
Create a Site-to-Site IPSec VPN with Cisco CSR 1000V


Network diagram

Once VPN tunnel is established, we can ping from our internal host to the host behind peer’s VPN Gateway.

IP Info                                   Left side (us)    Right side (peer)
VPN GW IP                                 13.234.134.251    54.194.6.72
Encryption Domain (VPN host or subnet)    (NAT to           (NAT to

IPSec parameters

Phase I Settings
Authentication Method:          Pre-Shared
Diffie-Hellman Group:           2 (Mod 1024)
Encryption Algorithm:           AES256
Hash Algorithm:                 SHA-1
SA Timeout:                     28800

Phase II Settings
Encapsulation:                  ESP (encrypted)
Perfect Forward Secrecy (PFS):  NO PFS
Encryption Algorithm:           AES256
Hash Algorithm:                 SHA-1
Lifetime (In Seconds):          3600 (Default)

Cisco VPN Configuration

Phase 1:

Add a pre-shared key “test” for the remote peer gateway IP.

Create a new IKE policy numbered 100 and set its parameters to those listed above under IPSec parameters.

ip-192-168-1-100#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ip-192-168-1-100(config)#crypto isakmp key test address
ip-192-168-1-100(config)#crypto isakmp policy 100
ip-192-168-1-100(config-isakmp)#encr aes 256
ip-192-168-1-100(config-isakmp)#hash sha
ip-192-168-1-100(config-isakmp)#authentication pre-share
ip-192-168-1-100(config-isakmp)#group 2
ip-192-168-1-100(config-isakmp)#lifetime 28800

ip-192-168-1-100#show crypto isakmp policy

Global IKE policy
Protection suite of priority 100
	encryption algorithm:	AES - Advanced Encryption Standard (256 bit keys).
	hash algorithm:		Secure Hash Standard
	authentication method:	Pre-Shared Key
	Diffie-Hellman group:	#2 (1024 bit)
	lifetime:		28800 seconds, no volume limit
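As an added example that is not part of the original page, the following Python script parses the show crypto isakmp policy output above and compares it with the Phase I parameters agreed with the peer. A mismatch in any of these five fields (encryption, hash, authentication, DH group, lifetime) is the usual reason Phase 1 never reaches QM_IDLE, so this is the check to run before looking anywhere else. The sample output is the page's own; the mapping of IOS display strings to short labels (for instance "Secure Hash Standard" meaning SHA-1) is my assumption about how IOS prints them.

```python
import re

# Constructed sample: the "show crypto isakmp policy" output from the page,
# with the same tab layout IOS prints.
SHOW_ISAKMP_POLICY = """\
Global IKE policy
Protection suite of priority 100
\tencryption algorithm:\tAES - Advanced Encryption Standard (256 bit keys).
\thash algorithm:\t\tSecure Hash Standard
\tauthentication method:\tPre-Shared Key
\tDiffie-Hellman group:\t#2 (1024 bit)
\tlifetime:\t\t28800 seconds, no volume limit
"""

# Phase 1 parameters agreed with the peer (the page's "Phase I Settings").
EXPECTED_PHASE1 = {
    "encryption": "aes-256",
    "hash": "sha1",
    "authentication": "pre-share",
    "dh_group": 2,
    "lifetime": 28800,
}

# Assumed mapping of IOS hash display names to short labels; only the SHA-1
# string appears on the page, the MD5 one is what IOS prints for "hash md5".
HASH_NAMES = {"secure hash standard": "sha1", "message digest 5": "md5"}


def parse_isakmp_policies(text):
    """Return {priority: {field: normalized value}} from the show output."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "encryption algorithm":
            # "AES - Advanced Encryption Standard (256 bit keys)." -> aes-256
            alg = value.split(" - ")[0].lower()
            bits = re.search(r"\((\d+) bit keys\)", value)
            current["encryption"] = f"{alg}-{bits.group(1)}" if bits else alg
        elif key == "hash algorithm":
            current["hash"] = HASH_NAMES.get(value.lower(), value.lower())
        elif key == "authentication method":
            current["authentication"] = (
                "pre-share" if "pre-shared" in value.lower() else value.lower()
            )
        elif key == "diffie-hellman group":
            current["dh_group"] = int(re.search(r"#(\d+)", value).group(1))
        elif key == "lifetime":
            current["lifetime"] = int(re.search(r"(\d+) seconds", value).group(1))
    return policies


def check_policy(policies, expected, priority):
    """Return [(field, configured, expected)] for every field that differs;
    an empty list means the policy with that priority matches the peer."""
    got = policies.get(priority)
    if got is None:
        return [("policy", None, priority)]
    return [(f, got.get(f), want) for f, want in expected.items() if got.get(f) != want]


if __name__ == "__main__":
    parsed = parse_isakmp_policies(SHOW_ISAKMP_POLICY)
    for field, have, want in check_policy(parsed, EXPECTED_PHASE1, 100):
        print(f"mismatch: {field} configured={have} expected={want}")
```

Paste the output of show crypto isakmp policy captured from the router into SHOW_ISAKMP_POLICY (or read it from a file) and keep EXPECTED_PHASE1 in sync with what the peer's administrator sent you; the page's policy 100 produces no mismatches.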

Phase 2

Define the phase 2 parameters

ip-192-168-1-100(config)#crypto ipsec transform-set vpn-sha1-aes256 esp-aes 256 esp-sha-hmac

ip-192-168-1-100(config)#crypto map testmap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
	and a valid access list have been configured.
ip-192-168-1-100(config-crypto-map)#set peer
ip-192-168-1-100(config-crypto-map)#set transform-set vpn-sha1-aes256
ip-192-168-1-100(config-crypto-map)#match address NET-R

Add an access list

The rule will allow all IP traffic between the two hosts.

ip-192-168-1-100(config)#ip access-list extended NET-R
ip-192-168-1-100(config-ext-nacl)#permit ip host host

Apply the crypto map to the external network interface

ip-192-168-1-100(config)#interface GigabitEthernet 1
ip-192-168-1-100(config-if)#crypto map testmap

ip-192-168-1-100#sho running-config interface GigabitEthernet 1
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 crypto map testmap

Configure NAT

When the remote host sends traffic to the public IP of our host, the Cisco router translates the public IP to the internal IP and routes the packet to the internal host.

ip-192-168-1-100(config)#ip nat inside source static

Configure routing on the internal host

Our internal host uses the Cisco router as its default gateway to reach the remote host.

/sbin/route add gw


1. You must disable the source/dest check on the second network interface (private subnet) of the Cisco router. By default the check is enabled, so it needs to be disabled.

2. If there is still a problem, update the security group of the Cisco router to allow UDP ports 500 and 4500.

Check VPN status

Phase 1 status:

ip-192-168-1-100#show crypto isakmp sa
dst             src             state          conn-id status   QM_IDLE           1001 ACTIVE

Phase 2 status:

ip-192-168-1-100#show crypto ipsec sa peer
interface: GigabitEthernet1
    Crypto map tag: testmap, local addr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 601, #pkts encrypt: 601, #pkts digest: 601
    #pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.:, remote crypto endpt.:
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xF260702C(4066406444)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF8C0B0DD(4173377757)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map: testmap
         sa timing: remaining key lifetime (k/sec): (4607967/2951)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF260702C(4066406444)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map: testmap
         sa timing: remaining key lifetime (k/sec): (4607950/2951)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Note that we see “Status: ACTIVE” under “inbound esp sas” and “outbound esp sas”, which indicates that the IPSec tunnel is established.
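As an added example that is not part of the original page, the following Python script turns the show crypto ipsec sa output above into something a monitoring job can alert on: it reports the tunnel as up only when an ESP SA is ACTIVE in both directions, and flags one-way traffic counters, send/receive errors and the absence of PFS (the “NO PFS” Phase II setting above means the phase 2 keys are not derived from a fresh DH exchange). The sample text is adapted from the page's output, with the addresses absent there as well; the layout assumptions in the regular expressions are my own and follow the IOS-XE output as printed on the page.

```python
import re

# Constructed sample, adapted from the page's "show crypto ipsec sa" output
# (the peer and endpoint addresses are absent from the page as well).
SHOW_IPSEC_SA = """\
interface: GigabitEthernet1
    Crypto map tag: testmap, local addr
   current_peer port 4500
    #pkts encaps: 601, #pkts encrypt: 601, #pkts digest: 601
    #pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
    #send errors 0, #recv errors 0
     current outbound spi: 0xF260702C(4066406444)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xF8C0B0DD(4173377757)
        transform: esp-256-aes esp-sha-hmac ,
         sa timing: remaining key lifetime (k/sec): (4607967/2951)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0xF260702C(4066406444)
        transform: esp-256-aes esp-sha-hmac ,
         sa timing: remaining key lifetime (k/sec): (4607950/2951)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
"""


def parse_ipsec_sa(text):
    """Parse one crypto-map entry into PFS flag, packet counters and ESP SAs."""
    out = {"pfs": None, "counters": {}, "sas": {"inbound": [], "outbound": []}}
    direction, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"PFS \(Y/N\): ([YN])", line)
        if m:
            out["pfs"] = m.group(1) == "Y"
            continue
        for name, val in re.findall(r"#pkts (\w+): (\d+)", line):
            out["counters"][name] = int(val)
        for name, val in re.findall(r"#(send|recv) errors (\d+)", line):
            out["counters"][name + "_errors"] = int(val)
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if m:
            # Only ESP SAs matter here; the AH and PCP sections are skipped.
            direction = m.group(1) if m.group(2) == "esp" else None
            sa = None
            continue
        if direction is None:
            continue
        m = re.match(r"spi: (0x[0-9A-Fa-f]+)", line)
        if m:
            sa = {"spi": m.group(1)}
            out["sas"][direction].append(sa)
            continue
        if sa is None:
            continue
        if line.startswith("transform:"):
            sa["transform"] = line[len("transform:"):].strip(" ,")
        m = re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line)
        if m:
            sa["kb_left"], sa["sec_left"] = int(m.group(1)), int(m.group(2))
        m = re.match(r"replay detection support: ([YN])", line)
        if m:
            sa["replay"] = m.group(1) == "Y"
        m = re.match(r"Status: (\w+)", line)
        if m:
            sa["status"] = m.group(1)
    return out


def tunnel_state(parsed):
    """Return {'up': bool, 'warnings': [...]}; up needs an ACTIVE ESP SA both ways."""
    warnings, up = [], True
    for d in ("inbound", "outbound"):
        if not any(s.get("status") == "ACTIVE" for s in parsed["sas"][d]):
            up = False
            warnings.append(f"no ACTIVE {d} ESP SA")
    c = parsed["counters"]
    if c.get("encaps", 0) and not c.get("decaps", 0):
        warnings.append("packets sent but none received (one-way traffic)")
    if c.get("send_errors", 0) or c.get("recv_errors", 0):
        warnings.append("send/recv errors on the SA")
    if parsed["pfs"] is False:
        warnings.append("PFS disabled: phase 2 keys not derived from a fresh DH exchange")
    return {"up": up, "warnings": warnings}


if __name__ == "__main__":
    print(tunnel_state(parse_ipsec_sa(SHOW_IPSEC_SA)))
```

Feed it the text of show crypto ipsec sa peer <peer-ip> captured over SSH or from a log collector; the page's own output yields up=True with a single PFS warning, and a peer that has torn down the tunnel shows up as a missing ACTIVE SA well before users notice the ping failing.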

Test from host

It’s time for an end-to-end test: simply ping the remote host’s public IP. The remote network needs to allow incoming ICMP.

root@ip-192-168-0-88:/tftp# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=62 time=127 ms
64 bytes from icmp_seq=2 ttl=62 time=124 ms
64 bytes from icmp_seq=3 ttl=62 time=128 ms
64 bytes from icmp_seq=4 ttl=62 time=127 ms
--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 123.633/126.206/127.685/1.534 ms

So we have successfully established a site-to-site IPSec VPN tunnel between the two sites!
