Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
618
Views
0
Helpful
0
Replies

IPSEC VTI over MPLS

networkoperations3
Level 1
Level 1

‎02-14-2020 07:11 AM

We are currently using IPsec VTI on our WAN links with our current service provider. However, we have to change service providers due to some reasons. The first test we did with the new service provider who uses MPLS was not successful. Could it be that IPsec VTI does not work with MPLS? We will appreciate your assistance, please have a look at sample config below

...........................
ROUTER - HO
...............................
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key .... address 10.1.1.10
crypto ipsec security-association replay window-size
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN_TO_Branch
set transform-set ESP-3DES-SHA
!
crypto map MainWAN 12 ipsec-isakmp
description VPN_TO_Branch
set peer 10.1.1.10
set transform-set ESP-3DES-SHA
match address 104
!
interface Tunnel0
description Link to Branch
ip address 192.168.1.9 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.1.1.10
tunnel protection ipsec profile VPN_TO_Branch
!
!
interface GigabitEthernet0/0/0
description Service Provider Facing Interface
ip address 10.1.1.9 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
!
.............................
ROUTER - Branch
...............................
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key .... address 10.1.1.9
!
crypto ipsec security-association replay window-size
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN_TO_HO
set transform-set ESP-3DES-SHA
!
crypto map MainWAN 10 ipsec-isakmp
description VPN_TO_HO
set peer 10.1.1.9
set security-association lifetime seconds 10800
set transform-set ESP-3DES-SHA
match address SDM_3
!
interface Tunnel0
description Service Provider Link to HO
ip address 192.168.1.10 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.1.1.9
tunnel protection ipsec profile VPN_TO_HO
!
interface GigabitEthernet0/0/0
description Service Provider Facing Interface
ip address 10.1.1.10 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card