Example IPsec configuration for Cisco ISR

This topic provides the example IPsec configuration that needs to be applied on a Cisco ISR to route HTTP and HTTPS traffic to Forcepoint ONE SSE through IPsec tunnels.

This example configuration uses the Virtual Tunnel Interface (VTI) method.

crypto ikev2 proposal FONE_proposal
encryption aes-cbc-256
integrity sha256
group 19
exit

crypto ikev2 policy FONE_policy
proposal FONE_proposal
exit

crypto ikev2 keyring FONE_keyring
peer gateway1
hostname qac1-qa-acme.com-3.oh.us.vpn.dev.msvokxavdlwatqovcwze.com
If you want to use the IP address of the primary IPsec tunnel instead of the cloud FQDN, replace the hostname line above with the corresponding address line:
address 3.141.173.255
pre-shared-key Q9YN4gv1jFeFjjyOxuDPZtId4DZC4dYa
peer gateway2
hostname qac1-qa-acme.com-1.sg.vpn.dev.msvokxavdlwatqovcwze.com
If you want to use the IP address of the secondary IPsec tunnel instead of the cloud FQDN, replace the hostname line above with the corresponding address line:
address 13.250.218.49
pre-shared-key Q9YN4gv1jFeFjjyOxuDPZtId4DZC4dYa
exit
exit

crypto ikev2 profile FONE_profile
match identity remote fqdn qac1-qa-acme.com-3.oh.us.vpn.dev.msvokxavdlwatqovcwze.com
match identity remote fqdn qac1-qa-acme.com-1.sg.vpn.dev.msvokxavdlwatqovcwze.com
identity local fqdn isr.azure.com
If you want to use a local IKE ID of type IP address, replace the identity local fqdn line above with the following:
identity local address 20.228.84.74
authentication local pre-share
authentication remote pre-share
keyring local FONE_keyring
exit

crypto ipsec transform-set FONE_set esp-aes esp-sha256-hmac
exit

access-list 120 permit tcp 192.168.122.0 0.0.0.255 any eq www
access-list 120 permit tcp 192.168.122.0 0.0.0.255 any eq 443

crypto ipsec profile FONE_forcepoint
set transform-set FONE_set
set ikev2-profile FONE_profile
exit

interface Tunnel0
ip address 192.168.254.1 255.255.255.252
tunnel source 20.228.84.74
tunnel mode ipsec ipv4
tunnel destination 3.141.173.255
tunnel protection ipsec profile FONE_forcepoint
exit

interface Tunnel1
ip address 192.168.254.5 255.255.255.252
tunnel source 20.228.84.74
tunnel mode ipsec ipv4
tunnel destination 13.250.218.49
tunnel protection ipsec profile FONE_forcepoint
exit

route-map Active_tunnel permit 10
match ip address 120
set ip next-hop 192.168.254.2 192.168.254.6
exit

interface GigabitEthernet0/1
ip policy route-map Active_tunnel
exit
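The objects in this configuration form a chain: each Tunnel interface names an IPsec profile, which names an IKEv2 profile, which names the keyring whose peer entry must match the tunnel destination. The Python below is an added consistency check for that chain (example code, not from Forcepoint or Cisco); it parses a constructed running-config excerpt that mirrors this page's names and addresses (PSK, transform-set and FQDN lines omitted) and flags any tunnel whose destination has no matching keyring peer.

```python
# Constructed running-config excerpt of this page's VTI setup, indented as
# "show running-config" renders it (PSK, transform-set and FQDN lines omitted).
SAMPLE_CONFIG = """\
crypto ikev2 keyring FONE_keyring
 peer gateway1
  address 3.141.173.255
 peer gateway2
  address 13.250.218.49
crypto ikev2 profile FONE_profile
 keyring local FONE_keyring
crypto ipsec profile FONE_forcepoint
 set transform-set FONE_set
 set ikev2-profile FONE_profile
interface Tunnel0
 tunnel destination 3.141.173.255
 tunnel protection ipsec profile FONE_forcepoint
interface Tunnel1
 tunnel destination 13.250.218.49
 tunnel protection ipsec profile FONE_forcepoint
"""

def parse_blocks(config):
    """Map each top-level IOS command to its indented sub-commands (whitespace stripped)."""
    blocks, head = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            blocks[(head := line.strip())] = []
        elif head is not None:
            blocks[head].append(line.strip())
    return blocks

def check_vti_references(config):
    """Report each VTI whose destination is not a peer of the keyring reached via its IPsec and IKEv2 profiles."""
    blocks = parse_blocks(config)
    objs = lambda kind: {h.split()[-1]: b for h, b in blocks.items() if h.startswith(kind)}
    rings = objs("crypto ikev2 keyring ")
    ikev2 = objs("crypto ikev2 profile ")
    ipsec = objs("crypto ipsec profile ")
    last = lambda body, prefix: next((c.split()[-1] for c in body if c.startswith(prefix)), None)  # None if missing
    findings = []
    for head, body in blocks.items():
        if head.startswith("interface Tunnel"):
            prof = last(body, "tunnel protection ipsec profile ")
            ike = last(ipsec.get(prof, []), "set ikev2-profile ")
            ring = last(ikev2.get(ike, []), "keyring local ")
            peers = {c.split()[1] for c in rings.get(ring, []) if c.split()[0] in ("address", "hostname")}
            dest = last(body, "tunnel destination ")
            if dest not in peers:
                findings.append(f"{head}: destination {dest} is not a peer of keyring {ring!r} (ipsec profile {prof!r} -> ikev2 profile {ike!r})")
    return findings
```

Run it over the saved running-config; a tunnel that uses the FQDN keyring variant only passes when its tunnel destination names the same FQDN.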