Cisco CSR Sample Configuration for IPSec

Sample configuration for two IPsec tunnels, with BGP running over them, from a Cisco CSR to the Aviatrix Transit gateways NV-TransitAGW1 and NV-TransitAGW2.
!Username admin privilege level 15 password ave
crypto keyring mykey
  pre-shared-key address 34.217.166.158 key aviatrix
  pre-shared-key address 54.70.4.223 key aviatrix
!
! 34.217.166.158 is the public IP address of NV-TransitAGW1
! 54.70.4.223 is the public IP address of NV-TransitAGW2
! "aviatrix" is a placeholder pre-shared key; replace it with a long random
! value that matches the key configured on each Transit gateway.
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 hash sha256
 group 14
 lifetime 28800
!
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp profile myprofile
  keyring mykey
  self-identity address
  match identity address 34.217.166.158 255.255.255.255
  match identity address 54.70.4.223 255.255.255.255
!
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec_profile
 set security-association lifetime seconds 3600
 set transform-set myset
 set pfs group14
 set isakmp-profile myprofile
!
!
interface Tunnel0
 ip address 169.254.34.241 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
! GigabitEthernet1 carries 10.4.115.219, the local IP of this CSR (a private
! address, so when the Transit gateways are reached across the Internet the CSR
! sits behind NAT and the gateways must peer with its public NAT address)
 tunnel mode ipsec ipv4
 tunnel destination 34.217.166.158
! 34.217.166.158 is the public IP of NV-TransitAGW1
 tunnel protection ipsec profile ipsec_profile
!
interface Tunnel1
 ip address 169.254.247.241 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
! GigabitEthernet1 carries 10.4.115.219, the local IP of this CSR
 tunnel mode ipsec ipv4
 tunnel destination 54.70.4.223
! 54.70.4.223 is the public IP of NV-TransitAGW2
 tunnel protection ipsec profile ipsec_profile
!
router bgp 65014
 bgp log-neighbor-changes
 neighbor 169.254.34.242 remote-as 65013
 neighbor 169.254.34.242 timers 10 30 30
 neighbor 169.254.247.242 remote-as 65013
 neighbor 169.254.247.242 timers 10 30 30
 !
 address-family ipv4
 redistribute connected
 neighbor 169.254.34.242 activate
 neighbor 169.254.34.242 route-map ORDC2CSR1-TO-ORTransit out
 neighbor 169.254.247.242 activate
 neighbor 169.254.247.242 route-map ORDC2CSR1-TO-ORTransit out
 exit-address-family
!
!
ip access-list standard 1
 10 permit 10.201.0.0
!
! A standard ACL referenced from a route-map is matched against the route's
! network address only, and the implicit wildcard here is 0.0.0.0, so this
! entry passes routes whose network is exactly 10.201.0.0 (any mask length)
! and nothing else. To advertise every subnet inside 10.201.0.0/16 use
! "10 permit 10.201.0.0 0.0.255.255" or a prefix-list instead.
!
route-map ORDC2CSR1-TO-ORTransit permit 10
 match ip address 1
!
end
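The objects above only work as a set: each tunnel destination needs a keyring entry and a matching "match identity" line, the BGP neighbors must sit on the tunnel /30s, and the crypto parameters must not be the legacy defaults. As an added example that is not part of the original page or of any Cisco or Aviatrix tooling, the Python below parses a configuration in this shape and reports those cross-consistency problems together with weak IKE/ESP settings and the placeholder pre-shared key. The embedded configuration is a constructed excerpt of the sample above (same addresses and names); the weak-algorithm lists, the 20-character PSK floor and the `make_psk` helper are this example's own assumptions.

```python
"""Cross-check an IOS IKEv1/IPsec + BGP tunnel configuration. Added example,
not part of the original page; addresses and names come from the sample above,
the weak-algorithm lists and PSK length floor are this example's assumptions."""
import ipaddress
import secrets
import string

# Constructed excerpt of the sample configuration above (same addresses).
SAMPLE_CONFIG = """\
crypto keyring mykey
  pre-shared-key address 34.217.166.158 key aviatrix
  pre-shared-key address 54.70.4.223 key aviatrix
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 group 14
crypto isakmp profile myprofile
  match identity address 34.217.166.158 255.255.255.255
  match identity address 54.70.4.223 255.255.255.255
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
crypto ipsec profile ipsec_profile
 set pfs group14
interface Tunnel0
 ip address 169.254.34.241 255.255.255.252
 tunnel destination 34.217.166.158
interface Tunnel1
 ip address 169.254.247.241 255.255.255.252
 tunnel destination 54.70.4.223
router bgp 65014
 neighbor 169.254.34.242 remote-as 65013
 neighbor 169.254.247.242 remote-as 65013
"""

# Assumed "weak" sets for this example: legacy ciphers, SHA-1/MD5, small DH groups.
WEAK_ENC, WEAK_HASH, WEAK_GROUP = {"des", "3des"}, {"md5", "sha"}, {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ios(text):
    """Collect the objects whose mutual consistency decides whether a tunnel comes up."""
    cfg = {"psk": {}, "policy": {}, "match_ids": set(), "transform": [],
           "pfs": None, "tunnels": {}, "neighbors": set()}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():            # unindented command opens a new section
            section = line
            if line.startswith("crypto ipsec transform-set"):
                cfg["transform"] = line.split()[4:]
            continue
        w = line.split()
        if section.startswith("crypto keyring") and w[0] == "pre-shared-key":
            cfg["psk"][w[2]] = w[4]                  # peer address -> key
        elif section.startswith("crypto isakmp policy"):
            cfg["policy"][w[0]] = w[1]               # encryption / hash / group / ...
        elif section.startswith("crypto isakmp profile") and w[:2] == ["match", "identity"]:
            cfg["match_ids"].add(w[3])
        elif section.startswith("crypto ipsec profile") and w[:2] == ["set", "pfs"]:
            cfg["pfs"] = w[2]
        elif section.startswith("interface Tunnel"):
            tun = cfg["tunnels"].setdefault(section.split()[1], {})
            if w[:2] == ["ip", "address"]:
                tun["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            elif w[:2] == ["tunnel", "destination"]:
                tun["dest"] = w[2]
        elif section.startswith("router bgp") and w[0] == "neighbor" and w[2] == "remote-as":
            cfg["neighbors"].add(w[1])
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    out = [f"weak PSK for {peer}" for peer, key in cfg["psk"].items()
           if len(key) < 20 or key.lower() in {"aviatrix", "cisco", "password"}]
    pol = cfg["policy"]
    checks = [(pol.get("encryption") in WEAK_ENC, "weak IKE encryption"),
              (pol.get("hash") in WEAK_HASH, "weak IKE hash"),
              (pol.get("group") in WEAK_GROUP, "weak IKE DH group"),
              (bool(set(cfg["transform"]) & WEAK_ESP), "weak ESP transform"),
              (cfg["pfs"] is None, "PFS not set")]
    out += [msg for bad, msg in checks if bad]
    for name, tun in cfg["tunnels"].items():   # every peer needs a key and an identity match
        dest = tun.get("dest")
        if dest not in cfg["psk"]:
            out.append(f"{name}: no PSK for {dest}")
        if dest not in cfg["match_ids"]:
            out.append(f"{name}: no match identity for {dest}")
    nets = [t["net"] for t in cfg["tunnels"].values() if "net" in t]
    for nb in cfg["neighbors"]:                # BGP peers must sit on a tunnel /30
        if not any(ipaddress.ip_address(nb) in n for n in nets):
            out.append(f"BGP neighbor {nb} not on any tunnel subnet")
    return out


def make_psk(length=32):
    """Replacement for the placeholder key: random alphanumerics from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Run against the sample as shown, the only findings are the two placeholder pre-shared keys; editing the excerpt to use `hash md5`, drop the `set pfs` line, or point a `match identity` at the wrong address makes the corresponding checks fire, which is the kind of drift that otherwise shows up only as a tunnel that never negotiates.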
