Here I’m going to show a basic configuration for encrypting a 10G link that carries a stretched subnet. The reason for doing this could be PCI or HIPAA compliance. You need to make sure that the devices are FIPS 140-2 compliant; see the link below for all the Cisco devices that are.
http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_fips140.html
Since this is a 10G link I am using Cisco ASR 1004’s with 40-Gbps ESP (Embedded Services Processor) modules on both ends. The 40-Gbps ESP module is the only one that supports a full 10G (http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/data_sheet_c78-450070.html).
The subnet that’s being stretched is 10.1.2.0/24.
DC A:
l2tp-class CORDERO-L2TPV3-CLASS
 retransmit retries 30
 cookie size 8

pseudowire-class CORDERO-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 CORDERO-L2TPV3-CLASS
 ip local interface TenGigabitEthernet0/1/0
 ip pmtu

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.2.1 no-xauth

crypto ipsec transform-set CORDERO-TS esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map CORDERO-VPN 10 ipsec-isakmp
 set peer 10.1.2.1
 set transform-set CORDERO-TS
 match address VPN

interface TenGigabitEthernet0/0/0
 description LAN SIDE
 mtu 9216
 no ip address
 xconnect 10.1.2.1 1 encapsulation l2tpv3 pw-class CORDERO-L2TPV3

interface TenGigabitEthernet0/1/0
 description WAN SIDE
 mtu 9216
 ip address 10.1.2.2 255.255.255.0
 crypto map CORDERO-VPN

ip access-list extended VPN
 permit 115 any any
DC B:
l2tp-class CORDERO-L2TPV3-CLASS
 retransmit retries 30
 cookie size 8

pseudowire-class CORDERO-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 CORDERO-L2TPV3-CLASS
 ip local interface TenGigabitEthernet0/1/0
 ip pmtu

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.2.2 no-xauth

crypto ipsec transform-set CORDERO-TS esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map CORDERO-VPN 10 ipsec-isakmp
 set peer 10.1.2.2
 set transform-set CORDERO-TS
 match address VPN

interface TenGigabitEthernet0/0/0
 description LAN SIDE
 mtu 9216
 no ip address
 xconnect 10.1.2.2 1 encapsulation l2tpv3 pw-class CORDERO-L2TPV3

interface TenGigabitEthernet0/1/0
 description WAN SIDE
 mtu 9216
 ip address 10.1.2.1 255.255.255.0
 crypto map CORDERO-VPN

ip access-list extended VPN
 permit 115 any any
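As an added example that is not part of the original post, here is a small Python check that reads abbreviated copies of the two configs above and reports what would silently break or weaken this setup: a peer or xconnect address that is not the other side's WAN address, a crypto ACL that does not select IP protocol 115 (the pseudowire would then cross the WAN unencrypted), transform sets that differ, and the weak choices in the configs as posted (DH group 2 and the example key cisco). The config strings and the 16-character key threshold are assumptions.

```python
import re

# Constructed, abbreviated copy of the DC A config from this post (only the lines the checks read); DC B is derived by swapping the WAN addresses.
DC_A = """
crypto isakmp policy 10
 group 2
crypto isakmp key cisco address 10.1.2.1 no-xauth
crypto ipsec transform-set CORDERO-TS esp-aes 256 esp-sha-hmac
crypto map CORDERO-VPN 10 ipsec-isakmp
 set peer 10.1.2.1
 match address VPN
interface TenGigabitEthernet0/0/0
 xconnect 10.1.2.1 1 encapsulation l2tpv3 pw-class CORDERO-L2TPV3
interface TenGigabitEthernet0/1/0
 ip address 10.1.2.2 255.255.255.0
ip access-list extended VPN
 permit 115 any any
"""
DC_B = DC_A.replace("10.1.2.1", "@").replace("10.1.2.2", "10.1.2.1").replace("@", "10.1.2.2")
L2TPV3_IP_PROTOCOL = 115  # IANA protocol number for L2TPv3 carried directly over IP

def _first(pattern, cfg):  # first capture group of a multi-line regex match, or None
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def audit(local, remote):
    """Return a list of findings for one router, given its config and its peer's config."""
    findings = []
    peer = _first(r"^ set peer (\S+)", local)
    remote_wan = _first(r"^ ip address (\S+)", remote)
    if peer != remote_wan:
        findings.append(f"IPsec peer {peer} is not the remote WAN address {remote_wan}")
    if _first(r"^ xconnect (\S+)", local) != peer:
        findings.append("xconnect peer and IPsec peer differ; both should be the remote WAN address")
    # Without a permit for protocol 115 the crypto map never selects the L2TPv3 frames: cleartext on the WAN.
    acl = _first(r"^ match address (\S+)", local)
    if not re.search(rf"^ip access-list extended {acl}\n( .*\n)*? permit {L2TPV3_IP_PROTOCOL} ", local, re.M):
        findings.append(f"crypto ACL {acl} does not select IP protocol {L2TPV3_IP_PROTOCOL} (L2TPv3)")
    # IKE phase 2 fails unless both ends offer the same transform set.
    ts = r"^crypto ipsec transform-set \S+ (.+)$"
    if _first(ts, local) != _first(ts, remote):
        findings.append("transform sets differ between the two ends")
    # Hygiene: DH group 2 is 1024-bit MODP, and a short pre-shared key has little entropy.
    if _first(r"^ group (\d+)", local) == "2":
        findings.append("ISAKMP policy uses DH group 2 (1024-bit MODP); prefer group 14 or higher")
    if len(_first(r"^crypto isakmp key (\S+)", local) or "") < 16:
        findings.append("pre-shared key is shorter than 16 characters")
    return findings

print(audit(DC_A, DC_B), audit(DC_B, DC_A))  # both sides: the DH group 2 and short-key findings only
```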