05-18-2019 01:36 AM
So, this is just a quick call for help. I am trying to understand how to implement a network to network tunnel between a new ISR1117 and an ASA 5505. We have previously been using 800 series ISRs and the ipsec vpn config is very straightforward. I assumed it would be similarly supported by the 1100 series but I have done a lot of googling and reading 1100 series support documents and am just confused.
Are standard ipsec tunnels supported by the 1117? Can anyone point me to a configuration guide for the 1117 for basic IPSec tunnel configuration? Is it covered by what is now called flexvpn?
Even trying to follow command branches in the CLI on the 1117, I cannot seem to find relevant configuration options.
The nearest I can find is tunnel interfaces that support IPSec configuration, but do they support what I understand are considered legacy IPSec tunnel configuration with a pre-shared key?
Any assistance very much appreciated as I am currently stuck.
05-18-2019 01:53 AM - edited 05-18-2019 01:55 AM
Hello Joel,
You may be facing a licensing issue. All new products use the licensing model.
According to the ISR 1100 ordering guide, you would need the IPSEC license for full use of IPSec tunnels.
See:
Four major technology licenses are available on the 1000 Series; these licenses can be activated through the Cisco software activation process described at https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-software-activation/index.html. The following licenses are available:
● IP Base: This technology package is the default.
● Application Experience (APP): This license includes data and application performance features.
● Security (SEC) or Security with No Payload Encryption (SEC-NPE): This license includes features for securing network infrastructure.
● IP Security (IPSEC): This license includes features that improve IP security performance multifold. HSEC is an enforced performance license.
I think the last one is needed for full IPSEC VPN capacity because the previous says with no payload encryption that is what we want when building an IPSEC tunnel.
You can check your current licenses with
show license all
Hope to help
Giuseppe
05-18-2019 02:32 AM
This would seem to be my issue. How tedious.
Thanks for the heads up so I can stop wasting my time.
05-18-2019 02:03 AM
Hello,
What kind of IPSec VPN do you want to configure exactly? Below is the Everest 16.6 guide for VTIs:
05-18-2019 02:28 AM
A simple network to network ipsec vpn tunnel. As an example, in that configuration guide you have linked, "crypto ipsec" is referenced multiple times.
My 1117 is running 16.9 and does not have this configuration option at all.
This is the output I get from "crypto ?"
(config)#crypto ?
RSA-key-pair RSA key pair
ca Certification authority
key Long term key operations
pki Public Key components
provisioning Secure Device Provisioning
wui Crypto HTTP configuration interfaces
Under this link
for Fuji 16.9 it refers to the configuration option "crypto IKEv2"; this is an unknown command on my ISR 1117.