Overcoming private address to public address GRE limitation with cellular

toboggans
Level 1

I have two questions:


1. Is it possible to establish GRE tunnels using IPSec encapsulation while using a cellular interface on an ISR router?


2. Is it possible to establish this connectivity while the LTE carrier dynamically assigns a private address to the ISR, and we have a static public address on the hub firewall? A private APN is not currently available, and the carrier NATs the private address to a dynamic public address elsewhere in their network.


GREs are important here, as the ISR has multiple VRFs that cannot be combined into a global VRF due to security reasons.


Hello,


IPSec/GRE on a cellular interface should be no problem.


As for your second question, what exactly does your topology look like? How is the ISR connected to the firewall?

Both the firewall and the ISR are directly connected to the Internet.

The firewall has a simple Ethernet connection to the Internet, while the ISR has an LTE connection to the Internet. The cellular slot has a SIM card on a public APN.


I attempted to build a config for VRF-aware IPSec, but I've not found enough documentation to suggest it is a viable solution, especially when the LTE interface is assigned a private address by the carrier. The other issue is we have at least two VRFs on the ISR which cannot be combined to one IVRF due to a security limitation.

Hello,


I guess my question was how the ISR and the firewall are connected.


Either way, if the ISR is behind a NAT device (your provider's device), you need to configure NAT Traversal on the ISR by forwarding UDP 4500.


Post the full running configuration of the ISR...
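How NAT Traversal's detection step works out that the ISR sits behind the carrier's NAT, as an added Python illustration that is not part of this thread or of any Cisco code: it builds the IKEv2 NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP payloads defined in RFC 7296 section 2.23 and compares them with the address and port the hub actually sees. The spoke's private address, the carrier's public NAT address and port, and the SPI values are constructed; 1.1.1.1 is the hub address used in the config posted later in the thread.

```python
import hashlib
import ipaddress

IKE_PORT = 500      # initial IKE_SA_INIT exchange
NAT_T_PORT = 4500   # UDP-encapsulated IKE/ESP once a NAT is detected (RFC 3948)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP data: SHA-1(SPIi | SPIr | IP | port), RFC 7296 s.2.23.
    IP is the raw 4- or 16-byte address, port is 2 bytes big-endian."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def behind_nat(spi_i: bytes, spi_r: bytes, advertised: bytes,
               seen_ip: str, seen_port: int) -> bool:
    """The receiver recomputes the hash over the address/port it observed on the
    wire. A mismatch means a NAT rewrote the outer header somewhere on the path."""
    return nat_detection_hash(spi_i, spi_r, seen_ip, seen_port) != advertised


def ike_sa_init(spoke_ip: str, hub_ip: str, nat_ip: str, nat_port: int):
    """Simulate the spoke's IKE_SA_INIT request crossing a carrier NAT.
    Returns (spoke_is_nated, hub_is_nated, udp_port_the_hub_will_use)."""
    spi_i = bytes.fromhex("0102030405060708")  # constructed initiator SPI
    spi_r = bytes(8)                           # responder SPI is zero in the request
    # The spoke hashes the addresses it believes it has (its private LTE address).
    n_src = nat_detection_hash(spi_i, spi_r, spoke_ip, IKE_PORT)
    n_dst = nat_detection_hash(spi_i, spi_r, hub_ip, IKE_PORT)
    # The carrier NAT rewrites the source; the hub receives from nat_ip:nat_port.
    spoke_nated = behind_nat(spi_i, spi_r, n_src, nat_ip, nat_port)
    # The hub checks the destination hash against its own address.
    hub_nated = behind_nat(spi_i, spi_r, n_dst, hub_ip, IKE_PORT)
    port = NAT_T_PORT if (spoke_nated or hub_nated) else IKE_PORT
    return spoke_nated, hub_nated, port


if __name__ == "__main__":
    # Constructed: carrier-assigned private 100.64.0.10, NATed to 203.0.113.7:31337.
    print(ike_sa_init("100.64.0.10", "1.1.1.1", "203.0.113.7", 31337))
```

Because the hub learns the spoke's current public address and port from the observed packet rather than from configuration, the carrier's dynamic public address does not need to be known in advance; the hub just has to accept the peer by identity or pre-shared key rather than by a fixed source address, and reply to the observed address on UDP 4500.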

Isn't NAT-T enabled by default?


The two devices are connected by the Internet. Nothing in between.

I ran into an issue of using crypto maps on tunnels (new requirement after v15 or so), hence the reply edit. I believe I've overcome that issue.


Configs below. Note two VRFs for the two LANs.

version 16.8
!
ip vrf LAN1
!
ip vrf LAN2
!
!
!
!
!
!
controller Cellular 0/2/0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery disable
!
!
!
!
!
crypto isakmp policy 111
encr aes 256
authentication pre-share
group 2
lifetime 1440
crypto isakmp key xxxxxxxxxxxxx address 1.1.1.1
!
!
crypto ipsec transform-set ipsec-set esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set ipsec-set
!
!
!
!
interface Loopback1
ip vrf forwarding LAN1
ip address 172.16.1.1 255.255.255.255
!
interface Loopback2
ip vrf forwarding LAN2
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel1
ip vrf forwarding LAN1
ip address 10.1.1.1 255.255.255.252
ip access-group LAN1-ACL in
tunnel source Cellular0/2/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile VTI shared
!
interface Tunnel2
ip vrf forwarding LAN2
ip address 10.1.2.1 255.255.255.252
ip access-group LAN2-ACL in
tunnel source Cellular0/2/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile VTI shared
!
interface Cellular0/2/0
no ip address
dialer in-band
dialer idle-timeout 0
dialer-group 1
ipv6 enable
pulse-time 1
!
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip route vrf LAN1 0.0.0.0 0.0.0.0 Tunnel1
ip route vrf LAN2 0.0.0.0 0.0.0.0 Tunnel2
!
!
ip access-list extended LAN1-ACL
permit ip host 1.1.1.1 any
ip access-list extended LAN2-ACL
permit ip host 1.1.1.1 any
!
dialer-list 1 protocol ip permit
!


Hello Georg. Have you had a moment to take a look at the config at all?

Hello,


the config looks good as far as I can tell, but I am still not clear on what your topology looks like. Is it:


Router --> Firewall --> Internet


Site A: C1111 Router > Internet


Site B: Firewall > Internet


I aim to connect both sites via Internet over IPSec and/or GRE.


Site A uses its LTE interface to connect to the Internet, and the LTE carrier assigns a dynamic private IP to the LTE interface.


Site B has a public address on a direct Ethernet connection to the Internet.
