Configure ISR (G2, 4K) or CSR

Follow these steps to connect the Cisco router to Secure Access.

  1. Configure the IKEv2 proposal.

    ISR routers ship with a default IKEv2 proposal and policy that carry predefined encryption, integrity, and DH group values; these defaults change between software versions. You can use the default proposal or create your own, but either way the proposal must be attached to a policy with matching parameters. Create an IKEv2 keyring, configure the peer address and pre-shared key in it, and associate the keyring with the IKEv2 profile. In the profile, set the local identity type to email and use as the IKE ID the email value shown in the Tunnel Configuration dashboard.

    For example, the default IKE proposal of an ISR running 16.11.01a:

    ISR-4221#sh ver
    Cisco IOS XE Software, Version 16.11.01a
    
    ISR-4221#show crypto ikev2 proposal sse-prop
     IKEv2 proposal: sse-prop 
         Encryption : AES-GCM-256
         Integrity  : none
         PRF        : SHA256
         DH Group   : DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20
    
  2. Define the IKEv2 keyring and IKEv2 profile.

    Create your IKEv2 keyring and IKEv2 profile with the [sse_dc_ip] of the Secure Access data center closest to your location. Then associate the IKEv2 keyring to the IKEv2 profile.

    Replace [Portal_Tunnel_ID] and [Portal_Tunnel_Passphrase] (shown as [sse-email] and [sse-tunnel-psk] in the configuration below) with the Tunnel ID and Passphrase you configured in the Add Network Tunnel Group section.

    crypto ikev2 keyring sse-kr
     peer sse
      address [sse_dc_ip]
      pre-shared-key [sse-tunnel-psk]
    !
    crypto ikev2 profile sse-profile
     match identity remote address [enter the specific DC IP from the tunnel group in Secure Access]
     identity local email [sse-email]
     authentication remote pre-share
     authentication local pre-share
     keyring local sse-kr
     dpd 10 3 periodic
    !
    
  3. Define the IPsec transform-set, profile, and policy.

    Create the transform-set and the IPsec profile, then associate the transform-set and the IKEv2 profile with the IPsec profile. Refer to Supported IPsec Parameters for the recommended algorithms.

    crypto ipsec transform-set sse-ts esp-gcm 256
     mode tunnel
    !
    crypto ipsec profile sse
     set transform-set sse-ts
     set ikev2-profile sse-profile
    !
    crypto ikev2 policy sse
     match address local [Router_WAN_IP]
     proposal sse-prop
    
  4. Create the tunnel interface.

    Define a static tunnel interface with the Secure Access VPN headend IP as the tunnel destination, and apply the IPsec profile under the tunnel. Make sure the tunnel interface contains no NAT-related commands; traffic sent to Secure Access should not have NAT applied.

    interface Tunnel1
     ip unnumbered [interface-name]
     ip tcp adjust-mss 1350
     tunnel source [interface-name]
     tunnel mode ipsec ipv4
     tunnel destination [sse_dc_ip]
     tunnel protection ipsec profile sse
    
  5. Configure routing rules.

    Define the traffic that needs to be tunneled to the Secure Access cloud-delivered firewall (CDFW). Adjust these ACL rules to match your requirements.

    The route-map must be applied to the LAN interface of the router, that is, the interface on which the device receives the traffic.

    In the following example, 192.168.20.0/24 is the LAN subnet and the GigabitEthernet interface named by [lan-interface-name] is the LAN interface.

    ip access-list extended traffic-to-sse
     permit ip 192.168.20.0 0.0.0.255 any
    !
    route-map sse-route-map permit 10
     match ip address traffic-to-sse
     set interface Tunnel1
    !
    interface GigabitEthernet [lan-interface-name]
     ip policy route-map sse-route-map
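    The objects built in steps 1 to 5 reference each other by name, and a mismatched name or a stray NAT command on the tunnel only shows up when the tunnel fails to come up. As an added example (not Cisco tooling and not part of this page's configuration), the following Python checker parses an IOS-style config excerpt into sections and verifies those cross-references: the policy names an existing proposal, the IKEv2 profile an existing keyring, the IPsec profile an existing IKEv2 profile, the tunnel an existing IPsec profile, the route-map an existing ACL, and the tunnel carries no `ip nat` command. The sample config is constructed; it deliberately misnames the proposal (sse-proposal versus sse-prop), leaves the ACL undefined and puts NAT on the tunnel so the checker has something to report.

```python
# Constructed excerpt modelled on steps 1-5; deliberately misnames the proposal, omits the ACL, NATs the tunnel.
SAMPLE = """\
crypto ikev2 proposal sse-prop
crypto ikev2 keyring sse-kr
crypto ikev2 profile sse-profile
 keyring local sse-kr
crypto ipsec profile sse
 set ikev2-profile sse-profile
crypto ikev2 policy sse
 proposal sse-proposal
interface Tunnel1
 tunnel protection ipsec profile sse
 ip nat outside
route-map sse-route-map permit 10
 match ip address traffic-to-sse
"""

def parse_sections(config):
    """Map each column-0 command to the stripped lines indented under it."""
    sections, cur = {}, None
    for raw in (l for l in config.splitlines() if l.strip() and not l.lstrip().startswith("!")):
        if not raw[0].isspace():
            cur = raw.rstrip()
            sections[cur] = []
        elif cur is not None:
            sections[cur].append(raw.strip())
    return sections

# (section header prefix, child command, header prefix of the object it must name)
RULES = [
    ("crypto ikev2 policy ", "proposal", "crypto ikev2 proposal "),
    ("crypto ikev2 profile ", "keyring local", "crypto ikev2 keyring "),
    ("crypto ipsec profile ", "set ikev2-profile", "crypto ikev2 profile "),
    ("interface Tunnel", "tunnel protection ipsec profile", "crypto ipsec profile "),
    ("route-map ", "match ip address", "ip access-list extended "),
]

def check_sse_config(config):
    """Return problems found; an empty list means every reference resolves."""
    s, problems = parse_sections(config), []
    defined = lambda ref: any(h == ref or h.startswith(ref + " ") for h in s)
    for sec_prefix, cmd, ref_prefix in RULES:
        for header in [h for h in s if h.startswith(sec_prefix)]:
            for name in [l[len(cmd) + 1:] for l in s[header] if l.startswith(cmd + " ")]:
                if not defined(ref_prefix + name):
                    problems.append(f"{header}: '{cmd} {name}' names an undefined object")
    # Step 4: the tunnel interface must carry no NAT commands at all
    for header in [h for h in s if h.startswith("interface Tunnel")]:
        if any(l.startswith("ip nat") for l in s[header]):
            problems.append(f"{header}: NAT configured; Secure Access traffic must not be NATed")
    return problems
```

Run `check_sse_config` over `show running-config` output saved to a file; an empty list means the names line up and the tunnel is NAT-free.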