# Cisco

## Step 1 - Creating a new branch connection

Log in to the GoodAccess **Control Panel**, and go to [**Network** > **Clouds & Branches**](https://app.goodaccess.com/branches/).

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Create a new strong password
* **Public IP** - Public IP of your Cisco device
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Creating a new IPSec profile

Log in to your Cisco device, and go to **VPN** > **IPSec Profiles**. Click **Add** to create a new profile.

Give the profile a name and set the configuration as follows:

* **Keying mode** - Auto
* **IKE Version** - IKEv2
* **Phase I & II Options** - Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection)

Click **Apply** to confirm your settings.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FAuCwDmuwfTKnJrLMtLep%2FBranch%20Connector%20guides%20-%20Cisco_2.PNG?alt=media&#x26;token=aadb47fa-c9a6-4559-b86c-02b846320821" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new IPSec profile."><figcaption><p>Creating a new IPSec profile</p></figcaption></figure>

## Step 3 - Creating a new site-to-site connection

Go to **VPN** > **Site-to-Site**. Click the **Add** button to create a new connection.

Give the connection a name and set the configuration as follows:

* **IPSec Profile** - Select the profile you just created [(Step 2)](#step-2-creating-a-new-ipsec-profile)
* **Remote Endpoint** - Select Static IP and enter the IP of your GoodAccess Gateway

### **Local/Remote IKE Authentication Method**

* **Pre-shared Key** - Shared Secret from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection)

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FJ44R4hCQ1P3kdlxheZoq%2FBranch%20Connector%20guides%20-%20Cisco_3.PNG?alt=media&#x26;token=c531ca26-2bd7-4cd8-b5f5-a83eb3602bcc" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new site-to-site connection."><figcaption><p>Creating a new site-to-site connection</p></figcaption></figure>

### **Local Group Setup**

* **Local Identifier Type** - Local WAN IP
* **Local Identifier** - Your public IP
* **Local IP Type** - Subnet
* **IP Address** - IP of your network
* **Subnet Mask** - Your Subnet Mask

### **Remote Group Setup**

* **Remote Identifier Type** - Remote WAN IP
* **Remote Identifier** - IP of your GoodAccess Gateway
* **Remote IP Type** - Subnet
* **IP Address** - Subnet of your GoodAccess Gateway
* **Subnet Mask** - Subnet Mask of your GoodAccess Gateway

Don't forget to **Apply** changes.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Ffr1zKRc4GUWqhDSQ6VTx%2FBranch%20Connector%20guides%20-%20Cisco_4.PNG?alt=media&#x26;token=a12c1bf8-02d5-4b68-bf9c-2ffe021dba85" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Local &#x26; Remote Group Setup sections of a site-to-site connection."><figcaption><p>Setting up the local &#x26; remote group setup of a site-to-site connection</p></figcaption></figure>

You have now successfully connected your device to GoodAccess.
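If the tunnel does not come up, a Phase 1/2 setting that differs between the two sides is a common cause. The following Python check is an added example, not part of the GoodAccess or Cisco documentation: it compares the values entered on the router with the Step 1 default preset and converts a Step 1 CIDR subnet into the **IP Address** / **Subnet Mask** pair that Step 3 asks for. The device-side labels (such as `AES-256`), the alias table, and all function names are assumptions.

```python
import ipaddress
import re

# Step 1 default preset, as listed on this page (lifetimes in seconds).
GOODACCESS_PRESET = {
    "ike_version": "ikev2",
    "p1_encryption": "aes256", "p1_integrity": "sha256",
    "p1_dh_group": "16", "p1_lifetime": "28800",
    "p2_encryption": "aes256", "p2_integrity": "sha256",
    "p2_dh_group": "16", "p2_lifetime": "3600",
}

# Assumed spelling variants a device GUI might use; extend as needed.
ALIASES = {"sha2256": "sha256", "aes256cbc": "aes256"}

def normalize(key, value):
    """Reduce a GUI label to a comparable token."""
    text = str(value).lower()
    if key.endswith(("dh_group", "lifetime")):
        # "Group16 - 4096 bit" -> "16", "28800 sec" -> "28800"
        match = re.search(r"\d+", text)
        return match.group() if match else text
    token = re.sub(r"[^a-z0-9]", "", text)
    return ALIASES.get(token, token)

def mismatches(device, preset=GOODACCESS_PRESET):
    """Return {key: (expected, found)} for every setting that differs."""
    diffs = {}
    for key, expected in preset.items():
        found = normalize(key, device.get(key, ""))
        if found != normalize(key, expected):
            diffs[key] = (expected, device.get(key))
    return diffs

def subnet_fields(cidr):
    """Split a CIDR subnet into (IP Address, Subnet Mask) for Step 3."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    return str(net.network_address), str(net.netmask)

# Constructed device-side values for illustration (labels are assumptions).
DEVICE = {
    "ike_version": "IKEv2",
    "p1_encryption": "AES-256", "p1_integrity": "SHA2-256",
    "p1_dh_group": "Group16 - 4096 bit", "p1_lifetime": 28800,
    "p2_encryption": "AES-256", "p2_integrity": "SHA2-256",
    "p2_dh_group": "Group16 - 4096 bit", "p2_lifetime": 28800,  # wrong: 3600
}

if __name__ == "__main__":
    print(mismatches(DEVICE), subnet_fields("192.168.10.0/24"))
```

The sample `DEVICE` deliberately carries the Phase 1 lifetime in the Phase 2 field, so the check reports `p2_lifetime` as the only difference.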

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **Cisco:** Go to **VPN > Site-to-Site > Status > VPN Status**.
{% endhint %}

## Step 4 (optional) - Enabling DPD

Switch to **Advanced Setup** and **enable DPD (Dead Peer Detection)**.

Click **Apply** to confirm your settings.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fkh5OwiY79g0LlWRTlZtv%2FBranch%20Connector%20guides%20-%20Cisco_5.PNG?alt=media&#x26;token=04a81d12-397e-47c4-b512-239273e8d262" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to enabling Dead Peer Detection (DPD) for a site-to-site connection."><figcaption><p>Setting up DPD (Dead Peer Detection)</p></figcaption></figure>

## Step 5 (optional) - Saving the configuration

Click on the **Red floppy disk** icon to access **Configuration Management**, and click on **Apply**.

{% hint style="info" %}
Saving the configuration ensures that your IPsec configuration is not lost if the router reboots or loses power.
{% endhint %}

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F8JFlGvKBytp944sUtTgQ%2FBranch%20Connector%20guides%20-%20Cisco_6.PNG?alt=media&#x26;token=4ef4ef3a-b393-4f1c-8181-3a0d6318f5f0" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to saving the configuration."><figcaption><p>Saving the configuration</p></figcaption></figure>

