
DVTI on Hub-Spoke IKEV2

R1
—————–
(config)# crypto pki certificate map CMAP 1
# issuer-name co talebi

(config)# default crypto ikev2 proposal
(config)# crypto ikev2 proposal default
# encryption aes-cbc-256
# integrity sha256
# group 14

(config)# default crypto ikev2 policy

(config)# crypto ikev2 profile IKEV2-Profile
# identity local dn
# match certificate CMAP
# authentication remote rsa-sig
# authentication local rsa-sig
# pki trustpoint Trusted-cA
# virtual-template 1

(config)# default crypto ipsec transform-set

(config)# crypto ipsec transform-set default esp-gcm 256

(config)# default crypto ipsec profile
(config)# crypto ipsec profile default
# set ikev2-profile IKEV2-Profile
(config)# interface virtual-template 1 type tunnel
#ip unnumbered loop 0
#tunnel source eth0/0
#tunnel mode ipsec ipv4
#tunnel protection ipsec profile default
#ip ospf 1 area 0

R2
—————–
(config)# crypto pki certificate map CMAP 1
# issuer-name co talebi

(config)# default crypto ikev2 proposal
(config)# crypto ikev2 proposal default
# encryption aes-cbc-256
# integrity sha256
# group 14

(config)# default crypto ikev2 policy

(config)# crypto ikev2 profile IKEV2-Profile
# identity local dn
# match certificate CMAP
# authentication remote rsa-sig
# authentication local rsa-sig
# pki trustpoint Trusted-cA

(config)# default crypto ipsec transform-set

(config)# crypto ipsec transform-set default esp-gcm 256

(config)# default crypto ipsec profile
(config)# crypto ipsec profile default
# set ikev2-profile IKEV2-Profile

(config)# interface Tunnel0
#ip unnumbered loop 0
#tunnel source eth0/0
#tunnel destination 15.0.0.1
#tunnel mode ipsec ipv4
#tunnel protection ipsec profile default
#ip ospf 1 area 0

Verify your tunnel
—————-
#show crypto engine connections active
#show crypto ikev2 sa

Troubleshooting
—————-

show crypto ikev2 stats
show crypto ikev2 stats exchange
show crypto ikev2 proposal
show crypto ipsec profile
show crypto ipsec sa
show crypto session

FlexVPN: IKEV2 – Part 1

FlexVPN = IKEv2 + NGE (Next Generation Encryption)
IKEv1 = phase 1 => negotiate the IKE SA
phase 2 => IPsec tunnel (IPsec SA)

IKEv2 => initial negotiation + IPsec tunnel in one exchange sequence
=> building blocks: proposal, keyring, policy, profile
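The four building blocks only work when the names line up: the tunnel points at an IPsec profile, the IPsec profile at an IKEv2 profile, and the IKEv2 profile at a keyring or certificate map. The script below is an added example (not part of these notes and not a Cisco tool) that indexes a saved IOS running-config by those blocks, walks the reference chain, and reports dangling names, pre-share profiles with no keyring, and proposals that use non-NGE algorithms. The sample config is constructed for the demo and deliberately contains a certificate map named CAMP referenced as CMAP, a LEGACY proposal, and a tunnel that points at a profile that does not exist; the weak-algorithm lists are an assumption for the demo, not an official NGE table.

```python
import re

# Constructed sample config modelled on the notes above. The CAMP/CMAP mismatch,
# the LEGACY proposal and Tunnel9's missing profile are planted on purpose so
# the checks below have something to report.
SAMPLE_CONFIG = """\
crypto pki certificate map CAMP 1
 issuer-name co talebi
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 proposal LEGACY
 encryption 3des
 integrity sha1
 group 2
crypto ikev2 keyring HRT-keyring
 peer container1
  address 192.168.10.2
  pre-shared-key local cisco
crypto ikev2 profile IKEV2-Profile
 match certificate CMAP
 authentication remote rsa-sig
 authentication local rsa-sig
crypto ikev2 profile HRT-profile
 match identity remote fqdn r2.test.local
 authentication local pre-share
 authentication remote pre-share
 keyring local HRT-keyring
crypto ipsec profile default
 set ikev2-profile IKEV2-Profile
crypto ipsec profile PSK-profile
 set ikev2-profile HRT-profile
interface Tunnel3
 tunnel protection ipsec profile PSK-profile
interface Tunnel9
 tunnel protection ipsec profile missing-profile
"""

# Assumed lists of algorithms and DH groups outside NGE (demo values, not a Cisco table)
WEAK_ALGOS = {"des", "3des", "md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}

# Top-level blocks we index; group 1 of each regex is the block's name
HEADER_PATTERNS = [
    ("certmap", r"crypto pki certificate map (\S+) \d+"),
    ("keyring", r"crypto ikev2 keyring (\S+)"),
    ("proposal", r"crypto ikev2 proposal (\S+)"),
    ("ikev2_profile", r"crypto ikev2 profile (\S+)"),
    ("ipsec_profile", r"crypto ipsec profile (\S+)"),
    ("interface", r"interface (\S+)"),
]

# (block kind holding the reference, child-line regex, kind the name must exist in)
REFERENCES = [
    ("ikev2_profile", r"match certificate (\S+)", "certmap"),
    ("ikev2_profile", r"keyring local (\S+)", "keyring"),
    ("ipsec_profile", r"set ikev2-profile (\S+)", "ikev2_profile"),
    ("interface", r"tunnel protection ipsec profile (\S+)", "ipsec_profile"),
]


def index_blocks(config):
    """Group indented child lines under their top-level command, keyed by kind and name."""
    idx = {kind: {} for kind, _ in HEADER_PATTERNS}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):  # child line of the block opened above
            if current is not None:
                current.append(line.strip())
            continue
        current = None  # a new top-level command; index it if we care about it
        for kind, pattern in HEADER_PATTERNS:
            m = re.match(pattern, line)
            if m:
                current = idx[kind].setdefault(m.group(1), [])
                break
    return idx


def audit(config):
    """Return findings: dangling references, PSK profiles without a keyring, non-NGE proposals."""
    idx = index_blocks(config)
    findings = []
    for holder, pattern, target in REFERENCES:
        for name, lines in idx[holder].items():
            for line in lines:
                m = re.match(pattern, line)
                if m and m.group(1) not in idx[target]:
                    findings.append(f"{holder} {name}: {target} {m.group(1)} is not defined")
    for name, lines in idx["ikev2_profile"].items():
        uses_psk = any(l.startswith("authentication") and l.endswith("pre-share") for l in lines)
        if uses_psk and not any(l.startswith("keyring local ") for l in lines):
            findings.append(f"ikev2_profile {name}: pre-share authentication without a keyring")
    for name, lines in idx["proposal"].items():
        for line in lines:
            words = line.split()
            weak = WEAK_DH_GROUPS if words[0] == "group" else WEAK_ALGOS
            for w in [w for w in words[1:] if w in weak]:
                findings.append(f"proposal {name}: non-NGE {words[0]} {w}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` and the first finding is exactly the CAMP/CMAP kind of slip that leaves `show crypto ikev2 sa` empty on the hub: the profile never matches a certificate map that exists, so the SA is never built. Feeding it `show running-config` output from a real router works the same way, since the parser relies only on IOS's one-space indentation of sub-mode commands.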

#show crypto ikev2 proposal default
#show crypto ikev2 policy default

R1
—————–
(config)# crypto ikev2 keyring HRT-keyring
peer container1
address 192.168.10.2
identity fqdn r2.test.local
pre-shared-key local cisco
pre-shared-key remote cisco123

(config)# crypto ikev2 profile HRT-profile
match identity remote fqdn r2.test.local
identity local fqdn r1.test.local
authentication local pre-share
authentication remote pre-share
keyring local HRT-keyring

(config)# crypto ipsec profile default
# set ikev2-profile HRT-profile

(config)# int tunnel 3
# tunnel source gi0/0
# tunnel destination 192.168.10.2
# tunnel mode ipsec ipv4
# tunnel protection ipsec profile default


R2
—————–
(config)# crypto ikev2 keyring HRT-keyring
peer container1
address 192.168.10.1
identity fqdn r1.test.local
pre-shared-key local cisco123
pre-shared-key remote cisco

(config)# crypto ikev2 profile HRT-profile
match identity remote fqdn r1.test.local
identity local fqdn r2.test.local
authentication local pre-share
authentication remote pre-share
keyring local HRT-keyring

(config)# crypto ipsec profile default
# set ikev2-profile HRT-profile

(config)# int tunnel 3
# tunnel source gi0/0
# tunnel destination 192.168.10.1
# tunnel mode ipsec ipv4
# tunnel protection ipsec profile default


#show crypto ikev2 sa

#show crypto engine connections active