Layer 3 IPSec Tunnel

This section describes how to establish a layer 3 IPSec tunnel across a wide area network. The detailed configuration of one router will be provided.

The following steps will describe how to form one half of a site-to-site layer 3 IPSec tunnel. The configuration of the router that forms the other side of the tunnel will also be provided as a reference. The configuration is summarized in

  1. Configure the network protocols and security applications.
    1. Enable security.

      iS5comm# configure terminal
      iS5comm(config)# set security enable
      iS5comm(config)# exit
    2. Enable the WAN port.

      iS5comm# configure terminal
      iS5comm(config)# interface gigabitethernet 0/3
      iS5comm(config-if)# shutdown
      iS5comm(config-if)# no switchport
      iS5comm(config-if)# set wan enable
      iS5comm(config-if)# ip address 20.168.10.2 255.255.255.0 cybsec
      iS5comm(config-if)# no shutdown
      iS5comm(config-if)# exit
      iS5comm(config)# exit
    3. Join the switch and security application networks.

      iS5comm# configure terminal
      iS5comm(config)# vlan 50
      iS5comm(config-vlan)# port add extreme-ethernet 0/2
      iS5comm(config-vlan)# exit
      iS5comm(config)# interface vlan 50
      iS5comm(config-if)# ip address 192.168.51.1 255.255.255.0
      iS5comm(config-if)# ip address 192.168.51.2 255.255.255.0 cybsec
      iS5comm(config-if)# ip proxy-arp cybsec
      iS5comm(config-if)# no shutdown
      iS5comm(config-if)# exit
      iS5comm(config)# exit
  2. Reconfigure the Local Ports for layer 2 VLAN traffic.
    1. Create VLANs 3 and 5 and associate them with gigabit Ethernet interface 0/2.

      iS5comm# configure terminal
      iS5comm(config)# vlan 5
      iS5comm(config-vlan)# vlan active
      iS5comm(config-vlan)# exit
      iS5comm(config)# vlan 3
      iS5comm(config-vlan)# vlan active
      iS5comm(config-vlan)# exit
      iS5comm(config)# interface gigabitethernet 0/2
      iS5comm(config-if)# shutdown
      iS5comm(config-if)# switchport
      iS5comm(config-if)# switchport mode trunk
      iS5comm(config-if)# no shutdown
      iS5comm(config-if)# exit
      iS5comm(config)# interface vlan 5
      iS5comm(config-if)# ip address 172.16.50.1 255.255.255.0
      iS5comm(config-if)# no shutdown
      iS5comm(config-if)# exit
      iS5comm(config)# interface vlan 3
      iS5comm(config-if)# ip address 172.16.30.1 255.255.255.0
      iS5comm(config-if)# no shutdown
      iS5comm(config-if)# exit
  3. Configure the Routing Table.
    1. Enter the following commands.

      iS5comm# configure terminal
      iS5comm(config)# ip route 0.0.0.0 0.0.0.0 192.168.51.2
      iS5comm(config)# ip route 172.16.50.0 255.255.255.0 192.168.51.1 cybsec
      iS5comm(config)# ip route 172.16.30.0 255.255.255.0 192.168.51.1 cybsec
      iS5comm(config)# ip route 0.0.0.0 0.0.0.0 20.168.10.2 cybsec
    2. Enable the VPN module.

      iS5comm(config)# set vpn enable
    3. Create the IPSec tunnel.

      iS5comm(config)# crypto map VPN-TEST-1
      iS5comm(config-crypto-map)# set local 20.168.10.2
      iS5comm(config-crypto-map)# isakmp local identity ipv4 20.168.10.2
      iS5comm(config-crypto-map)# set peer <Peer connecting to 20.168.10.2>
      iS5comm(config-crypto-map)# isakmp peer identity ipv4 <Peer connecting to 20.168.10.2>
      iS5comm(config-crypto-map)# access-list source 172.16.50.0/24,172.16.30.0/24 destination <Peer’s Network>
      iS5comm(config-crypto-map)# cryptokey mode preshared-key psk is5com
      iS5comm(config-crypto-map)# isakmp policy encryption aes hash md5 dh group1 exch main lifetime secs 3600
      iS5comm(config-crypto-map)# crypto ipsec mode tunnel
      iS5comm(config-crypto-map)# crypto map ipsec encryption esp aes authentication esp md5 pfs group2 lifetime secs 3600
      iS5comm(config-crypto-map)# set tunnel enable
      iS5comm(config-crypto-map)# exit
      iS5comm(config)# exit

The iMX950 is ready to connect a layer 3 tunnel to its peer.
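The crypto map in step 3 negotiates IKE with an MD5 hash and Diffie-Hellman group 1, protects ESP with MD5 and PFS group 2, and uses a six-character pre-shared key; none of these settings is supported by its own strength, so a practitioner would want to review them before the tunnel carries production traffic. The following Python script is an added example, not part of the iS5 documentation: it strips the iS5comm prompts from a pasted transcript, parses only the command shapes that appear in the procedure above, and reports the weak choices. The strength thresholds (anything below 2048-bit MODP, MD5/SHA-1, keys shorter than 16 characters) are this example's own assumed policy, and the `sha256`/`group14` values in the hardened sample are hypothetical keyword values that have not been checked against the switch's real CLI.

```python
"""Lint an iS5comm-style crypto-map transcript for weak IKE/IPsec choices.

Added example; not part of the iS5 documentation. Only the command shapes
from the layer 3 tunnel procedure are understood.
"""
import re

# Constructed sample: the crypto-map lines from the procedure above.
SAMPLE_TRANSCRIPT = """\
iS5comm(config)# crypto map VPN-TEST-1
iS5comm(config-crypto-map)# set local 20.168.10.2
iS5comm(config-crypto-map)# cryptokey mode preshared-key psk is5com
iS5comm(config-crypto-map)# isakmp policy encryption aes hash md5 dh group1 exch main lifetime secs 3600
iS5comm(config-crypto-map)# crypto ipsec mode tunnel
iS5comm(config-crypto-map)# crypto map ipsec encryption esp aes authentication esp md5 pfs group2 lifetime secs 3600
iS5comm(config-crypto-map)# set tunnel enable
"""

# Constructed, hypothetical hardened variant: 'sha256' and 'group14' are
# assumed keyword values and must be checked against the actual iS5comm CLI.
HARDENED_TRANSCRIPT = """\
iS5comm(config)# crypto map VPN-TEST-1
iS5comm(config-crypto-map)# cryptokey mode preshared-key psk CONSTRUCTED-EXAMPLE-PSK-32CHARS!
iS5comm(config-crypto-map)# isakmp policy encryption aes hash sha256 dh group14 exch main lifetime secs 3600
iS5comm(config-crypto-map)# crypto map ipsec encryption esp aes authentication esp sha256 pfs group14 lifetime secs 3600
iS5comm(config-crypto-map)# set tunnel enable
"""

# Assumed local policy: MD5 and SHA-1 are weak for IKE and ESP integrity,
# MODP groups below 2048 bits (groups 1, 2, 5) are weak, and a PSK must be
# at least 16 characters.
WEAK_HASHES = {"md5", "sha", "sha1"}
WEAK_DH_GROUPS = {"group1", "group2", "group5"}
MIN_PSK_LEN = 16

PROMPT_RE = re.compile(r"^is5comm\([^)]*\)#\s*(.*)$", re.IGNORECASE)


def commands(transcript):
    """Drop the iS5comm prompts and return the bare command strings."""
    cmds = []
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if m and m.group(1).strip():
            cmds.append(m.group(1).strip())
    return cmds


def value_after(words, keyword, skip=()):
    """Token following `keyword`, skipping qualifiers such as 'esp'/'ah'."""
    try:
        i = words.index(keyword) + 1
    except ValueError:
        return None
    while i < len(words) and words[i] in skip:
        i += 1
    return words[i] if i < len(words) else None


def lint(transcript):
    """Return a list of (severity, message) findings for the transcript."""
    findings = []
    tunnel_enabled = False
    for cmd in commands(transcript):
        w = cmd.split()
        if cmd.startswith("isakmp policy"):
            h = value_after(w, "hash")
            if h in WEAK_HASHES:
                findings.append(("high", f"IKE hash {h} is weak"))
            g = value_after(w, "dh")
            if g in WEAK_DH_GROUPS:
                findings.append(("high", f"IKE DH {g} is below 2048-bit MODP"))
            if value_after(w, "exch") == "aggressive":
                findings.append(("high", "IKE aggressive mode exposes the identity hash"))
        elif cmd.startswith("crypto map ipsec"):
            a = value_after(w, "authentication", skip=("esp", "ah"))
            if a in WEAK_HASHES:
                findings.append(("high", f"ESP authentication {a} is weak"))
            p = value_after(w, "pfs")
            if p is None:
                findings.append(("medium", "no PFS group configured"))
            elif p in WEAK_DH_GROUPS:
                findings.append(("medium", f"PFS {p} is below 2048-bit MODP"))
        elif cmd.startswith("cryptokey mode preshared-key"):
            psk = value_after(w, "psk")
            if psk is not None and len(psk) < MIN_PSK_LEN:
                findings.append(("high", f"pre-shared key is {len(psk)} characters, "
                                         f"policy minimum is {MIN_PSK_LEN}"))
        elif cmd == "set tunnel enable":
            tunnel_enabled = True
    if not tunnel_enabled:
        findings.append(("info", "crypto map never enabled with 'set tunnel enable'"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_TRANSCRIPT):
        print(f"{severity:6} {message}")
```

Run against the procedure's own crypto map the script reports five findings (IKE hash, IKE DH group, ESP authentication, PFS group and PSK length); against the hypothetical hardened transcript it reports none. The parser is deliberately narrow, keyed on the exact command prefixes the guide uses, so any command it does not recognise is ignored rather than guessed at.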