnel mode, with the client's assigned inner address hidden inside.

How IPSec Works Step by Step

1. Interesting Traffic: A packet leaving the interface that carries the crypto map matches a permit entry in the crypto ACL. The router looks in its SA database for a matching IPSec SA; if none exists, it triggers IKE toward the configured peer. Packets that do not match the crypto ACL are forwarded unencrypted.

2. IKE Phase 1: The routers negotiate an IKE policy and establish an ISAKMP SA. They exchange DH public values to generate a shared secret, authenticate each other (pre-shared key or certificate), and derive the keys that protect the Phase 1 tunnel.

3. IKE Phase 2: Inside the Phase 1 tunnel they negotiate the IPSec SAs: the transform set (e.g., esp-aes 256 esp-sha-hmac), the traffic selectors taken from the crypto ACLs, and, if PFS is configured, a fresh DH exchange.

4. Data Protection: The original packet is encrypted and authenticated according to the outbound SA. In tunnel mode a new IP header addressed to the peer is added, and the packet is sent.

5. Reception: The peer reads the SPI from the ESP header to find the matching inbound SA, checks the sequence number against its anti-replay window, verifies integrity, decrypts, and forwards the original packet toward its destination.

6. Re-key and Expiry: Shortly before an IPSec SA's lifetime (in seconds or kilobytes) runs out, the peers run Quick Mode again to build replacement SAs, so traffic is not interrupted. If a peer disappears or the ISAKMP SA itself expires, the SAs are torn down and the process starts again from step 1 when the next interesting packet arrives.
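The two phases above, reduced to their key-derivation skeleton in an added Python example (this is not Cisco IOS code and not the ISAKMP wire format). It follows the pre-shared-key rules of RFC 2409: SKEYID comes from the PSK and the nonces, the authenticator is a prf over the DH public values, SKEYID_d mixes in the DH secret, and Quick Mode KEYMAT is derived from SKEYID_d, with a fresh DH secret prepended only when PFS is on. Cookies, identity and SA payloads are left out of the authenticator, and the prime is the RFC 3526 group 14 modulus that `group 14` selects. The pre-shared keys, SPI and nonces are constructed values.

```python
"""Added example: IKEv1-style Phase 1 (DH group 14 + PSK authentication) and
Phase 2 key derivation with and without PFS. Illustrative only, not IOS code."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: the 2048-bit MODP prime selected by `group 14`; generator is 2.
GROUP14_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP14_G = 2
P_BYTES = (GROUP14_P.bit_length() + 7) // 8   # 256 bytes


def prf(key: bytes, data: bytes) -> bytes:
    """IKE 'prf': HMAC with the negotiated hash (here `hash sha256`)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p; each peer makes one per exchange."""
    x = secrets.randbelow(GROUP14_P - 2) + 1
    return x, pow(GROUP14_G, x, GROUP14_P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    """g^xy mod p: the secret an eavesdropper who saw both public values cannot compute."""
    return pow(peer_pub, x, GROUP14_P).to_bytes(P_BYTES, "big")


def phase1(psk_initiator: bytes, psk_responder: bytes):
    """Main Mode skeleton: DH values and nonces exchanged, then PSK authentication.
    Returns (authenticated, SKEYID_d as seen by initiator, SKEYID_d as seen by responder)."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)   # nonces travel in the clear
    pub = gi.to_bytes(P_BYTES, "big") + gr.to_bytes(P_BYTES, "big")

    # RFC 2409 PSK mode: SKEYID = prf(psk, Ni | Nr). A peer holding a different PSK
    # derives a different SKEYID, so its HASH payload fails to verify (Phase 1 stalls).
    skeyid_i = prf(psk_initiator, ni + nr)
    skeyid_r = prf(psk_responder, ni + nr)
    hash_i = prf(skeyid_i, pub)                                      # sent by the initiator
    authenticated = hmac.compare_digest(hash_i, prf(skeyid_r, pub))  # recomputed by the responder

    # SKEYID_d seeds every later IPsec key; it mixes in the DH secret g^xy.
    skeyid_d_i = prf(skeyid_i, dh_shared(xi, gr))
    skeyid_d_r = prf(skeyid_r, dh_shared(xr, gi))
    return authenticated, skeyid_d_i, skeyid_d_r


def phase2_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, pfs_secret: bytes = b"") -> bytes:
    """Quick Mode KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni | Nr), protocol 3 = ESP.
    Without PFS every input except SKEYID_d is public."""
    return prf(skeyid_d, pfs_secret + b"\x03" + spi + ni + nr)


def pfs_rekey(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes) -> bytes:
    """A Phase 2 negotiation with `set pfs group14`: a new DH exchange inside Quick Mode."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    assert dh_shared(xi, gr) == dh_shared(xr, gi)   # both peers hold the same fresh secret
    return phase2_keymat(skeyid_d, spi, ni, nr, pfs_secret=dh_shared(xi, gr))


def demo():
    ok, d_i, d_r = phase1(b"cisco123", b"cisco123")
    bad, _, _ = phase1(b"cisco123", b"cisco124")     # one side has a mistyped key
    spi, ni, nr = bytes.fromhex("12345678"), b"n" * 32, b"r" * 32   # constructed values
    no_pfs = phase2_keymat(d_i, spi, ni, nr)
    # Without PFS, anyone who later recovers SKEYID_d recomputes KEYMAT from public values.
    recomputed = phase2_keymat(d_r, spi, ni, nr)
    # With PFS, two rekeys over the same SKEYID_d and nonces still yield independent keys.
    pfs_a, pfs_b = pfs_rekey(d_i, spi, ni, nr), pfs_rekey(d_i, spi, ni, nr)
    return {"auth_ok": ok, "auth_bad_psk": bad, "skeyid_d_match": d_i == d_r,
            "no_pfs_recomputed": no_pfs == recomputed, "pfs_rekeys_differ": pfs_a != pfs_b}


if __name__ == "__main__":
    print(demo())
```

Run it and the dictionary shows the three facts the chapter relies on: matching PSKs authenticate and both sides end up with the same SKEYID_d, a mismatched PSK fails authentication without ever sending the key, and only PFS makes a Phase 2 key independent of the Phase 1 secret.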

Key Defaults and Values

IKE Phase 1 lifetime: 86400 seconds (24 hours)

IKE Phase 2 (IPSec) lifetime: 3600 seconds (1 hour)

Diffie-Hellman groups: Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), Group 14 (2048-bit), Group 19 (256-bit ECDH), Group 20 (384-bit ECDH). Groups 1, 2 and 5 are considered weak; use 14 or higher (19 or 20 where the platform supports ECDH).

Encryption algorithms: DES (56-bit), 3DES (168-bit key, about 112 bits of effective strength), AES-128, AES-192, AES-256, AES-GCM. AES-GCM is an authenticated-encryption (AEAD) mode, so a transform set built on esp-gcm needs no separate HMAC transform. DES and 3DES are legacy, and current IOS releases warn when they are configured.

Hash algorithms: MD5 (128-bit), SHA-1 (160-bit), SHA-256, SHA-384, SHA-512. MD5 and SHA-1 are legacy; SHA-256 is the usual minimum today.

Anti-replay window: default 64 packets (configurable up to 1024 with crypto ipsec security-association replay window-size). A window too small for a path that reorders packets can show up as #recv errors in show crypto ipsec sa.

IOS CLI Verification Commands

To verify IPSec VPN status on a Cisco router, use the following commands:

show crypto isakmp sa

Example output:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
198.51.100.1    203.0.113.1     QM_IDLE           1001    0 ACTIVE

In this example 203.0.113.1 is the local router's WAN address and 198.51.100.1 is the peer's; the tunnel endpoints are public addresses that lie outside the LAN subnets the crypto ACL protects.

state: QM_IDLE means IKE Phase 1 has completed: the ISAKMP SA is authenticated and idle, ready to run (or having already run) Quick Mode. It does not by itself prove that IPSec SAs exist; confirm that with show crypto ipsec sa. The Main Mode states seen while Phase 1 is still in progress are MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH and MM_KEY_AUTH. A SA that never leaves MM_NO_STATE usually means the peer is not answering (wrong peer address, UDP 500 blocked, or no matching IKE policy); one that stalls at MM_KEY_EXCH or MM_KEY_AUTH usually means the pre-shared key or authentication method does not match.

status: ACTIVE means the ISAKMP SA is up.

show crypto ipsec sa

Example output:

interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x12345678(305419896)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x87654321(2271560481)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4608000/2879)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x12345678(305419896)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4608000/2879)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

Key fields:

- local ident / remote ident: the traffic selectors negotiated from the crypto ACL (local LAN to remote LAN). If they are not the exact mirror of the peer's, Phase 2 fails.
- current_peer ... port 500: the peer's address and IKE port; port 4500 here means NAT-T is in use.
- #pkts encaps/encrypt/digest: packets sent through the VPN; #pkts decaps/decrypt/verify: packets received. Encaps climbing while decaps stays at zero is the classic one-way tunnel: this side encrypts, but the peer sends nothing back (check the peer's crypto ACL and its route to your LAN).
- #send errors / #recv errors: drops; recv errors point at integrity or anti-replay failures on inbound packets.
- inbound esp sas and outbound esp sas: the two unidirectional SAs, each with its own SPI; the outbound SPI here (0x12345678) is the peer's inbound SPI.
- sa timing: remaining lifetime in kilobytes and seconds; a Phase 2 re-key happens before either reaches zero.
- transform: the negotiated encryption and hash; in use settings: tunnel or transport mode.
- Status: ACTIVE if the SA is up.

show crypto ipsec transform-set

Shows configured transform sets.

show crypto map

Shows crypto map configuration and which interface it is applied to.

Interaction with Related Protocols

NAT Traversal (NAT-T): A NAT device between the peers rewrites the outer IP header, which breaks AH outright (AH authenticates that header) and defeats port-based NAT for ESP (ESP has no port numbers for the NAT to track). During Phase 1 the peers exchange NAT-discovery payloads that reveal any NAT in the path; if one is found and both peers support NAT-T, IKE moves from UDP 500 to UDP 4500 and each ESP packet is wrapped in a UDP header on port 4500, so the NAT can translate it like any other UDP flow. NAT-T is negotiated automatically and needs no IOS configuration beyond allowing UDP 4500 through any firewall in the path.

Routing: IPSec does not route the original packets; it encrypts them and sends them to the peer. The peer then decrypts and routes the original packet. Static routes or dynamic routing protocols (like OSPF over the VPN) are needed to direct traffic into the tunnel.

ACLs: Crypto ACLs define interesting traffic. They must be mirror images on the two peers (source and destination swapped) because the traffic selectors each side proposes in Phase 2 have to agree. Use permit entries only for traffic that should be encrypted; anything the crypto ACL does not match leaves the interface unencrypted.

Dead Peer Detection (DPD): A keepalive mechanism that detects if the remote peer is unreachable. If DPD fails, the SAs are cleared.

Troubleshooting Common Issues

Mismatched IKE policies: encryption, hash, DH group and authentication method must match between an enabled policy at each end (lifetime does not have to; the shorter value is used). Use debug crypto isakmp to see which proposal the peer rejects.

Mismatched transform sets: Use debug crypto ipsec to see Phase 2 failures.

ACL mismatch: Ensure crypto ACLs are mirrored. In show crypto ipsec sa, compare local ident and remote ident with the peer's; if only #pkts encaps increments and #pkts decaps stays at zero, the peer is not sending anything back into the tunnel.

Route problem: Ensure traffic destined for the remote network is routed to the correct interface (the one with the crypto map).
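The checks in this section and in the show-output walkthrough above, turned into a script as an added Python example (not IOS code): it reads the text of the two show commands and maps the counters to the failure modes listed here. Both captures are constructed for the example, and the function names are the example's own.

```python
"""Added example: classify IPsec tunnel health from `show crypto isakmp sa` and
`show crypto ipsec sa` text. Not IOS code; both captures are constructed."""
import re

# Constructed capture: Phase 1 complete (QM_IDLE), local 203.0.113.1, peer 198.51.100.1.
ISAKMP_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
198.51.100.1    203.0.113.1     QM_IDLE           1001    0 ACTIVE
"""

# Constructed capture: both ESP SAs exist, but only the outbound counters move.
IPSEC_ONE_WAY = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 250, #pkts encrypt: 250, #pkts digest: 250
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x87654321(2271560481)
        sa timing: remaining key lifetime (k/sec): (4608000/2879)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x12345678(305419896)
        sa timing: remaining key lifetime (k/sec): (4608000/2879)
        Status: ACTIVE
"""
# The same tunnel once return traffic arrives.
IPSEC_OK = IPSEC_ONE_WAY.replace("#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
                                 "#pkts decaps: 240, #pkts decrypt: 240, #pkts verify: 240")


def isakmp_state(text: str) -> list:
    """Phase 1 state column of every SA line, e.g. ['QM_IDLE'] or ['MM_NO_STATE']."""
    return re.findall(r"^\S+\s+\S+\s+(MM_\S+|AG_\S+|QM_IDLE)", text, re.M)


def ipsec_counters(text: str) -> dict:
    """The counters the troubleshooting list tells you to read."""
    def num(label):
        m = re.search(label + r"\s*:?\s*(\d+)", text)
        return int(m.group(1)) if m else None
    return {"encaps": num(r"#pkts encaps"), "decaps": num(r"#pkts decaps"),
            "send_errors": num(r"#send errors"), "recv_errors": num(r"#recv errors"),
            "esp_sas": text.count("Status: ACTIVE"),
            "remaining_sec": [int(s) for s in re.findall(r"\(\d+/(\d+)\)", text)]}


def diagnose(isakmp_text: str, ipsec_text: str) -> list:
    """Return findings in the order the chapter's decision rule checks them."""
    states = isakmp_state(isakmp_text)
    findings = []
    if not states:
        findings.append("no ISAKMP SA: peer unreachable, no interesting traffic yet, "
                        "or crypto map not applied to the WAN interface")
        return findings
    if any(s != "QM_IDLE" for s in states):
        findings.append(f"Phase 1 stuck in {states}: check IKE policy, pre-shared key and peer address")
        return findings
    c = ipsec_counters(ipsec_text)
    if c["esp_sas"] < 2:
        findings.append("Phase 1 up but no ESP SA pair: transform set or crypto ACL mismatch")
    if c["encaps"] and not c["decaps"]:
        findings.append("one-way: we encrypt but receive nothing; "
                        "check the peer's crypto ACL mirror and its route back to our LAN")
    if c["decaps"] and not c["encaps"]:
        findings.append("one-way: peer sends but we never encrypt; "
                        "check our route to the remote LAN and our crypto ACL")
    if c["recv_errors"]:
        findings.append("recv errors: integrity or anti-replay failures on inbound ESP")
    if c["send_errors"]:
        findings.append("send errors: outbound packets dropped before encryption")
    if not findings:
        findings.append("tunnel healthy: both directions passing traffic")
    return findings


if __name__ == "__main__":
    for name, ipsec in (("one-way", IPSEC_ONE_WAY), ("healthy", IPSEC_OK)):
        print(name, "->", diagnose(ISAKMP_OK, ipsec))
```

Paste real output into the two strings and the order of the checks follows the decision rule used later in the chapter: Phase 1 first, then whether a pair of ESP SAs exists, then which direction's counters are moving.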

Walk-Through

1

Configure IKE Phase 1 Policy

First, define the IKE policy that will be used for the ISAKMP SA. Use `crypto isakmp policy <priority>` to enter policy configuration mode. Set the encryption algorithm (e.g., `encryption aes 256`), hash algorithm (e.g., `hash sha256`), authentication method (e.g., `authentication pre-share`), Diffie-Hellman group (e.g., `group 14`), and lifetime (e.g., `lifetime 86400`). The IOS default policy (DES, SHA-1, RSA signatures, group 1) is too weak to rely on, so set every parameter explicitly. The lower the priority number, the higher the preference; the peer must have a policy with matching encryption, hash, authentication method and group. Then bind the pre-shared key to the peer's WAN address with `crypto isakmp key <key> address <peer-ip>`.

2

Define the Transform Set

A transform set defines the IPSec encryption and integrity algorithms for Phase 2. Use `crypto ipsec transform-set <name> <transform1> <transform2> ...`. For example: `crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac` (esp-sha-hmac is SHA-1; use `esp-sha256-hmac` where the platform supports it). You can specify tunnel or transport mode with `mode tunnel` (the default) or `mode transport`. The transform set must match on both peers.

3

Create the Crypto ACL

The crypto ACL defines which traffic should be encrypted (interesting traffic). Use an extended ACL with permit entries only; it is referenced by the crypto map with `match address`, not applied to an interface as a filter. For a site-to-site VPN the ACL permits traffic from the local LAN to the remote LAN, for example: `access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255`. The ACL on the remote peer must be the mirror image: `permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255`. Traffic that matches no entry is routed in the clear, so a forgotten subnet leaks silently rather than failing loudly.

4

Create and Apply the Crypto Map

A crypto map ties together the transform set, peer address, and ACL. Use `crypto map <map-name> <seq-num> ipsec-isakmp`. Then specify the peer with `set peer <ip-address>`, the transform set with `set transform-set <name>`, and the ACL with `match address <acl-number>`. Optionally set PFS with `set pfs group14`. Then apply the crypto map to the outgoing interface: `interface GigabitEthernet0/0` then `crypto map <map-name>`.

5

Verify Tunnel Status

After configuration, verify the tunnel. `show crypto isakmp sa` shows Phase 1: QM_IDLE with status ACTIVE means the ISAKMP SA is up. `show crypto ipsec sa` shows Phase 2: you should see an inbound and an outbound ESP SA, both ACTIVE. Look for `#pkts encaps` and `#pkts decaps` both incrementing to confirm traffic is being encrypted in one direction and received in the other. If nothing has been negotiated at all, remember that IKE only starts when interesting traffic hits the crypto map; if the SAs do not come up, use `debug crypto isakmp` and `debug crypto ipsec` to find the mismatch.

6

Test Connectivity and Monitor

Generate interesting traffic (e.g., ping from a host on the local LAN to a host on the remote LAN, or an extended ping sourced from the router's LAN interface; a ping sourced from the WAN address will not match the crypto ACL). Use `show crypto ipsec sa` to see the packet counters increment and check `#send errors` and `#recv errors`. If the tunnel drops, check DPD (`crypto isakmp keepalive <seconds> [<retry-seconds>] [periodic]`) and the lifetimes on both sides. In production, monitor with SNMP or syslog; `crypto logging session` logs tunnel up and down events.
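The whole walk-through as one added example: a Python script (not code from the page or from Cisco) that emits the IOS configuration for both routers from a single description of the two sites and mechanically checks the mirror-image rule for the crypto ACLs from step 3. The hostnames, LAN and WAN addresses (RFC 5737 documentation ranges on the WAN side), the /30 ISP links and the pre-shared key are constructed for the example.

```python
"""Added example: generate the two-router site-to-site IPsec configuration from
the walk-through and verify that the crypto ACLs are mirror images.
Not IOS code itself; every address and name below is constructed."""
import ipaddress

# Constructed sites: private LANs, RFC 5737 documentation addresses on the WAN side.
SITE_A = {"name": "R1", "wan": "203.0.113.1", "wan_gw": "203.0.113.2",
          "lan": "10.1.1.0/24", "wan_if": "GigabitEthernet0/0"}
SITE_B = {"name": "R2", "wan": "198.51.100.1", "wan_gw": "198.51.100.2",
          "lan": "10.2.2.0/24", "wan_if": "GigabitEthernet0/0"}
PSK = "example-psk-change-me"        # assumed; use a long random value in production


def wildcard(cidr: str) -> str:
    """'10.1.1.0/24' -> '10.1.1.0 0.0.0.255' (IOS ACL network plus wildcard mask)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"


def crypto_acl(acl_num: int, local_lan: str, remote_lan: str) -> str:
    """Step 3: interesting traffic is local LAN -> remote LAN, permit entries only."""
    return f"access-list {acl_num} permit ip {wildcard(local_lan)} {wildcard(remote_lan)}"


def mirror_of(acl_line: str) -> str:
    """Swap source and destination of an 'access-list N permit ip A WA B WB' line."""
    t = acl_line.split()
    if t[0] != "access-list" or t[2:4] != ["permit", "ip"] or len(t) != 8:
        raise ValueError(f"not a simple network-to-network crypto ACL: {acl_line}")
    return " ".join(t[:4] + t[6:8] + t[4:6])


def acls_are_mirrored(acl_local: str, acl_peer: str) -> bool:
    """True when the peer's crypto ACL is exactly the mirror image of ours."""
    return mirror_of(acl_local) == acl_peer


def router_config(local: dict, remote: dict, acl_num: int = 100) -> str:
    """Steps 1-4 for `local`, peering with `remote` (IKEv1 crypto-map style)."""
    lines = [
        f"hostname {local['name']}",
        # Step 1: IKE Phase 1 policy, and the PSK bound to the peer's WAN address.
        "crypto isakmp policy 10",
        " encryption aes 256",
        " hash sha256",
        " authentication pre-share",
        " group 14",
        " lifetime 86400",
        f"crypto isakmp key {PSK} address {remote['wan']}",
        # Step 2: transform set for Phase 2 (tunnel mode is the default, shown explicitly).
        "crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac",
        " mode tunnel",
        # Step 3: crypto ACL; the peer's must be the mirror image of this one.
        crypto_acl(acl_num, local["lan"], remote["lan"]),
        # Step 4: crypto map tying peer, transform set and ACL together, on the WAN interface.
        "crypto map CMAP 10 ipsec-isakmp",
        f" set peer {remote['wan']}",
        " set transform-set TSET",
        " set pfs group14",
        f" match address {acl_num}",
        f"interface {local['wan_if']}",
        f" ip address {local['wan']} 255.255.255.252",   # assumed /30 link to the ISP
        " crypto map CMAP",
        # Routing: the remote LAN is reached via the default route; the crypto map
        # encrypts matching packets as they leave the WAN interface.
        f"ip route 0.0.0.0 0.0.0.0 {local['wan_gw']}",
    ]
    return "\n".join(lines)


def both_sides(site_a: dict = SITE_A, site_b: dict = SITE_B):
    """Return (config for A, config for B, whether the two crypto ACLs mirror each other)."""
    cfg_a, cfg_b = router_config(site_a, site_b), router_config(site_b, site_a)
    acl_a = crypto_acl(100, site_a["lan"], site_b["lan"])
    acl_b = crypto_acl(100, site_b["lan"], site_a["lan"])
    return cfg_a, cfg_b, acls_are_mirrored(acl_a, acl_b)


if __name__ == "__main__":
    a, b, ok = both_sides()
    print(a, "\n!\n" + b, "\n! crypto ACLs mirrored:", ok)
```

The `acls_are_mirrored` check is the one most worth keeping around: feeding it the same ACL line for both sides (the "identical ACLs" mistake from the exam section) returns False, which is exactly the Phase 2 traffic-selector failure you would otherwise only discover from `debug crypto ipsec`.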

What This Looks Like on the Job

In enterprise networks, IPSec VPNs are deployed in several common scenarios:

1. Site-to-Site VPN between Branch and Headquarters: A company with a main office (10.1.0.0/16) and multiple branch offices (each with a /24 subnet) uses IPSec tunnel mode over the Internet. Each branch router has a crypto map pointing to the HQ router's public IP, and the crypto ACL permits traffic between the branch LAN and the HQ LAN. This replaces expensive leased lines. Performance considerations: encryption and decryption are CPU-intensive; for high throughput, use hardware crypto acceleration (Cisco routers with an onboard crypto engine) or dedicated VPN appliances. Misconfiguration: the crypto ACL on each side must be the mirror image of the other or Phase 2 fails; and because any traffic the crypto ACL does not match is simply routed in the clear, a too-narrow ACL (a forgotten subnet, for instance) silently leaks that traffic to the Internet rather than dropping it.

2. Remote Access VPN with IPSec Client: Teleworkers use a software client (for example Cisco AnyConnect, which can run over IKEv2/IPSec or over TLS/DTLS) to connect to the corporate network. The client initiates IKE with the head-end router or firewall. Because client addresses are unknown in advance, the head-end uses a dynamic crypto map (no fixed peer IP). The client's traffic is encrypted and tunneled to the head-end, which decrypts it and forwards it to internal resources. Common issue: the client sits behind a home router that cannot handle raw ESP; NAT-T (UDP 4500) solves this, since almost every home router can translate UDP. Authentication is usually via digital certificates or a RADIUS server rather than a shared key.

3. DMVPN (Dynamic Multipoint VPN): For large-scale hub-and-spoke or spoke-to-spoke VPNs, DMVPN combines IPSec with mGRE (multipoint GRE) and NHRP. The hub has a single crypto map, and spokes register their public IPs with the hub via NHRP. Spokes can build direct IPSec tunnels between each other (spoke-to-spoke) without going through the hub, reducing latency. This is common in large retail or banking networks. Misconfiguration: incorrect NHRP settings or missing route injection can cause traffic to be dropped.

In all scenarios, network engineers must consider: (1) MTU. Tunnel-mode ESP with AES-CBC and SHA-1 adds 58 bytes of fixed overhead plus 0 to 15 bytes of cipher padding, and NAT-T adds 8 more; a full 1500-byte packet therefore no longer fits a 1500-byte link and gets fragmented. Set `ip tcp adjust-mss` on the LAN-facing interface (or `ip mtu` on a tunnel interface) so TCP segments are sized to fit after encapsulation, and decide with `crypto ipsec df-bit` whether the router may fragment after encryption. (2) Routing: static routes pointing toward the remote network or dynamic routing over the VPN (e.g., OSPF over GRE over IPSec). (3) Monitoring: use SNMP or syslog to track SA counts, packet drops, and CPU load. (4) Redundancy: multiple `set peer` statements in one crypto map entry (tried in order) or a backup crypto map entry toward a second head-end.
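The overhead figures above, worked out in an added Python example (not IOS code) so you can see where 58 bytes comes from and which `ip mtu` and `ip tcp adjust-mss` values follow. Sizes are from RFC 4303 (ESP header, trailer and 4-byte padding alignment), RFC 4106 (AES-GCM: 8-byte IV, 16-byte ICV) and RFC 2404/4868 (12-byte SHA-1-96 and 16-byte SHA-256-128 ICVs); the transform names mirror IOS transform-set keywords, but the table itself is the example's own.

```python
"""Added example: ESP overhead and fragmentation-safe inner MTU / TCP MSS.
Not IOS code; the transform table is the example's own summary of the RFCs."""

# Per-transform sizes: (IV bytes, ICV bytes, padding alignment).
# ESP pads to a 4-byte boundary; CBC ciphers additionally pad to their block size.
TRANSFORMS = {
    "esp-3des esp-md5-hmac":   (8, 12, 8),    # 3DES-CBC + MD5-96
    "esp-aes esp-sha-hmac":    (16, 12, 16),  # AES-CBC (any key size) + SHA-1-96
    "esp-aes esp-sha256-hmac": (16, 16, 16),  # AES-CBC + SHA-256-128
    "esp-gcm 256":             (8, 16, 4),    # AES-GCM: 8-byte IV, 16-byte tag, no block padding
}
OUTER_IP = 20     # new IPv4 header added in tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
TRAILER = 2       # pad length (1) + next header (1)
UDP_NAT_T = 8     # UDP header when NAT-T moves ESP to UDP 4500


def _pad(n: int, align: int) -> int:
    """Bytes of padding needed to bring n up to a multiple of align."""
    return (-n) % align


def esp_packet_size(inner_len: int, transform: str, tunnel: bool = True, nat_t: bool = False) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes (header included)."""
    iv, icv, align = TRANSFORMS[transform]
    # Tunnel mode protects the whole packet; transport mode leaves the 20-byte IP header outside ESP.
    body = inner_len if tunnel else inner_len - 20
    padded = body + TRAILER + _pad(body + TRAILER, align)
    size = ESP_HDR + iv + padded + icv
    size += OUTER_IP if tunnel else 20           # new outer header, or the original one kept in front
    return size + (UDP_NAT_T if nat_t else 0)


def overhead(inner_len: int, transform: str, **kw) -> int:
    """How many bytes encapsulation adds to this particular packet."""
    return esp_packet_size(inner_len, transform, **kw) - inner_len


def max_inner_mtu(link_mtu: int, transform: str, **kw) -> int:
    """Largest inner packet that still fits the link after encapsulation (your `ip mtu`)."""
    n = link_mtu
    while esp_packet_size(n, transform, **kw) > link_mtu:
        n -= 1
    return n


def tcp_mss(inner_mtu: int) -> int:
    """`ip tcp adjust-mss` value: inner MTU minus the 20-byte IP and 20-byte TCP headers."""
    return inner_mtu - 40


if __name__ == "__main__":
    for name in TRANSFORMS:
        for nat in (False, True):
            mtu = max_inner_mtu(1500, name, nat_t=nat)
            print(f"{name:26} nat-t={nat!s:5} 1500-byte packet -> {esp_packet_size(1500, name, nat_t=nat)} "
                  f"bytes; safe ip mtu {mtu}, adjust-mss {tcp_mss(mtu)}")
```

For the chapter's esp-aes 256 esp-sha-hmac tunnel, a 1500-byte packet becomes 1560 bytes on the wire and the largest packet that survives a 1500-byte link unfragmented is 1438 bytes (MSS 1398); behind a NAT it drops to 1422. The common field values of `ip mtu 1400` and `ip tcp adjust-mss 1360` are simply these numbers rounded down for margin.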

How CCNA 200-301 Actually Tests This

For CCNA 200-301, the VPN topic under Exam Objective 5.7 (Security Fundamentals) asks you to describe remote-access and site-to-site IPSec VPNs; the blueprint does not require you to configure one from scratch. The configuration steps, verification commands and common failures in this chapter are still the fastest route to understanding the scenarios and show output you will be asked about. Here is what to focus on:

1. Exactly What is Tested: You must be able to explain the purpose of each component of a site-to-site VPN (IKE policy, transform set, crypto ACL, crypto map, and the interface it is applied to) and recognise a correct configuration when you see one. You may also see show command output where you need to identify the state of the tunnel (QM_IDLE vs MM_NO_STATE) and whether traffic is flowing (#pkts encaps and #pkts decaps both incrementing).

2. Common Wrong Answers and Why Candidates Choose Them:

- *Wrong:* Defining `crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac` but never referencing it in the crypto map. *Why:* They think defining it is enough, but it must be selected with `set transform-set` in the crypto map entry.
- *Wrong:* Creating a crypto ACL that permits traffic from the local LAN to the remote LAN and copying the same ACL to the remote router. *Why:* They don't realize the ACLs must be mirror images (source and destination swapped).
- *Wrong:* Using `crypto isakmp key` without specifying the peer address. *Why:* They think the key is global, but it must be tied to a specific peer IP (or a wildcard address range).
- *Wrong:* Applying the crypto map to the wrong interface (the LAN interface instead of the WAN interface). *Why:* They confuse the direction of traffic flow; the map belongs on the interface the encrypted packets leave through.

3. Specific Values and Command Outputs:

- IKE Phase 1 lifetime default: 86400 seconds (1 day).
- IKE Phase 2 (IPSec) lifetime default: 3600 seconds (1 hour).
- Diffie-Hellman groups: 1, 2, 5, 14, 19, 20. Group 14 (2048-bit) is the common choice; 1, 2 and 5 are weak.
- Encryption: DES (56-bit), 3DES (168-bit key, 112-bit effective), AES-128, AES-256. AES-256 is the strongest in the list.
- Hash: MD5 (128-bit), SHA-1 (160-bit), SHA-256 (256-bit). SHA-256 is recommended.
- In show crypto isakmp sa, state QM_IDLE means Phase 1 is complete (the ISAKMP SA is up); MM_NO_STATE means Phase 1 never completed. Phase 2 is confirmed only by the SAs listed in show crypto ipsec sa.
- In show crypto ipsec sa, look for #pkts encaps and #pkts decaps to confirm traffic flow in both directions.

4. Calculation Traps: None directly, but be aware of MTU implications. Tunnel-mode ESP adds roughly 50 to 58 bytes of fixed overhead depending on the transform set (more with cipher padding, and 8 more with NAT-T), so an original packet of 1500 bytes no longer fits a 1500-byte link and is fragmented. The exam may ask about adjusting the TCP MSS with ip tcp adjust-mss.

5. Decision Rule for Scenario Questions: If the question asks why a tunnel is not coming up, check for mismatched parameters in this order: (1) IKE policies (encryption, hash, DH group, authentication method; lifetime need not match, the shorter one is used), (2) pre-shared keys and the peer address they are bound to, (3) transform sets, (4) crypto ACLs (mirror images?), (5) peer IP reachability (ping, and nothing blocking UDP 500/4500 or ESP), (6) crypto map applied to the correct (WAN) interface. Use elimination: if show crypto isakmp sa shows nothing or an MM_ state, it is a Phase 1 problem; if it shows QM_IDLE but show crypto ipsec sa lists no SAs, it is a Phase 2 problem (transform set or crypto ACL); if both SAs exist but only one packet counter moves, it is routing or the peer's crypto ACL.

Key Takeaways

IPSec operates at Layer 3 and provides confidentiality, integrity, authentication, and anti-replay.

IKE Phase 1 (ISAKMP SA) runs over UDP port 500; default lifetime 86400 seconds.

IKE Phase 2 builds the IPSec SAs, carried as ESP (IP protocol 50) or AH (IP protocol 51); default lifetime 3600 seconds. With NAT-T, IKE and ESP both move to UDP port 4500.

ESP provides encryption and integrity; AH provides only integrity (no encryption).

Tunnel mode encrypts the entire original IP packet; transport mode encrypts only the payload.

Crypto ACLs must be mirrored on both peers for site-to-site VPN.

Use 'show crypto isakmp sa' and 'show crypto ipsec sa' for verification.

Common misconfiguration: mismatched transform sets or IKE policies cause tunnel failure.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Site-to-Site VPN

Connects two or more entire networks (e.g., branch to HQ).

Uses tunnel mode; entire original packet encrypted.

Crypto ACL defines traffic between LAN subnets.

Peer IPs are usually static (known).

No client software needed; configured on routers/firewalls.

Remote Access VPN

Connects individual remote users to a corporate network.

Also uses tunnel mode: the client is assigned an inner (virtual) address and its whole packet is encapsulated toward the head-end.

Traffic selectors are typically any-to-corporate subnet.

Peer IPs are dynamic; uses dynamic crypto map or client software.

Requires client software (e.g., Cisco AnyConnect) on the user device.

Watch Out for These

Mistake

IPSec uses TCP port 500 for IKE.

Correct

IKE uses UDP port 500, not TCP. IKE carries its own retransmission logic and does not need TCP's stream semantics; a datagram exchange also avoids holding TCP state on the gateway for a peer that has not yet authenticated. ESP itself is neither TCP nor UDP: it is IP protocol 50, unless NAT-T wraps it in UDP 4500.

Candidates often assume all secure protocols run over TCP, as TLS does; IKE and ESP do not.

Mistake

AH is more secure than ESP because it authenticates the entire packet.

Correct

ESP in tunnel mode authenticates the whole original packet (it is carried inside the ESP payload) and encrypts it; only the new outer header is left unauthenticated, which is exactly why ESP survives NAT and AH does not. AH covers the outer header too but never encrypts, so it offers no confidentiality. ESP is preferred.

The name 'Authentication Header' sounds like it provides more security, but it lacks encryption.

Mistake

The crypto ACL on both peers must be identical.

Correct

The ACLs must be mirror images: the source on one side becomes the destination on the other, and vice versa. They are not identical.

Candidates think ACLs are symmetric, but they define the direction of interesting traffic.

Mistake

IKE Phase 1 and Phase 2 use the same lifetime.

Correct

IKE Phase 1 default lifetime is 86400 seconds (24 hours), while Phase 2 default is 3600 seconds (1 hour). They are different.

Candidates confuse the two phases; Phase 1 is longer because it is more expensive to re-establish.


Frequently Asked Questions

What is the difference between IKE Phase 1 and Phase 2?

IKE Phase 1 establishes a secure, authenticated tunnel (ISAKMP SA) used to protect IKE negotiations. It uses either Main Mode (6 messages) or Aggressive Mode (3 messages). Phase 2 uses the Phase 1 tunnel to negotiate the IPSec SAs (data protection) using Quick Mode (3 messages). Phase 1 has a longer lifetime (default 86400 seconds) because it is more expensive to set up. Phase 2 lifetime is shorter (default 3600 seconds) because re-keying is faster. For the exam, remember that Phase 1 is for management, Phase 2 is for data.

Why does IPSec use UDP port 500 and 4500?

IKE starts on UDP port 500. During Phase 1 the peers exchange NAT-discovery hashes of their addresses and ports; if those reveal a NAT in the path and both peers support NAT-T, IKE switches to UDP port 4500 and ESP packets are encapsulated in UDP 4500 so the NAT can translate them (plain ESP is IP protocol 50, which has no port numbers for a PAT device to work with). NAT-T is negotiated automatically. The exam may ask which port is used for NAT-T (4500) and which for IKE itself (500).

What is the purpose of the crypto ACL in an IPSec VPN?

The crypto ACL (access list) defines which traffic is considered 'interesting' and should be protected by IPSec. It is applied using the `match address` command in the crypto map. Traffic that matches the permit statement is encrypted; traffic that does not match is sent in the clear. For site-to-site VPNs, the ACL on each peer must be the mirror image of the other (source and destination swapped).

What does 'show crypto ipsec sa' show and how do you interpret it?

This command shows the IPSec security associations (SAs) for each active tunnel. It displays inbound and outbound SAs separately, including the SPI, transform set, lifetime remaining (in kilobytes and seconds), packet counters (encaps/encrypt/decaps/decrypt), and status. If the SAs are active, you should see `Status: ACTIVE`. Packet counters should increment when traffic flows. If counters are zero, no interesting traffic is being sent.

What is PFS (Perfect Forward Secrecy) and how is it configured?

PFS ensures that the keys protecting an IPSec SA cannot be derived from the Phase 1 keying material. Without PFS, every Phase 2 key is derived from the Phase 1 secret (SKEYID_d), so an attacker who later recovers that secret can compute every session key it produced. With PFS, configured in the crypto map with `set pfs group<group-number>`, each Phase 2 negotiation (including re-keys) performs a fresh Diffie-Hellman exchange, so every IPSec SA gets an independent key. Both peers must agree on the PFS group. The exam may ask about the DH group used for PFS.

How do you troubleshoot an IPSec VPN that won't come up?

Start with `show crypto isakmp sa` to check Phase 1. If there is no entry or the state is an MM_ state rather than QM_IDLE, use `debug crypto isakmp` to see the negotiation errors. Common causes: mismatched IKE policies (encryption, hash, DH group, authentication method), wrong pre-shared key, or peer unreachable. If Phase 1 shows QM_IDLE, check `show crypto ipsec sa`; if no inbound and outbound SAs are listed, use `debug crypto ipsec` to see the Phase 2 failure, usually a mismatched transform set or non-mirrored crypto ACLs. If the SAs exist but only one packet counter moves, verify routing and the peer's crypto ACL. Finally, confirm the crypto map is applied to the correct (WAN) interface.

What is the difference between transport mode and tunnel mode in IPSec?

In transport mode, only the payload of the original IP packet is encrypted (or authenticated); the original IP header is preserved in the clear. This mode is used when the IPSec endpoints are themselves the hosts that are communicating, or when another encapsulation such as GRE already supplies an outer header. In tunnel mode, the entire original IP packet is encapsulated in a new IP packet with a new header, and the original header is encrypted. This mode is used for site-to-site VPNs between gateways and by remote-access clients, whose assigned inner address travels inside the tunnel. The exam expects you to know which mode is used for which scenario.
