Solved: Re: C1111-8P IPSEC SITE TO SITE VPN

Netplace Support · ‎03-14-2019

Hi,

I'm planning to configure IPsec Site to Site VPN on C1111-8P Router. Is there anyone share configuration example need to do on router.

Mark Malone · ‎04-04-2019

Hi
how many are you planning on having ?
default is 50mb throughput upgrade able to 250 with a performance ipsec license so it goes on that rather than the actual amount of tunnels , the data sheets do not e give a count

Pay as you grow: IPsec performance upgrade model ●Router IPsec capacity canbe increased with a remote performance-on-demand license upgrade (no hardware upgrade) for exceptional savings and CapEx budget manageme

FL-VPERF-8P-200(=) FL-VPERF-4P-100(=) IPSec Performance (VPERF) IPsec Performance: Additional 100 Mbps for ISR 1100-4P and 200 Mbps for ISR 1100-8P. Not applicable on C1109-2PLTE models.

https://www.cisco.com/c/en/us/products/collateral/routers/1000-series-integrated-services-routers-isr/datasheet-c78-739512.pdf7

https://www.router-switch.com/pdf/c1111-8p-datasheet.pdf

https://www.google.com/search?q=Cisco+ISR+1000+Series-Platform+Spec&client=firefox-b-d&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjuyKGnobbhAhXOQxUIHeWvDZEQ_AUIDigB&biw=1704&bih=1036#imgrc=TD1aylxWcH473M:

View solution in original post

Georg Pauwen · ‎03-15-2019

Hello,

the C1111 has software parity with the ISR4K, so the below, generic SVTI site to site VPN sample config should work:

C1111_1

service timestamps debug datetime
service timestamps log datetime
hostname C1111_1
!
no aaa new-model
ip subnet-zero
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile PF
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
load-interval 30
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection IPsec profile PF
!
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.252
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
!
ip classless
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
line con 0
line aux 0
line vty 0 4

C1111_2

service timestamps debug datetime
service timestamps log datetime
hostname C1111_2
!
no aaa new-model
ip subnet-zero
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile PF
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.0.0.2
tunnel destination 10.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PF
!
interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.252
!
interface Vlan1
ip address 192.168.20.1 255.255.255.0
!
ip classless
ip route 192.168.10.0 255.255.255.0 Tunnel0
!
line con 0
line aux 0
line vty 0 4

Netplace Support · ‎03-16-2019

Georg,

Thanks for reply, but could you put please more light on command

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

Can i use my router outside interface Public ip address instead of 0.0.0.0 0.0.0.0 in above command.

Also if there's any need to add ACL for internal ip subnet for both location to communicate.

Regards,

VIshal

Georg Pauwen · ‎03-16-2019

Hello,

--> crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

The 0.0.0.0 0.0.0.0 address would be used if your routers have dynamically assigned addresses, if you have static public IP addresses you can by all means use those.

With (S)VTI VPNs you don't need access lists anymore, you just use static routes pointing to the tunnel interface (as in the example).

If you need detailed support on how to set up your VPN, post the full configurations of both routers...

Netplace Support · ‎04-04-2019

Thanks Georg,

Could you please let me know How many IPSEC Site to Site VPN (Count) supports by C1111-8P Router

Regrads,

Vishal

Mark Malone · ‎04-04-2019

Hi
how many are you planning on having ?
default is 50mb throughput upgrade able to 250 with a performance ipsec license so it goes on that rather than the actual amount of tunnels , the data sheets do not e give a count

Pay as you grow: IPsec performance upgrade model ●Router IPsec capacity canbe increased with a remote performance-on-demand license upgrade (no hardware upgrade) for exceptional savings and CapEx budget manageme

FL-VPERF-8P-200(=) FL-VPERF-4P-100(=) IPSec Performance (VPERF) IPsec Performance: Additional 100 Mbps for ISR 1100-4P and 200 Mbps for ISR 1100-8P. Not applicable on C1109-2PLTE models.

https://www.cisco.com/c/en/us/products/collateral/routers/1000-series-integrated-services-routers-isr/datasheet-c78-739512.pdf7

https://www.router-switch.com/pdf/c1111-8p-datasheet.pdf

https://www.google.com/search?q=Cisco+ISR+1000+Series-Platform+Spec&client=firefox-b-d&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjuyKGnobbhAhXOQxUIHeWvDZEQ_AUIDigB&biw=1704&bih=1036#imgrc=TD1aylxWcH473M: