!
version 16.6
!
hostname ipsec-rtr-2
!
! Pre-shared key for the peer, looked up in the front-door VRF (dmz-outside)
crypto keyring customer-008-nl vrf dmz-outside
 pre-shared-key address 10.10.10.1 key 12345
!
crypto logging session
!
! IKEv1 (ISAKMP) policies, matched in priority order (lowest number first).
! Groups 5 (1536-bit MODP) and 2 (1024-bit MODP) are weaker than group 14 (2048-bit MODP).
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
! Dead peer detection: keepalive every 30 s, retry every 20 s
crypto isakmp keepalive 30 20 periodic
!
! Binds the peer (identity seen in dmz-outside) to the inside VRF customer-008-nl
crypto isakmp profile customer-008-nl
 vrf customer-008-nl
 keyring customer-008-nl
 match identity address 10.10.10.1 dmz-outside
!
crypto ipsec transform-set customer-008-nl esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec nat-transparency spi-matching
!
! Traffic to encrypt is selected by access-list 151
crypto map IPSEC-VPN 200 ipsec-isakmp
 description customer-008-nl
 set peer 10.10.10.1 default
 set security-association lifetime seconds 1800
 set transform-set customer-008-nl
 set pfs group14
 match address 151
!
interface GigabitEthernet0/0/0
 description DMZ-outside
 ip vrf forwarding dmz-outside
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 negotiation auto
 crypto map IPSEC-VPN
!
interface GigabitEthernet0/0/1
 description FW-inside
 no ip address
 no ip redirects
 negotiation auto
!
interface GigabitEthernet0/0/1.128
 description customer-008
 encapsulation dot1Q 128
 ip vrf forwarding customer-008-nl
 ip address 192.168.22.1 255.255.255.0
!
interface GigabitEthernet0/0/2
 description Unused
 no ip address
 no ip redirects
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 description MGMT
 vrf forwarding Mgmt-intf
 ip address 10.47.189.25 255.255.254.0
 negotiation auto
!
router bgp 64512
 bgp router-id 10.10.10.2
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf dmz-outside
  redistribute static
 exit-address-family
!
ip route vrf customer-008-nl 0.0.0.0 0.0.0.0 10.47.174.190 name def-route-customer-008
ip route vrf dmz-outside 192.168.11.0 255.255.255.0 10.10.10.1 name customer-008-nl-sim-1
!
! Crypto ACL: local 192.168.22.0/24 to remote 192.168.11.0/24
access-list 151 remark ACL to permit/deny encryption @ customer-008
access-list 151 permit ip 192.168.22.0 0.0.0.255 192.168.11.0 0.0.0.255 log
!
end