SITE-to-SITE FlexVPN











SITE-to-SITE FlexVPN
Tunnels: none (the crypto map is applied directly to the outside interface)
deny the interesting (VPN) traffic in the NAT ACL, so it reaches the crypto map un-translated

<HQ>
<ISAKMP>
<proposal default>
default
</proposal default>
<ikev2 policy>
default
</ikev2 policy>
</ISAKMP>
<IPSEC>
    <TS: default>
default
    </TS: default>
    <ikev2 profile P_SPOKEXX>
crypt ikev2 profile P_SPOKEXX
match identity remote address 0.0.0.0
authentication local pre-share key CISCO
authentication remote pre-share key CISCO
    </ikev2 profile P_SPOKEXX>
    <ikev2 DPD>
crypt ikev2 dpd 10 3 on-demand
    </ikev2 DPD>
    <ACL INSIDE>
IP access-list ext INSIDE
10 deny ip 192.169.1.0 0.0.0.255 192.168.1.0 0.0.0.255
20 deny ip 192.169.2.0 0.0.0.255 192.168.1.0 0.0.0.255
30 deny ip 192.169.3.0 0.0.0.255 192.168.1.0 0.0.0.255
40 deny ip 192.169.4.0 0.0.0.255 192.168.1.0 0.0.0.255
50 deny ip 192.169.1.0 0.0.0.255 192.168.2.0 0.0.0.255
60 deny ip 192.169.2.0 0.0.0.255 192.168.2.0 0.0.0.255
70 deny ip 192.169.3.0 0.0.0.255 192.168.2.0 0.0.0.255
80 deny ip 192.169.4.0 0.0.0.255 192.168.2.0 0.0.0.255
90 deny ip 192.169.1.0 0.0.0.255 192.168.3.0 0.0.0.255
100 deny ip 192.169.2.0 0.0.0.255 192.168.3.0 0.0.0.255
110 deny ip 192.169.3.0 0.0.0.255 192.168.3.0 0.0.0.255
120 deny ip 192.169.4.0 0.0.0.255 192.168.3.0 0.0.0.255
130 deny ip 192.169.1.0 0.0.0.255 192.168.4.0 0.0.0.255
140 deny ip 192.169.2.0 0.0.0.255 192.168.4.0 0.0.0.255
150 deny ip 192.169.3.0 0.0.0.255 192.168.4.0 0.0.0.255
160 deny ip 192.169.4.0 0.0.0.255 192.168.4.0 0.0.0.255
200 permit ip 192.169.1.0 0.0.0.255 any
210 permit ip 192.169.2.0 0.0.0.255 any
220 permit ip 192.169.3.0 0.0.0.255 any
230 permit ip 192.169.4.0 0.0.0.255 any
240 permit icmp 192.169.1.0 0.0.0.255 any
250 permit icmp 192.169.2.0 0.0.0.255 any
260 permit icmp 192.169.3.0 0.0.0.255 any
270 permit icmp 192.169.4.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
ip access-list extended HQ2SPOKE-I
permit ip 192.169.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.169.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.169.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.169.2.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.169.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.169.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.169.1.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.169.2.0 0.0.0.255 192.168.4.0 0.0.0.255

ip access-list extended HQ2SPOKE-II
permit ip 192.169.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.169.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.169.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.169.4.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.169.3.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.169.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.169.3.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.169.4.0 0.0.0.255 192.168.4.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <Crypto MAP CM_SPOKEXX>
crypto map CM_SPOKEXX 10 ipsec-isakmp
set peer 10.0.1.2
set peer 10.1.1.2
set ikev2-profile P_SPOKEXX
match address HQ2SPOKE-I
crypto map CM_SPOKEXX 20 ipsec-isakmp
set peer 10.0.1.2
set peer 10.1.1.2
set ikev2-profile P_SPOKEXX
match address HQ2SPOKE-II
    </Crypto MAP CM_SPOKEXX>
</IPSEC>
<IF OUT+CM>
int gi 0/0
 crypto map CM_SPOKEXX
</IF OUT+CM>
</HQ>

<SPOKE-I>
<ISAKMP>
<proposal default>
default
</proposal default>
<ikev2 policy>
default
</ikev2 policy>
</ISAKMP>
<IPSEC>
    <TS: default>
default
    </TS: default>
    <ikev2 profile P_HQ>
crypt ikev2 profile P_HQ
match identity remote address 0.0.0.0
authentication local pre-share key CISCO
authentication remote pre-share key CISCO
    </ikev2 profile P_HQ>
    <ACL INSIDE>
IP access-list Extended INSIDE
deny ip 192.168.1.0 0.0.0.255 192.169.1.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.169.1.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.169.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.169.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.169.3.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.169.3.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.169.4.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.169.4.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit icmp 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit icmp 192.168.2.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL SPOKE-I2HQ>
ip access-list extended SPOKE-I2HQ
permit ip 192.168.1.0 0.0.0.255 192.169.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.169.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.169.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.169.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.169.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.169.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.169.4.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.169.4.0 0.0.0.255
    </ACL SPOKE-I2HQ>
    <Crypto MAP CM_HQ>
crypto map CM_HQ 10 ipsec-isakmp
set peer 10.2.1.2
set ikev2-profile P_HQ
match address SPOKE-I2HQ
    </Crypto MAP CM_HQ>
</IPSEC>
<IF OUT+CM>
int gi 0/0
 crypto map CM_HQ
</IF OUT+CM>
</SPOKE-I>

<SPOKE-II>
<ISAKMP>
<proposal default>
default
</proposal default>
<ikev2 policy>
default
</ikev2 policy>
</ISAKMP>
<IPSEC>
    <TS: default>
default
    </TS: default>
    <ikev2 profile P_HQ>
crypt ikev2 profile P_HQ
match identity remote address 0.0.0.0
authentication local pre-share key CISCO
authentication remote pre-share key CISCO
    </ikev2 profile P_HQ>
    <ACL INSIDE>
IP access-list Extended INSIDE
deny ip 192.168.3.0 0.0.0.255 192.169.1.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.169.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.169.2.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.169.2.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.169.3.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.169.3.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.169.4.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.169.4.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any
permit icmp 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit icmp 192.168.4.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL SPOKE-II2HQ>
ip access-list extended SPOKE-II2HQ
permit ip 192.168.3.0 0.0.0.255 192.169.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.169.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.169.2.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.169.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.169.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.169.3.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.169.4.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.169.4.0 0.0.0.255
    </ACL SPOKE-II2HQ>
    <Crypto MAP CM_HQ>
crypto map CM_HQ 20 ipsec-isakmp
set peer 10.2.1.2
set ikev2-profile P_HQ
match address SPOKE-II2HQ
    </Crypto MAP CM_HQ>
</IPSEC>
<IF OUT+CM>
int gi 0/0
 crypto map CM_HQ
</IF OUT+CM>
</SPOKE-II>










SITE-to-SITE VPN
Tunnels: none (the crypto map is applied directly to the outside interface)
deny the interesting (VPN) traffic in the NAT ACL, so it reaches the crypto map un-translated


<HQ>
<ISAKMP>
<isakmp pol1>
cry isakmp pol 1
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
wildcard peer address 0.0.0.0 for the key? (open question; the keys below are bound to each spoke's peer address)
cry isakmp key CISCO address 10.0.1.2
cry isakmp key CISCO address 10.1.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
IP access-list ext INSIDE
deny ip 192.169.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (50 matches)
deny ip 192.169.3.0 0.0.0.255 192.168.3.0 0.0.0.255 (60 matches)
permit ip 192.169.1.0 0.0.0.255 any (1 match)
permit ip 192.169.2.0 0.0.0.255 any (2 matches)
permit ip 192.169.3.0 0.0.0.255 any (2 matches)
permit ip 192.169.4.0 0.0.0.255 any (1 match)
permit icmp 192.169.1.0 0.0.0.255 any
permit icmp 192.169.2.0 0.0.0.255 any
permit icmp 192.169.3.0 0.0.0.255 any
permit icmp 192.169.4.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
ip access-list extended VPN-TRAFFIC
permit ip 192.169.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.169.3.0 0.0.0.255 192.168.3.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-SPOKEXX>
crypto ipsec transform-set TS-SPOKEXX esp-3des esp-md5-hmac
    </TS: TS-SPOKEXX>
    <Crypto MAP CM_SPOKEXX>
crypto map CM_SPOKEXX 10 ipsec-isakmp
set peer 10.0.1.2
set peer 10.1.1.2
set transform-set TS-SPOKEXX
match address VPN-TRAFFIC
    </Crypto MAP CM_SPOKEXX>
</IPSEC>
<IF OUT+CM>
int gi 0/0
 crypto map CM_SPOKEXX
</IF OUT+CM>
</HQ>

<SPOKE-I>
<ISAKMP>
<isakmp pol1>
cry isakmp pol 1
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
cry isakmp key CISCO address 10.2.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
Extended IP access list INSIDE
deny ip 192.168.1.0 0.0.0.255 192.169.1.0 0.0.0.255 (26 matches)
permit ip 192.168.1.0 0.0.0.255 any
permit icmp 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit icmp 192.168.2.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
ip access-list extended VPN-TRAFFIC
permit ip 192.168.1.0 0.0.0.255 192.169.1.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-HQ>
crypto ipsec transform-set TS-HQ esp-3des esp-md5-hmac
    </TS: TS-HQ>
    <Crypto MAP CM_HQ>
crypto map CM_HQ 10 ipsec-isakmp
set peer 10.2.1.2
set transform-set TS-HQ
match address VPN-TRAFFIC
    </Crypto MAP CM_HQ>
</IPSEC>
<IF OUT+CM>
int gi 0/0
 crypto map CM_HQ
</IF OUT+CM>
</SPOKE-I>

<SPOKE-II>
<ISAKMP>
<isakmp pol1>
cry isakmp pol 1
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
cry isakmp key CISCO address 10.2.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
IP access-list ext INSIDE
deny ip 192.168.3.0 0.0.0.255 192.169.3.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any (7 matches)
permit icmp 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit icmp 192.168.4.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
ip access-list extended VPN-TRAFFIC
permit ip 192.168.3.0 0.0.0.255 192.169.3.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-HQ>
crypto ipsec transform-set TS-HQ esp-3des esp-md5-hmac
    </TS: TS-HQ>
    <Crypto MAP CM_HQ>
crypto map CM_HQ 10 ipsec-isakmp
set peer 10.2.1.2
set transform-set TS-HQ
match address VPN-TRAFFIC
    </Crypto MAP CM_HQ>
</IPSEC>
<IF OUT+CM>
int gi 0/0
 crypto map CM_HQ
</IF OUT+CM>
</SPOKE-II>