Cisco ASR L2L VPN configuration (BETA)

Cisco ASR L2L VPN Configuration (BETA) - This template is for the configuration of an L2L IPsec VPN tunnel on a Cisco ASR

jsmith
July 29, 2014
Pre Shared Key

Remote Peer IP Address


Name of the VPN Customer

eg. 192.168.10.0




In the format 10.5.5, i.e. leave off the last octet



// ASR L2L VPN Peer Template v0.2 - 1 x Remote /24 Network, 1 x Local /24 Network

// %{Change_Number}% - %{Cust_Name}% VPN

Remote Peer IP: 		%{Remote_Peer_IP_Address}%
Remote Network: 		%{Remote_Network_24}% /24
Local Networks: 		%{Local_Network_24}% /24
VLAN Number: 			%{Cust_VLAN}%
Hosted Subnet:			%{Hosted_Subnet}%
PSK: 				%{PSK}%
Cryptomap Number:		%{Cryptomap_Number}%
Cryptomap ACL Number:		%{Cryptomap_ACL_Number}%


!=== ## ASR VPN Configuration ## ===!

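!// ASR1
! First router of the pair: HSRP priority 110 with delayed preempt on the customer VLAN.
! NOTE: the rendered output carries the pre-shared key in clear text (summary header
! and keyring below); handle the generated configuration as a secret.

! Per-customer VRF. Local_Network_24 is used with a wildcard mask in the ACL below,
! so it is a full dotted quad; rd and route-target therefore take it as-is (IP:nn).
! The route-targets previously appended ".0", which rendered a five-octet value and
! did not match the rd or the ASR2 section.
ip vrf %{Cust_Name}%
 rd %{Local_Network_24}%:1
 route-target export %{Local_Network_24}%:1
 route-target import %{Local_Network_24}%:1

! Customer-facing dot1Q subinterface inside the VRF. "ip vrf forwarding" stays ahead
! of "ip address": IOS removes an existing address when the VRF is applied.
! HSRP group 0: virtual IP .4, this router .5. Track object 208 is defined outside
! this template; when it goes down the priority drops by 40 (110 -> 70).
! NOTE(review): no HSRP authentication is set here - confirm the VLAN is trusted.
interface GigabitEthernet0/0/0.%{Cust_VLAN}%
 description %{Cust_Name}%
 encapsulation dot1Q %{Cust_VLAN}%
 ip vrf forwarding %{Cust_Name}%
 ip address %{Hosted_Subnet}%.5 255.255.255.0
 standby 0 ip %{Hosted_Subnet}%.4
 standby 0 priority 110
 standby 0 preempt delay minimum 180
 standby 0 name %{Cust_Name}%
 standby 0 track 208 decrement 40

! NOTE(review): this subinterface is only placed in the VRF; encapsulation and
! addressing are not set in this template - presumably configured elsewhere, confirm.
interface GigabitEthernet0/0/1.%{Cust_VLAN}%
 ip vrf forwarding %{Cust_Name}%

! Pre-shared key bound to the single remote peer address. Use a long, random key
! that is unique to this peer.
! NOTE(review): the key is stored as entered unless key encryption is enabled on the
! device ("key config-key password-encrypt" with "password encryption aes") - not shown here.
crypto keyring %{VPN_Name}%  
  pre-shared-key address %{Remote_Peer_IP_Address}% key %{PSK}%
  
! ISAKMP profile: matches exactly one peer (host mask), uses the keyring above and
! names the customer VRF. Keepalive (DPD) interval 10 s, retry 2 s.
! The ISAKMP policy (encryption, hash, DH group) is not part of this template.
crypto isakmp profile %{VPN_Name}%
   vrf %{Cust_Name}%
   keyring %{VPN_Name}%
   match identity address %{Remote_Peer_IP_Address}% 255.255.255.255 
   keepalive 10 retry 2

! Crypto ACL: selects local /24 -> remote /24 traffic for the tunnel; the peer needs
! the mirror image. A source+destination "ip" entry requires an extended ACL number
! (100-199 or 2000-2699).
access-list %{Cryptomap_ACL_Number}% permit ip %{Local_Network_24}% 0.0.0.255 %{Remote_Network_24}% 0.0.0.255
   
! Entry in the shared crypto map "cryptomap_hosted"; Cryptomap_Number must not collide
! with an existing entry. idle-time 86400 removes SAs after 24 h without traffic;
! reverse-route installs a route to the remote network while the tunnel exists.
! NOTE(review): transform set ESP-3DES-MD5 is defined outside this template; going by
! its name it is 3DES with MD5, both legacy algorithms. Prefer an AES / SHA-2 transform
! set where the peer supports it, and consider "set pfs". Not changed here because the
! referenced objects are not visible in this template.
crypto map cryptomap_hosted %{Cryptomap_Number}% ipsec-isakmp 
 description %{VPN_Name}% VPN
 set peer %{Remote_Peer_IP_Address}%
 set security-association idle-time 86400
 set transform-set ESP-3DES-MD5 
 set isakmp-profile %{VPN_Name}%
 match address %{Cryptomap_ACL_Number}%
 reverse-route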

!// ASR2
! Second router of the pair: same VRF, keyring, ISAKMP profile, ACL and crypto map
! entry as the ASR1 section; only the interface address (.6) and HSRP settings differ.
! NOTE: the rendered output carries the pre-shared key in clear text; handle the
! generated configuration as a secret.

! Per-customer VRF; rd and route-target all use Local_Network_24 as the IP part (IP:nn).
ip vrf %{Cust_Name}%
 rd %{Local_Network_24}%:1
 route-target export %{Local_Network_24}%:1
 route-target import %{Local_Network_24}%:1

! Customer-facing dot1Q subinterface inside the VRF. "ip vrf forwarding" stays ahead
! of "ip address": IOS removes an existing address when the VRF is applied.
! HSRP group 0: virtual IP .4, this router .6. No priority or preempt line is set
! here, so the HSRP defaults apply. Track object 208 is defined outside this template.
! NOTE(review): without "preempt" on this router, a tracked priority drop on the
! other router may not move the active role here - confirm this is intended.
! NOTE(review): no HSRP authentication is set here - confirm the VLAN is trusted.
interface GigabitEthernet0/0/0.%{Cust_VLAN}%
 description %{Cust_Name}%
 encapsulation dot1Q %{Cust_VLAN}%
 ip vrf forwarding %{Cust_Name}%
 ip address %{Hosted_Subnet}%.6 255.255.255.0
 standby 0 ip %{Hosted_Subnet}%.4
 standby 0 name %{Cust_Name}%
 standby 0 track 208 decrement 40

! NOTE(review): this subinterface is only placed in the VRF; encapsulation and
! addressing are not set in this template - presumably configured elsewhere, confirm.
interface GigabitEthernet0/0/1.%{Cust_VLAN}%
 ip vrf forwarding %{Cust_Name}%

! Pre-shared key bound to the single remote peer address; must be identical on both
! routers of the pair and on the remote peer. Use a long, random, per-peer key.
! NOTE(review): the key is stored as entered unless key encryption is enabled on the
! device ("key config-key password-encrypt" with "password encryption aes") - not shown here.
crypto keyring %{VPN_Name}%  
  pre-shared-key address %{Remote_Peer_IP_Address}% key %{PSK}%
  
! ISAKMP profile: matches exactly one peer (host mask), uses the keyring above and
! names the customer VRF. Keepalive (DPD) interval 10 s, retry 2 s.
! The ISAKMP policy (encryption, hash, DH group) is not part of this template.
crypto isakmp profile %{VPN_Name}%
   vrf %{Cust_Name}%
   keyring %{VPN_Name}%
   match identity address %{Remote_Peer_IP_Address}% 255.255.255.255 
   keepalive 10 retry 2

! Crypto ACL: selects local /24 -> remote /24 traffic for the tunnel; the peer needs
! the mirror image. A source+destination "ip" entry requires an extended ACL number
! (100-199 or 2000-2699).
access-list %{Cryptomap_ACL_Number}% permit ip %{Local_Network_24}% 0.0.0.255 %{Remote_Network_24}% 0.0.0.255
   
! Entry in the shared crypto map "cryptomap_hosted"; Cryptomap_Number must not collide
! with an existing entry. idle-time 86400 removes SAs after 24 h without traffic;
! reverse-route installs a route to the remote network while the tunnel exists.
! NOTE(review): transform set ESP-3DES-MD5 is defined outside this template; going by
! its name it is 3DES with MD5, both legacy algorithms. Prefer an AES / SHA-2 transform
! set where the peer supports it, and consider "set pfs".
crypto map cryptomap_hosted %{Cryptomap_Number}% ipsec-isakmp 
 description %{VPN_Name}% VPN
 set peer %{Remote_Peer_IP_Address}%
 set security-association idle-time 86400
 set transform-set ESP-3DES-MD5 
 set isakmp-profile %{VPN_Name}%
 match address %{Cryptomap_ACL_Number}%
 reverse-route