
IPsec Configuration Cisco ASR920

Amos Kafwembe
Level 1

Good day all,

I am trying to set up an IPsec VPN on my Cisco ASR920. I found a sample config on the Cisco site, but one thing I note is that there is no ACL to identify interesting traffic in the configuration. How do I capture interesting traffic and send it via the IPsec tunnel with this sample config provided by Cisco?

 

https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/sec_vpn/sec-ipsec-xe-3s-book-920/overview_of_ipsec.html

3 Replies

Hi,

In this example you provided it uses a VTI (virtual tunnel interface) and does not require an ACL to define interesting traffic. To send encrypted traffic across the VPN tunnel you just need to route the traffic, either a static route or using a routing protocol.

 

From the example in the link you provided:

ip route 192.168.20.0 255.255.255.0 tunnel504

Therefore 192.168.20.0/24 is the remote subnet which would be encrypted and routed over the VTI, obviously a return route needs to be applied on the other device.

 

HTH

Hi RJI,

 

Is this secure? Also, do you have any sample config on achieving this without tunnel mode?

Hi,

Yes, it is secure; it's still an IPsec VPN, it just uses a VTI rather than a crypto map. I personally prefer using a VTI over a crypto map.

 

Example of Crypto Map on Cisco router

 

HTH
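
With a VTI, as the replies above explain, the routing table rather than an ACL decides what is encrypted, so a more-specific route or an unprotected tunnel can send traffic out in the clear. The following is an added example, not part of the thread or of Cisco's guide: a small audit that does a longest-prefix match over static routes and reports whether a destination leaves through an IPsec-protected tunnel. The config fragment is constructed; the profile name VPN-PROF, Tunnel600, and every address except the 192.168.20.0/24 route are assumptions, and only static routes with full interface names are handled.

```python
import ipaddress
import re

# Constructed config fragment (not from a real device); names and addresses are assumptions.
SAMPLE_CONFIG = """\
interface Tunnel504
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROF
!
interface Tunnel600
 tunnel destination 203.0.113.6
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.168.20.0 255.255.255.0 tunnel504
ip route 192.168.20.128 255.255.255.128 198.51.100.1
ip route 192.168.30.0 255.255.255.0 Tunnel600
"""

def protected_tunnels(config):
    """Return lower-cased names of tunnel interfaces that carry 'tunnel protection ipsec profile'."""
    protected, current = set(), None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)", line, re.I)
        if m:
            current = m.group(1).lower()
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current and "tunnel protection ipsec profile" in line:
            protected.add(current)
    return protected

def static_routes(config):
    """Return (network, next-hop-or-interface) for every 'ip route' line."""
    routes = []
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        routes.append((net, m.group(3).lower()))
    return routes

def is_encrypted(config, dest):
    """True only if the longest matching static route exits via a protected tunnel."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in static_routes(config) if addr in r[0]]
    if not matches:
        return False  # no route at all, so nothing reaches the tunnel
    _, target = max(matches, key=lambda r: r[0].prefixlen)
    return target in protected_tunnels(config)
```

In the constructed fragment, the /25 route via a plain next hop overrides the /24 tunnel route for half of the remote subnet, and Tunnel600 has no IPsec protection at all, so both are reported as unencrypted.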