ip-100-64-128-6#sh run Building configuration... Current configuration : 8902 bytes ! ! ! version 16.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no platform punt-keepalive disable-kernel-core platform console virtual ! hostname ip-100-64-128-6 ! boot-start-marker boot-end-marker ! ! logging persistent size 1000000 filesize 8192 immediate ! no aaa new-model ! ip vrf default description Internet VRF rd 64512:100 ! ip vrf temp rd 64512:101 ! ip vrf vpn-ea76668b rd 64512:1 route-target export 64512:0 route-target import 64512:0 ! ip vrf vpn-ec76668d rd 64512:3 route-target export 64512:0 route-target import 64512:0 ! ip vrf vpn0 rd 64512:0 ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! subscriber templating ! ! ! multilink bundle-name authenticated ! ! ! ! ! crypto pki trustpoint TP-self-signed-2236400821 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2236400821 revocation-check none rsakeypair TP-self-signed-2236400821 ! ! ! ! ! ! ! license udi pid CSR1000V diagnostic bootup level minimal ! spanning-tree extend system-id ! username ec2-user privilege 15 secret 5 ! redundancy ! ! ! ! ! ! ! crypto keyring internet-keyring vrf default local-address 100.64.128.6 default pre-shared-key address key crypto keyring keyring-vpn-ec76668d-4 local-address GigabitEthernet1 pre-shared-key address key crypto keyring keyring-vpn-ec76668d-3 local-address GigabitEthernet1 pre-shared-key address key crypto keyring keyring-vpn-ea76668b-2 local-address GigabitEthernet1 pre-shared-key address key crypto keyring keyring-vpn-ea76668b-1 local-address GigabitEthernet1 pre-shared-key address key ! ! ! ! ! crypto isakmp policy 200 encr aes authentication pre-share group 2 lifetime 28800 crypto isakmp keepalive 10 10 crypto isakmp profile csr-to-asa vrf vpn-ea76668b keyring internet-keyring match identity address default isakmp authorization list default local-address 100.64.128.6 default ! crypto ipsec security-association replay window-size 1024 ! crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes esp-sha-hmac mode tunnel crypto ipsec transform-set test esp-aes esp-sha-hmac mode tunnel crypto ipsec df-bit clear ! ! crypto ipsec profile ipsec-vpn-aws set transform-set ipsec-prop-vpn-aws set pfs group2 ! ! crypto map csr-to-asa 10 ipsec-isakmp set peer set transform-set test set pfs group2 set isakmp-profile csr-to-asa match address csr-to-asa reverse-route static ! ! ! ! ! ! ! ! ! ! ! ! interface Loopback1 ip vrf forwarding vpn-ea76668b ip address 10.8.0.1 255.255.255.255 ! interface GigabitEthernet1 ip vrf forwarding default ip address dhcp negotiation auto crypto map csr-to-asa ! interface GigabitEthernet2 ip vrf forwarding temp ip address dhcp negotiation auto ! ! virtual-service csr_mgmt ip shared host-interface GigabitEthernet1 activate ! ip forward-protocol nd ip http server ip http authentication local ip http secure-server ! ip route vrf vpn-ea76668b 255.255.255.255 GigabitEthernet1 100.64.128.1 ip ssh rsa keypair-name ssh-key ip ssh version 2 ip ssh pubkey-chain username ec2-user key-hash ssh-rsa ec2-user username automate key-hash ssh-rsa ip ssh server algorithm authentication publickey ip scp server enable ! ip access-list extended BUF-FILTER permit ip any any ip access-list extended csr-to-asa permit ip 10.8.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log permit ip 10.7.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log ! ! ! ! ! control-plane ! ! ! ! ! ! ! ! ! ! line con 0 stopbits 1 line vty 0 4 login local transport input ssh ! ! ! ! ! ! end