-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcsr.ios
84 lines (81 loc) · 2.94 KB
/
csr.ios
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
!license boot level network-advantage addon dna-advantage
!do wr mem
!do reload
interface GigabitEthernet1
ip address dhcp
interface GigabitEthernet2
ip address dhcp
!default route pointing to GigE2 which has public IP
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2 172.16.20.33
!remove default route pointing to GigE1
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 172.16.20.1
! static route to VWAN Hub subnet pointing to CSR subnet default gateway, to prevent recursive routing failure for VWAN Hub endpoint addresses learned via BGP from Hub
ip route 192.168.0.0 255.255.255.0 172.16.20.1
!
crypto ikev2 proposal azure-proposal-connectionS1HubCSR
encryption aes-cbc-256 aes-cbc-128
integrity sha1 sha256
group 2
!
crypto ikev2 policy azure-policy-connectionS1HubCSR
proposal azure-proposal-connectionS1HubCSR
!Replace vnet-gw-onprem3-pubip1 and vnet-gw-onprem3-pubip2 with primary and seconday public IPs of vnet-gw-onprem3
crypto ikev2 keyring azure-keyring
peer Onprem3VPNGWPubIpV41
address vnet-gw-onprem3-pubip1
pre-shared-key Microhack2023
peer Onprem3VPNGWPubIpV42
address vnet-gw-onprem3-pubip2
pre-shared-key Microhack2023
!
crypto ikev2 profile azure-profile-connectionOnprem3HubCSR
match address local interface GigabitEthernet2
match identity remote address vnet-gw-onprem3-pubip1 255.255.255.255
match identity remote address vnet-gw-onprem3-pubip2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local azure-keyring
lifetime 28800
dpd 10 5 on-demand
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile azure-ipsec-onprem3
set security-association lifetime kilobytes 102400000
set transform-set azure-ipsec-proposal-set
set ikev2-profile azure-profile-connectionOnprem3HubCSR
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel101
ip address 10.0.100.4 255.255.255.254
ip tcp adjust-mss 1350
tunnel source GigabitEthernet2
tunnel mode ipsec ipv4
tunnel destination vnet-gw-onprem3-pubip1
tunnel protection ipsec profile azure-ipsec-onprem3
!
interface Tunnel102
ip address 10.0.100.6 255.255.255.254
ip tcp adjust-mss 1350
tunnel source GigabitEthernet2
tunnel mode ipsec ipv4
tunnel destination vnet-gw-onprem3-pubip2
tunnel protection ipsec profile azure-ipsec-onprem3
! static routes for Onprem3 GatewaySubnet pointing to Tunnel101 and Tunnel102, so that Branch1GW BGP peer address is reachable
ip route 10.100.10.164 255.255.255.255 Tunnel101
ip route 10.100.10.165 255.255.255.255 Tunnel102
!
router bgp 64000
neighbor 192.168.0.68 remote-as 65515
neighbor 192.168.0.68 ebgp-multihop 255
neighbor 192.168.0.69 remote-as 65515
neighbor 192.168.0.69 ebgp-multihop 255
neighbor 10.100.10.164 remote-as 64300
neighbor 10.100.10.164 ebgp-multihop 255
neighbor 10.100.10.164 update-source Loopback0
neighbor 10.100.10.165 remote-as 64300
neighbor 10.100.10.165 ebgp-multihop 255
neighbor 10.100.10.165 update-source Loopback0