IKEv2 IPsec VPN, unlike standard IPsec VPN and IKEv1 VPN, does not have the "phase concept". In IKEv2 there is one tunnel for the control channel, called the "IKE tunnel", and a second tunnel for the user traffic, called the "child tunnel", which is the IPsec tunnel.

Please create an IPsec VPN with the following parameters:

Remote Site ID: EGCAI01
Firewall/router: CISCO2911 - C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M1
Public IP addresses: 1x.2x.80.2x for EGCAI01 (my network), 19x.2x7.1xx.1xx for NLAMS02E (head office)

IKE Phase 1
IKE version: 2
Diffie-Hellman group: 14
Encryption algorithm: AES256
Authentication algorithm: SHA256
Authentication method: Pre-shared key
Pre-shared key: xxxxxxxxx
Key lifetime: 86400
Dead peer detection: Enabled

IKE Phase 2
IPsec protocol: ESP (Tunnel mode)
Encryption algorithm: AES256
Authentication algorithm: SHA256
Key lifetime: 28800
Perfect Forward Secrecy: Enabled, Diffie-Hellman group 5
Replay Protection: Enabled
Keep Alive: Disabled

Phase 2 selectors:
Local subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Remote subnets: 192.168.0.0/20

IKEv2 Configuration Steps:
Keyring
Proposal
Profile
Policy
ACL
Transform Set
Crypto Map (including Peer, ACL, and Transform Set)
Apply to interface

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname CISCO2911-EGCAI01
CISCO2911-EGCAI01(config)#exit
CISCO2911-EGCAI01#
----------------------------
CISCO2911-EGCAI01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
CISCO2911-EGCAI01(config)#ip domain name xxx.nxx.loxxx
CISCO2911-EGCAI01(config)#exit
CISCO2911-EGCAI01#
------------------------------------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 keyring KR-1
CISCO2911-EGCAI01(config-ikev2-keyring)#peer NLAMS02E
CISCO2911-EGCAI01(config-ikev2-keyring-peer)#address 19x.2x7.1xx.1xx
CISCO2911-EGCAI01(config-ikev2-keyring-peer)#pre-shared-key xxxxxxxx
CISCO2911-EGCAI01(config-ikev2-keyring-peer)#exit
CISCO2911-EGCAI01(config-ikev2-keyring)#exit
CISCO2911-EGCAI01(config)#exit
----------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 proposal PROP-NLAMS02E
CISCO2911-EGCAI01(config-ikev2-proposal)#encryption aes-cbc-256
CISCO2911-EGCAI01(config-ikev2-proposal)#integrity sha256
CISCO2911-EGCAI01(config-ikev2-proposal)#group 14
CISCO2911-EGCAI01(config-ikev2-proposal)#exit
CISCO2911-EGCAI01(config)#exit
CISCO2911-EGCAI01#exit
---------------------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 policy POL-NLAMS02E
CISCO2911-EGCAI01(config-ikev2-policy)#proposal PROP-NLAMS02E
CISCO2911-EGCAI01(config-ikev2-policy)#exit
CISCO2911-EGCAI01(config)#exit
--------------------------------------------------
! The object-groups referenced in this ACL must already exist on the router;
! create them (next section) before entering the ACL, otherwise IOS rejects the lines.
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#ip access-list extended VPN-ACL
CISCO2911-EGCAI01(config-ext-nacl)#remark Link from EGCAI01 to NLAMS02E-Fortigate3951
CISCO2911-EGCAI01(config-ext-nacl)#permit ip object-group EGCAI01_remote object-group FC-EGCAI01_local
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group DNS-Servers eq 53
CISCO2911-EGCAI01(config-ext-nacl)#permit udp object-group EGCAI01_remote object-group DNS-Servers eq 53
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3200 3399
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group SAP-Servers range 8000 8099
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group SAP-Servers range 50000 59900
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group SAP-Servers range 3600 3699
CISCO2911-EGCAI01(config-ext-nacl)#permit object-group AD-Services object-group EGCAI01_remote object-group Wipro-DC
CISCO2911-EGCAI01(config-ext-nacl)#permit object-group SCCM-Services object-group EGCAI01_remote object-group Wipro-DC
CISCO2911-EGCAI01(config-ext-nacl)#permit tcp object-group EGCAI01_remote object-group FC-EGCAI01_local eq 389
CISCO2911-EGCAI01(config-ext-nacl)#permit object-group SERVICE-LDAP object-group EGCAI01_remote object-group FC-EGCAI01_local
! ("ldap" is not an ACL protocol keyword on IOS; the SERVICE-LDAP service object-group below carries tcp 389)
CISCO2911-EGCAI01(config-ext-nacl)#permit object-group FC-DC-SERVICES object-group EGCAI01_remote object-group FC-Domain-Controller
CISCO2911-EGCAI01(config-ext-nacl)#permit ip object-group EGCAI01_remote object-group Other-APPS
CISCO2911-EGCAI01(config-ext-nacl)#exit
CISCO2911-EGCAI01(config)#exit
----------------------------------
! Object-groups. IOS 15.x "object-group network" takes network/mask entries (and "host" / "any"),
! so the prefix notation used in the requirements is written out as a dotted mask here.
object-group network any-ipv4
 any
object-group network FC-EGCAI01_local
 description FC-NW
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
object-group network EGCAI01_remote
 description EGY-LOCAL-NW
 192.168.0.0 255.255.240.0
object-group network SAP-Servers
 description SAP-SYSTEMS
 host 10.112.36.114
 host 10.112.40.121
 host 10.112.41.116
 host 10.11.2.23
 host 10.112.2.37
 host 10.174.12.16
 host 10.114.168.46
 host 10.21.111.2
 host 10.21.12.21
 host 10.21.172.65
 host 10.221.152.5
 host 10.250.19.15
 host 10.251.129.15
 host 10.255.1.71
 host 10.58.0.117
 host 10.5.1.21
 host 10.38.5.7
 host 10.81.157.11
 host 10.81.28.1
 host 10.88.39.112
 host 10.88.39.154
 host 10.89.31.1
 host 172.30.115.30
 host 172.30.101.107
 host 172.30.16.20
 host 172.30.39.6
 host 192.168.15.6
 host 10.27.64.1
 host 10.207.96.6
 host 10.212.12.21
 host 10.22.22.23
 host 10.232.199.57
 host 10.38.2.175
 host 10.12.132.60
 host 10.20.122.2
object-group network DNS-Servers
 description FC-DNS
 host 10.11.0.111
 host 10.11.0.211
object-group network FC-Domain-Controller
 description FC-DC
 host 10.230.12.103
object-group network Wipro-DC
 description DWP-WIPRO-NW
 10.33.0.0 255.255.255.0
 10.33.4.0 255.255.255.0
 10.33.5.0 255.255.255.0
 10.33.150.0 255.255.255.0
 10.50.143.0 255.255.255.128
object-group network Other-APPS
 description MSTR-HFM-BASWARE-DSP
 host 10.154.20.156
 host 10.225.22.5
 host 10.129.6.6
 host 10.127.8.125
 host 10.220.225.5
 host 10.162.50.50
 host 10.120.61.20
 host 10.189.8.42
 host 10.1283.32.183
 ! (10.1283.32.183 as given is not a valid IPv4 address; the correct host address needs to be confirmed)
 host 10.233.139.57
 host 172.32.39.20
 host 13.33.0.217
 host 13.215.12.23
 host 13.35.1.5
-------------------
! Service object-groups. "range" takes two port numbers separated by a space on IOS.
object-group service SERVICE-LDAP
 description FC-LDAP
 tcp 389
object-group service AD-Services
 description wipro-AD
 tcp 25
 tcp-udp 53
 udp 67
 udp 68
 udp 88
 udp 123
 tcp 135
 udp 137
 udp 138
 udp 139
 tcp 389
 udp 389
 tcp 445
 udp 445
 tcp 464
 udp 464
 tcp 636
 tcp 3268
 tcp 3269
 tcp 5722
 tcp 9389
 tcp-udp range 49152 65535
object-group service SCCM-Services
 description wipro-SCCM
 tcp 135
 udp 137
 udp 138
 tcp 1433
 udp 1779
 tcp 2701
 tcp 3268
 tcp-udp 445
 tcp 5080
 tcp 5443
 tcp 80
 tcp 8530
object-group service FC-DC-SERVICES
 description FC-DC-SERVICES
 tcp range 1024 65535
 udp 123
 tcp-udp 135
 udp 137
 udp 138
 tcp 139
 tcp 1688
 tcp 3268
 tcp 3269
 tcp-udp 389
 tcp-udp 42
 tcp-udp 445
 tcp-udp 464
 udp range 49152 65535
 tcp-udp 53
 tcp 53248
 tcp 5722
 tcp 57344
 tcp-udp 636
 tcp 647
 udp 67
 tcp-udp 88
 tcp 44
 tcp 80
 tcp 9389
-------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
CISCO2911-EGCAI01(cfg-crypto-trans)#mode tunnel
! ---- not sure
CISCO2911-EGCAI01(cfg-crypto-trans)#exit
CISCO2911-EGCAI01(config)#exit
--------------------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto ikev2 profile NLAMS02E-PROFILE
CISCO2911-EGCAI01(config-ikev2-profile)#match identity remote address 19x.2x7.1xx.1xx 255.255.255.255
CISCO2911-EGCAI01(config-ikev2-profile)#match address local 1x.2x.80.2x
! ---- not sure
CISCO2911-EGCAI01(config-ikev2-profile)#authentication local pre-share
CISCO2911-EGCAI01(config-ikev2-profile)#authentication remote pre-share
CISCO2911-EGCAI01(config-ikev2-profile)#keyring local KR-1
CISCO2911-EGCAI01(config-ikev2-profile)#lifetime 86400
! Dead peer detection (required by the spec above) is not enabled by anything in this profile;
! on IOS it is configured under the IKEv2 profile as "dpd <interval> <retry-interval> on-demand|periodic".
CISCO2911-EGCAI01(config-ikev2-profile)#exit
CISCO2911-EGCAI01(config)#exit
CISCO2911-EGCAI01#
------------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#crypto map CMAP-NLAMS02E 10 ipsec-isakmp
CISCO2911-EGCAI01(config-crypto-map)#set peer 19x.2x7.1xx.1xx
CISCO2911-EGCAI01(config-crypto-map)#set pfs group5
CISCO2911-EGCAI01(config-crypto-map)#set security-association lifetime seconds 28800
CISCO2911-EGCAI01(config-crypto-map)#set transform-set NLAMS02E-TS
CISCO2911-EGCAI01(config-crypto-map)#set ikev2-profile NLAMS02E-PROFILE
CISCO2911-EGCAI01(config-crypto-map)#match address VPN-ACL
CISCO2911-EGCAI01(config-crypto-map)#exit
CISCO2911-EGCAI01(config)#exit
-------------------------------------------------------------------
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#interface GigabitEthernet0/1
CISCO2911-EGCAI01(config-if)# description connected to WAN
CISCO2911-EGCAI01(config-if)# no ip address
CISCO2911-EGCAI01(config-if)# ip flow ingress
CISCO2911-EGCAI01(config-if)# ip flow egress
CISCO2911-EGCAI01(config-if)# ip nat outside
CISCO2911-EGCAI01(config-if)# ip virtual-reassembly in
CISCO2911-EGCAI01(config-if)# duplex auto
CISCO2911-EGCAI01(config-if)# speed auto
CISCO2911-EGCAI01(config-if)# no mop enabled
CISCO2911-EGCAI01(config-if)#exit
CISCO2911-EGCAI01(config)#exit
!
CISCO2911-EGCAI01#configure terminal
CISCO2911-EGCAI01(config)#interface GigabitEthernet0/1.328
CISCO2911-EGCAI01(config-subif)# description connected to PRIMARY_ISP
CISCO2911-EGCAI01(config-subif)# encapsulation dot1Q 328
CISCO2911-EGCAI01(config-subif)# ip address 196.2x.x.x 255.255.255.248
! (this is the public IP; IOS needs the primary address in place before a secondary one is accepted)
CISCO2911-EGCAI01(config-subif)# ip address 172.19.x.x 255.255.255.252 secondary
CISCO2911-EGCAI01(config-subif)# crypto map CMAP-NLAMS02E
CISCO2911-EGCAI01(config-subif)# ip flow ingress
CISCO2911-EGCAI01(config-subif)# ip flow egress
CISCO2911-EGCAI01(config-subif)# ip nat outside
! With "ip nat outside" on the crypto interface, inside-to-outside NAT runs before the crypto map is checked,
! so traffic between 192.168.0.0/20 and the head-office subnets must be exempted from NAT or VPN-ACL will not match it.
CISCO2911-EGCAI01(config-subif)# ip virtual-reassembly in
CISCO2911-EGCAI01(config-subif)#exit
CISCO2911-EGCAI01(config)#exit
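A quick way to check the commands above against the requirement list at the top of the post, as an added Python example that is not part of the original post: it matches each requirement against a constructed copy of the relevant config lines and reports what is missing. The one item it reports is dead peer detection, which the requirements ask for but the IKEv2 profile never enables (on IOS that is `dpd <interval> <retry> on-demand|periodic` under the profile).

```python
import re

# Constructed excerpt of the router config from the post above (peer IP masked as posted).
SAMPLE_CONFIG = """\
crypto ikev2 proposal PROP-NLAMS02E
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 profile NLAMS02E-PROFILE
 match identity remote address 19x.2x7.1xx.1xx 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
 lifetime 86400
crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map CMAP-NLAMS02E 10 ipsec-isakmp
 set peer 19x.2x7.1xx.1xx
 set pfs group5
 set security-association lifetime seconds 28800
 set transform-set NLAMS02E-TS
 set ikev2-profile NLAMS02E-PROFILE
 match address VPN-ACL
"""

# Requirement from the post -> regex that must match one line of the config.
# The DPD entry uses the IOS IKEv2 profile syntax "dpd <interval> <retry> on-demand|periodic".
REQUIREMENTS = {
    "IKE: AES256 encryption": r"^ encryption aes-cbc-256$",
    "IKE: SHA256 integrity": r"^ integrity sha256$",
    "IKE: DH group 14": r"^ group 14$",
    "IKE: pre-shared-key auth": r"^ authentication remote pre-share$",
    "IKE: lifetime 86400": r"^ lifetime 86400$",
    "IKE: DPD enabled": r"^ dpd \d+ \d+ (on-demand|periodic)$",
    "IPsec: ESP AES256/SHA256": r"transform-set \S+ esp-aes 256 esp-sha256-hmac$",
    "IPsec: tunnel mode": r"^ mode tunnel$",
    "IPsec: PFS DH group 5": r"^ set pfs group5$",
    "IPsec: SA lifetime 28800": r"^ set security-association lifetime seconds 28800$",
}

def audit(config: str) -> dict:
    """Map each requirement to True/False depending on whether the config satisfies it."""
    return {name: re.search(pat, config, re.M) is not None
            for name, pat in REQUIREMENTS.items()}

def missing(config: str) -> list:
    """Requirements the config does not meet, in REQUIREMENTS order."""
    return [name for name, ok in audit(config).items() if not ok]
```

Run `missing(SAMPLE_CONFIG)` to get the list of unmet requirements; feed it the output of `show running-config | section crypto` from the router to check the live box the same way.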