Copyright 2025 Fsas Technologies Inc
reference https://www.fujitsu.com/jp/documents/products/network/router/sir/example/vpn-client/vpnclient_gx-guide.pdf

****************************************
Si-R GX500 config
****************************************
access-list 111 permit udp any host 203.0.113.1 eq 500
access-list 111 permit udp any host 203.0.113.1 eq 4500
access-list 111 permit icmp any host 203.0.113.1
access-list 111 permit 50 any host 203.0.113.1
!
ip route 0.0.0.0 0.0.0.0 tunnel 1
ip local pool POOL1 192.168.100.200 192.168.100.250
!
logging buffer level informational
!
aaa authorization network CP1 local-group CONFIG1
!
crypto ipsec udp-encapsulation nat-t keepalive interval 60
!
crypto ipsec policy P2
 set pfs group2 group5 group14 group15
 set security-association lifetime seconds 3600
 set security-association transform-keysize aes 128 256 256
 set security-association transform esp-aes esp-sha-hmac esp-sha256-hmac
 set mtu 1454
 set mss auto
 set ip tos copy
 set ip df-bit 0
 set ip fragment post
 sa-up route
 exit
!
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 src 2 ipv6 any
 dst 1 ipv4 any
 dst 2 ipv6 any
 exit
!
crypto isakmp keepalive interval 30
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
!
crypto isakmp client configuration group CONFIG1
 pool POOL1
 exit
!
crypto isakmp policy P1
 authentication pre-share
 encryption aes
 encryption-keysize aes 128 256 256
 group 2 5 14 15
 lifetime 86400
 hash sha sha-256 sha-384 sha-512
 exit
!
crypto isakmp profile remote
 local-address 203.0.113.1
 set isakmp-policy P1
 set ipsec-policy P2
 keyring KEY1
 ike-version 2
 client configuration address respond
 isakmp authorization list CP1
 exit
!
crypto session identification address
!
crypto keyring KEY1
 pre-shared-key host test1 key sir-key1
 pre-shared-key host test2 key sir-key2
 exit
!
crypto map MAP1 ipsec-isakmp dynamic
 match address SELECTOR
 set isakmp-profile remote
 exit
!
interface GigaEthernet 1/1
 channel-group 1
 speed-duplex auto
 media auto
 pppoe enable
 exit
!
interface GigaEthernet 1/3
 channel-group 3
 speed-duplex auto
 media auto
 exit
!
interface Port-channel 1
 mtu 1454
 mss 1414
 exit
!
interface Port-channel 3
 ip address 192.168.100.1 255.255.255.0
 exit
!
interface Tunnel 1
 ip access-group 111 in
 tunnel mode pppoe profile pppoe-profile
 pppoe interface gigaethernet 1/1
 exit
!
pppoe profile pppoe-profile
 authentication accept chap
 account id-a@isp pwd-a@isp
 exit
!
end
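
Added example, not part of the original configuration or the referenced guide: a Python check that extracts the Diffie-Hellman groups offered by the crypto isakmp policy and crypto ipsec policy blocks above and reports the ones RFC 8247 rates SHOULD NOT or MUST NOT for IKEv2. The embedded excerpt is copied from this page; the function names parse_policies and audit are assumptions of the example.

```python
import re

# Excerpt of this page's Si-R GX500 configuration (policy blocks only),
# laid out one command per line.
CONFIG = """\
crypto ipsec policy P2
 set pfs group2 group5 group14 group15
 set security-association lifetime seconds 3600
 exit
!
crypto isakmp policy P1
 authentication pre-share
 encryption-keysize aes 128 256 256
 group 2 5 14 15
 hash sha sha-256 sha-384 sha-512
 exit
!
"""

# IKEv2 Diffie-Hellman group ratings from RFC 8247 (discouraged groups only).
DISCOURAGED = {1: "MUST NOT", 2: "SHOULD NOT", 5: "SHOULD NOT",
               22: "MUST NOT", 23: "SHOULD NOT", 24: "SHOULD NOT"}

def parse_policies(text):
    """Map (kind, name) of each isakmp/ipsec policy block to its DH groups."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"crypto (isakmp|ipsec) policy (\S+)", line)
        if header:
            current = header.groups()
            policies[current] = []
        elif line in ("exit", "!"):
            current = None          # left the policy sub-mode
        elif current and (line.startswith("group ") or line.startswith("set pfs ")):
            policies[current] += [int(n) for n in re.findall(r"\d+", line)]
    return policies

def audit(text):
    """Return (kind, policy, group, rating) for every discouraged DH group."""
    return [(kind, name, g, DISCOURAGED[g])
            for (kind, name), groups in parse_policies(text).items()
            for g in groups if g in DISCOURAGED]

if __name__ == "__main__":
    for kind, name, g, rating in audit(CONFIG):
        print(f"{kind} policy {name}: DH group {g} is rated {rating} in RFC 8247")
```

Run against this configuration, it reports groups 2 and 5 in both P1 (IKE SA) and P2 (PFS); a policy that offers only groups 14 and 15 produces no findings.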