Hi guys, I am currently trying to configure a VPN link between 2 sites. I have replaced some crypto maps with IPsec tunnel interfaces instead. However, I am unsure what configuration lines are still required. Below are snippets of the configuration; both sites have similar configurations. The documentation I found doesn't show the use of the crypto isakmp policy line, but when I remove it the link fails to establish.
That makes sense. Does the number for the policy matter, as it's not linked anywhere?
I am using an IPsec SVTI; the main goal is to ensure the best security (well, near best) possible between the 2 sites.
The final goal is to link branch offices (4) across the country to a central router. They all have Cisco 877 routers, and I am looking at the possibility of replacing the central router with a higher-end one to handle the extra load.
The number in the crypto isakmp policy is just a local identifier (it does not matter which number it is).
The only role of that number is that when a VPN connection against the router is attempted, the peer will look at the crypto isakmp policies in sequential order until finding a match (so the number is only relevant in case you have multiple crypto isakmp policies and you need to have them in a certain order).
The advantage of using VTI is that it simplifies configuration and allows multicast traffic to pass through the tunnel (as opposed to regular IPsec traffic which only allows IP unicast packets).
You should not have a problem with the implementation. Let us know if you have any questions.
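For reference, an added example (not configuration posted by anyone in this thread) of the lines one side of a static VTI still needs once the crypto map is removed. The addresses, interface names, profile and transform-set names, policy number and key placeholder are all assumptions, and `group 14` assumes an IOS image that supports it.

```cisco
! Added example for one site; mirror it on the peer with the addresses swapped.
!
! Phase 1 (IKE): still required with a VTI. The tunnel interface only
! replaces the crypto map, not the ISAKMP negotiation, so removing this
! leaves no mutually acceptable proposal and the link fails to establish.
! The number 10 is only a local priority; it is not referenced elsewhere.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! Pre-shared key for the peer (placeholder value, assumed peer address).
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.2
!
! Phase 2 (IPsec): the transform set is still required and is now
! referenced from an IPsec profile instead of a crypto map entry.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256-SHA
 set pfs group14
!
! The tunnel interface takes over the role of the crypto map:
! no "match address" ACL and no "set peer" are needed.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Dialer0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Routing decides what is encrypted: anything routed into Tunnel0.
! 192.168.20.0/24 stands in for the remote site's LAN (assumed).
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

Both peers must share at least one ISAKMP policy with the same encryption, hash, authentication method and DH group; `show crypto isakmp sa` and `show crypto ipsec sa` confirm that each phase has come up.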
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...