! Aviatrix Site2Cloud configuration template
!
! This configuration serves as a general guideline and may have to be modified to
! be functional on your device.
!
! If the provided encryption or authentication type is configured as 'n/a', then
! there was not a known mapping from the selected type to the encryption or
! authentication type expected by the Cisco device. Please reference the Cisco
! documentation for your device and replace 'n/a' with the expected configuration.
!
! This connection has two IPsec tunnels between the customer gateway and
! Aviatrix gateways in the cloud. Tunnel #1 is the primary tunnel. The
! customer gateway should be configured in such a way that it
! switches over to tunnel #2 when tunnel #1 fails.
!
! You need to populate these values throughout the config based on your setup:
! : the IKE crypto policy number
! : the primary IPSec tunnel interface number
! : the backup IPSec tunnel interface number
! : the primary source interface of tunnel packets
! : the backup source interface of tunnel packets
! : any un-used IPv4 address for the primary tunnel interface
!   when static routing is used (e.g. 1.1.1.1)
! : any un-used IPv4 address for the backup tunnel interface
!   when static routing is used (e.g. 1.1.1.3)
! : netmask for customer_tunnel_ip. Please use 255.255.255.255
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1 (Primary)
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
crypto ikev2 proposal avx-s2c-10.0.16.196
 encryption aes-cbc-256
 integrity sha256
 group 14
 exit
!
crypto ikev2 policy
 proposal avx-s2c-10.0.16.196
 exit
!
crypto ikev2 keyring 192.168.77.1-10.0.16.196
 peer 192.168.77.1-10.0.16.196
  address 10.0.16.196
  identity address 10.0.16.196
  pre-shared-key Qu5782Yg3qTzN2N4P42FfKXMYdKkKa7zdnKYmKYX
  exit
 exit
!
crypto ikev2 profile 192.168.77.1-10.0.16.196
 match identity remote address 10.0.16.196 255.255.255.255
 identity local address 192.168.77.1
 authentication remote pre-share
 authentication local pre-share
 keyring local 192.168.77.1-10.0.16.196
 lifetime 28800
 dpd 10 3 periodic
 exit
!
!---------------------------------------------------------------------------------
! #2: IPSec Configuration
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set 192.168.77.1-10.0.16.196 esp-256-aes esp-sha256-hmac
 mode tunnel
 exit
crypto ipsec df-bit clear
!
crypto ipsec profile 192.168.77.1-10.0.16.196
 set security-association lifetime seconds 3600
 set transform-set 192.168.77.1-10.0.16.196
 set pfs group14
 set ikev2-profile 192.168.77.1-10.0.16.196
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 3600
 exit
!
!---------------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! The virtual tunnel interface is used to communicate with the remote IPSec endpoint
! to establish the IPSec tunnel.
!
interface Tunnel
 ip address 169.254.76.181 255.255.255.252
 ip mtu 1436
 ip tcp adjust-mss 1387
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination 10.0.16.196
 tunnel protection ipsec profile 192.168.77.1-10.0.16.196
 ip virtual-reassembly
 exit
!
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2 (Backup)
! --------------------------------------------------------------------------------
! #4: Internet Key Exchange (IKE) Configuration
!
crypto ikev2 keyring 192.168.77.1-10.0.17.68
 peer 192.168.77.1-10.0.17.68
  address 10.0.17.68
  identity address 10.0.17.68
  pre-shared-key ls2NSI5VswRvxVPA5E53hY90g58UIOvyvvMK4Ha9
  exit
 exit
!
crypto ikev2 profile 192.168.77.1-10.0.17.68
 match identity remote address 10.0.17.68 255.255.255.255
 identity local address 192.168.77.1
 authentication remote pre-share
 authentication local pre-share
 keyring local 192.168.77.1-10.0.17.68
 lifetime 28800
 dpd 10 3 periodic
 exit
!
!---------------------------------------------------------------------------------
! #5: IPSec Configuration
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set 192.168.77.1-10.0.17.68 esp-256-aes esp-sha256-hmac
 mode tunnel
 exit
!
crypto ipsec profile 192.168.77.1-10.0.17.68
 set security-association lifetime seconds 3600
 set transform-set 192.168.77.1-10.0.17.68
 set pfs group14
 set ikev2-profile 192.168.77.1-10.0.17.68
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 3600
 exit
!
!---------------------------------------------------------------------------------------
! #6: Tunnel Interface Configuration
! The virtual tunnel interface is used to communicate with the remote IPSec endpoint
! to establish the IPSec tunnel.
!
interface Tunnel
 ip address 169.254.215.57 255.255.255.252
 ip mtu 1436
 ip tcp adjust-mss 1387
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination 10.0.17.68
 tunnel protection ipsec profile 192.168.77.1-10.0.17.68
 ip virtual-reassembly
 exit
!
!---------------------------------------------------------------------------------------
! #7: BGP Routing Configuration
! The Border Gateway Protocol (BGPv4) is used to exchange routes from the VPC to the
! on-prem network. Each BGP router has an Autonomous System Number (ASN).
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.76.182 remote-as 65001
 neighbor 169.254.76.182 timers 60 180
 ! bgp md5 authentication password needs to be added if configured
 ! neighbor 169.254.76.182 password
 neighbor 169.254.215.58 remote-as 65001
 neighbor 169.254.215.58 timers 60 180
 ! bgp md5 authentication password needs to be added if configured
 ! neighbor 169.254.215.58 password
 !
 address-family ipv4
  redistribute connected
  neighbor 169.254.76.182 activate
  neighbor 169.254.76.182 soft-reconfiguration inbound
  neighbor 169.254.215.58 activate
  neighbor 169.254.215.58 soft-reconfiguration inbound
  maximum-paths 4
 exit-address-family
!
!---------------------------------------------------------------------------------------
!
! For vendor specific instructions, please go to the following URL: http://docs.aviatrix.com/#site2cloud
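Because the placeholders in this template are filled in by hand, a quick sanity check before pasting it into a device is worthwhile. The following is an added example (not part of the Aviatrix template or its tooling) that parses IOS-style config text, flags IKEv2 proposal settings weaker than the AES-256/SHA-256/group-14 values used above, and confirms that each BGP neighbor address falls inside the /30 of a tunnel interface, which is how the neighbor lines in section #7 relate to the tunnel addresses in sections #3 and #6. The sample config is constructed from the template: the Tunnel interface numbers are assumed (the template leaves them as placeholders), pre-shared keys are omitted, and a deliberately weak proposal named legacy-example is added so the audit has something to report.

```python
import ipaddress

# Constructed sample taken from the template: Tunnel numbers are assumed, pre-shared
# keys are omitted, and the 'legacy-example' proposal is deliberately weak.
SAMPLE = """\
crypto ikev2 proposal avx-s2c-10.0.16.196
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 proposal legacy-example
 encryption 3des
 integrity sha1
 group 2
interface Tunnel1
 ip address 169.254.76.181 255.255.255.252
interface Tunnel2
 ip address 169.254.215.57 255.255.255.252
router bgp 65000
 neighbor 169.254.76.182 remote-as 65001
 neighbor 169.254.215.58 remote-as 65001
"""
# IKEv2 proposal values accepted as strong; anything else is reported.
STRONG = {"encryption": {"aes-cbc-256", "aes-gcm-256"},
          "integrity": {"sha256", "sha384", "sha512"},
          "group": {"14", "15", "16", "19", "20", "21"}}

def blocks(config):
    """Split IOS config text into (header, [sub-commands]) per top-level block."""
    out = []
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip():
            out.append((line.strip(), []))
    return out

def audit(config):
    """Return (weak proposal lines, {bgp neighbor: tunnel whose /30 holds it, or None})."""
    weak, nets, peers = [], {}, {}
    for header, body in blocks(config):
        for entry in body:
            key, _, value = entry.partition(" ")
            if header.startswith("crypto ikev2 proposal") and key in STRONG:
                if any(v not in STRONG[key] for v in value.split()):
                    weak.append(f"{header.split()[-1]}: {entry}")
            elif header.startswith("interface Tunnel") and entry.startswith("ip address "):
                ip, mask = entry.split()[2:4]  # the tunnel's /30 transit subnet
                nets[header.split()[1]] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            elif header.startswith("router bgp") and key == "neighbor":
                addr = ipaddress.ip_address(value.split()[0])
                peers[str(addr)] = next((t for t, n in nets.items() if addr in n), None)
    return weak, peers
```

A neighbor that maps to None points at a mistyped tunnel or neighbor address; run it against the filled-in template with `audit(open("s2c.cfg").read())`.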