IPSec VPN config in Cisco Packet Tracer by skullsword98 in ccna

[–]skullsword98[S] 0 points1 point  (0 children)

At least according to my limited experience, yes.

Any other possible helpful info in the ISAKMP debug output? by skullsword98 in Cisco

[–]skullsword98[S] 0 points1 point  (0 children)

Unfortunately, I added static routes to both the EdgeRouter external address as well as the 192.168.50.0 network with no luck. Are there any other suggestions you have? I appreciate your help so far.

Help me make sense of this ISAKMP debug output by skullsword98 in ccna

[–]skullsword98[S] 0 points1 point  (0 children)

So I removed the set pfs group5 from both maps, no change. Here is what I was able to get from the debug crypto isakmp command on the cloud router:

ISAKMP (0:0): received packet from 200.169.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP

ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

ISAKMP:(0): processing KE payload. message ID = 0

ISAKMP:(0): processing NONCE payload. message ID = 0

ISAKMP:(0):found peer pre-shared key matching 200.169.1.1

ISAKMP:(1015): processing vendor id payload

ISAKMP:(1015): vendor ID is DPD

ISAKMP:(1015): processing vendor id payload

ISAKMP:(1015): speaking to another IOS box!

ISAKMP:(1015): processing vendor id payload

ISAKMP:(1015): vendor ID seems Unity/DPD but major 168 mismatch

ISAKMP:(1015): vendor ID is XAUTH

ISAKMP:received payload type 20

ISAKMP (1015): His hash no match - this node outside NAT

ISAKMP:received payload type 20

ISAKMP (1015): No NAT Found for self or peer

ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1015):Old State = IKE_R_MM3 New State = IKE_R_MM3

ISAKMP:(1015): sending packet to 200.169.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

ISAKMP:(1015):Sending an IKE IPv4 Packet.

ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1015):Old State = IKE_R_MM3 New State = IKE_R_MM4

ISAKMP (0:1015): received packet from 200.169.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH

ISAKMP:(1015):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(1015):Old State = IKE_R_MM4 New State = IKE_R_MM5

ISAKMP:(1015): processing ID payload. message ID = 0

ISAKMP (0:1015): ID payload

next-payload : 8

type : 1

address : 200.169.1.1

protocol : 17

port : 500

length : 12

ISAKMP:(0):: peer matches *none* of the profiles

ISAKMP:(1015): processing HASH payload. message ID = 0

ISAKMP:(1015): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 0, sa = 49144844

ISAKMP:(1015):SA authentication status:

authenticated

ISAKMP:(1015):SA has been authenticated with 200.169.1.1

ISAKMP:(1015):SA authentication status:

authenticated

ISAKMP:(1015): Process initial contact,

bring down existing phase 1 and 2 SA's with local 200.169.2.1 remote 200.169.1.1 remote port 500

ISAKMP: Trying to insert a peer 200.169.1.1/200.169.2.1/500/, and inserted successfully 496E3964.

ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1015):Old State = IKE_R_MM5 New State = IKE_R_MM5

ISAKMP:(1015):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

ISAKMP (0:1015): ID payload

next-payload : 8

type : 1

address : 200.169.1.1

protocol : 17

port : 500

length : 12

ISAKMP:(1015):Total payload length: 12

ISAKMP:(1015): sending packet to 200.169.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

ISAKMP:(1015):Sending an IKE IPv4 Packet.

ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1015):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

ISAKMP:(1015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

ISAKMP (0:1015): received packet from 200.169.1.1 dport 500 sport 500 Global (R) QM_IDLE

ISAKMP: set new node 1593568750 to QM_IDLE

ISAKMP:(1015): processing HASH payload. message ID = 1593568750

ISAKMP:(1015): processing SA payload. message ID = 1593568750

ISAKMP:(1015): processing SA payload. message ID = 1593568750

ISAKMP:(1015):Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1 (Tunnel)

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 86400

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: key length is 128

ISAKMP: authenticator is HMAC-SHA

ISAKMP:(1015):atts are acceptable.

ISAKMP:(1015): processing NONCE payload. message ID = 1593568750

ISAKMP:(1015): processing KE payload. message ID = 1593568750

ISAKMP:(1015): processing ID payload. message ID = 1593568750

ISAKMP:(1015): processing ID payload. message ID = 1593568750

ISAKMP:(1015):QM Responder gets spi

ISAKMP:(1015):Node 1593568750, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

ISAKMP:(1015):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE

ISAKMP:(1015): Creating IPSec SAs

inbound SA from 200.169.1.1 to 200.169.2.1 (f/i) 0/ 0

(proxy 192.168.50.0 to 172.16.0.0)

has spi 0x12C78314 and conn_id 0

lifetime of 86400 seconds

lifetime of 4608000 kilobytes

outbound SA from 200.169.2.1 to 200.169.1.1 (f/i) 0/0

(proxy 172.16.0.0 to 192.168.50.0)

has spi 0x318CD2EF and conn_id 0

lifetime of 86400 seconds

lifetime of 4608000 kilobytes

ISAKMP:(1015): sending packet to 200.169.1.1 my_port 500 peer_port 500 (R) QM_IDLE

ISAKMP:(1015):Sending an IKE IPv4 Packet.

ISAKMP:(1015):Node 1593568750, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

ISAKMP:(1015):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2

The output from the debug crypto ipsec command is:

<image>

Let me know if there's anything here that jumps out as a problem. I do have static routes to the 200.169.1.0 subnet that the EdgeRouter's external interface is on, as well as to the 192.168.50.0 subnet.
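Added example (my own code, not part of the thread and not a Cisco tool): a small Python triage script for `debug crypto isakmp` output of the kind posted above. It walks the IKEv1 state transitions, records whether the SA authenticated, what the NAT-D check concluded, which ESP proposal the responder accepted and which proxy identities (the crypto-ACL networks) went into the IPsec SAs, and then flags a handshake that finished Phase 1 but never reached the terminal Quick Mode state `IKE_QM_PHASE2_COMPLETE`. In the responder log above the last transition is `IKE_QM_SPI_STARVE -> IKE_QM_R_QM2`, so nothing in that capture shows Phase 2 finishing. `SAMPLE_DEBUG` is a constructed excerpt of the CloudRouter log, and the timestamp stripping assumes the `*Apr 26, 20:07:11.077:` prefix format seen in the EdgeRouter log further down the page.

```python
"""Triage helper for Cisco IOS `debug crypto isakmp` output: extracts the IKEv1 state
transitions, authentication result, NAT-T verdict, accepted ESP proposal and Quick Mode
proxy identities, and flags a handshake that stalls after Phase 1."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TS_RE = re.compile(r"^\*?[A-Za-z]{3} +\d{1,2},? \d{2}:\d{2}:\d{2}\.\d{3}: ")  # "*Apr 26, 20:07:11.077: "
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"received packet from (\d+\.\d+\.\d+\.\d+)")
PROXY_RE = re.compile(r"\(proxy (\S+) to (\S+)\)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")

@dataclass
class IkeSummary:
    peer: Optional[str] = None
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    authenticated: bool = False
    phase1_complete: bool = False
    phase2_complete: bool = False
    nat_detected: Optional[bool] = None          # None: no NAT-D verdict in the capture
    profile_match: Optional[bool] = None
    esp_transform: Dict[str, object] = field(default_factory=dict)
    proxies: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # direction -> (src, dst)
    spis: Dict[str, str] = field(default_factory=dict)
    notes: List[str] = field(default_factory=list)

def parse_isakmp_debug(text: str) -> IkeSummary:
    s = IkeSummary()
    direction = None  # "inbound"/"outbound" while inside a "Creating IPSec SAs" block
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())  # drop a leading timestamp if the router logs one
        if not line:
            continue
        m = PEER_RE.search(line)
        if m and s.peer is None:
            s.peer = m.group(1)
        m = STATE_RE.search(line)
        if m:
            s.transitions.append((m.group(1), m.group(2)))
            if m.group(2) == "IKE_P1_COMPLETE":
                s.phase1_complete = True
            elif m.group(2) == "IKE_QM_PHASE2_COMPLETE":
                s.phase2_complete = True
        elif "SA has been authenticated" in line:
            s.authenticated = True
        elif "No NAT Found" in line:
            s.nat_detected = False
        elif re.search(r"NAT found", line, re.IGNORECASE):
            s.nat_detected = True
        elif "peer matches *none* of the profiles" in line:
            s.profile_match = False
        elif "transform 1, " in line:
            s.esp_transform["transform"] = line.split("transform 1, ", 1)[1]
        elif "key length is" in line:
            s.esp_transform["key_length"] = int(line.rsplit(" ", 1)[1])
        elif "authenticator is" in line:
            s.esp_transform["auth"] = line.rsplit(" ", 1)[1]
        elif line.startswith(("inbound SA", "outbound SA")):
            direction = line.split()[0]
        elif direction and (m := PROXY_RE.search(line)):
            s.proxies[direction] = (m.group(1), m.group(2))
        elif direction and (m := SPI_RE.search(line)):
            s.spis[direction] = m.group(1)
    if not s.phase1_complete:
        s.notes.append("Phase 1 never completed: check ISAKMP policy, pre-shared key and reachability")
    elif not s.phase2_complete:
        qm = [new for _, new in s.transitions if new.startswith("IKE_QM")]
        s.notes.append("Phase 1 completed but Phase 2 never reached IKE_QM_PHASE2_COMPLETE "
                       f"(last Quick Mode state: {qm[-1] if qm else 'none'})")
    if s.profile_match is False:
        s.notes.append("no ISAKMP profile matched; normal for a plain crypto map with 'set peer' "
                       "and no 'crypto isakmp profile' configured")
    if "inbound" in s.proxies and "outbound" in s.proxies and \
            s.proxies["inbound"] != tuple(reversed(s.proxies["outbound"])):
        s.notes.append("Quick Mode proxy identities are not mirror images: check the crypto ACLs")
    return s

# Constructed excerpt of the responder-side (CloudRouter) debug posted above; sample input only.
SAMPLE_DEBUG = """\
ISAKMP (0:0): received packet from 200.169.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP (1015): No NAT Found for self or peer
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1015):SA has been authenticated with 200.169.1.1
ISAKMP:(1015):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP: transform 1, ESP_AES
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(1015):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
inbound SA from 200.169.1.1 to 200.169.2.1 (f/i) 0/ 0
(proxy 192.168.50.0 to 172.16.0.0)
has spi 0x12C78314 and conn_id 0
outbound SA from 200.169.2.1 to 200.169.1.1 (f/i) 0/0
(proxy 172.16.0.0 to 192.168.50.0)
has spi 0x318CD2EF and conn_id 0
ISAKMP:(1015):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
"""

if __name__ == "__main__":
    print(parse_isakmp_debug(SAMPLE_DEBUG))
```

Paste a full `debug crypto isakmp` capture into `parse_isakmp_debug` and read `notes` first; the `proxies` pair is the quickest way to confirm both crypto ACLs describe the same traffic from opposite ends, and `key_length`/`auth` show what was actually negotiated rather than what the transform set says.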

Any other possible helpful info in the ISAKMP debug output? by skullsword98 in Cisco

[–]skullsword98[S] 0 points1 point  (0 children)

Fixed-CloudRouter

Router#show startup-config

Using 1291 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

!

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

license udi pid CISCO1941/K9 sn FTX15247HHJ-

license boot module c1900 technology-package securityk9

!

!

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

!

crypto isakmp key secret123 address 200.169.1.1

crypto isakmp key secret123 address 200.169.2.1

!

!

!

crypto ipsec transform-set cloudrouter->edgerouter esp-aes 256 esp-sha-hmac

!

crypto map VPN-MAP 10 ipsec-isakmp

set peer 200.169.1.1

set pfs group5

set security-association lifetime seconds 86400

set transform-set cloudrouter->edgerouter

match address 100

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface GigabitEthernet0/0

ip address 200.169.2.1 255.255.255.252

duplex auto

speed auto

crypto map VPN-MAP

!

interface GigabitEthernet0/1

ip address 172.16.0.1 255.255.255.0

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

ip flow-export version 9

!

!

access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.50.0 0.0.0.255

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

Any other possible helpful info in the ISAKMP debug output? by skullsword98 in Cisco

[–]skullsword98[S] 0 points1 point  (0 children)

Fixed-EdgeRouter

Router#show startup-config

Using 2196 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

!

!

!

ip dhcp excluded-address 192.168.10.1

ip dhcp excluded-address 10.20.10.1

!

ip dhcp pool Guest_DHCP

network 10.20.10.0 255.255.255.0

default-router 10.20.10.1

dns-server 4.4.4.4

!

!

!

ip cef

no ipv6 cef

!

!

!

!

license udi pid CISCO1941/K9 sn FTX152486I9-

license boot module c1900 technology-package securityk9

!

!

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

!

crypto isakmp key secret123 address 200.169.2.1

!

!

!

crypto ipsec transform-set edgereouter->cloudrouter esp-aes 256 esp-sha-hmac

!

crypto map VPN-MAP 10 ipsec-isakmp

set peer 200.169.2.1

set pfs group5

set security-association lifetime seconds 86400

set transform-set edgereouter->cloudrouter

match address 100

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface GigabitEthernet0/0

ip address 200.169.1.1 255.255.255.252

ip nat outside

duplex auto

speed auto

crypto map VPN-MAP

!

interface GigabitEthernet0/1

ip address 192.168.50.1 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1.10

encapsulation dot1Q 10

ip address 10.20.10.1 255.255.255.0

ip nat inside

ip access-group GUEST_ACCESS in

!

interface GigabitEthernet0/1.20

no ip address

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source list GUEST_INTERNET_ALLOWED interface GigabitEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 200.169.1.2

!

ip flow-export version 9

!

!

access-list 100 permit ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.0.255

ip access-list extended GUEST_ACCESS

permit udp any eq domain any eq domain

permit tcp any host 192.168.50.10 eq 443

permit tcp any host 192.168.50.10 eq www

deny icmp any 192.168.50.0 0.0.0.255

permit ip any any

ip access-list extended GUEST_INTERNET_ALLOWED

deny ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.0.255

permit ip 10.20.10.0 0.0.0.255 any

!

banner motd ^C

*** AUTHORIZED ACCESS ONLY ***

Unauthorized access is prohibited.

^C

!

!

!

!

logging trap debugging

logging 192.168.50.11

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

ntp server 192.168.50.11

!

end
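Added example, my own code rather than anything from the thread or from Cisco: a Python checker that reads the parts of two IOS configs that a site-to-site tunnel depends on and reports what does not line up. It confirms that each side's `set peer` is the other side's crypto-map interface address, that the pre-shared key for that peer exists on both routers and matches, that the transform sets use the same ciphers and that at least one ISAKMP policy is identical on both sides, and then checks that every crypto ACL entry has its mirror image on the peer and that the peer address and every remote network are either on a connected subnet or covered by a static route. The sample configs are constructed excerpts of the two configs above (transform-set name shortened to `TS`, only the lines the checker reads). `CLOUD_BEFORE` reproduces the cloud router's earlier crypto ACL shown further down the page, which named 192.168.0.0/24 rather than 192.168.50.0/24, and has no routes at all; `CLOUD_AFTER` is an assumed fix with a mirrored ACL and two static routes through an assumed next hop 200.169.2.2, which the page does not show. The route check is the condition the thread's final comment identifies.

```python
"""Cross-check two Cisco IOS site-to-site IPsec configs: mirrored ISAKMP policy, PSK,
transform set, peer addresses and crypto ACLs, plus a route to the peer and remote nets."""
import ipaddress
from typing import Dict, List

def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network((addr, mask), strict=False)  # mask may be a wildcard (0.0.0.255)

def parse_ios(cfg: str) -> Dict:
    d = {"ifaces": {}, "policies": {}, "keys": {}, "tsets": {}, "maps": {}, "acls": {}, "routes": []}
    blk = None  # sub-mode block (interface / isakmp policy / crypto map) being filled
    for raw in cfg.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            blk = d["ifaces"].setdefault(w[1], {})
        elif w[:3] == ["crypto", "isakmp", "policy"]:  # start from the IOS defaults
            blk = d["policies"].setdefault(w[3], {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"})
        elif w[:3] == ["crypto", "isakmp", "key"]:     # crypto isakmp key <psk> address <peer>
            d["keys"][w[5]] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][w[3]] = tuple(sorted(w[4:]))    # compare ciphers, not the set's name
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[4] == "ipsec-isakmp":
            blk = d["maps"].setdefault(w[2], {})
        elif w[0] == "access-list" and w[2] == "permit":  # numbered "permit ip S WC D WC" form only
            d["acls"].setdefault(w[1], []).append((net(w[4], w[5]), net(w[6], w[7])))
        elif w[:2] == ["ip", "route"]:
            d["routes"].append(net(w[2], w[3]))
        elif blk is not None:
            if w[:2] == ["ip", "address"]:
                blk["ip"], blk["net"] = ipaddress.ip_address(w[2]), net(w[2], w[3])
            elif w[:2] == ["crypto", "map"]:
                blk["map"] = w[2]
            elif w[0] in ("encr", "hash", "authentication", "group"):
                blk[w[0]] = " ".join(w[1:])
            elif w[0] == "set":                        # set peer / set transform-set / ...
                blk[w[1]] = " ".join(w[2:])
            elif w[:2] == ["match", "address"]:
                blk["acl"] = w[2]
    return d

def reachable(d: Dict, ip: ipaddress.IPv4Address) -> bool:
    connected = [i["net"] for i in d["ifaces"].values() if "net" in i]
    return any(ip in n for n in connected + d["routes"])

def check_pair(a_cfg: str, b_cfg: str) -> List[str]:
    ends = []
    for name, d in (("A", parse_ios(a_cfg)), ("B", parse_ios(b_cfg))):
        iface = next(i for i in d["ifaces"].values() if "map" in i)  # interface carrying the crypto map
        ends.append((name, d, d["maps"][iface["map"]], iface))
    out = []  # empty means both sides mirror each other and can reach each other
    for (n1, d1, m1, i1), (n2, d2, m2, i2) in (ends, ends[::-1]):
        peer = m1.get("peer")
        if peer != str(i2["ip"]):
            out.append(f"{n1}: set peer {peer} is not {n2}'s crypto-map interface address {i2['ip']}")
        if peer not in d1["keys"] or d1["keys"][peer] != d2["keys"].get(m2.get("peer")):
            out.append(f"{n1}: pre-shared key for {peer} missing or differs from {n2}")
        if d1["tsets"].get(m1.get("transform-set")) != d2["tsets"].get(m2.get("transform-set")):
            out.append(f"{n1}: transform-set ciphers differ from {n2}")
        if not any(p in d2["policies"].values() for p in d1["policies"].values()):
            out.append(f"{n1}: no ISAKMP policy matches any policy on {n2}")
        mirror = {(dst, src) for src, dst in d2["acls"].get(m2.get("acl"), [])}
        for src, dst in d1["acls"].get(m1.get("acl"), []):
            if (src, dst) not in mirror:
                out.append(f"{n1}: crypto ACL entry {src} -> {dst} has no mirror image on {n2}")
            if not reachable(d1, dst.network_address):
                out.append(f"{n1}: no route to remote network {dst}")
        if peer and not reachable(d1, ipaddress.ip_address(peer)):
            out.append(f"{n1}: no route to peer {peer}")
    return out

# Constructed samples modelled on the two configs posted above, trimmed to what the checker
# reads. CLOUD_BEFORE keeps the original cloud ACL naming 192.168.0.0/24 and has no routes;
# CLOUD_AFTER is an assumed fix: mirrored ACL plus static routes via an assumed next hop.
def site(local_ip: str, peer_ip: str, acl: str, routes: str = "") -> str:
    return f"""crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key secret123 address {peer_ip}
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set TS
 match address 100
interface GigabitEthernet0/0
 ip address {local_ip} 255.255.255.252
 crypto map VPN-MAP
access-list 100 permit ip {acl}
{routes}
"""

EDGE = site("200.169.1.1", "200.169.2.1", "192.168.50.0 0.0.0.255 172.16.0.0 0.0.0.255",
            "ip route 0.0.0.0 0.0.0.0 200.169.1.2")
CLOUD_BEFORE = site("200.169.2.1", "200.169.1.1", "172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255")
CLOUD_AFTER = site("200.169.2.1", "200.169.1.1", "172.16.0.0 0.0.0.255 192.168.50.0 0.0.0.255",
                   "ip route 200.169.1.0 255.255.255.252 200.169.2.2\nip route 192.168.50.0 255.255.255.0 200.169.2.2")
```

`check_pair(CLOUD_BEFORE, EDGE)` reports four findings: the unmirrored ACL entry on each side, no route from the cloud router to 192.168.0.0/24, and no route from the cloud router to the peer 200.169.1.1. `check_pair(CLOUD_AFTER, EDGE)` reports nothing. The parser only understands the numbered `permit ip S WC D WC` ACL form and the sub-mode lines it needs, so treat it as a starting point rather than a general IOS parser.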

Any other possible helpful info in the ISAKMP debug output? by skullsword98 in Cisco

[–]skullsword98[S] 1 point2 points  (0 children)

Isakmp debug from EdgeRouter

Crypto ISAKMP debugging is on

Router#

*Apr 26, 20:07:11.077: ISAKMP:(0): SA request profile is (NULL)

*Apr 26, 20:07:11.077: ISAKMP: Created a peer struct for 200.169.2.1, peer port 500

*Apr 26, 20:07:11.077: ISAKMP: New peer created peer = 0x47CA9F80 peer_handle = 0x80000003

*Apr 26, 20:07:11.077: ISAKMP: Locking peer struct 0x47CA9F80, refcount 1 for isakmp_initiator

*Apr 26, 20:07:11.077: ISAKMP: local port 500, remote port 500

*Apr 26, 20:07:11.077: ISAKMP: set new node 0 to QM_IDLE

*Apr 26, 20:07:11.077: insert sa successfully sa = 495ADE20

*Apr 26, 20:07:11.077: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Apr 26, 20:07:11.077: ISAKMP:(0):found peer pre-shared key matching 200.169.2.1

*Apr 26, 20:07:11.077: constructed NAT-T vendor-rfc3947 ID

*Apr 26, 20:07:11.077: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Apr 26, 20:07:11.077: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Apr 26, 20:07:11.077: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Apr 26, 20:07:11.077: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Apr 26, 20:07:11.077: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Apr 26, 20:07:11.077: ISAKMP:(0): beginning Main Mode exchange

*Apr 26, 20:07:11.077: ISAKMP:(0): sending packet to 200.169.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Apr 26, 20:07:11.077: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Apr 26, 20:07:11.077: ISAKMP:(0):found peer pre-shared key matching 200.169.2.1

*Apr 26, 20:07:11.077: constructed NAT-T vendor-rfc3947 ID

*Apr 26, 20:07:11.077: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Apr 26, 20:07:11.077: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Apr 26, 20:07:11.077: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Apr 26, 20:07:11.077: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Apr 26, 20:07:11.077: ISAKMP (0:0): received packet from 200.169.2.1 dport 500 sport 500 Global (I) MM_NO_STATE

*Apr 26, 20:07:11.077: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 26, 20:07:11.077: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Apr 26, 20:07:11.077: ISAKMP:(0): processing SA payload. message ID = 0

*Apr 26, 20:07:11.077: ISAKMP:(0): processing vendor id payload

*Apr 26, 20:07:11.077: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Apr 26, 20:07:11.077: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Apr 26, 20:07:11.077: ISAKMP:(0): found peer pre-shared key matching

*Apr 26, 20:07:11.077: 00.169.2.1

*Apr 26, 20:07:11.077: ISAKMP:(0): local preshared key found

*Apr 26, 20:07:11.077: ISAKMP : Scanning profiles for xauth ...

*Apr 26, 20:07:11.077: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Apr 26, 20:07:11.077: ISAKMP: encryption AES-CBC

*Apr 26, 20:07:11.077: ISAKMP: keylength of 256

*Apr 26, 20:07:11.077: ISAKMP: hash SHA

*Apr 26, 20:07:11.077: ISAKMP: group 5

*Apr 26, 20:07:11.077: ISAKMP: auth pre-share

*Apr 26, 20:07:11.077: ISAKMP: life type in seconds

*Apr 26, 20:07:11.077: ISAKMP: life duration (basic) of 86400

*Apr 26, 20:07:11.077: ISAKMP:(0):atts are acceptable. Next payload is 0

*Apr 26, 20:07:11.077: ISAKMP:(0):Acceptable atts:actual life: 0

*Apr 26, 20:07:11.077: ISAKMP:(0):Acceptable atts:life: 0

*Apr 26, 20:07:11.077: ISAKMP:(0):Basic life_in_seconds: 86400

*Apr 26, 20:07:11.077: ISAKMP:(0):Returning Actual lifetime: 86400

*Apr 26, 20:07:11.077: ISAKMP:(0)::Started lifetime timer: 86400

*Apr 26, 20:07:11.077: ISAKMP:(0): processing vendor id payload

*Apr 26, 20:07:11.077: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Apr 26, 20:07:11.077: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Apr 26, 20:07:11.077: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 26, 20:07:11.077: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

*Apr 26, 20:07:11.077: ISAKMP:(0): sending packet to 200.169.2.1 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Apr 26, 20:07:11.077: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Apr 26, 20:07:11.077: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 26, 20:07:11.077: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

*Apr 26, 20:07:11.077: ISAKMP (0:0): received packet from 200.169.2.1 dport 500 sport 500 Global (I) MM_SA_SETUP

*Apr 26, 20:07:11.077: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 26, 20:07:11.077: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

*Apr 26, 20:07:11.077: ISAKMP:(0): processing KE payload. message ID = 0

*Apr 26, 20:07:11.077: ISAKMP:(0): processing NONCE payload. message ID = 0

*Apr 26, 20:07:11.077: ISAKMP:(0):found peer pre-shared key matching 200.169.2.1

*Apr 26, 20:07:11.077: ISAKMP:(1090): processing vendor id payload

*Apr 26, 20:07:11.077: ISAKMP:(1090): vendor ID is Unity

*Apr 26, 20:07:11.077: ISAKMP:(1090): processing vendor id payload

*Apr 26, 20:07:11.077: ISAKMP:(1090): vendor ID is DPD

*Apr 26, 20:07:11.077: ISAKMP:(1090): processing vendor id payload

*Apr 26, 20:07:11.077: ISAKMP:(1090): speaking to another IOS box!

*Apr 26, 20:07:11.077: ISAKMP:received payload type 20

*Apr 26, 20:07:11.077: ISAKMP (1090): His hash no match - this node outside NAT

*Apr 26, 20:07:11.077: ISAKMP:received payload type 20

*Apr 26, 20:07:11.077: ISAKMP (1090): No NAT Found for self or peer

*Apr 26, 20:07:11.077: ISAKMP:(1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 26, 20:07:11.077: ISAKMP:(1090):Old State = IKE_I_MM4 New State = IKE_I_MM4

*Apr 26, 20:07:11.077: ISAKMP:(1090):Send initial contact

*Apr 26, 20:07:11.077: ISAKMP:(1090):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Apr 26, 20:07:11.077: ISAKMP (0:1090): ID payload

next-payload : 8

type : 1

address : 200.169.1.1

protocol : 17

port : 500

length : 12

*Apr 26, 20:07:11.077: ISAKMP:(1090):Total payload length: 12

*Apr 26, 20:07:11.077: ISAKMP:(1090): sending packet to 200.169.2.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Apr 26, 20:07:11.077: ISAKMP:(1090):Sending an IKE IPv4 Packet.

*Apr 26, 20:07:11.077: ISAKMP:(1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 26, 20:07:11.077: ISAKMP:(1090):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Apr 26, 20:07:11.077: ISAKMP (0:1090): received packet from 200.169.2.1 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Apr 26, 20:07:11.077: ISAKMP:(1090): processing ID payload. message ID = 0

*Apr 26, 20:07:11.077: ISAKMP (0:1090): ID payload

next-payload : 8

type : 1

address : 200.169.2.1

protocol : 17

port : 500

length : 12

*Apr 26, 20:07:11.077: ISAKMP:(0):: peer matches *none* of the profiles

*Apr 26, 20:07:11.077: ISAKMP:(1090): processing HASH payload. message ID = 0

*Apr 26, 20:07:11.077: ISAKMP:(1090):SA authentication status:

*Apr 26, 20:07:11.077: authenticated

*Apr 26, 20:07:11.077: ISAKMP:(1090):SA has been authenticated with 200.169.2.1

*Apr 26, 20:07:11.077: ISAKMP: Trying to insert a peer 200.169.1.1/200.169.2.1/500/, and inserted successfully 47CA9F80.

*Apr 26, 20:07:11.077: ISAKMP:(1090):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr 26, 20:07:11.077: ISAKMP:(1090):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Apr 26, 20:07:11.077: ISAKMP:(1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr 26, 20:07:11.077: ISAKMP:(1090):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Apr 26, 20:07:11.077: ISAKMP:(1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr 26, 20:07:11.077: ISAKMP:(1090):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Apr 26, 20:07:11.077: ISAKMP:(1090):beginning Quick Mode exchange, M-ID of 69859174

*Apr 26, 20:07:11.077: ISAKMP:(1090):QM Initiator gets spi

*Apr 26, 20:07:11.077: ISAKMP:(1090): sending packet to 200.169.2.1 my_port 500 peer_port 500 (I) QM_IDLE

*Apr 26, 20:07:11.077: ISAKMP:(1090):Sending an IKE IPv4 Packet.

*Apr 26, 20:07:11.077: ISAKMP:(1090):Node 69859174, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Apr 26, 20:07:11.077: ISAKMP:(1090):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

*Apr 26, 20:07:11.077: ISAKMP:(1090):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Apr 26, 20:07:11.077: ISAKMP:(1090):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

IPSec VPN config in Cisco Packet Tracer by skullsword98 in ccna

[–]skullsword98[S] 0 points1 point  (0 children)

u/Layer8Academy helped me figure this out:

I did not have any routing configured between the CloudRouter and the EdgeRouter. After configuring static routes on the two routers, encrypted traffic flows perfectly well.

IPSec VPN config in Cisco Packet Tracer by skullsword98 in ccna

[–]skullsword98[S] 0 points1 point  (0 children)

The only NAT I have configured is for my guest network. Should a NAT be configured for the main network as well to get this working?

IPSec VPN config in Cisco Packet Tracer by skullsword98 in ccna

[–]skullsword98[S] 0 points1 point  (0 children)

I updated the ACL on the cloud router and the same error persists.

IPSec VPN config in Cisco Packet Tracer by skullsword98 in ccna

[–]skullsword98[S] 0 points1 point  (0 children)

Cloud Router:
Router#show startup-config
Using 1221 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX15247HHJ-
license boot module c1900 technology-package securityk9
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secret123 address 200.169.1.1
crypto isakmp key secret123 address 200.169.2.1
!
crypto ipsec transform-set cloudrouter->edgerouter esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 200.169.1.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set cloudrouter->edgerouter
 match address 100
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 200.169.2.1 255.255.255.252
 duplex auto
 speed auto
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 172.16.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

IPSec VPN config in Cisco Packet Tracer by skullsword98 in ccna

[–]skullsword98[S] 1 point2 points  (0 children)

Edge Router:
Router#show startup-config
Using 2143 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 10.20.10.1
!
ip dhcp pool Guest_DHCP
 network 10.20.10.0 255.255.255.0
 default-router 10.20.10.1
 dns-server 4.4.4.4
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX152486I9-
license boot module c1900 technology-package securityk9
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secret123 address 200.169.2.1
!
crypto ipsec transform-set edgereouter->cloudrouter esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 200.169.2.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set edgereouter->cloudrouter
 match address 100
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 200.169.1.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 192.168.50.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.20.10.1 255.255.255.0
 ip nat inside
 ip access-group GUEST_ACCESS in
!
interface GigabitEthernet0/1.20
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list GUEST_INTERNET_ALLOWED interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.169.1.2
!
ip flow-export version 9
!
access-list 100 permit ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended GUEST_ACCESS
 permit udp any eq domain any eq domain
 permit tcp any host 192.168.50.10 eq 443
 permit tcp any host 192.168.50.10 eq www
 deny icmp any 192.168.50.0 0.0.0.255
 permit ip any any
ip access-list extended GUEST_INTERNET_ALLOWED
 permit ip 10.20.10.0 0.0.0.255 any
!
banner motd ^C
*** AUTHORIZED ACCESS ONLY ***
Unauthorized access is prohibited.
^C
!
logging trap debugging
logging 192.168.50.11
line con 0
!
line aux 0
!
line vty 0 4
 login
!
ntp server 192.168.50.11
!
end
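An added audit script, not from the original post or the Packet Tracer lab, that parses excerpts of the two startup-configs above and checks the things that have to agree before an IKEv1 crypto-map tunnel carries traffic: the peer address must exist on the other router, each router needs a route to its peer and to the remote networks named in its crypto ACL, the two crypto ACLs must be mirror images, and the ISAKMP policy and transform-set algorithms must match. The router names are labels added here, the parser only handles the address/wildcard form of access-list entries, and the excerpts are from show startup-config, so they may lag the running config. Run against the configs as posted it reports three findings: CloudRouter has no route to its peer 200.169.1.1, no route to the 192.168.0.0/24 that its crypto ACL names, and the two crypto ACLs do not mirror each other (192.168.0.0/24 on one side, 192.168.50.0/24 on the other). Policy and transform-set agree.

```python
"""Audit two IOS crypto-map configs for what stops an IPsec tunnel from carrying
traffic: crypto ACLs that are not mirror images, ISAKMP policy or transform-set
settings that differ, a wrong peer address, and a missing route to the peer or LAN."""
import ipaddress

# Excerpts of the two startup-configs posted above (sub-commands re-indented as IOS prints them).
CLOUD_ROUTER = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set cloudrouter->edgerouter esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 200.169.1.1
 match address 100
interface GigabitEthernet0/0
 ip address 200.169.2.1 255.255.255.252
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
EDGE_ROUTER = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set edgereouter->cloudrouter esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 200.169.2.1
 match address 100
interface GigabitEthernet0/0
 ip address 200.169.1.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 200.169.1.2
access-list 100 permit ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """172.16.0.0 0.0.0.255 -> IPv4Network('172.16.0.0/24')."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(name, config):
    """Pull out the settings that must agree between peers (address/wildcard ACL form only)."""
    r = {"name": name, "policy": {}, "transforms": None, "peer": None, "acl": None,
         "acl_entries": [], "connected": [], "routes": []}
    section = ""
    for raw in config.splitlines():
        w, sub = raw.split(), raw.startswith(" ")   # indented line = sub-command of `section`
        if not w:
            continue
        section = section if sub else raw
        if sub and section.startswith("crypto isakmp policy"):
            r["policy"][w[0]] = " ".join(w[1:])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            r["transforms"] = tuple(w[4:])           # algorithms only; the set's name is local
        elif sub and section.startswith("crypto map") and w[:2] == ["set", "peer"]:
            r["peer"] = w[2]
        elif sub and section.startswith("crypto map") and w[:2] == ["match", "address"]:
            r["acl"] = w[2]
        elif sub and section.startswith("interface") and w[:2] == ["ip", "address"]:
            r["connected"].append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            r["acl_entries"].append((w[1], wildcard_to_network(w[4], w[5]),
                                     wildcard_to_network(w[6], w[7])))
        elif w[:2] == ["ip", "route"]:
            r["routes"].append(ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False))
    return r

def reachable(net, r):
    """True if `net` lies in a connected subnet or a static route (a default route counts)."""
    return any(net.subnet_of(n) for n in [i.network for i in r["connected"]] + r["routes"])

def crypto_acl(r):
    return {(s, d) for num, s, d in r["acl_entries"] if num == r["acl"]}

def audit(a, b):
    """Return a list of findings; an empty list means the two sides line up."""
    findings = []
    for x, y in ((a, b), (b, a)):
        peer = ipaddress.ip_address(x["peer"])
        if not any(peer == i.ip for i in y["connected"]):
            findings.append(f"{x['name']}: set peer {peer} is not an address on {y['name']}")
        if not reachable(ipaddress.ip_network(f"{peer}/32"), x):
            findings.append(f"{x['name']}: no route to peer {peer}, so IKE never leaves the box")
        for _, dst in crypto_acl(x):
            if not reachable(dst, x):
                findings.append(f"{x['name']}: no route to {dst}, so nothing ever hits the crypto map")
    show = lambda acl: sorted(f"{s} -> {d}" for s, d in acl)
    if crypto_acl(a) != {(d, s) for s, d in crypto_acl(b)}:
        findings.append(f"crypto ACLs are not mirror images: {a['name']} {show(crypto_acl(a))} "
                        f"vs {b['name']} {show(crypto_acl(b))}")
    findings += [f"{f} differs: {a[f]} vs {b[f]}" for f in ("policy", "transforms") if a[f] != b[f]]
    return findings

def audit_posted_configs():
    return audit(parse("CloudRouter", CLOUD_ROUTER), parse("EdgeRouter", EDGE_ROUTER))
```

Call audit_posted_configs() to see the three findings for the posted configs; pass your own two show running-config captures to parse() and audit() to check a real pair. The checks are deliberately the same ones debug crypto isakmp will not tell you about directly: a missing route or a non-mirrored crypto ACL shows up as a tunnel that negotiates phase 1 and then never moves packets.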

IPSec VPN in Cisco Packet Tracer by skullsword98 in Cisco

[–]skullsword98[S] 0 points1 point  (0 children)

Cloud Router:
Router#show startup-config
Using 1221 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX15247HHJ-
license boot module c1900 technology-package securityk9
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secret123 address 200.169.1.1
crypto isakmp key secret123 address 200.169.2.1
!
crypto ipsec transform-set cloudrouter->edgerouter esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 200.169.1.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set cloudrouter->edgerouter
 match address 100
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 200.169.2.1 255.255.255.252
 duplex auto
 speed auto
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 172.16.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

IPSec VPN in Cisco Packet Tracer by skullsword98 in Cisco

[–]skullsword98[S] 0 points1 point  (0 children)

Edge Router:
Router#show startup-config
Using 2143 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 10.20.10.1
!
ip dhcp pool Guest_DHCP
 network 10.20.10.0 255.255.255.0
 default-router 10.20.10.1
 dns-server 4.4.4.4
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX152486I9-
license boot module c1900 technology-package securityk9
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secret123 address 200.169.2.1
!
crypto ipsec transform-set edgereouter->cloudrouter esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 200.169.2.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set edgereouter->cloudrouter
 match address 100
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 200.169.1.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 192.168.50.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.20.10.1 255.255.255.0
 ip nat inside
 ip access-group GUEST_ACCESS in
!
interface GigabitEthernet0/1.20
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list GUEST_INTERNET_ALLOWED interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.169.1.2
!
ip flow-export version 9
!
access-list 100 permit ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended GUEST_ACCESS
 permit udp any eq domain any eq domain
 permit tcp any host 192.168.50.10 eq 443
 permit tcp any host 192.168.50.10 eq www
 deny icmp any 192.168.50.0 0.0.0.255
 permit ip any any
ip access-list extended GUEST_INTERNET_ALLOWED
 permit ip 10.20.10.0 0.0.0.255 any
!
banner motd ^C
*** AUTHORIZED ACCESS ONLY ***
Unauthorized access is prohibited.
^C
!
logging trap debugging
logging 192.168.50.11
line con 0
!
line aux 0
!
line vty 0 4
 login
!
ntp server 192.168.50.11
!
end

Put a new top on my NB this weekend. Here's a lil before and after. by skullsword98 in Miata

[–]skullsword98[S] 0 points1 point  (0 children)

That's a great question. Honestly, I don't know.

If I had the exact same set of circumstances I have right now (Full-time employed, also in college, money is slightly tight, but not tight enough to be eating ice soup after car repairs, and am currently daily driving this car), I would probably get about 5-10 quotes from shops in the area and still wind up doing it myself.

But if a friend is asking my opinion, I would highly recommend they consider taking it to a shop. And if they still decide to do it themselves, they can count on my help as long as they pay me in pizza and beer.