Configuring Cisco 2811 router for Site-to-site VPN with MX Series Appliance using the Command Line Interface

This article will outline the process for configuring a Site-to-site VPN between a MX Security Appliance and a Cisco 2800 series router using the command line interface.

The diagram below shows the connection between the 2 sites participating in the site to site VPN

Configuration

• Configure the MX side as explained here
• Configure the Cisco 2811 router as shown below

Configure ISKAMP Policy

   crypto isakmp policy 10

   encr 3des

   authentication pre-share

   hash sha

   lifetime 28800

   group 2

Configure IPsec Transform Set

  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Specifies the interesting traffic to be encrypted

   ip access-list extended outgoing_to_MX

   permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

Specifies the pre-shared key "secretkey" which should be identical at both peers

  crypto isakmp key secretkey address 1.1.1.1

Configure the Ipsec-isakmp

  crypto map 2800-isakmp 1 ipsec-isakmp

  set peer 1.1.1.1

  set transform-set ESP-3DES-SHA

  match address outgoing_to_MX

Apply the Ipsec-isakmp to interface

  interface FastEthernet0/1

  ip address 2.2.2.2 255.255.255.248

  ip nat outside

  duplex auto

  speed auto

  crypto map 2800-isakmp

Once the MX and the ASA are successfully configured, the network configured for VPN access will be able to access each other's resources. To initialize the VPN tunnel, it is necessary to generate interesting traffic and send it to the VPN peer. This can be done by initiating a ping across the tunnel.

Troubleshooting 3^rd party VPN on MX can be found here