Posts

FlexVPN – Part 2

-Proposal ==>Dephi Helman Group – Encryption – Integrity
-Policy
-Profile (match), (keyring)

show crypto ikev2 proposal default
show crypto ikev2 policy default
show crypto ikev2 transform-set default
show crypto ipsec profile default

Changing the default proposal

(config)# crypto ikev2 proposal default
(config-ikev2-proposal)# encryption aes-cbc-256
(config-ikev2-proposal)# integrity sha256
(config-ikev2-proposal)# group 2

revert back the default proposal
(config)# default crypto ikev2 proposal

R1–>25.0.0.1
——————–

(config)# crypto ikev2 proposal default
(config-ikev2-proposal)# encryption aes-cbc-256
(config-ikev2-proposal)# integrity sha256
(config-ikev2-proposal)# group 2

(config)# crypto ikev2 keyring Our-keys
# peers R2
# address 25.0.0.2
# identity address 25.0.0.2
# pre-shared-key local cisco123
# pre-shared-key remote cisco 123

(config)# crypto ikev2 profile default
# match identity remote address 25.0.0.2
# identity local address 25.0.0.1
# authentication local pre-share
# authentication remote pre-share
# keyring local Our-keys
# lifetime 7200

(config)# crypto ipsec transform-set default esp-gcm 256

(config)# crypto ipsec profile default
#set pfs group20

(config)# int tunnel 5
#tunnel mode ipsec ipv4
#ip unnumbered loop 0
# tunnel source e0/0
# tunnel destination 25.0.0.2
# tunnel protection ipsec profile default

R2–>25.0.0.2
——————–

(config)# crypto ikev2 proposal default
(config-ikev2-proposal)# encryption aes-cbc-256
(config-ikev2-proposal)# integrity sha256
(config-ikev2-proposal)# group 2

(config)# crypto ikev2 keyring Our-keys
# peers R1
# address 25.0.0.1
# identity address 25.0.0.1
# pre-shared-key local cisco123
# pre-shared-key remote cisco 123

(config)# crypto ikev2 profile default
# match identity remote address 25.0.0.1
# identity local address 25.0.0.2
# authentication local pre-share
# authentication remote pre-share
# keyring local Our-keys
# lifetime 7200

(config)# crypto ipsec transform-set default esp-gcm 256

(config)# crypto ipsec profile default
#set pfs group20

(config)# int tunnel 5
#tunnel mode ipsec ipv4
#ip unnumbered loop 0
# tunnel source e0/0
# tunnel destination 25.0.0.1
# tunnel protection ipsec profile default

FlexVPN: IKEV2 – Part 1

FlexVPN = IKEV2 + NGE(Next Generation Encryption)
IKEV1 = phase 1 => negotiate
phase 2 => IPSec Tunnel

IKEV2 => Initial neogtiation + IPSec Tunnel
=> proposals, key ring, policy, profile

#show crypto ikev2 proposal default
#show crypto ikev2 policy default

(config)# crypto ikev2 keyring HRT-keyring
peer container1
address 192.168.10.2
identity fqdn r2.test.local
pre-shared-key local cisco
pre-shared-key remote cisco123

(config)# crypto ikev2 profile HRT-profile
match identity remote fqdn r2.test.local
identity local fqdn r1.test.local
authentication local pre-share
authentication remote pre-share
keyring local HRT-keyring

(config)# crypto ipsec profile default
# set ikev2-profile HRT-profile

(config)# int tunnel 3
# tunnel source gi0/0
# tunnel destination 192.168.10.2
# tunnel mode ipsec ipv4
# tunnel protection ipsec profile default


(config)# crypto ikev2 keyring HRT-keyring
peer container1
address 192.168.10.1
identity fqdn r1.test.local
pre-shared-key local cisco123
pre-shared-key remote cisco

(config)# crypto ikev2 profile HRT-profile
match identity remote fqdn r1.test.local
identity local fqdn r2.test.local
authentication local pre-share
authentication remote pre-share
keyring local HRT-keyring

(config)# crypto ipsec profile default
# set ikev2-profile HRT-profile

(config)# int tunnel 3
# tunnel source gi0/0
# tunnel destination 192.168.10.1
# tunnel mode ipsec ipv4
# tunnel protection ipsec profile default

 

#show crypto ikev2 sa

#show crypto engine active connections