{"id":1372,"date":"2020-12-25T23:36:04","date_gmt":"2020-12-25T16:36:04","guid":{"rendered":"https:\/\/lagonet.vn\/?p=1349"},"modified":"2020-12-25T23:36:04","modified_gmt":"2020-12-25T16:36:04","slug":"edgerouter-site-to-site-ipsec-vpn-to-cisco-isr","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1372","title":{"rendered":"EdgeRouter &#8211; Site-to-Site IPsec VPN to Cisco ISR"},"content":{"rendered":"<header class=\"article__header\">\n<h1 class=\"article__body--header\">EdgeRouter &#8211; Site-to-Site IPsec VPN to Cisco ISR<\/h1>\n<\/header>\n<div class=\"article-body markdown\">\n<p><a name=\"top\"><\/a><\/p>\n<h1 class=\"article__body--header\">Overview<\/h1>\n<p>Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a Cisco ISR.<\/p>\n<div class=\"article-notice-box box--green\">\n<div id=\"note-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>NOTES &amp; REQUIREMENTS:<\/strong><\/span><\/div>\n<div class=\"node--body\">Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. 
Please see the\u00a0<a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115010852988-EdgeRouter-Site-to-Site-IPsec-VPN-to-Cisco-ISR#3\" target=\"_self\" rel=\"noopener\">Related Articles<\/a>\u00a0below for more information.<\/div>\n<div class=\"node--body\"><\/div>\n<div class=\"node--body\">Devices used in this article:<\/div>\n<div class=\"node--body\">\n<div class=\"node--body\">\n<ul>\n<li><a href=\"https:\/\/www.ui.com\/edgemax\/edgerouter-4\/\" target=\"_blank\" rel=\"noopener\">EdgeRouter 4 (ER-4)<\/a><\/li>\n<li>Cisco ISR<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h2 class=\"article__body--header\">Table of Contents<\/h2>\n<ol>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115010852988-EdgeRouter-Site-to-Site-IPsec-VPN-to-Cisco-ISR#1\" target=\"_self\" rel=\"noopener\">Frequently Asked Questions (FAQ)<\/a><\/li>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115010852988-EdgeRouter-Site-to-Site-IPsec-VPN-to-Cisco-ISR#2\" target=\"_self\" rel=\"noopener\">Setting up a Policy-Based VPN<\/a><\/li>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115010852988-EdgeRouter-Site-to-Site-IPsec-VPN-to-Cisco-ISR#3\" target=\"_self\" rel=\"noopener\">Related Articles<\/a><\/li>\n<\/ol>\n<p><a name=\"1\"><\/a><\/p>\n<h2 class=\"article__body--header\">FAQ<\/h2>\n<div class=\"table-wrapper-outer\">\n<div class=\"table-wrapper\">\n<table class=\"faq-table\">\n<tbody>\n<tr>\n<td>\n<div class=\"faq--header\">1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?<\/div>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<div class=\"faq--header\">2. 
What are the available encryption and hashing options for IKE and ESP?<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><a name=\"2\"><\/a><\/p>\n<h2 class=\"article__body--header\">Setting up a Policy-Based VPN<\/h2>\n<p class=\"wysiwyg-text-align-center\"><img decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help.ui.com\/hc\/article_attachments\/360033075714\/topology.png\" alt=\"topology.png\" \/><\/p>\n<p class=\"wysiwyg-text-align-center\"><em>The 192.168.1.0\/24 and 172.16.1.0\/24 networks will be allowed to communicate with each other over the VPN.<\/em><\/p>\n<div class=\"article-notice-box box--dark-gray\">\n<div id=\"cli-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>CLI:<\/strong>\u00a0Access the Command Line Interface on the EdgeRouter.<\/span><\/div>\n<\/div>\n<\/div>\n<p>1. Enter configuration mode.<\/p>\n<pre>configure<\/pre>\n<p>2. Enable the\u00a0<strong>auto-firewall-nat-exclude\u00a0<\/strong>feature.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec auto-firewall-nat-exclude enable<\/pre>\n<\/div>\n<p>3. Create the IKE \/ Phase 1 (P1) Security Associations (SAs).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 lifetime 28800\nset vpn ipsec ike-group FOO0 proposal 1 dh-group 14\nset vpn ipsec ike-group FOO0 proposal 1 encryption aes128\nset vpn ipsec ike-group FOO0 proposal 1 hash sha1<\/pre>\n<\/div>\n<p>4. 
Create the ESP \/ Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec esp-group FOO0 lifetime 3600\nset vpn ipsec esp-group FOO0 pfs disable\nset vpn ipsec esp-group FOO0 proposal 1 encryption aes128\nset vpn ipsec esp-group FOO0 proposal 1 hash sha1<\/pre>\n<\/div>\n<p>5. Define the remote peering address (replace\u00a0<strong>&lt;secret&gt;<\/strong>\u00a0with your desired passphrase).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret\nset vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret &lt;secret&gt;\nset vpn ipsec site-to-site peer 192.0.2.1 description ipsec\nset vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1<\/pre>\n<\/div>\n<p>6. Link the SAs created above to the remote peer and define the\u00a0<strong>local<\/strong>\u00a0and\u00a0<strong>remote<\/strong>\u00a0subnets.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0\nset vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0\nset vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0\/24\nset vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0\/24<\/pre>\n<\/div>\n<p>7. Commit the changes and save the configuration.<\/p>\n<pre>commit ; save<\/pre>\n<div class=\"article-notice-box box--dark-gray\">\n<div id=\"cli-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>CLI:<\/strong>\u00a0Access the Command Line Interface on the Cisco ISR.<br \/>\n<\/span><\/div>\n<\/div>\n<\/div>\n<p>1. 
Enter configuration mode.<\/p>\n<pre>configure terminal<\/pre>\n<p>2. Create an IKE policy.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">crypto isakmp policy 100\n authentication pre-share\n encryption aes 128\n hash sha\n group 14\n lifetime 28800<\/pre>\n<\/div>\n<p>3. Configure a Transform Set\u00a0for IPsec.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">crypto ipsec transform-set ipsec-ts esp-aes 128 esp-sha-hmac<\/pre>\n<\/div>\n<p>4. Define the peer address (replace\u00a0<strong>&lt;secret&gt;<\/strong>\u00a0with your desired passphrase).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">crypto isakmp key &lt;secret&gt; address 203.0.113.1<\/pre>\n<\/div>\n<p>5. Create an Access List that defines the\u00a0<strong>remote<\/strong>\u00a0and\u00a0<strong>local<\/strong>\u00a0subnets.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">ip access-list extended ipsec-acl\n permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255<\/pre>\n<\/div>\n<p>6. Create a crypto map and link it to the previously created\u00a0<strong>transform-set<\/strong>\u00a0and\u00a0<strong>access-list<\/strong>.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">crypto map ipsec-cm 100 ipsec-isakmp\n set peer 203.0.113.1\n set transform-set ipsec-ts\n match address ipsec-acl\n set security-association lifetime seconds 3600<\/pre>\n<\/div>\n<p>7. Assign the crypto map to the WAN interface.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">interface gi0\/0\n crypto map ipsec-cm<\/pre>\n<\/div>\n<p>8. 
Exclude the IPsec traffic from being translated by NAT.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">ip access-list extended nat-acl\n deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255\n permit ip 172.16.1.0 0.0.0.255 any\n\nip nat inside source list nat-acl interface gi0\/0 overload<\/pre>\n<\/div>\n<p>9.\u00a0Write the changes to the startup configuration.<\/p>\n<pre>copy running-config startup-config<\/pre>\n<p><a name=\"3\"><\/a><\/p>\n<h2 class=\"article__body--header\">Related Articles<\/h2>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011058387\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Site-to-Site IPsec VPN to Cisco ASA<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115012831287\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Policy-Based Site-to-Site IPsec VPN<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/218850057\" target=\"_blank\" rel=\"noopener\">Intro to Networking &#8211; How to Establish a Connection Using SSH<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>EdgeRouter &#8211; Site-to-Site IPsec VPN to Cisco ISR Overview Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[16,2,6,12],"tags":[],"class_list":["post-1372","post","type-post","status-publish","format-standard","hentry","category-courses","category-kien-thuc","category-networking","category-vpn"],"_links":{"self":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1372"}],"version-history":[{"count":0,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1372\/revisions"}],"wp:attachment":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1372"},{"taxonomy":"post_tag","embeddable":
true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}