
GE MDS ORBIT ECR - DMVPN with Cisco IOS

MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual 425
# Security zone configuration
set security zones security-zone TRUST address-book address LOCAL-NET-1 192.168.2.0/24
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces vlan.0
set security zones security-zone UNTRUST address-book address ORBIT138-NET-1 192.168.1.0/24
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ntp
set security zones security-zone UNTRUST interfaces ge-0/0/0.0
# Security policies
set security policies from-zone TRUST to-zone UNTRUST policy ORBIT138-NET-1-SA match source-address LOCAL-NET-1
set security policies from-zone TRUST to-zone UNTRUST policy ORBIT138-NET-1-SA match destination-address ORBIT138-NET-1
set security policies from-zone TRUST to-zone UNTRUST policy ORBIT138-NET-1-SA match application any
set security policies from-zone TRUST to-zone UNTRUST policy ORBIT138-NET-1-SA then permit tunnel ipsec-vpn ORBIT138
set security policies from-zone UNTRUST to-zone TRUST policy ORBIT138-NET-1-SA match source-address ORBIT138-NET-1
set security policies from-zone UNTRUST to-zone TRUST policy ORBIT138-NET-1-SA match destination-address LOCAL-NET-1
set security policies from-zone UNTRUST to-zone TRUST policy ORBIT138-NET-1-SA match application any
set security policies from-zone UNTRUST to-zone TRUST policy ORBIT138-NET-1-SA then permit tunnel ipsec-vpn ORBIT138
12.1.2.2 Status
> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
1948863  UP     95c139a87c9cae6f  71d0c3a14c8d5663  IKEv2  172.18.175.138
> show security ipsec security-associations
Total active tunnels: 1
ID       Algorithm           SPI       Life:sec/kb  Mon  vsys  Port  Gateway
<131074  ESP:aes-128/sha256  ef7c6bd3  3522/ unlim  -    root  500   172.18.175.138
>131074  ESP:aes-128/sha256  c4bfce67  3522/ unlim  -    root  500   172.18.175.138
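A monitoring check built on the two status commands above, as an added example that is not part of the manual: it parses their text output and reports when the IKEv2 SA is not UP, when an inbound (`<`) or outbound (`>`) IPsec SA is missing, or when the negotiated transform differs from the expected one. The function name and its parameters are assumptions; the sample text is the output shown above.

```python
import re

# Sample input: the two command outputs from the Status section, embedded as text.
IKE_OUTPUT = """\
Index State Initiator cookie Responder cookie Mode Remote Address
1948863 UP 95c139a87c9cae6f 71d0c3a14c8d5663 IKEv2 172.18.175.138
"""
IPSEC_OUTPUT = """\
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131074 ESP:aes-128/sha256 ef7c6bd3 3522/ unlim - root 500 172.18.175.138
>131074 ESP:aes-128/sha256 c4bfce67 3522/ unlim - root 500 172.18.175.138
"""

# index, state, initiator cookie, responder cookie, mode, remote address
IKE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)\s*$")
# direction marker, tunnel ID, algorithm, SPI, ..., gateway (last column)
SA_ROW = re.compile(r"^([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+.*\s(\S+)\s*$")


def check_tunnel(ike_text, ipsec_text, peer, transform):
    """Return a list of findings; an empty list means the tunnel to `peer` looks healthy."""
    findings = []
    ike_rows = [m.groups() for m in map(IKE_ROW.match, ike_text.splitlines()) if m]
    if not any(r[5] == peer and r[1] == "UP" and r[4] == "IKEv2" for r in ike_rows):
        findings.append(f"no IKEv2 SA in state UP for {peer}")

    directions = {}  # tunnel ID -> set of '<' (inbound) and '>' (outbound) markers seen
    for m in filter(None, map(SA_ROW.match, ipsec_text.splitlines())):
        direction, tunnel_id, algo, _spi, gateway = m.groups()
        if gateway != peer:
            continue
        directions.setdefault(tunnel_id, set()).add(direction)
        if algo != transform:  # negotiated transform differs from the configured proposal
            findings.append(f"tunnel {tunnel_id} {direction} uses {algo}, expected {transform}")
    if not directions:
        findings.append(f"no IPsec SA for {peer}")
    for tunnel_id, seen in directions.items():
        if seen != {"<", ">"}:
            findings.append(f"tunnel {tunnel_id} is missing an inbound or outbound SA")
    return findings


if __name__ == "__main__":
    print(check_tunnel(IKE_OUTPUT, IPSEC_OUTPUT, "172.18.175.138", "ESP:aes-128/sha256"))
```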
12.2 DMVPN with Cisco IOS
This example describes a sample configuration for a DMVPN between an Orbit MCR (2E1S) and a Cisco
ISR 1941 router with IKEv2 public-key based authentication using RSA certificates generated from 3-tier
