03-14-2019 11:25 PM
Hi,
I'm planning to configure an IPsec site-to-site VPN on a C1111-8P router. Can anyone share a configuration example of what needs to be done on the router?
03-15-2019 01:23 AM
Hello,
The C1111 has software parity with the ISR4K, so the generic SVTI site-to-site VPN sample config below should work:
C1111_1
service timestamps debug datetime
service timestamps log datetime
hostname C1111_1
!
no aaa new-model
ip subnet-zero
ip cef
!
! IKEv1 phase 1 policy: AES, pre-shared key, DH group 14
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
! Pre-shared key; 0.0.0.0 0.0.0.0 matches any peer address
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile PF
 set transform-set TS
!
! Static VTI protected by IPsec profile PF
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 load-interval 30
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PF
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.252
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
!
ip classless
! Reach the remote LAN through the tunnel
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
line con 0
line aux 0
line vty 0 4
C1111_2
service timestamps debug datetime
service timestamps log datetime
hostname C1111_2
!
no aaa new-model
ip subnet-zero
ip cef
!
! IKEv1 phase 1 policy: AES, pre-shared key, DH group 14
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
! Pre-shared key; 0.0.0.0 0.0.0.0 matches any peer address
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile PF
 set transform-set TS
!
! Static VTI protected by IPsec profile PF
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source 10.0.0.2
 tunnel destination 10.0.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PF
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.2 255.255.255.252
!
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
!
ip classless
! Reach the remote LAN through the tunnel
ip route 192.168.10.0 255.255.255.0 Tunnel0
!
line con 0
line aux 0
line vty 0 4
03-16-2019 12:35 AM
Georg,
Thanks for the reply, but could you please shed more light on the command
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
Can I use my router's outside interface public IP address instead of 0.0.0.0 0.0.0.0 in the above command?
Also, is there any need to add an ACL for the internal IP subnets for both locations to communicate?
Regards,
Vishal
03-16-2019 12:54 AM
Hello,
--> crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
The 0.0.0.0 0.0.0.0 address would be used if your routers have dynamically assigned addresses; if you have static public IP addresses, you can by all means use those.
With (S)VTI VPNs you don't need access lists anymore; you just use static routes pointing to the tunnel interface (as in the example).
If you need detailed support on how to set up your VPN, post the full configurations of both routers...
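Added example, not part of the original posts: a small Python check of the point discussed above, that `address 0.0.0.0 0.0.0.0` makes the pre-shared key apply to any peer, while a static peer address can be pinned instead. The function names and sample strings are constructed for illustration, and only IPv4 `crypto isakmp key ... address` lines are handled.

```python
import ipaddress
import re

# Constructed sample: the key and tunnel lines from the C1111_1 config above.
SAMPLE_WILDCARD = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
interface Tunnel0
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
"""
# Constructed variant: same tunnel, key pinned to the static peer address.
SAMPLE_PINNED = SAMPLE_WILDCARD.replace("0.0.0.0 0.0.0.0", "10.0.0.2")

# Optional "0 " / "6 " key-type prefix as shown in a running config.
KEY_RE = re.compile(
    r"^[ \t]*crypto isakmp key (?:[06] )?\S+ address (\S+)(?: (\S+))?[ \t]*$", re.M)
DEST_RE = re.compile(r"^[ \t]*tunnel destination (\S+)[ \t]*$", re.M)


def key_scopes(config):
    """Return the peer networks that each pre-shared key line applies to."""
    scopes = []
    for addr, mask in KEY_RE.findall(config):
        # A key line without a mask applies to that single host address.
        mask = mask or "255.255.255.255"
        scopes.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return scopes


def audit_psk(config):
    """Flag wildcard keys and tunnel destinations that no key line covers."""
    findings = []
    scopes = key_scopes(config)
    for net in scopes:
        if net.prefixlen == 0:
            findings.append("wildcard pre-shared key: applies to any peer address")
    for dest in DEST_RE.findall(config):
        peer = ipaddress.ip_address(dest)
        if not any(peer in net for net in scopes):
            findings.append(f"no pre-shared key covers tunnel destination {dest}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("wildcard", SAMPLE_WILDCARD), ("pinned", SAMPLE_PINNED)):
        print(name, audit_psk(cfg) or "ok")
```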
04-04-2019 03:16 AM
Thanks Georg,
Could you please let me know how many IPsec site-to-site VPNs (count) the C1111-8P router supports?
Regards,
Vishal
04-04-2019 03:48 AM