! Configure directly connected neighbors with iBGP, Tunnels, and IKEv1
! Hub side: an mGRE Tunnel1 protected by 'tunnel protection' with an IKEv1
! IPsec profile; spokes peer with the hub over the tunnel through a BGP
! dynamic listen range and get reflected routes from it.
hostname hub
!
! ACL 110 is referenced only by crypto map 'tst' below. That map is not
! applied to any interface in this config, so the ACL is inert here; note it
! also matches the same /30 as source and destination.
ip access-list extended 110
 20 permit ip 172.16.0.4 0.0.0.3 172.16.0.4 0.0.0.3
!
! NOTE(review): 'encryption aes' is AES-128, while spoke1's policies use
! 'encryption aes 256'. The ISAKMP SA still reaches QM_IDLE below, presumably
! via a default policy on one side - confirm with 'show crypto isakmp sa detail'
! and state the same policy explicitly on both routers.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
! 'cisco' is a lab-grade pre-shared key stored in the running config; use a
! strong per-peer secret (or certificates) outside the lab. Must match the
! key spoke1 configures for 172.16.0.5.
crypto isakmp key cisco address 172.16.0.6
!
! NOTE(review): this transform set is referenced only by crypto map 'tst'.
! The ipsec profile below has no 'set transform-set', so Tunnel1 negotiated the
! platform default (esp-aes esp-sha-hmac, 'Transport' per 'show crypto ipsec sa')
! rather than AES-256 in tunnel mode as configured here.
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Empty profile: no 'set transform-set' and no 'set pfs', so defaults apply
! (the SA output shows 'PFS (Y/N): N'). Add 'set transform-set esp-aes256-sha'
! (and 'set pfs group14' if PFS is wanted) so the negotiated crypto matches the
! intent; the same change is needed on spoke1's profile.
crypto ipsec profile ikev1-profile
!
! Not applied to GigabitEthernet4 or any other interface in this config;
! Tunnel1 uses 'tunnel protection' instead, and the SA output shows the
! auto-generated 'Tunnel1-head-0' map, not 'tst'. Looks like a leftover - confirm.
crypto map tst 10 ipsec-isakmp
 set peer 172.16.0.6
 set transform-set esp-aes256-sha
 match address 110
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! mGRE hub. The /30 tunnel address leaves room for exactly one spoke
! (10.0.0.2) even though the BGP listen range below is a /24; widen the mask
! if more spokes are planned.
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
 ! NHRP auth is a plaintext tag carried in NHRP, not a secret; it only has
 ! to match spoke1. The tunnel is IPsec-protected, so it is not exposed on the wire.
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.2 172.16.0.6
 ip nhrp network-id 1
 tunnel source GigabitEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile ikev1-profile
!
interface GigabitEthernet4
 ip address 172.16.0.5 255.255.255.252
!
! Dynamic neighbors: any peer in 10.0.0.0/24 that reaches the hub over the
! tunnel may open an iBGP session into peer-group 'tst'. The tunnel is IPsec-
! protected, but no 'neighbor tst password' is set; consider one for defense
! in depth. Spokes are reflector clients so they learn each other's loopbacks.
router bgp 65000
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group tst
 no bgp default ipv4-unicast
 neighbor tst peer-group
 neighbor tst remote-as 65000
 !
 address-family ipv4
  network 1.1.1.1 mask 255.255.255.255
  neighbor tst activate
  neighbor tst route-reflector-client
 exit-address-family
!
hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.0.5      172.16.0.6      QM_IDLE           1009 ACTIVE
!
! What this output shows: the SA was negotiated from the auto-generated
! 'Tunnel1-head-0' map (tunnel protection), with transform 'esp-aes esp-sha-hmac'
! in Transport mode and 'PFS (Y/N): N' - not the configured 'esp-aes256-sha'
! / 'mode tunnel', because profile 'ikev1-profile' sets no transform set or PFS.
! Proxy identities are the GigabitEthernet4 endpoints, protocol 47 (GRE), so
! all tunnel traffic (NHRP, BGP, ICMP) rides inside ESP. Counters are non-zero
! in both directions with no send/recv errors.
hub#show crypto ipsec sa
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 172.16.0.5
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.6/255.255.255.255/47/0)
   current_peer 172.16.0.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 155, #pkts encrypt: 155, #pkts digest: 155
    #pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.16.0.5, remote crypto endpt.: 172.16.0.6
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet4
     current outbound spi: 0x4653287E(1179854974)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x35F947CD(905529293)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4607981/1593)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4653287E(1179854974)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4607985/1593)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
!
hub#show ip bgp summary
BGP router identifier 1.1.1.1, local AS number 65000
BGP table version is 7, main routing table version 7
2 network entries using 496 bytes of memory
2 path entries using 272 bytes of memory
2/2 BGP path/bestpath attribute entries using 576 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1344 total bytes of memory
BGP activity 4/2 prefixes, 4/2 paths, scan interval 60 secs
2 networks peaked at 16:20:39 Aug 25 2025 UTC (02:38:05.558 ago)
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*10.0.0.2       4        65000      12      12        7    0    0 00:06:57        1
* Dynamically created based on a listen range command
Dynamically created neighbors: 1, Subnet ranges: 1
BGP peergroup tst listen range group members:
  10.0.0.0/24
Total dynamically created neighbors: 1/(100 max), Subnet ranges: 1
!
hub#show ip bgp | b Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>   1.1.1.1/32       0.0.0.0                  0         32768 i
 *>i  3.3.3.3/32       10.0.0.2                 0    100      0 i
!
hub#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
# Note: packets will be ESP in Wireshark now. See screenshot 2025-08-25-1359.
-----------------------
! Spoke side: point-to-point GRE to the hub (fixed 'tunnel destination'),
! NHRP registration to the hub as NHS, and a single static iBGP neighbor.
hostname spoke1
!
! Same ACL as on the hub; referenced only by crypto map 'tst', which is not
! applied to any interface in this config, so it is inert here.
ip access-list extended 110
 20 permit ip 172.16.0.4 0.0.0.3 172.16.0.4 0.0.0.3
!
! NOTE(review): policies 10 and 20 are identical (AES-256 / pre-share /
! group 14), so 20 adds nothing. Neither matches the hub's policy 10, which
! uses 'encryption aes' (AES-128); the SA still reaches QM_IDLE below,
! presumably via a default policy - confirm with 'show crypto isakmp sa detail'
! and configure one matching policy on both routers.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 encryption aes 256
 authentication pre-share
 group 14
! Same lab-grade PSK as on the hub (must match the hub's key for 172.16.0.6);
! replace with a strong per-peer secret outside the lab.
crypto isakmp key cisco address 172.16.0.5
!
! NOTE(review): referenced only by crypto map 'tst'. The empty ipsec profile
! below means Tunnel1 negotiated the platform default (esp-aes esp-sha-hmac,
! 'Transport' per 'show crypto ipsec sa'), not AES-256 in tunnel mode.
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Empty profile - add 'set transform-set esp-aes256-sha' (and 'set pfs group14'
! if PFS is wanted); whatever is chosen must agree with the hub's profile.
crypto ipsec profile ikev1-profile
!
! Not applied to any interface in this config; Tunnel1 uses 'tunnel
! protection' (the SA output shows map 'Tunnel1-head-0', not 'tst').
crypto map tst 10 ipsec-isakmp
 set peer 172.16.0.5
 set transform-set esp-aes256-sha
 match address 110
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
! Point-to-point GRE: 'tunnel destination' is fixed, so no multipoint mode is
! needed on the spoke. Unlike the hub's Tunnel1, 'no ip redirects' is not set.
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 ! NHRP auth string must match the hub's; it is a plaintext tag, not a secret.
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 172.16.0.5
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet4
 tunnel destination 172.16.0.5
 tunnel key 1
 tunnel protection ipsec profile ikev1-profile
!
interface GigabitEthernet4
 ip address 172.16.0.6 255.255.255.252
!
! Static iBGP to the hub's tunnel address; the hub accepts it through its
! listen range. No 'neighbor 10.0.0.1 password' is set, consistent with the
! hub side; the session is only reachable through the IPsec-protected tunnel.
router bgp 65000
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.0.0.1 remote-as 65000
 !
 address-family ipv4
  network 3.3.3.3 mask 255.255.255.255
  neighbor 10.0.0.1 activate
 exit-address-family
!
spoke1#  show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.0.5      172.16.0.6      QM_IDLE           1009 ACTIVE
!
spoke1#  show crypto ipsec sa
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 172.16.0.6
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.5/255.255.255.255/47/0)
   current_peer 172.16.0.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 281, #pkts encrypt: 281, #pkts digest: 281
    #pkts decaps: 147, #pkts decrypt: 147, #pkts verify: 147
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr.
failed: 0     #pkts not decompressed: 0, #pkts decompress failed: 0     #send errors 0, #recv errors 0      local crypto endpt.: 172.16.0.6, remote crypto endpt.: 172.16.0.5      plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet4      current outbound spi: 0x35F947CD(905529293)      PFS (Y/N): N, DH group: none      inbound esp sas:       spi: 0x4653287E(1179854974)         transform: esp-aes esp-sha-hmac ,         in use settings ={Transport, }         conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0          sa timing: remaining key lifetime (k/sec): (4607980/1381)         IV size: 16 bytes         replay detection support: Y         Status: ACTIVE(ACTIVE)      inbound ah sas:      inbound pcp sas:      outbound esp sas:       spi: 0x35F947CD(905529293)         transform: esp-aes esp-sha-hmac ,         in use settings ={Transport, }         conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0          sa timing: remaining key lifetime (k/sec): (4607978/1381)         IV size: 16 bytes         replay detection support: Y         Status: ACTIVE(ACTIVE)                 outbound ah sas:      outbound pcp sas: ! spoke1#show ip bgp summary BGP router identifier 3.3.3.3, local AS number 65000 BGP table version is 11, main routing table version 11 2 network entries using 496 bytes of memory 2 path entries using 272 bytes of memory 2/2 BGP path/bestpath attribute entries using 576 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 1344 total bytes of memory BGP activity 7/5 prefixes, 8/6 paths, scan interval 60 secs 2 networks peaked at 13:29:00 Aug 25 2025 UTC (05:32:36.132 ago) Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd 10.0.0.1        4        65000      15      15       11    0    0 00:09:48        1 ! 
spoke1#  show ip bgp | b Network      Network          Next Hop            Metric LocPrf Weight Path  *>i  1.1.1.1/32       10.0.0.1                 0    100      0 i  *>   3.3.3.3/32       0.0.0.0                  0         32768 i ! spoke1#  ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms