
IPSec VPN between Cisco ISR 1117-4PW & ASA 5505

joelburrell
Level 1

So, this is just a quick call for help. I am trying to understand how to implement a network-to-network tunnel between a new ISR1117 and an ASA 5505. We have previously been using 800 series ISRs and the IPSec VPN config is very straightforward. I assumed it would be similarly supported by the 1100 series, but I have done a lot of googling and reading 1100 series support documents and am just confused.

Are standard IPSec tunnels supported by the 1117? Can anyone point me to a configuration guide for the 1117 for basic IPSec tunnel configuration? Is it covered by what is now called FlexVPN?

Even trying to follow command branches in the CLI on the 1117, I cannot seem to find relevant configuration options.

The nearest I can find is tunnel interfaces that support IPSec configuration, but do they support what I understand is considered legacy IPSec tunnel configuration with a pre-shared key?

Any assistance very much appreciated as I am currently stuck.

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Joel,

You may be facing a licensing issue. All new products use the licensing model.

According to the ISR 1100 ordering guide, you would need the IPSEC license for full use of IPSec tunnels.

see

Four major technology licenses are available on the 1000 Series; these licenses can be activated through the Cisco software activation process described at https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-software-activation/index.html. The following licenses are available:

   IP Base: This technology package is the default.

   Application Experience (APP): This license includes data and application performance features.

   Security (SEC) or Security with No Payload Encryption (SEC-NPE): This license includes features for securing network infrastructure.

   IP Security (IPSEC): This license includes features that improve IP security performance multifold. HSEC is an enforced performance license.

I think the last one is needed for full IPSEC VPN capacity because the previous says with no payload encryption that is what we want when building an IPSEC tunnel.

on

https://www.cisco.com/c/en/us/products/collateral/routers/1000-series-integrated-services-routers-isr/guide-c07-740009.html

 

You can check your current licenses with

show license all

 

Hope to help

Giuseppe

 


This would seem to be my issue. How tedious.

 

Thanks for the heads up so I can stop wasting my time.

Hello,

 

What kind of IPSec VPN do you want to configure exactly? Below is the Everest 16.6 guide for VTIs:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16-6/sec-sec-for-vpns-w-ipsec-xe-16-6-book/sec-ipsec-virt-tunnl.html

A simple network-to-network IPSec VPN tunnel. As an example, in that configuration guide you have linked, "Crypto ipsec" is referenced multiple times.

 

My 1117 is running 16.9 and does not have this configuration option at all.

 

This is the output I get from "crypto ?"

(config)#crypto ?
RSA-key-pair RSA key pair
ca Certification authority
key Long term key operations
pki Public Key components
provisioning Secure Device Provisioning
wui Crypto HTTP configuration interfaces

 

Under this link

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16-9/sec-sec-for-vpns-w-ipsec-xe-16-9-book/sec-cfg-vpn-ipsec.html

 

For Fuji 16.9 it refers to the configuration option "crypto IKEv2"; this is an unknown command on my ISR 1117.
