Configuration example for an IPsec tunnel using default settings (site-to-site VPN)

An IPsec tunnel is configured by binding an IPsec profile to the virtual tunnel interface (VTI) at each end of the IPsec tunnel. When the default settings for the IPsec profile are used, minimal configuration is needed to establish the tunnel.

Figure 1. Deployment of IPsec using the default settings

In the following example, Router1 and Router2 are the devices at each end of the tunnel. On each device, an IPsec profile (profA) is created and bound to the VTI by using the tunnel protection ipsec profile command.

Note: By default, an IPsec profile has the following settings:
  • IKEv2 profile: def-ike-profile
  • IPsec proposal: def-ipsec-prop


Router1(config)# ipsec profile profA
Router1(config-ipsec-profile-profA)# exit

Router1(config)# interface tunnel 20
Router1(config-tnif-20)# tunnel mode ipsec ipv4
Router1(config-tnif-20)# tunnel protection ipsec profile profA
Router1(config-tnif-20)# tunnel source
Router1(config-tnif-20)# tunnel destination
Router1(config-tnif-20)# ip address
Router1(config-tnif-20)# exit


Router2(config)# ipsec profile profA
Router2(config-ipsec-profile-profA)# exit

Router2(config)# interface tunnel 20
Router2(config-tnif-20)# tunnel mode ipsec ipv4
Router2(config-tnif-20)# tunnel protection ipsec profile profA
Router2(config-tnif-20)# tunnel source
Router2(config-tnif-20)# tunnel destination
Router2(config-tnif-20)# ip address
Router2(config-tnif-20)# exit
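
The following Python check is an added example, not part of the original page or the vendor's tooling. It parses the two command sequences above and reports whether both ends bind a defined IPsec profile to the tunnel and whether the endpoints mirror each other. The addresses, the CIDR form of the ip address argument, and the names parse_end and check_pair are assumptions made for illustration.

```python
import ipaddress
import re

TEMPLATE = """\
{n}(config)# ipsec profile profA
{n}(config-ipsec-profile-profA)# exit
{n}(config)# interface tunnel 20
{n}(config-tnif-20)# tunnel mode ipsec ipv4
{n}(config-tnif-20)# tunnel protection ipsec profile profA
{n}(config-tnif-20)# tunnel source {src}
{n}(config-tnif-20)# tunnel destination {dst}
{n}(config-tnif-20)# ip address {ip}
"""
# Constructed sample values (documentation address ranges), not from the page.
ROUTER1 = TEMPLATE.format(n="Router1", src="192.0.2.1", dst="198.51.100.1", ip="10.20.20.1/30")
ROUTER2 = TEMPLATE.format(n="Router2", src="198.51.100.1", dst="192.0.2.1", ip="10.20.20.2/30")
KEYS = r"(tunnel mode|tunnel protection ipsec profile|tunnel source|tunnel destination|ip address) (.+)"

def parse_end(transcript):
    """Collect the IPsec profiles and per-tunnel settings entered on one device."""
    end, current = {"profiles": set(), "tunnels": {}}, None
    for line in transcript.splitlines():
        cmd = line.split("#", 1)[-1].strip()  # drop the CLI prompt
        if m := re.fullmatch(r"ipsec profile (\S+)", cmd, re.I):
            end["profiles"].add(m[1])
            current = None
        elif m := re.fullmatch(r"interface tunnel (\d+)", cmd, re.I):
            current = end["tunnels"].setdefault(m[1], {})
        elif cmd.lower() == "exit":
            current = None
        elif current is not None and (m := re.fullmatch(KEYS, cmd, re.I)):
            current[m[1].lower()] = m[2]
    return end

def check_pair(a, b, tid="20"):
    """Return a list of problems found between the two ends of tunnel `tid`."""
    problems, ta, tb = [], a["tunnels"].get(tid, {}), b["tunnels"].get(tid, {})
    for name, end, t in (("end A", a, ta), ("end B", b, tb)):
        if t.get("tunnel mode") != "ipsec ipv4":
            problems.append(f"{name}: tunnel mode is not 'ipsec ipv4'")
        if t.get("tunnel protection ipsec profile") not in end["profiles"]:
            problems.append(f"{name}: no defined IPsec profile is bound to the tunnel")
    path_a = (ta.get("tunnel source"), ta.get("tunnel destination"))
    if None in path_a or path_a != (tb.get("tunnel destination"), tb.get("tunnel source")):
        problems.append("tunnel source/destination are not mirrored between the ends")
    ips = [ipaddress.ip_interface(t["ip address"]) for t in (ta, tb) if "ip address" in t]
    if len(ips) != 2 or ips[0].network != ips[1].network or ips[0].ip == ips[1].ip:
        problems.append("tunnel IP addresses must be distinct hosts in one subnet")
    return problems
```

An empty list from check_pair(parse_end(ROUTER1), parse_end(ROUTER2)) means the two ends are consistent; each string in a non-empty list names one mismatch to correct before bringing the tunnel up.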