Cisco ISR G2 Series User manual
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 1 of 16
Verizon Wireless Dynamic Mo ile
Network Routing LTE - Cisco
Integrated Services Router (ISR G2)
and Connected Grid Router
Mo ile Router Configuration Guide - Group Encrypted
Transport VPN – Primary Access 3G/4G
Revision 3.5
Guide
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 2 of 16
Introduction
Group Encrypted Transport VPN (GETVPN) is a tunnel-less technology that provides end-to-end security for voice,
video, and data in a native mode for a full meshed network. Group Encrypted Transport VPN expands the standard
IP Security (IPsec) with the concept of trusted group mem ers to provide secure any-to-any communication over a
variety of network infrastructures. The main enefits over existing VPN solutions include:
●
Large-scale any-to-any encrypted communications
●
Native routing without tunnel overlay
●
Transport agnostic:
◦
Private WAN and LAN
◦
Frame Relay
◦
Multiprotocol La el Switching (MPLS)
◦
Third and Fourth-generation (3G and 4G) with Verizon Wireless Dynamic Mo ile Network Routing
(DMNR)
●
Centralized management of policies and keys in the key server
The immediate and long-term enefits of implementing Group Encrypted Transport VPN include:
●
Minimal configuration of crypto endpoints
◦
All devices, with the exception of key servers, share the same configuration; thus there is less chance of
making mistakes. There is no peer configuration or crypto access control lists (ACLs).
●
Native routing
◦
No modifications are required to the existing routing protocol configuration.
●
No tunnel overlay
◦
No additional complexity of generic-routing-encapsulation (GRE) tunnels and Next Hop Resolution
Protocol (NHRP) as in the case of Dynamic Multipoint VPN (DMVPN). There are no secondary routing
protocols over the tunnels.
●
Group encryption
◦
Group Encrypted Transport VPN minimizes latency ecause encryption is not performed on a per-link
asis, ut is encrypted only at the source (ATM or ranch office) and decrypted at the destination
(headquarters or data center).
●
RF usage conservation
◦
With only VPN there are no frequent periodic keep-alives. For example, Dead Peer Detection (DPD) and
Internet Key Exchange (IKE).
◦
Group mem er (GM) re-registrations are at 3600 seconds and ISAKMP (Internet Security Association
and Key Management Protocol) SA lifetime is 24 hours, resulting in a very low RF usage ecause
encryption is used.
●
High availa ility
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 3 of 16
Notes
1. The lifetime of the ISAKMP sessions on the key server should e no less than 24 hours.
2. Advanced Encryption Standard (AES) mode is recommended for the Traffic Encryption Key and Key
Encryption Key.
3. Use multiple key servers with the co-operative protocol. There should e persistent multiple paths etween co-
op key servers.
4. If there are multiple key servers, RSA keys should e generated on one of the co-op key servers as exporta le
and should e imported on all other key servers.
5. The encryption policy should have explicit denies for traffic not requiring encryption followed y glo al permit
statements that are symmetric.
6. On the group mem er, specify the loop ack address that is routed y NEMO as the source of rekey messages
with the command crypto map crypto-name local-address Loopback XYZ.
7. For a key system, it is recommended to always use a loop ack interface as the key system IP address for the
Group Domain of Interpretation (GDOI) protocol.
8. Fail/open and fail/closed modes are oth supported with DMNR.
9. Unicast rekey process is the only rekey method supported.
10. The GDOI crypto map must e applied to the NEMO Tunnel interface using the template method as shown in
Figure 1.
Assumptions and Guidelines
This document assumes the reader has followed the “Verizon Wireless Dynamic Mo ile Network Routing - Mo ile
Router Configuration Guide for Primary Wireless Access” document and DMNR is operating and verified efore
attempting the tasks outlined herein.
For implementation please consult Cisco for proper customer-premises-equipment (CPE) hardware selection and
scala ility.
Hardware Platforms and Software Images
This document is written ased on the following software versions and hardware. The following list is not the
complete list of platforms supported. Consult Cisco for the required software image.
●
Key sever: 7206VXR: 12.4 (22)T ADVIPSERVICESK9-M, 3945: 15.1(3)T1 Universal K9, 3845: 15.1(3)T1
ADVIPSERVICESK9-MZ
●
MPLS/CE GM:
900/2900/3900 with LTE eHWIC: IOS 15.3(3)M2 with security license
C8 9G-4G-V IOS 15.3(3)M2 (security license included)
CGR20 0 with LTE GRWIC: 15.3(1)T1 with security license
88 G with EVDO: 15.1(1)T universalk9-MZ
ASR 002: 15.1(1)S2 ADVENTERPRISEk9, 29 :15.1(2)T3 Universal K9
The Cisco 1941 Integrated Services Router is shown as the LTE/group mem er example. Many Cisco Integrated
Services Routers (ISRs) that can run NEMO and Group Encrypted Transport VPN can e used, ut a Cisco IOS
®
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 4 of 16
Software Release 12.4(15)T and later Advanced IP or Cisco IOS Software Release 15.1(3)T (exact) Data and
Security license are the minimum required with 3G.
For ISR 1900, 2900. 3900 with LTE eHWIC or C819G-4G-V, the minimum IOS Software release is 15.3(3)M2.
For CGR-2010, the minimum IOS release is 15.3(1)T1.
Figure . Architecture
1. Mo ile IP is ena led on the group mem er.
2. The high-speed WAN interface card (HWIC) or modem registers to The Verizon Enterprise Home Agent (EHA)
and o tains a /32 address.
3. Mo ile IP registration to EHA is followed y dynamic NEMO GRE Tunnel creation.
4. After registration and authentication to EHA, a dynamic mo ile default route (M) is installed with AD 3.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 5 of 16
Implementation:
Group Member
C1941-NEMO-LTE#wr t
Building configuration...
!
! Last configuration chang at 15:18:27 UTC Thu Aug 2 2012
v rsion 15.2
s rvic int rnal
s rvic tim stamps d bug dat tim ms c
s rvic tim stamps log dat tim ms c
no s rvic password- ncryption
!
hostnam C1941-NEMO-LTE
!
boot-start-mark r
boot syst m flash:c1900-univ rsalk9-mz.SPA.153-3.M2.bin
boot- nd-mark r
!
nabl password cisco
!
ip dhcp xclud d-addr ss 10.21.65.129 10.21.65.136
!
ip dhcp pool mobil
n twork 10.21.65.128 255.255.255.128
d fault-rout r 10.21.65.129
option 150 ip 11.11.11.11
dns-s rv r 4.2.2.2
!
ip c f
no ip domain lookup
no ipv6 c f
!
multilink bundl -nam auth nticat d
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
!
lic ns udi pid CISCO1941W-A/K9 sn FTX153901PZ
lic ns boot modul c1900 t chnology-packag s curityk9
lic ns boot modul c1900 t chnology-packag datak9
hw-modul ism 0
!
controll r C llular 0/0
!
no ip ftp passiv
ip ftp sourc -int rfac Vlan2
!
!### Define ISAKMP Policy and PSK ###
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key nemo address 0 0 0 0 0 0 0 0 no-xauth
!
!
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 6 of 16
!### Define GDOI Group and KS Address ###
crypto gdoi group nemo
identity number 434
server address ipv4 10 0 67 1
!
!
!### Define source IP for GETVPN crypto-map The source MUST be routed by
NEMO ###
crypto map NEMO-GETVPN local-address Loopback100
crypto map NEMO-GETVPN 10 gdoi
set group nemo
!
!
int rfac Loopback0
description ### NEMO Router Home Address Dummy non-Routable IP ###
ip addr ss 1.2.3.4 255.255.255.255
!
int rfac Loopback100
description ### Loopback Routed by NEMO ###
ip addr ss 10.0.66.1 255.255.255.255
!
int rfac Loopback101
ip addr ss 10.0.66.2 255.255.255.255
!
int rfac Loopback102
ip addr ss 10.0.66.3 255.255.255.255
!
!### Define the tunnel template to be able to apply the GETVPN crypto-map to
the dynamic NEMO tunnel ###
interface Tunnel434
no ip address
crypto map NEMO-GETVPN
!
int rfac GigabitEth rn t0/0
no ip addr ss
!
int rfac GigabitEth rn t0/1
no ip addr ss
!
int rfac GigabitEth rn t0/1/0
d scription ### LAN S gm nt and Subn t Rout d by NEMO ###
switchport acc ss vlan 2
no k paliv
!
int rfac GigabitEth rn t0/1/1
switchport acc ss vlan 2
!
int rfac GigabitEth rn t0/1/2
switchport acc ss vlan 2
!
int rfac GigabitEth rn t0/1/3
switchport acc ss vlan 2
!
!### Setup cellular interface for NEMO, disable idle timer, assign dialer-
watch group for compulsive dial” ###
interface Cellular0/0/0
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 7 of 16
ip address negotiated
no ip unreachables
ip mobile router-service roam
ip mobile router-service collocated ccoa-only
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer enable-timeout 6
dialer string LTE
dialer watch-group 1
!
int rfac Vlan1
no ip addr ss
!
!### Configure LAN interface: TCP MSS to avoid fragmentation, clear-df for
non-TCP traffic ###
interface Vlan2
ip address 10 21 65 129 255 255 255 128
ip tcp adjust-mss 1300
ip policy route-map clear-df
!
!### Turn on Mobile Routing ###
router mobile
!
ip forward-protocol nd
no ip http s rv r
no ip http s cur -s rv r
!
!### Define NEMO-HA Security Parameters Use the appropriate EXGW IP address
based on the geographic location ###
!
ip mobile secure home-agent 66 174 X Y spi decimal 256 key ascii VzWNeMo
algorithm hmac-md5
!
!### Configure Mobile Router ###
ip mobile router address 1 2 3 4 255 255 255 0
collocated single-tunnel
home-agent 66 174 X Y
mobile-network Loopback100
mobile-network Loopback101
mobile-network Loopback102
mobile-network Vlan2
template Tunnel434
register extend expire 10 retry 3 interval 5
reverse-tunnel
tunnel mode gre
!
!### Define dialer watch parameters ###
dialer watch-list 1 ip 5 6 7 8 0 0 0 0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
rout -map cl ar-df p rmit 10
s t ip df 0
!
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 8 of 16
control-plan
!
!
lin con 0
no mod m nabl
lin aux 0
lin 2
no activation-charact r
no x c
transport pr f rr d non
transport input all
transport output pad t ln t rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer LTE
modem InOut
no exec
rxspeed 100000000
txspeed 50000000
lin vty 0 4
password cisco
login
transport input all
!
xc ption data-corruption buff r truncat
sch dul r max-task-tim 5000
!
End
______________________________________________________________________
CGR-2010 with LTE GRWIC is configured similarl to the ISR with LTE eHWIC.
C819G-4G-V is configured similarl to the ISR with LTE eHWIC with these caveats:
- The cell interface is “cellular 0”
- The line interface representing LTE is “line 3”
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 9 of 16
K
EY
S
ERVER
_________________________________________________________
Identify the location of the key servers. Provide the key server name and whether the server has a primary or
secondary role.
IPSec has two sets of policies to e configured, the ISAKMP policy and the IPSec Policy, also referred to as the
transform set.
Configuration for Primary key server is shown elow.
Key Server Configuration – ISAKMP Policy
Hostnam k ys rv r-nam
!### D fin th ISAKMP Policy ###
crypto isakmp policy 10
auth ntication pr -shar
ncryption a s
hash sha
group 5
lif tim 86400
!### D fin pr -shar d k ys for ach GM and oth r KS if any ###
crypto isakmp k y NEMO addr ss 0.0.0.0 0.0.0.0 no-xauth
Key Server Configuration – IPsec Policy
!### D fin th IPS c Policy ###
crypto ips c transform-s t NEMO sp-a s sp-sha-hmac
!
crypto ips c profil NEMO
s t s curity-association lif tim s conds 28800
s t transform-s t NEMO
Key Server Configuration – GDOI
!### GDOI Configuration ###
crypto gdoi group NEMO
id ntity numb r 1
s rv r local
r k y r transmit 10 numb r 2
r k y auth ntication mypubk y rsa NEMO
r k y transport unicast
sa ips c 1
profil NEMO
match addr ss ipv4 NEMO-GETVPN
r play count r window-siz 64
addr ss ipv4 <KS1 addr ss> or <KS2 addr ss>
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 10 of 16
Server Crypto ACL (T is configuration is a sample & needs to be customized for deployment)
!### Crypto ACL ###
ip acc ss-list xt nd d NEMO-GETVPN
d ny tcp any any q ssh
d ny tcp any q ssh any
d ny udp any any q 848
d ny udp q 848 any
d ny tcp any any q bgp !wh n GM us s BGP for PE-CE
d ny tcp any q bgp any !wh n GM us s BGP for PE-CE
!d ny udp any any q ntp !optional
!d ny udp any any q dns !optional
!d ny udp any any q snmp !optional
!d ny udp any any q syslog !optional
!d ny udp any any q 1645 !optional
!d ny udp any any q 1646 !optional
!d ny udp any any q 1812 !optional
!d ny udp any any q 1813 !optional
!d ny tcp any q 443 any !optional
!d ny tcp any any q 443 !optional
permit ip any any
____________________________________________________________________________
Note: Crypto access control list (ACL) must be designed per customer traffic requirements.
The ACL provided is an example only.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 11 of 16
Important Group Member Show and PING Commands
SHO
CRYPTO
GDOI_________________________________________________
C1941-NEMO-LTE#sh crypto gdoi
GROUP INFORMATION
Group Nam : n mo
Group Id ntity : 434
R k ys r c iv d : 348
IPS c SA Dir ction : Both
Group S rv r list : 10.0.67.1
Group m mb r : 10.0.66.1 vrf: Non
R gistration status : R gist r d
R gist r d with : 10.0.67.1
R -r gist rs in : 413 s c
Succ d d r gistration: 26
Att mpt d r gistration: 29
Last r k y from : 10.0.67.1
Last r k y s q num : 33
Unicast r k y r c iv d: 348
R k y ACKs s nt : 348
R k y Rcvd(hh:mm:ss) : 00:50:06
allowabl r k y ciph r: any
allowabl r k y hash : any
allowabl transformtag: any ESP
R k ys cumulativ
Total r c iv d : 348
Aft r lat st r gist r : 3
R k y Acks s nts : 348
ACL Download d From KS 10.0.67.1:
acc ss-list p rmit ip any 10.245.1.0 0.0.0.255
acc ss-list p rmit ip 10.245.1.0 0.0.0.255 any
KEK POLICY:
R k y Transport Typ : Unicast
Lif tim (s cs) : 6810
Encrypt Algorithm : 3DES
K y Siz : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig K y L ngth (bits) : 1024
TEK POLICY for th curr nt KS-Policy ACEs Download d:
Tunn l0:
IPs c SA:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac
sa timing:r maining k y lif tim (s c): (593)
Anti-R play : Disabl d
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 12 of 16
SHO
CRYPTO
ISAKMP
SA__________________________________________
C1941-NEMO-LTE#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src stat conn-id status
10.0.67.1 10.0.66.1 GDOI_IDLE 2047 ACTIVE
10.0.66.1 10.0.67.1 GDOI_REKEY 2049 ACTIVE
SHO
CRYPTO
IPSEC
SA
_____________________________________________
C1941-NEMO-LTE#sh crypto ips c sa
int rfac : Tunn l434
Crypto map tag: NEMO-GETVPN, local addr 10.0.66.1
prot ct d vrf: (non )
local id nt (addr/mask/prot/port): (10.245.1.0/255.255.255.0/0/0)
r mot id nt (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
curr nt_p r 0.0.0.0 port 848
PERMIT, flags={origin_is_acl,}
#pkts ncaps: 0, #pkts ncrypt: 0, #pkts dig st: 0
#pkts d caps: 0, #pkts d crypt: 0, #pkts v rify: 0
#pkts compr ss d: 0, #pkts d compr ss d: 0
#pkts not compr ss d: 0, #pkts compr. fail d: 0
#pkts not d compr ss d: 0, #pkts d compr ss fail d: 0
#s nd rrors 0, #r cv rrors 0
local crypto ndpt.: 10.0.66.1, r mot crypto ndpt.: 0.0.0.0
path mtu 1476, ip mtu 1476, ip mtu idb Tunn l434
curr nt outbound spi: 0xA5A7BF26(2779234086)
PFS (Y/N): N, DH group: non
inbound sp sas:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac ,
in us s ttings ={Tunn l, }
conn id: 89, flow_id: Onboard VPN:89, sibling_flags 80000040, crypto
map: NEMO-GETVPN
sa timing: r maining k y lif tim (s c): (520)
Kilobyt Volum R k y has b n disabl d
IV siz : 16 byt s
r play d t ction support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound sp sas:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac ,
in us s ttings ={Tunn l, }
conn id: 90, flow_id: Onboard VPN:90, sibling_flags 80000040, crypto
map: NEMO-GETVPN
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 13 of 16
sa timing: r maining k y lif tim (s c): (520)
Kilobyt Volum R k y has b n disabl d
IV siz : 16 byt s
r play d t ction support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
prot ct d vrf: (non )
local id nt (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
r mot id nt (addr/mask/prot/port): (10.245.1.0/255.255.255.0/0/0)
curr nt_p r 0.0.0.0 port 848
PERMIT, flags={origin_is_acl,}
#pkts ncaps: 12131, #pkts ncrypt: 12131, #pkts dig st: 12131
#pkts d caps: 11870, #pkts d crypt: 11870, #pkts v rify: 11870
#pkts compr ss d: 0, #pkts d compr ss d: 0
#pkts not compr ss d: 0, #pkts compr. fail d: 0
#pkts not d compr ss d: 0, #pkts d compr ss fail d: 0
#s nd rrors 0, #r cv rrors 0
local crypto ndpt.: 10.0.66.1, r mot crypto ndpt.: 0.0.0.0
path mtu 1476, ip mtu 1476, ip mtu idb Tunn l434
curr nt outbound spi: 0xA5A7BF26(2779234086)
PFS (Y/N): N, DH group: non
inbound sp sas:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac ,
in us s ttings ={Tunn l, }
conn id: 87, flow_id: Onboard VPN:87, sibling_flags 80000040, crypto
map: NEMO-GETVPN
sa timing: r maining k y lif tim (s c): (520)
Kilobyt Volum R k y has b n disabl d
IV siz : 16 byt s
r play d t ction support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound sp sas:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac ,
in us s ttings ={Tunn l, }
conn id: 88, flow_id: Onboard VPN:88, sibling_flags 80000040, crypto
map: NEMO-GETVPN
sa timing: r maining k y lif tim (s c): (520)
Kilobyt Volum R k y has b n disabl d
IV siz : 16 byt s
r play d t ction support: N
Status: ACTIVE
outbound ah sas:
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 14 of 16
outbound pcp sas:
int rfac : Tunn l0
Crypto map tag: NEMO-GETVPN, local addr 10.0.66.1
prot ct d vrf: (non )
local id nt (addr/mask/prot/port): (10.245.1.0/255.255.255.0/0/0)
r mot id nt (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
curr nt_p r 0.0.0.0 port 848
PERMIT, flags={origin_is_acl,}
#pkts ncaps: 0, #pkts ncrypt: 0, #pkts dig st: 0
#pkts d caps: 0, #pkts d crypt: 0, #pkts v rify: 0
#pkts compr ss d: 0, #pkts d compr ss d: 0
#pkts not compr ss d: 0, #pkts compr. fail d: 0
#pkts not d compr ss d: 0, #pkts d compr ss fail d: 0
#s nd rrors 0, #r cv rrors 0
local crypto ndpt.: 10.0.66.1, r mot crypto ndpt.: 0.0.0.0
path mtu 1476, ip mtu 1476, ip mtu idb Tunn l434
curr nt outbound spi: 0xA5A7BF26(2779234086)
PFS (Y/N): N, DH group: non
inbound sp sas:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac ,
in us s ttings ={Tunn l, }
conn id: 89, flow_id: Onboard VPN:89, sibling_flags 80000040, crypto
map: NEMO-GETVPN
sa timing: r maining k y lif tim (s c): (520)
Kilobyt Volum R k y has b n disabl d
IV siz : 16 byt s
r play d t ction support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound sp sas:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac ,
in us s ttings ={Tunn l, }
conn id: 90, flow_id: Onboard VPN:90, sibling_flags 80000040, crypto
map: NEMO-GETVPN
sa timing: r maining k y lif tim (s c): (520)
Kilobyt Volum R k y has b n disabl d
IV siz : 16 byt s
r play d t ction support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
prot ct d vrf: (non )
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 15 of 16
local id nt (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
r mot id nt (addr/mask/prot/port): (10.245.1.0/255.255.255.0/0/0)
curr nt_p r 0.0.0.0 port 848
PERMIT, flags={origin_is_acl,}
#pkts ncaps: 12131, #pkts ncrypt: 12131, #pkts dig st: 12131
#pkts d caps: 11870, #pkts d crypt: 11870, #pkts v rify: 11870
#pkts compr ss d: 0, #pkts d compr ss d: 0
#pkts not compr ss d: 0, #pkts compr. fail d: 0
#pkts not d compr ss d: 0, #pkts d compr ss fail d: 0
#s nd rrors 0, #r cv rrors 0
local crypto ndpt.: 10.0.66.1, r mot crypto ndpt.: 0.0.0.0
path mtu 1476, ip mtu 1476, ip mtu idb Tunn l434
curr nt outbound spi: 0xA5A7BF26(2779234086)
PFS (Y/N): N, DH group: non
inbound sp sas:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac ,
in us s ttings ={Tunn l, }
conn id: 87, flow_id: Onboard VPN:87, sibling_flags 80000040, crypto
map: NEMO-GETVPN
sa timing: r maining k y lif tim (s c): (520)
Kilobyt Volum R k y has b n disabl d
IV siz : 16 byt s
r play d t ction support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound sp sas:
spi: 0xA5A7BF26(2779234086)
transform: sp-a s sp-sha-hmac ,
in us s ttings ={Tunn l, }
conn id: 88, flow_id: Onboard VPN:88, sibling_flags 80000040, crypto
map: NEMO-GETVPN
sa timing: r maining k y lif tim (s c): (520)
Kilobyt Volum R k y has b n disabl d
IV siz : 16 byt s
r play d t ction support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
C1941-NEMO-LTE#
PING
FROM
INSIDE
SOURCE___________________________________________
C1941-NEMO-LTE#ping 10.245.1.1 sourc 10.21.65.129 r p at 100
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco/Verizon Pu lic Information. Page 16 of 16
Typ scap s qu nc to abort.
S nding 100, 100-byt ICMP Echos to 10.245.1.1, tim out is 2 s conds:
Pack t s nt with a sourc addr ss of 10.21.65.129
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Succ ss rat is 100 p rc nt (100/100), round-trip min/avg/max = 44/72/524 ms
Other manuals for ISR G2 Series
1
This manual suits for next models
5
Table of contents
Other Cisco Network Router manuals
Cisco
Cisco NCS 540 User manual
Cisco
Cisco ASR 900 Series User manual
Cisco
Cisco 6160 Manual
Cisco
Cisco 901 User manual
Cisco
Cisco Profile Series User manual
Cisco
Cisco 2431 - IAD Router Manual
Cisco
Cisco OSR-7609 Installation and operation manual
Cisco
Cisco Linksys EtherFast BEFVP41 User manual
Cisco
Cisco 2501 - Router - EN User manual
Cisco
Cisco 1760V User manual
Cisco
Cisco ASR1000-RP1 - ASR 1000 Series Route Processor 1... User manual
Cisco
Cisco 1805 User manual
Cisco
Cisco ASR 14000 Series User manual
Cisco
Cisco Linksys WET610N User manual
Cisco
Cisco Linksys WRT600N User manual
Cisco
Cisco 811 User manual
Cisco
Cisco 3200 Series Installation and operation manual
Cisco
Cisco uBR10012 Universal Broadband Router... User manual
Cisco
Cisco ASR 1001-HX Manual
Cisco
Cisco 1417 User manual
