!
version 16.6
!
hostname ipsec-rtr-1
!
! Inside VRF: the customer's protected traffic
ip vrf customer-008-nl
 description used-for-tunnel-test
 rd 64512:8
 route-target import 64512:0
!
! Front-door VRF: faces the IPsec peer
ip vrf dmz-outside
 description Internet
 rd 64512:0
 route-target export 64512:0
!
! Keyring is bound to the front-door VRF, where the peer is reachable
crypto keyring customer-008-nl vrf dmz-outside
 pre-shared-key address 10.10.10.2 key 12345
!
crypto logging session
!
! IKEv1 phase 1 proposals, evaluated in priority order
! DH group 5 = 1536-bit MODP
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
!
! DH group 14 = 2048-bit MODP
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
!
! DH group 2 = 1024-bit MODP, the weakest of the three proposals
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp keepalive 30 20 periodic
!
! Maps any peer identity seen in dmz-outside to the inside VRF customer-008-nl
crypto isakmp profile customer-008-nl
 vrf customer-008-nl
 keyring customer-008-nl
 match identity address 0.0.0.0 dmz-outside
!
crypto ipsec transform-set customer-008-nl esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec nat-transparency spi-matching
!
crypto map IPSEC-VPN 200 ipsec-isakmp
 description customer-008-nl
 set peer 10.10.10.2 default
 set security-association lifetime seconds 1800
 set transform-set customer-008-nl
 set pfs group14
 match address 151
!
interface GigabitEthernet0/0/0
 description DMZ-outside
 ip vrf forwarding dmz-outside
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 negotiation auto
 ! Must match the crypto map tag defined above (IPSEC-VPN)
 crypto map IPSEC-VPN
!
interface GigabitEthernet0/0/1
 description FW-inside
 no ip address
 no ip redirects
 negotiation auto
!
interface GigabitEthernet0/0/1.128
 description customer-008
 encapsulation dot1Q 128
 ip vrf forwarding customer-008-nl
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/0/2
 description Unused
 no ip address
 no ip redirects
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 description MGMT
 vrf forwarding Mgmt-intf
 ip address 10.47.189.24 255.255.254.0
 negotiation auto
!
router bgp 64512
 bgp router-id 10.10.10.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf dmz-outside
  redistribute static
 exit-address-family
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.47.188.1 name def-route-mgmt
ip route vrf customer-008-nl 0.0.0.0 0.0.0.0 10.47.174.190 name def-route-customer-008
ip route vrf dmz-outside 192.168.22.0 255.255.255.0 10.10.10.2 name customer-008-nl-sim-1
!
! Crypto ACL referenced by "match address 151": traffic selected for encryption
access-list 151 remark ACL to permit/deny encryption @ customer-008
access-list 151 permit ip 192.168.11.0 0.0.0.255 192.168.22.0 0.0.0.255 log
!
end