VPN establishment between Hirschmann Eagle20 and Cisco router (2811)

cisco router and eagle20 vpn set up demonstration

The purpose of VPN is to secure the confidentiality of the communication between two sites by using encryption. Two tunnels are set up, the first tunnel is for Diffie Hellman key exchange, the second tunnel is for data transmission either in transport or tunnel mode. Transport mode in addition to what tunnel mode is doing obscures the layer 4 information while sending data over the IPsec tunnel.

Cisco router configuration

Define the traffic that needs to be encrypted

ip access-list extended vpn-traffic
 permit ip host host
 remark "Host to host has to be encrypted"

Define phase 1 proposal

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

The default is using SHA for integrity checking (hash), default lifetime is 1 day which is 86400 seconds. The default commands are not shown in the list above.

Define the pre-share key for phase 1

crypto isakmp key cyruslab address

Define IPsec transform set / proposal
Transform set is also known as IPsec proposal, the encryption and integrity checking (HMAC) to be used for data transmission.

crypto ipsec transform-set cisco->eagle_set esp-aes esp-sha-hmac

Create a crypto map that includes phase 2 proposal
The crypto map will be applied to the interface that initiates or responds to vpn establishment. The crypto map contains the IPsec proposal, the traffic that has to be encrypted, the peer vpn device, the perfect forward secrecy DF group for DF key generation.

crypto map cisco->eagle_map 1 ipsec-isakmp
 set peer
 set transform-set cisco->eagle_set
 set pfs group2
 match address vpn-traffic

Apply the crypto map to the interface

interface FastEthernet0/0
 ip address
 duplex auto
 speed auto
 crypto map cisco->eagle_map

Static default route
Insert a static route, since this setup only has one exit and entrance point a static default route is fine.

ip route

Hirschmann Eagle20 configuration
It is encourage to use the web interface to configure vpn, Hirschmann provides a Wizard to setup VPN easily. However I will show you how to use command line first.

Make sure Eagle20 is in routed mode
As of Eagle20 old platform software version SDV 5.2, VPN can only be configured in routed mode.

!(Hirschmann Eagle) #show network mode

Network mode
operating mode..........................router

!(Hirschmann Eagle) #

To change the mode use network mode router command under privilege exec mode.

You will need to assign IP address on the trusted and untrusted interface, the vpn tunnel will be established from the untrusted interface.

!(Hirschmann Eagle) #network router param ext ip-address

!(Hirschmann Eagle) #network router param ext netmask
!*(Hirschmann Eagle) #network router param int ip-address

!*(Hirschmann Eagle) #network router param int netmask

!*(Hirschmann Eagle) #save


!(Hirschmann Eagle) #

Make sure the interfaces are configured correctly.

!(Hirschmann Eagle) #show network router params

Index IP-Addr         Netmask         use VLAN VLAN   protocol
----- --------------- --------------- -------- ------ --------
int   disable  1      none
ext disable  1      none

!(Hirschmann Eagle) #

Define static route
Strange thing about Eagle20 firewall is that it does not have ways to do default route that matches all prefixes, you need to define the subnet and prefix explicitly.

!(Hirschmann Eagle) #network router route add interface ext ip-address mask gateway
!(Hirschmann Eagle) #save


To ensure the route is configured.

!(Hirschmann Eagle) #show network router route

Index IP-Addr         Netmask         Gateway         Intf. Status
----- --------------- --------------- --------------- ----- ------
ext        ext   [x]

!*(Hirschmann Eagle) #

Make sure the status has a [x], usually after you have inserted a static route the status will be crossed, if not you can use the command:

!*(Hirschmann Eagle) #network router route status interface ext ip-address mask enable

If you receive an error that looks like this Error: Command execution failed 'mask'
when you are trying to enable the route, make sure your mode is router mode and not transparent mode.

Configuring vpn with command line
To check if there are existing vpn connections setting use this command:

!(Hirschmann Eagle) (config)#show vpn connections summary

No. Description                   Servicemode Active Status
--- ----------------------------- ----------- ------ ---------

!(Hirschmann Eagle) (config)#

Add an entry for vpn connection:

!(Hirschmann Eagle) (config)#vpn connection add 1 name eagle_to_cisco

Configure the vpn access in the first entry:

!*(Hirschmann Eagle) (config)#vpn connection modify 1 access method psk pre-shared-key cyruslab local-type default remote-type any

The vpn peers use ip address to be their own ID by default if you choose to use pre-share-key. remote-type any means you set Eagle20 not to check the ID of the incoming VPN peer that wishes to establish a VPN connection, this is a lab to demonstrate but it is not an good idea not to check.

Configure the phase 2 proposal:

!*(Hirschmann Eagle) (config)#vpn connection modify 1 data-exchange algorithms key-agreement modp1024 integrity hmacsha1 encryption aes128
!*(Hirschmann Eagle) (config)#vpn connection modify 1 data-exchange mode encapsulation tunnel lifetime 28800

modp1024 is actually Diffie Hellman group 2 which uses 1024-bit length. Eagle20 maximum phase 2 lifetime is 28800 seconds. This is actually the proposal for ipsec tunnel which is the phase 2 tunnel for data exchange.

Configure the phase 1 proposal:

!*(Hirschmann Eagle) (config)#vpn connection modify 1 key-exchange algorithms key-agreement modp1024 hash sha1 integrity hmacsha1 encryption aes128
!*(Hirschmann Eagle) (config)#vpn connection modify 1 key-exchange mode protocol v1
!*(Hirschmann Eagle) (config)#vpn connection modify 1 key-exchange mode startup initiator

I use IKE version 1 for this set up. Cisco router seems to be a responder so I make Eagle20 to be the initiator.

To define the peer:

!*(Hirschmann Eagle) (config)#vpn connection modify 1 key-exchange endpoints local-address remote-address

Define the interesting traffic:
First define the profile of the traffic-selector, Eagle20 vpn setup will only work if you use specific host, for some reason I never make it work when I specify a subnet with prefix.

!*(Hirschmann Eagle) (config)#vpn traffic-selector 1 add 1 name eagle-to-cisco

The command vpn traffic-selector 1 actually means to associate the traffic selector to the first entry of the vpn connection profile.

!*(Hirschmann Eagle) (config)#vpn traffic-selector 1 modify 1 source-net dest-net

Enable the traffic selector and vpn connection

!(Hirschmann Eagle) (config)#vpn traffic-selector 1 status 1 enable
!(Hirschmann Eagle) (config)#vpn connection status 1 enable

!(Hirschmann Eagle) (config)#save


If you receive an error Error: Command execution failed 'status'
while enabling vpn connection, your vpn connection profile configuration could be incomplete such as you have forgotten to put the peer address.

To check if the vpn tunnel is up for Hirschmann Eagle20:

!*(Hirschmann Eagle) (config)#show vpn connections summary

No. Description                   Servicemode Active Status
--- ----------------------------- ----------- ------ ---------
1   eagle_to_cisco                disabled     [x]    up

!*(Hirschmann Eagle) (config)#

To check if vpn connection is up for Cisco router:

Router#show crypto isakmp sa
dst             src             state          conn-id slot status        QM_IDLE              1    0 ACTIVE

This entry was posted in Security, VPN and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s