r2#
! NOTE(review): "r2#" above is the CLI prompt captured with the output,
! not a configuration command.
!
version 15.7
!
hostname r2
!
! Two customer VRFs. Each imports and exports only its own route-target
! (BLUE 1:1, RED 1:2), so this listing leaks no routes between them.
vrf definition BLUE
 rd 1:1
 !
 address-family ipv4
  route-target export 1:1
  route-target import 1:1
 exit-address-family
!
vrf definition RED
 rd 1:2
 !
 address-family ipv4
  route-target export 1:2
  route-target import 1:2
 exit-address-family
!
aaa new-model
!
! NOTE(review): the "aaa authorization network" line below starts with "!",
! so IOS reads it as a comment and this listing defines no network
! authorization list named "default". The IKEv2 profile further down still
! references list "default" ("aaa authorization group cert list default ...").
! Confirm whether the "!" is intentional.
!aaa authorization network default local
!
aaa session-id common
!
ip domain name lab.net
ip name-server 198.51.100.5
ip cef
!
! Trustpoint used for IKEv2 certificate authentication.
! - Enrollment goes to the CA at 198.51.100.5 over plain HTTP (presumably
!   SCEP). The CA certificate obtained this way should be verified by
!   fingerprint out of band.
! - "revocation-check none": peer certificates are never checked against a
!   CRL or OCSP. A certificate the CA has revoked is still accepted until it
!   expires. Acceptable in a lab; production should use a working check
!   (e.g. "revocation-check crl").
crypto pki trustpoint Trusted-CA
 enrollment url http://198.51.100.5:80
 fqdn r2.lab.net
 subject-name CN=r2,O=lab.net
 revocation-check none
 rsakeypair r2.lab.net
!
!
! Certificate chain (public certificates only; no private key material
! appears in this listing). Decoded from the DER bytes below:
! - certificate 03: router identity, subject O=lab.net, CN=r2,
!   unstructuredName r2.lab.net; issuer O=lab.net, CN=CA; 2048-bit RSA key;
!   signed with sha1WithRSAEncryption; valid 2020-12-02 to 2021-12-02 (UTC).
! - certificate ca 01: self-signed CA, O=lab.net, CN=CA; 1024-bit RSA key;
!   signed with md5WithRSAEncryption; valid 2020-12-02 to 2023-12-02 (UTC).
! NOTE(review): MD5/SHA-1 signatures and a 1024-bit CA key are weak by
! current standards. Fine for a lab; a production CA should use at least
! RSA-2048 with SHA-256.
crypto pki certificate chain Trusted-CA
 certificate 03
  308202A2 3082020B A0030201 02020103 300D0609 2A864886 F70D0101 05050030
  1F311030 0E060355 040A1307 6C61622E 6E657431 0B300906 03550403 13024341
  301E170D 32303132 30323130 32343036 5A170D32 31313230 32313032 3430365A
  303A3110 300E0603 55040A13 076C6162 2E6E6574 310B3009 06035504 03130272
  32311930 1706092A 864886F7 0D010902 160A7232 2E6C6162 2E6E6574 30820122
  300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00A7B4ED
  CCA0B713 560B4FDD 0234ADC5 31903055 4416E494 4273D31B A2EC5F77 59406AF1
  CCE854E6 21667111 7572DBDD 83C3EF08 8C08909E EB5F3821 68473711 5D52F1A8
  31EDA54A B5253242 1B89E838 29CC28AB 7BAEFD45 72C502EB 12A1990A 60351E1A
  CF2F8703 F70BF675 B1B1C770 B8FB142C 42126599 885EDC9B 38480557 29C5FA88
  F624CA25 B352647C 81ADEDED 4228E855 92046B7D 0D123F7F 48A328C9 3016115E
  CF80C7F5 5474EB2B 4BDAF99D 9EE4C4D9 4859F863 B8E2A035 31288B2F 25CD6B0A
  ED26C122 C0BA3A5A 01CB0DF7 B3B7E154 9480BD4C 57C0EE84 962F9627 10CCB969
  3F3DB7EC CF3F5910 FDE49F4F 3D137D5A 0FC9EC05 93765F00 C22707E8 B5020301
  0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355 1D230418 30168014
  CE5D23C5 32661A94 D49A5C24 2F36E039 832519EE 301D0603 551D0E04 16041445
  E8A86BFD CD42FBF0 CF4B4380 B4CD7E4F D5C8D330 0D06092A 864886F7 0D010105
  05000381 81003791 7206F02B 8B694CC5 55BD1C42 064DF419 4F990E2C 68036707
  9F1A251D C07F333E E795E08F ADDA8DDD BCFFC11A 8FDF8D68 735215F1 61E8BD86
  D5382360 56DFD798 43B4B28E 1B543499 782C12E7 77EA4410 8E761D41 7110C455
  DD32B510 24245901 6BD59DA9 A1320C41 651C6EF3 7A429680 1E6FB2DA D3F52C57
  DEEAC42E 09A4
  quit
 certificate ca 01
  30820217 30820180 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  1F311030 0E060355 040A1307 6C61622E 6E657431 0B300906 03550403 13024341
  301E170D 32303132 30323130 30313133 5A170D32 33313230 32313030 3131335A
  301F3110 300E0603 55040A13 076C6162 2E6E6574 310B3009 06035504 03130243
  4130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100C476
  63DFDA03 7AE04999 E78AE007 629E0072 491515F4 2C86526D 33DAA613 545EC205
  DEACCBE0 7FEF686E 04CB1232 402D1AB9 C73E3E41 0E39F3BD 919DB3A0 046C1A7D
  4E94E2CF CA9FDF4A E704F386 CE7B2A17 5F12CF67 3A13D4B4 B3DE869A 61699DD8
  AF38FFBA F197C8F4 29703D8B 5622B98C 1583320D D60A4F8F 63AA6042 F6410203
  010001A3 63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01
  01FF0404 03020186 301F0603 551D2304 18301680 14CE5D23 C532661A 94D49A5C
  242F36E0 39832519 EE301D06 03551D0E 04160414 CE5D23C5 32661A94 D49A5C24
  2F36E039 832519EE 300D0609 2A864886 F70D0101 04050003 81810071 21C78262
  7E0881C6 89209613 6671FCA3 8D52294B 1E9E28C1 5D1006A8 A9E452FF 142C0CE2
  29C0518C 1FA6E189 057FD42F 86F61C44 030A358F 1B25AA67 D4FC8E01 E3484335
  6AB3936D 1046A726 18E91ECA 194B1C21 88F7BFD2 5624D298 4FAED747 3174DE9C
  F68E4224 DFEC51AC F5E32FFE A48AC258 695B6074 D0D47B70 79F0F1
  quit
!
redundancy
!
no cdp log mismatch duplex
!
! IKEv2 authorization policy "default": the two "route set interface" lines
! presumably advertise this router's interface address(es) to the peer
! during IKEv2 authorization -- confirm against the platform documentation.
crypto ikev2 authorization policy default
 route set interface Loopback1
 route set interface
!
! IKEv2 profile "default":
! - matches any peer whose IKE identity is an FQDN in domain lab.net;
! - both directions authenticate with RSA signatures (rsa-sig), validated
!   against trustpoint Trusted-CA;
! - tunnels for accepted peers are cloned from Virtual-Template 1.
! NOTE(review): trust therefore rests on "certificate issued by Trusted-CA
! plus identity in lab.net". With revocation checking disabled on the
! trustpoint, an individual peer certificate cannot be cut off before it
! expires.
crypto ikev2 profile default
 match identity remote fqdn domain lab.net
 identity local fqdn r2.lab.net
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
 aaa authorization group cert list default default local
 virtual-template 1
!
! IPsec profile bound to IKEv2 profile "default". SA lifetime is 3600 s or
! 4608000 KB, whichever is reached first.
! NOTE(review): there is no "set transform-set" line, so presumably the
! platform's default IPsec transform set applies -- confirm the negotiated
! algorithms with "show crypto ipsec sa".
crypto ipsec profile default
 no set security-association dfbit
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 no set security-association idle-time
 no set security-association replay window-size
 set security-association dummy
 set security-association ecn
 set ikev2-profile default
!
! Loopback1 supplies the overlay address: the tunnel interfaces borrow it
! via "ip unnumbered", and BGP uses it as an update-source.
interface Loopback1
 ip address 10.1.30.2 255.255.255.255
!
! Static IPsec-protected tunnel sourced from the INTERNET-facing interface
! to 198.51.100.7 (presumably the hub). The NHRP shortcut setting points at
! Virtual-Template 1. "mpls nhrp" together with the vpnv4 address family
! below suggests the VRF routes are carried as MPLS VPN over the tunnels --
! confirm.
interface Tunnel0
 ip unnumbered Loopback1
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 mpls nhrp
 tunnel source GigabitEthernet0/2
 tunnel destination 198.51.100.7
 tunnel protection ipsec profile default
!
interface GigabitEthernet0/1
 vrf forwarding BLUE
 ip address 10.1.20.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
! NOTE(review): this is the untrusted-side interface and no "ip access-group"
! is applied to it in this listing. Production deployments usually restrict
! inbound traffic here to what the tunnel needs (IKE, ESP and any required
! management/ICMP).
interface GigabitEthernet0/2
 description INTERNET
 ip address 198.51.100.3 255.255.255.254
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 vrf forwarding RED
 ip address 10.1.21.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
! Template cloned for dynamically created tunnels (referenced by the NHRP
! shortcut setting above and by "virtual-template 1"). It uses the same
! IPsec protection profile as Tunnel0.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 mpls nhrp
 tunnel protection ipsec profile default
!
! iBGP (AS 1) carrying VPNv4 routes with extended communities
! (route-targets) to two neighbors. Connected routes of both VRFs are
! redistributed.
! NOTE(review): no neighbor "password" is configured, so the sessions carry
! no TCP-level authentication. The session to 10.1.30.0 is sourced from
! Loopback1 and presumably runs inside the IPsec tunnel. The path to
! 10.1.2.100 is not visible here -- confirm it is protected as well.
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.1.2.100 remote-as 1
 neighbor 10.1.30.0 remote-as 1
 neighbor 10.1.30.0 update-source Loopback1
 !
 address-family vpnv4
  neighbor 10.1.2.100 activate
  neighbor 10.1.2.100 send-community extended
  neighbor 10.1.30.0 activate
  neighbor 10.1.30.0 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf BLUE
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute connected
 exit-address-family
!
ip forward-protocol nd
!
!
! The HTTP and HTTPS management servers are both disabled.
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! NOTE(review): FLEX_TRAFFIC is defined here but nothing visible in this
! listing references it.
ip access-list standard FLEX_TRAFFIC
 permit 10.1.20.0 0.0.0.255
!
! NOTE(review): certificate validity checks depend on an accurate clock, and
! this NTP association is unauthenticated. Consider NTP authentication
! outside a lab.
ntp server 198.51.100.5
!
end