Diagram:

Task: build a route-based IPsec VPN tunnel between an ESR and a Cisco 2811.

Example ESR-30 configuration:

esr# show running-config 

interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 203.0.113.2/30
exit
tunnel vti 1
  ip firewall disable
  local address 203.0.113.2
  remote address 203.0.113.6
  ip address 192.0.2.1/30
  enable
exit

security ike proposal IKE_proposal
  encryption algorithm aes128
  dh-group 2
exit

security ike policy IKE_policy
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_proposal
exit

security ike gateway IKE_gateway
  ike-policy IKE_policy
  mode route-based
  bind-interface vti 1
exit

security ipsec proposal IPsec_proposal
  encryption algorithm aes128
exit

security ipsec policy IPsec_policy
  proposal IPsec_proposal
exit

security ipsec vpn IPsec_VPN
  mode ike
  ike establish-tunnel route
  ike gateway IKE_gateway
  ike ipsec-policy IPsec_policy
  enable
exit

ip route 203.0.113.4/30 203.0.113.1


Example Cisco 2811 configuration:

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key password address 203.0.113.2
!
crypto ipsec transform-set ESR esp-aes esp-sha-hmac 
!
crypto ipsec profile IPsec_profile
 set transform-set ESR 
!
interface Tunnel2
 ip address 192.0.2.2 255.255.255.252
 ip ospf network broadcast
 ip ospf 1 area 0
 tunnel source 203.0.113.6
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPsec_profile
!
interface FastEthernet0/0
 ip address 203.0.113.6 255.255.255.252
 speed auto
 full-duplex
!
ip route 203.0.113.0 255.255.255.252 203.0.113.5


Because the ESR-30 is configured with ike establish-tunnel route, the IPsec tunnel is brought up on demand: the IKE exchange starts only when transit traffic is routed into tunnel vti 1, which is why the first "show security ipsec vpn status" below returns nothing and the tunnel appears only after the ping. Note also that neither side pins an integrity algorithm, a modern DH group or PFS, so the peers settle on IKEv1 with AES-128, SHA-1 and DH group 2 and no PFS (confirmed by both status outputs below). This interoperates, but DH group 2 and SHA-1 are legacy choices; for production, configure matching stronger proposals on both devices.

ESR-side operational output while the IPsec tunnel is established:

esr# show security ipsec vpn status 
esr# 
esr# ping 192.0.2.2
PING 192.0.2.2 (192.0.2.2) 56 bytes of data.
!!
--- 192.0.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 1.890/1.927/1.964/0.037 ms

esr# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPsec_VPN                         203.0.113.2       203.0.113.6       0x2ee3c5540c679db3   0x2dce49bead105d73   Established  

esr# show security ipsec vpn status IPsec_VPN 
Currently active IKE SA:
    Name:                      IPsec_VPN
    State:                     Established
    Version:                   v1-only
    Unique ID:                 1
    Local host:                203.0.113.2
    Remote host:               203.0.113.6
    Role:                      Responder
    Initiator spi:             0x2ee3c5540c679db3
    Responder spi:             0x2dce49bead105d73
    Encryption algorithm:      aes128
    Authentication algorithm:  sha1
    Diffie-Hellman group:      2
    Established:               3 minutes and 25 seconds ago
    Rekey time:                3 minutes and 25 seconds
    Reauthentication time:     2 hours, 45 minutes and 8 seconds
    Child IPsec SAs:
        Name:                      IPsec_VPN-2
        State:                     Installed
        Protocol:                  esp
        Mode:                      Tunnel
        Encryption algorithm:      aes128
        Authentication algorithm:  sha1
        Rekey time:                45 minutes and 44 seconds
        Life time:                 56 minutes and 35 seconds
        Established:               3 minutes and 25 seconds ago
        Traffic statistics: 
            Input bytes:           168
            Output bytes:          168
            Input packets:         2
            Output packets:        2
        -------------------------------------------------------------


Cisco-side operational output for the IPsec tunnel:

Router#show crypto ipsec sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 203.0.113.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.6, remote crypto endpt.: 203.0.113.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCEFAA52B(3472532779)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xAAF7EDE3(2868375011)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: Tunnel2-head-0
        sa timing: remaining key lifetime (k/sec): (4500460/3560)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCEFAA52B(3472532779)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: Tunnel2-head-0
        sa timing: remaining key lifetime (k/sec): (4500460/3560)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
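To check that a tunnel like the one above actually came up, carries traffic in both directions and did not silently fall back to legacy parameters, the following Python script parses the two status outputs reproduced on this page and reports findings. It is an added example for this page, not ESR or Cisco tooling; the two samples are excerpts of the outputs shown above, and the field names and the lists of weak algorithms are the script's own assumptions (esp-sha-hmac is IOS's name for HMAC-SHA-1).

```python
"""Audit ESR and Cisco IPsec status output (added example; not vendor tooling).
Sample excerpts and field names are taken from the outputs shown on the page."""
import re

WEAK_DH_GROUPS = {"1", "2", "5"}                        # 768/1024/1536-bit MODP
WEAK_HASHES = {"md5", "sha1"}                           # as printed by the ESR
WEAK_IOS_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac"}  # esp-sha-hmac = HMAC-SHA-1

# Excerpt of "show security ipsec vpn status IPsec_VPN" from the page.
ESR_SAMPLE = """\
Currently active IKE SA:
    Name:                      IPsec_VPN
    State:                     Established
    Version:                   v1-only
    Authentication algorithm:  sha1
    Diffie-Hellman group:      2
    Child IPsec SAs:
        Name:                      IPsec_VPN-2
        State:                     Installed
        Authentication algorithm:  sha1
            Input packets:         2
            Output packets:        2
"""

# Excerpt of "show crypto ipsec sa" from the page.
CISCO_SAMPLE = """\
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
     PFS (Y/N): N, DH group: none
     inbound esp sas:
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
"""


def parse_esr_status(text):
    """Split the ESR output into the IKE SA fields (4-space indent) and one
    dict per child IPsec SA (8 spaces and deeper; each child starts at 'Name')."""
    ike, children, cur = {}, [], None
    for line in text.splitlines():
        m = re.match(r"^( *)([A-Za-z][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, val = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        if indent >= 8 and key == "Name":
            cur = {}
            children.append(cur)
        (cur if indent >= 8 and cur is not None else ike)[key] = val
    return ike, children


def audit_esr(text):
    """Findings for the ESR side; an empty list means healthy and not legacy."""
    ike, children = parse_esr_status(text)
    f = []
    if ike.get("State") != "Established":
        f.append("IKE SA not established")
    if ike.get("Version") == "v1-only":
        f.append("IKEv1 negotiated; prefer IKEv2")
    if ike.get("Diffie-Hellman group") in WEAK_DH_GROUPS:
        f.append("weak IKE DH group " + ike["Diffie-Hellman group"])
    if ike.get("Authentication algorithm") in WEAK_HASHES:
        f.append("weak IKE integrity " + ike["Authentication algorithm"])
    for c in children:
        name = c.get("Name", "?")
        if c.get("State") != "Installed":
            f.append(name + ": child SA not installed")
        if c.get("Authentication algorithm") in WEAK_HASHES:
            f.append(name + ": weak ESP integrity " + c["Authentication algorithm"])
        if 0 in (int(c.get("Input packets", 0)), int(c.get("Output packets", 0))):
            f.append(name + ": traffic flows in one direction only")
    return f


def audit_cisco(text):
    """Findings for IOS 'show crypto ipsec sa' output, same semantics as above."""
    f = []
    m = re.search(r"#pkts encaps: (\d+).*?#pkts decaps: (\d+)", text, re.S)
    if m and 0 in map(int, m.groups()):
        f.append("traffic flows in one direction only")
    if re.search(r"PFS \(Y/N\): N", text):
        f.append("PFS disabled; set pfs in the IPsec profile")
    for transform in sorted(set(re.findall(r"transform: ([^,]+),", text))):
        weak = WEAK_IOS_TRANSFORMS & set(transform.split())
        if weak:
            f.append("weak ESP integrity " + ", ".join(sorted(weak)))
    statuses = re.findall(r"Status: (\w+)", text)
    if len(statuses) < 2 or any(s != "ACTIVE" for s in statuses):
        f.append("expected ACTIVE inbound and outbound ESP SAs, got " + str(statuses))
    if "replay detection support: N" in text:
        f.append("anti-replay disabled")
    return f


if __name__ == "__main__":
    for side, findings in (("ESR", audit_esr(ESR_SAMPLE)),
                           ("Cisco", audit_cisco(CISCO_SAMPLE))):
        print(side + ":", *(findings or ["no findings"]), sep="\n  ")
```

Run against the outputs on this page it reports exactly what the two configurations negotiate: IKEv1, DH group 2 and SHA-1 on the ESR side, and no PFS plus esp-sha-hmac on the Cisco side, because neither proposal pins a hash or a DH group and the IPsec profile has no pfs statement. Against a tunnel renegotiated with, for example, sha2-256 and group 14 the ESR list comes back empty, so the same script doubles as a post-change check.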