Branches with Static VTI
Hub : Dynamic VTI
– ISAKMP Profile
– Key ring with PSKs
– Virtual Template
R1(Hub)
—
(config)# crypto isakmp policy 1
(config-isakmp)# encr aes 192
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5
(config)# crypto keyring HRT-PSKS
(config-keyrings)# pre-shared-key address 0.0.0.0(remote IP or all) key cisco123
(config)# crypto ipsec transform-set HRT-SET esp-aes 128 esp-md5-hmac
(config)# crypto ipsec profile HRT-IPSEC-PROFILE
(ipsec-profile)# set transform-set HRT-SET
(config)# interface virtual-template 1 type tunnel
(config-if)#tunnel mode ipsec ipv4
(config-if)#tunnel protection ipsec profile HRT-IPSEC-PROFILE
//if the address is 25.0.0.2 then use this template 1
(config)# crypto isakmp profile OUR-IKE-PROFILE
(config-isa-pro)# match identity address 25.0.0.2 255.255.255.255 (0.0.0.0 anything can connect)
(config-isa-pro)#virtual-template 1
(config-isa-pro)#keyring HRT-PSKS
R2 (branch-spoke)
——-
SVTI
(config)# crypto isakmp policy 1
(config-isakmp)# encr aes 192
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5
(config)#crypto isakmp key cisco123 address 0.0.0.0
(config)#crypto ipsec tranform-set HRT esp-aes 128 esp-md5-hmac
(config)#crypto ipsec profile HRT-IPSEC-PROFILE
(ipsec-profile)# set transform-set HRT-SET
(config)#int tunnel 1
(config-if)# tunnel source serial 1/0
(config-if)# tunnel destination 15.0.0.1
(config-if)# tunnel mode ipsec ipv4
(config-if)# tunnel protection ipsec profile HRT-IPSEC-PROFILE