interface GigabitEthernet0/0/0
 no description To_XYZ_WAN
 no ip address
 negotiation auto
!
interface ATM0/3/0
 no ip address
 no atm enable-ilmi-trap
 no shutdown
!
interface ATM0/3/0.1 point-to-point
 description To_XYZ_WAN
 ip address 10.149.196.68 255.255.255.248
 atm route-bridged ip
 no atm enable-ilmi-trap
 no shutdown
 pvc 8/81
  encapsulation aal5snap
!
vlan 65
 name GFT_Branch
!
interface Vlan65
 ip address 10.10.65.1 255.255.255.0
 no shutdown
!
interface range GigabitEthernet0/1/0-3
 switchport mode access
 switchport access vlan 65
 no shutdown
!
controller Cellular 0/2/0
 lte sim data-profile 1 attach-profile 1 slot 0
 lte modem link-recovery disable
!
interface Cellular0/2/0
 ip address negotiated
 no shutdown
 dialer in-band
 dialer idle-timeout 0
 dialer watch-group 1
 dialer-group 1
 pulse-time 1
!
! ****************** DHCP ***********************
!
ip dhcp excluded-address 10.10.65.1 10.10.65.254
!
ip dhcp pool XYZ_GFT_Branch_DHCP
 network 10.10.65.0 255.255.255.0
 default-router 10.10.65.1
 dns-server 8.8.8.8 213.55.96.148 4.2.2.1
!
! **************** FlexVPN **********************
! Enable AAA
aaa new-model
aaa authorization network XYZ-AAA local
!
! Phase 1
! IKEv2 authorization policy
crypto ikev2 authorization policy XYZ-AUTH-POLICY
 route set access-list XYZ-GFT-Subnets
 route set interface
!
! Define the IKEv2 proposal
crypto ikev2 proposal XYZ-IkeV2-proposal
 encryption aes-cbc-192
 integrity sha256
 group 15
!
! Define the IKEv2 policy
crypto ikev2 policy XYZ-IkeV2-POLICY
 match fvrf any
 proposal XYZ-IkeV2-proposal
!
! Define the local subnets to be encrypted
ip access-list standard XYZ-GFT-Subnets
 permit 10.10.65.0 0.0.0.255
!
! IKEv2 keyring
crypto ikev2 keyring XYZ-KRing
 peer XYZ-Keys
  description XYZ-Keyring-1
  address 0.0.0.0 0.0.0.0
  pre-shared-key local XYZ-pass-213
  pre-shared-key remote XYZ-pass-123
!
! IKEv2 profile
crypto ikev2 profile XYZ-IkeyV2-profile
 description To_XYZ_HQ_Hubs
 match identity remote fqdn hub.XYZ.local
 identity local address 172.27.120.248
 authentication remote pre-share
 authentication local pre-share
 keyring local XYZ-KRing
 dpd 30 2 on-demand
 aaa authorization group psk list XYZ-AAA XYZ-AUTH-POLICY
!
! IKEv2 profile 2
crypto ikev2 profile XYZ-IkeyV2-profile-2
 description To_XYZ_HQ_Hubs
 match identity remote fqdn hub.XYZ.local
 identity local address 10.149.196.68
 authentication remote pre-share
 authentication local pre-share
 keyring local XYZ-KRing
 dpd 30 2 on-demand
 aaa authorization group psk list XYZ-AAA XYZ-AUTH-POLICY
!
! Phase 2: IPsec
crypto ipsec transform-set XYZ-TSET esp-gcm
 mode tunnel
!
! IPsec profile
crypto ipsec profile XYZ-IPSec-Prf
 set transform-set XYZ-TSET
 set ikev2-profile XYZ-IkeyV2-profile
!
! IPsec profile 2
crypto ipsec profile XYZ-IPSec-Prf-2
 set transform-set XYZ-TSET
 set ikev2-profile XYZ-IkeyV2-profile-2
!
! Create tunnel interface 0 (cellular path)
interface Tunnel0
 description To_XYZ_HQ_Hubs
 ip address negotiated
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Cellular0/2/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile XYZ-IPSec-Prf
!
! Create tunnel interface 2 (ATM path)
interface Tunnel2
 description To_XYZ_HQ_Hubs
 ip address negotiated
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source ATM0/3/0.1
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile XYZ-IPSec-Prf-2
!
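To check that the IKEv2 proposal, keyring and transform-set above meet a crypto baseline before the config is pushed, the following added Python script parses the relevant blocks and reports findings. It is an added example, not part of the original configuration paste; SAMPLE_CONFIG is a constructed excerpt that mirrors the crypto settings above, and the thresholds (no DES/3DES, no MD5/SHA-1, DH group 14 or higher) are this script's own policy assumptions rather than IOS defaults.

```python
"""IKEv2/IPsec parameter audit for an IOS FlexVPN configuration.

Added example, not part of the original configuration paste. SAMPLE_CONFIG is
a constructed excerpt mirroring the proposal, keyring and transform-set above;
the thresholds below are this script's own policy assumptions.
"""

# Constructed excerpt mirroring the FlexVPN crypto settings in the config above.
SAMPLE_CONFIG = """\
crypto ikev2 proposal XYZ-IkeV2-proposal
 encryption aes-cbc-192
 integrity sha256
 group 15
!
crypto ikev2 keyring XYZ-KRing
 peer XYZ-Keys
  description XYZ-Keyring-1
  address 0.0.0.0 0.0.0.0
  pre-shared-key local XYZ-pass-213
  pre-shared-key remote XYZ-pass-123
!
crypto ipsec transform-set XYZ-TSET esp-gcm
 mode tunnel
"""

# Policy assumptions (not IOS defaults): no DES/3DES, no MD5/SHA-1, DH group 14+.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
MIN_DH_GROUP = 14
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}


def parse_blocks(text):
    """Split IOS config into (header, [subcommands]) pairs using leading-space nesting."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or '!' comment
        if not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def audit_ikev2(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for header, body in parse_blocks(text):
        if header.startswith("crypto ikev2 proposal"):
            for line in body:
                words = line.split()
                if words[0] == "encryption":
                    weak = [w for w in words[1:] if w in WEAK_ENCRYPTION]
                    if weak:
                        findings.append(f"{header}: weak encryption {weak}")
                elif words[0] == "integrity":
                    weak = [w for w in words[1:] if w in WEAK_INTEGRITY]
                    if weak:
                        findings.append(f"{header}: weak integrity {weak}")
                elif words[0] == "group":
                    low = [g for g in words[1:] if g.isdigit() and int(g) < MIN_DH_GROUP]
                    if low:
                        findings.append(f"{header}: DH group(s) {low} below group {MIN_DH_GROUP}")
        elif header.startswith("crypto ikev2 keyring"):
            # Wildcard peer address: any source that knows the PSK may start IKE, so the
            # profile's 'match identity remote' and a long random PSK carry the weight.
            if "address 0.0.0.0 0.0.0.0" in body:
                findings.append(f"{header}: wildcard peer address 0.0.0.0/0; rely on a strict "
                                "'match identity remote' and a long random PSK")
            # Keys without the type-6 marker are stored reversibly in the running config.
            if any(line.startswith("pre-shared-key") and " 6 " not in line for line in body):
                findings.append(f"{header}: pre-shared keys not stored as type 6; configure "
                                "'key config-key password-encrypt' and 'password encryption aes'")
        elif header.startswith("crypto ipsec transform-set"):
            weak = [t for t in header.split()[4:] if t in WEAK_ESP]
            if weak:
                findings.append(f"{header}: weak ESP transform(s) {weak}")
    return findings


if __name__ == "__main__":
    for finding in audit_ikev2(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the excerpt above, the proposal and transform-set pass (AES-192-CBC, SHA-256, group 15, ESP-GCM) and only the keyring is flagged, for its wildcard peer address and its reversibly stored keys.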
! Create the FlexVPN client profile
crypto ikev2 client flexvpn XYZ-FlexVPN
 peer 1 10.10.23.17 track 1
 peer 2 10.10.23.18 track 2
 peer 3 10.133.207.50 track 3
 peer reactivate
 client connect Tunnel0
!
! Create the FlexVPN client profile 2
crypto ikev2 client flexvpn XYZ-FlexVPN-2
 peer 1 10.10.23.17 track 1
 peer 2 10.10.23.18 track 2
 peer 3 10.133.207.50 track 3
 peer reactivate
 client connect Tunnel2
!
! **************** Routing ******************************
! BGP
router bgp 100
 bgp log-neighbor-changes
 neighbor 10.10.8.1 remote-as 100
 !
 address-family ipv4
  network 10.10.65.0 mask 255.255.255.0
  neighbor 10.10.8.1 activate
 exit-address-family
!
ip route 10.10.23.16 255.255.255.248 10.149.196.65
ip route 10.10.23.17 255.255.255.255 Cellular0/2/0
ip route 10.10.23.18 255.255.255.255 Cellular0/2/0
!
ip nat inside source list 100 interface Cellular0/2/0 overload
!
access-list 1 permit 10.10.65.0 0.0.0.255
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
! *************** Peer tracking ****************************
ip sla 1
 icmp-echo 10.10.23.17
ip sla 2
 icmp-echo 10.10.23.18
ip sla 3
 icmp-echo 10.133.207.50
!
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
ip sla schedule 3 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
! ************** Secure access **************************
conf t
ip name-server 8.8.8.8
!
ip domain lookup
ip domain lookup source-interface ATM0/3/0.1
ip http server
ip http authentication local
no ip http secure-server
ip http secure-client-auth
ip http client source-interface ATM0/3/0.1
interface ATM0/3/0
 mtu 1500
interface ATM0/3/0.1
 mtu 1500
exit
snmp-server community XYZP0rtnox RO
snmp-server host 10.10.42.11 XYZP0rtnox
snmp-server host 10.10.42.12 XYZP0rtnox
snmp-server enable traps snmp linkup linkdown
snmp-server ifindex persist
do wr
!
enable secret p@$$w)rd
!
line con 0
 password p@$$w)rd
 ! login
!
line vty 0 15
 access-class Device-MGMT in
 privilege level 15
 transport input ssh
 password 0 p@$$w)rd
 ! login
exit
!
service password-encryption
!
ip http server
ip http secure-server
ip http authentication local
username XYZnet privilege 15 password 0 p@$$w)rd
!
ip access-list standard Device-MGMT
 permit 10.10.1.0 0.0.0.255
 permit 10.10.24.0 0.0.0.255
 permit 10.10.20.0 0.0.0.255
 permit 10.10.65.30 0.0.0.0
 permit any
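The management-plane settings in the "secure access" section and the vty block above contain several things a reviewer would flag: the `Device-MGMT` access-class ends in `permit any`, passwords are entered as type 0 (and `service password-encryption` only turns them into reversible type 7), `ip http server` is enabled alongside the secure server, and the SNMP community has no access-list. The following added Python script encodes those checks so they can be run over a config before deployment. It is an added example, not part of the original paste; SAMPLE_CONFIG is a constructed excerpt of the management lines above, and the hardening policy is this script's own.

```python
"""Management-plane audit for an IOS configuration.

Added example, not part of the original configuration paste. SAMPLE_CONFIG is
a constructed excerpt of the management-plane lines above; the checks encode
this script's own hardening policy.
"""

# Constructed excerpt mirroring the management-plane lines of the config above.
SAMPLE_CONFIG = """\
aaa new-model
ip http server
ip http secure-server
snmp-server community XYZP0rtnox RO
username XYZnet privilege 15 password 0 p@$$w)rd
enable secret p@$$w)rd
line vty 0 15
 access-class Device-MGMT in
 privilege level 15
 transport input ssh
 password 0 p@$$w)rd
!
ip access-list standard Device-MGMT
 permit 10.10.1.0 0.0.0.255
 permit 10.10.65.30 0.0.0.0
 permit any
"""


def parse_blocks(text):
    """Split IOS config into (header, [subcommands]) pairs using leading-space nesting."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or '!' comment
        if not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def audit_mgmt(text):
    """Return a list of findings about remote-management exposure; empty means clean."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    # Named standard ACLs, keyed by name, so access-class references can be resolved.
    acls = {h.split()[-1]: body for h, body in blocks if h.startswith("ip access-list standard ")}
    has_aaa = "aaa new-model" in headers
    findings = []

    for h in headers:
        w = h.split()
        if h == "ip http server":
            findings.append("ip http server: cleartext HTTP management enabled; keep only 'ip http secure-server'")
        elif w[:2] == ["snmp-server", "community"] and len(w) == 4:
            # 'snmp-server community <name> RO' with no trailing ACL number/name
            findings.append(f"{h}: community has no access-list; any host reaching the device may poll it")
        elif w[0] == "username" and "password" in w:
            findings.append(f"username {w[1]}: 'password' is type 0/7 (reversible); use 'username {w[1]} ... secret'")

    for h, body in blocks:
        if not h.startswith("line "):
            continue
        # Without 'aaa new-model', a vty that lacks 'login' never prompts for its password.
        if h.startswith("line vty") and not has_aaa and not any(b.startswith("login") for b in body):
            findings.append(f"{h}: no 'login' and no 'aaa new-model', so vty sessions are not authenticated")
        for b in body:
            w = b.split()
            if w[0] == "password":
                findings.append(f"{h}: line password stored reversibly; 'service password-encryption' only yields type 7")
            elif w[0] == "access-class":
                if any(e.split() == ["permit", "any"] for e in acls.get(w[1], [])):
                    findings.append(f"{h}: access-class {w[1]} contains 'permit any', so it restricts nothing")
            elif w[:2] == ["privilege", "level"] and w[2] == "15":
                findings.append(f"{h}: privilege level 15 drops every authenticated session straight into enable mode")
            elif w[:2] == ["transport", "input"] and ({"telnet", "all"} & set(w)):
                findings.append(f"{h}: telnet accepted; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Against the excerpt above the script reports six findings: the HTTP server, the unrestricted SNMP community, the reversible username password, the `permit any` that neutralises the access-class, the blanket privilege level 15, and the line password. The SSH-only transport and the `enable secret` pass, and because `aaa new-model` is present the missing `login` is not reported (under AAA the line `login` command is not what controls authentication).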