IPsec is the suite of protocols that builds encrypted, authenticated tunnels across untrusted networks. Two routers at different sites establish IKE (Internet Key Exchange) sessions, derive crypto material, and then encapsulate IP packets inside ESP (Encapsulating Security Payload) headers. The result: a private virtual link across the public internet. This is a concept lab - a full IPsec lab requires more nodes than CML Free supports and depends on consistent timing across multiple devices.
What you will learn
- The two IPsec phases: IKE Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA)
- The two IPsec modes (tunnel vs transport) and the two IPsec protocols (ESP vs AH)
- The configuration shape for site-to-site IPsec on Cisco IOS XE
- Why GRE-over-IPsec is the most common deployment pattern (plain IPsec carries only unicast IP, so routing protocols and multicast need a GRE tunnel inside it)
What this lab does NOT cover
- Full hands-on configuration (requires consistent timing across multiple nodes)
- FlexVPN (Cisco's IKEv2-based framework that supersedes legacy IKEv1 crypto-map configuration)
- SSL VPN / AnyConnect
Topology
Concept lab. No .yaml. A typical IPsec site-to-site looks like:
Site A (HQ)                        Internet                        Site B (Branch)
R1 ----eBGP/static----- ISP-A -------- ISP-B ----eBGP/static---- R2
Lo0: 10.255.0.1/32                                                Lo0: 10.255.0.2/32
Inside: 10.1.0.0/24                                               Inside: 10.2.0.0/24
[IPsec tunnel - source R1's public IP, destination R2's public IP]

The two IPsec phases
Phase 1 (IKE / ISAKMP SA)
What it does: Authenticates the two peers (pre-shared key or certificates) and builds a single bidirectional, encrypted control channel, the ISAKMP SA, over which Phase 2 is negotiated. No user traffic is carried in Phase 1.
Lifetime: Typically 24 hours (the IOS default is 86400 seconds). When it expires, the peers must re-authenticate to build a new ISAKMP SA.

Phase 2 (IPsec SA)
What it does: Negotiates the transform (ESP or AH, algorithms, tunnel or transport mode) and the keys that protect the actual data. Phase 2 produces a pair of unidirectional SAs, each identified by an SPI, for every protected traffic flow.
Lifetime: Typically 1 hour (the IOS default is 3600 seconds or 4,608,000 kilobytes of traffic, whichever is reached first), then rekey over the existing Phase 1 channel.
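To make the two phases concrete, here is an added example of the classic IKEv1 crypto-map configuration shape for R1 in the topology above. It is not part of the lab (there is no .yaml) and was written for this page; the public addresses 203.0.113.1 (R1) and 198.51.100.1 (R2), the interface name GigabitEthernet1 and the pre-shared key are assumptions for illustration, while the inside networks are the ones in the diagram. The Phase 1 block maps to the ISAKMP policy, the Phase 2 block to the transform set, crypto ACL and crypto map.

```cisco
! ===== Phase 1: IKE / ISAKMP policy =====
! Authenticates the peers and builds the ISAKMP SA used to negotiate Phase 2.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key for the Phase 1 peer. 198.51.100.1 is the assumed public IP of R2;
! CHANGE-ME is a placeholder, use a long random secret or certificates in production.
crypto isakmp key 0 CHANGE-ME address 198.51.100.1
!
! ===== Phase 2: IPsec SA =====
! Transform set: ESP with AES-256 for confidentiality and SHA-256 HMAC for integrity,
! tunnel mode because this is a site-to-site link between two gateways.
crypto ipsec transform-set TS-ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Phase 2 lifetimes: rekey after 1 hour or 4,608,000 KB, whichever comes first
! (these are the IOS defaults, shown explicitly so the two lifetimes are visible).
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! Crypto ACL: defines the "interesting traffic" that triggers and is protected by the SA.
! Inside networks taken from the topology diagram.
ip access-list extended ACL-CRYPTO-TO-BRANCH
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Crypto map ties peer, transform set and traffic selector together.
! PFS forces a fresh Diffie-Hellman exchange at every Phase 2 rekey.
crypto map CMAP-BRANCH 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-ESP-AES256-SHA256
 set pfs group14
 match address ACL-CRYPTO-TO-BRANCH
!
! Apply the crypto map on the Internet-facing interface (assumed name and address).
interface GigabitEthernet1
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP-BRANCH
```

R2 gets the mirror image: the same ISAKMP policy and transform set, the key pointing at 203.0.113.1, and a crypto ACL with source and destination swapped; a mismatch in any of those is the usual reason a tunnel never comes up. To check each phase separately, `show crypto isakmp sa` in state QM_IDLE confirms Phase 1, and the `#pkts encaps` / `#pkts decaps` counters in `show crypto ipsec sa` confirm Phase 2 is actually carrying traffic in both directions.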