
Configure the NEC IX router

Follow these steps to connect the NEC IX router to Cisco Secure Access. The configuration builds two IPsec/IKEv2 tunnels (primary and secondary) and runs BGP over each so that the LAN prefix is advertised to Secure Access.

  1. Configure the WAN and LAN interfaces.
    interface GigaEthernet0.0
      description WAN1
      ip address <WAN ip-address>
      ip tcp adjust-mss auto
    
    interface GigaEthernet1.0
      description LAN1
      ip address <LAN ip-address>
    
  2. Create the IKEv2 pre-shared key authentication entries, one per tunnel ID.
    ikev2 authentication psk id rfc822-addr <sse-primary-tunnel-id (e.g. xxxx@xxxx-xxxx-sse.cisco.com)> key char <sse-tunnel-passphrase>
    ikev2 authentication psk id rfc822-addr <sse-secondary-tunnel-id (e.g. xxxx@xxxx-xxxx-sse.cisco.com)> key char <sse-tunnel-passphrase>
    
  3. Create an IKEv2 profile for each tunnel.
    ikev2 profile SSE-primary
      child-lifetime 3600
      child-pfs off
      child-proposal enc aes-gcm-256-16
      child-proposal integrity sha1
      dpd interval 10
      local-authentication psk id rfc822-addr <sse-primary-tunnel-id (e.g. xxxx@xxxx-xxxx-sse.cisco.com)>
      sa-lifetime 14400
      sa-proposal enc aes-gcm-256-16
      sa-proposal dh 2048-bit 
    
    ikev2 profile SSE-secondary
      child-lifetime 3600
      child-pfs off
      child-proposal enc aes-gcm-256-16
      child-proposal integrity sha1
      dpd interval 10
      local-authentication psk id rfc822-addr <sse-secondary-tunnel-id (e.g. xxxx@xxxx-xxxx-sse.cisco.com)>
      sa-lifetime 14400
      sa-proposal enc aes-gcm-256-16
      sa-proposal dh 2048-bit 
    
  4. Create the tunnel interfaces. Each tunnel uses a /31 link address; the Secure Access side of the /31 is the BGP neighbor configured in step 5.
    interface Tunnel0.0
      tunnel mode ipsec-ikev2
      ip address 169.254.0.4/31
      ip tcp adjust-mss 1280
      ikev2 connect-type auto
      ikev2 local-authentication id rfc822-addr <sse-primary-tunnel-id (e.g. xxxx@xxxx-xxxx-sse.cisco.com)>
      ikev2 nat-traversal keepalive 20
      ikev2 peer <sse_primary_dc_ip> 
    
    interface Tunnel1.0
      tunnel mode ipsec-ikev2
      ip address 169.254.0.8/31
      ip tcp adjust-mss 1280
      ikev2 connect-type auto
      ikev2 local-authentication id rfc822-addr <sse-secondary-tunnel-id (e.g. xxxx@xxxx-xxxx-sse.cisco.com)>
      ikev2 nat-traversal keepalive 20
      ikev2 peer <sse_secondary_dc_ip> 
    
  5. Configure BGP routing to the Secure Access peers.
    router bgp <local AS number>
      neighbor 169.254.0.5 remote-as 64512
      neighbor 169.254.0.5 update-source Tunnel0.0
      neighbor 169.254.0.9 remote-as 64512
      neighbor 169.254.0.9 update-source Tunnel1.0
      address-family ipv4 unicast
        network <advertised route>
    
  6. Create two static routes for the BGP peer addresses (169.254.0.5 and 169.254.0.9, the far end of each tunnel /31).
    ip route 169.254.0.5/32 Tunnel0.0
    ip route 169.254.0.9/32 Tunnel1.0
    
  7. Apply the IKEv2 outgoing interface to the tunnel interfaces.
    interface Tunnel0.0
      ikev2 outgoing-interface GigaEthernet0.0 <WAN next-hop-ip-address>
    interface Tunnel1.0
      ikev2 outgoing-interface GigaEthernet0.0 <WAN next-hop-ip-address>
    
  8. Permit tunnel establishment from the Secure Access data center IP addresses: allow them inbound on the WAN interface and route them through the WAN next hop rather than through the tunnels.
    ip access-list sse-ipsec permit ip src <sse_primary_dc_ip> dest any
    ip access-list sse-ipsec permit ip src <sse_secondary_dc_ip> dest any
    ip route <sse_primary_dc_ip> <WAN next-hop-ip-address>
    ip route <sse_secondary_dc_ip> <WAN next-hop-ip-address>
    interface GigaEthernet0.0
      ip filter sse-ipsec 1 in
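
As an added consistency check, not part of the original guide or the NEC IX software: a Python script that parses a completed configuration in the layout above and cross-checks the steps against each other. For each tunnel it verifies that the local IKEv2 identity has a pre-shared key entry (step 2 vs. step 4), that the BGP neighbor is the far end of the tunnel /31 and has a host route into that tunnel (steps 5 and 6), and that the data center peer is permitted by the sse-ipsec filter applied inbound on the WAN interface and routed via the WAN next hop (steps 7 and 8). The embedded sample configuration is constructed: it uses documentation address ranges (RFC 5737) and made-up tunnel IDs and keys. The parser assumes the two-level indentation shown on this page and merges stanzas that reuse a header, as step 7 does.

```python
import ipaddress
import re

# Constructed sample with the placeholders filled in. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; the IDs and keys are made up.
SAMPLE_CONFIG = """\
interface GigaEthernet0.0
  ip address 203.0.113.10/24
ikev2 authentication psk id rfc822-addr primary@example-sse.invalid key char EXAMPLE-PSK-1
ikev2 authentication psk id rfc822-addr secondary@example-sse.invalid key char EXAMPLE-PSK-2
interface Tunnel0.0
  tunnel mode ipsec-ikev2
  ip address 169.254.0.4/31
  ikev2 local-authentication id rfc822-addr primary@example-sse.invalid
  ikev2 peer 198.51.100.1
interface Tunnel1.0
  tunnel mode ipsec-ikev2
  ip address 169.254.0.8/31
  ikev2 local-authentication id rfc822-addr secondary@example-sse.invalid
  ikev2 peer 198.51.100.2
router bgp 65001
  neighbor 169.254.0.5 remote-as 64512
  neighbor 169.254.0.5 update-source Tunnel0.0
  neighbor 169.254.0.9 remote-as 64512
  neighbor 169.254.0.9 update-source Tunnel1.0
ip route 169.254.0.5/32 Tunnel0.0
ip route 169.254.0.9/32 Tunnel1.0
interface Tunnel0.0
  ikev2 outgoing-interface GigaEthernet0.0 203.0.113.1
interface Tunnel1.0
  ikev2 outgoing-interface GigaEthernet0.0 203.0.113.1
ip access-list sse-ipsec permit ip src 198.51.100.1 dest any
ip access-list sse-ipsec permit ip src 198.51.100.2 dest any
ip route 198.51.100.1 203.0.113.1
ip route 198.51.100.2 203.0.113.1
interface GigaEthernet0.0
  ip filter sse-ipsec 1 in
"""


def parse_blocks(text):
    """Group config text into {header: [sub-command word lists]}. Unindented lines
    start a block, indented lines belong to the latest block, and a repeated
    header (step 7 re-enters 'interface Tunnel0.0') is merged into the first."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.split())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def tunnel_facts(blocks):
    """Per tunnel interface: link address, IKEv2 peer, identity, WAN interface and next hop."""
    tunnels = {}
    for header, lines in blocks.items():
        if header.startswith("interface Tunnel"):
            f = dict.fromkeys(["addr", "peer", "auth_id", "wan_if", "next_hop"])
            for w in lines:
                if w[:2] == ["ip", "address"]:
                    f["addr"] = ipaddress.ip_interface(w[2])
                elif w[:2] == ["ikev2", "peer"]:
                    f["peer"] = ipaddress.ip_address(w[2])
                elif w[:3] == ["ikev2", "local-authentication", "id"]:
                    f["auth_id"] = w[4]  # w[3] is the id type (rfc822-addr)
                elif w[:2] == ["ikev2", "outgoing-interface"]:
                    f["wan_if"], f["next_hop"] = w[2], w[3]
            tunnels[header.split()[1]] = f
    return tunnels


def check_config(text, acl_name="sse-ipsec"):
    """Return a list of findings; an empty list means steps 2 to 8 agree with each other."""
    blocks = parse_blocks(text)
    routes, permitted, neighbors, psk_ids = {}, [], {}, set()
    acl_re = re.compile(rf"^ip access-list {re.escape(acl_name)} permit ip src (\S+) dest any$")
    for header, lines in blocks.items():
        w = header.split()
        if w[:2] == ["ip", "route"] and len(w) == 4:  # ip route <dest> <next hop | interface>
            routes[ipaddress.ip_network(w[2], strict=False)] = w[3]
        elif w[:5] == ["ikev2", "authentication", "psk", "id", "rfc822-addr"]:
            psk_ids.add(w[5])
        elif header.startswith("router bgp"):
            for sub in lines:
                if sub[:1] == ["neighbor"] and sub[2:3] == ["update-source"]:
                    neighbors[ipaddress.ip_address(sub[1])] = sub[3]
        m = acl_re.match(header)
        if m:
            permitted.append(ipaddress.ip_network(m.group(1), strict=False))

    findings = []
    for name, t in tunnel_facts(blocks).items():
        if None in t.values():
            findings.append(f"{name}: address, peer, identity or outgoing-interface missing")
            continue
        if t["auth_id"] not in psk_ids:  # step 2 must cover the identity used in step 4
            findings.append(f"{name}: no 'ikev2 authentication psk' entry for {t['auth_id']}")
        # Step 8: the data center peer is allowed in on the WAN interface and
        # reached via the WAN next hop, never through the tunnel it establishes.
        if not any(t["peer"] in net for net in permitted):
            findings.append(f"{name}: peer {t['peer']} is not permitted by access-list {acl_name}")
        if routes.get(ipaddress.ip_network(str(t["peer"]))) != t["next_hop"]:
            findings.append(f"{name}: expected 'ip route {t['peer']} {t['next_hop']}'")
        wan = blocks.get(f"interface {t['wan_if']}", [])
        if not any(sub[:3] == ["ip", "filter", acl_name] and sub[-1] == "in" for sub in wan):
            findings.append(f"{name}: access-list {acl_name} is not applied inbound on {t['wan_if']}")
        # Steps 5 and 6: the BGP neighbor is the other address of the /31 and
        # needs a host route pointing into this tunnel.
        if t["addr"].network.prefixlen != 31:
            findings.append(f"{name}: tunnel address {t['addr']} is not a /31")
            continue
        expected = ipaddress.ip_address(int(t["addr"].ip) ^ 1)
        bound = [n for n, src in neighbors.items() if src == name]
        if bound != [expected]:
            findings.append(f"{name}: BGP neighbor should be {expected}, found {bound}")
        if routes.get(ipaddress.ip_network(str(expected))) != name:
            findings.append(f"{name}: expected 'ip route {expected}/32 {name}'")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["configuration is consistent"]:
        print(line)
```

Run it against the router's saved configuration (pasted into a file and read into `check_config`) before bringing the tunnels up; a mismatch between the tunnel /31, the BGP neighbor and the host route, or a data center address missing from the filter, shows up as a one-line finding naming the tunnel and the command that is expected.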