This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec IKE Tunnel to Cisco IOS Router

Can anybody share a working configuration for this? Ideally, Cisco IOS code snippet, XG Profile and IPsec VPN configuration.

Cant find anything on the internet and so far spent a couple of hours, so far unsuccessfully. I've set up plenty of Cisco to Cisco tunnels and I'm sure I can get this working eventually but I'd rather not reinvent the wheel.



This thread was automatically locked due to age.
  • Answering my own request as it may help someone else.

    This assumes some experience with setting up IPsec tunnels on Cisco equipment. There are plenty of online guides if you need more help with this. It was developed with an older Cisco router (IOS 15) so the encryption is competitively weak because of limitations in that release. It does however mean that it should work with any Cisco router. Once you have it up and running on a newer router you can modify it for stronger encryption as required.

    The tunnel is applied to the Cisco via a crypto map on the WAN interface. We prefer to do Cisco tunnels as a dedicated Tunnel interface but I couldn't get that to work (if anybody can help with this, please chime in).

    I haven't included it because it is site specific but after establishing the tunnel, you will need to remember to make sure you exclude the tunnel traffic from NAT (if applicable) and adjust MTU/MSS on the WAN interface to successfully pass traffic.

    IPs used in this example:
    Cisco LAN 192.168.1.1
    Cisco WAN 172.16.96.97
    XG LAN 172,16.16.16
    XG WAN 172.16.96.96

    Cisco code snippet:

    crypto isakmp policy 10
     encr 3des
     hash sha256
     authentication pre-share
     group 14crypto isakmp key q8M948cbfTCiAgLN address 172.16.96.96 no-xauth
    
    crypto ipsec security-association lifetime seconds 28800
    
    crypto ipsec transform-set sophos esp-3des esp-sha-hmac 
    
    crypto map XGVPNmap 10 ipsec-isakmp 
     description Tunnel to XG
     set peer 172.16.96.96
     set transform-set sophos 
     set pfs group14
     match address VPNTraffic
    
    interface FastEthernet0/0
     description LAN
     ip address 192.168.1.1 255.255.255.0
    
    interface FastEthernet0/1
     description WAN
     ip address 172.16.96.97 255.255.255.0
     crypto map XGVPNmap
    
    ip access-list extended VPNTraffic
     permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255

    XG IPsec Policy:

    XG IPsec VPN Settings:

    LAN and WAN definitions: