• Cisco’s IOS implementation of IKEv2
    • Unified configuration framework for L2L, remote access and spoke-spoke VPNs
      • Tunnel interfaces.
  • FlexVPN components
    • Proposal, policy, credential store, profile
    • Tunnel interface.
  • Other
    • IPSEC Profile
    • Routing
  • FlexVPN Proposal
    • Set of transforms (encryption, integrity, PRF, DH group) offered in IKE_SA_INIT to protect the IKE SA.
      • More than one algorithm can be listed per transform type; the initiator offers all of them and the peers negotiate one.
        • ‘crypto ikev2 proposal <name>’
          • ‘encryption <enc type>’
          • ‘integrity <inte type>’
          • ‘group <dh group>’
          • ‘prf <prf type>’
        • AES in Galois/Counter Mode (AES-GCM) is a combined-mode (AEAD) algorithm: it provides its own integrity, so no ‘integrity’ line is configured with it.
          • Because the PRF can then no longer be derived from the integrity algorithm, ‘prf’ must be configured explicitly.
        • DH groups 19/20 are Elliptic Curve (ECDH) groups (256-bit and 384-bit prime-field curves).
  • FlexVPN Policy
    • Enables one or more proposals; the policy is selected by FVRF and/or the local IP address the peer connects to.
      • ‘crypto ikev2 policy <name>’
        • ‘proposal <name>’
        • ‘match fvrf <name>’
        • ‘match address local <ipv4 or ipv6>’
  • Credential Store
    • Stores authentication data
      • Trustpoint (‘crypto pki trustpoint’) for certificate-based authentication
      • Pre-shared keys (can now be asymmetric: a different key in each direction)
        • Keyring (‘crypto ikev2 keyring’)
        • In-profile (‘authentication <local|remote> pre-share key <key>’)
  • IKEv2/FlexVPN profile
    • Stores the non-negotiable IKE parameters (identities, authentication method per direction, credentials, DPD, virtual template).
      • Must be attached to an IPsec profile (on the initiator).
      • ‘crypto ikev2 profile <name>’
        • ‘match <options>’
        • ‘authentication <local|remote> <pre-share|rsa-sig|ecdsa-sig|eap>’
        • ‘keyring <name>’ (‘keyring local <name>’ in newer releases)
        • ‘pki trustpoint <name> <sign|verify>’
        • ‘identity local <address|dn|email|fqdn|key-id>’
        • ‘dpd <interval> <retry interval> <periodic|on-demand>’
        • ‘virtual-template <nr>’
        • ‘ivrf <ivrf name>’
    • NOTE – Unlike IKEv1, IKEv2 authenticates each direction independently, so the two peers can use different methods (e.g. the hub signs with a certificate while the spoke uses a pre-shared key or EAP); this is why ‘authentication local’ and ‘authentication remote’ are configured separately.
  • Profile selection
    • ‘match’ statements
      • Local IP address(es), certificate map, FVRF and remote IKEv2 identity
        • Statements of the same type are ORed; statements of different types are ANDed.
        • Certificate map and IKEv2 identity are treated as the same type (the peer matches if either matches).
      • ‘match fvrf CUST1’
      • ‘match address local 10.1.1.1’
      • ‘match address local 10.2.2.1’
      • ‘match certificate CMAP1’
    • Result
      • (FVRF CUST1) AND (local IP 10.1.1.1 OR 10.2.2.1) AND (peer certificate matches CMAP1)
    • A peer that matches no profile is rejected; since the remote identity and certificate arrive in IKE_AUTH, such a mismatch shows up as an authentication failure, not a proposal mismatch.
  • Flex Tunnels
    • Static (point-to-point, both endpoints known in advance):
      • ‘interface tunnel <nr>’
      • ‘<ip|ipv6> address <address>’
      • ‘tunnel source <interface|IP_add>’
      • ‘tunnel destination <IP_add>’
      • ‘tunnel mode ipsec <ipv4|ipv6>’
    • Dynamic (a virtual-access interface is cloned per peer from the template; used on hubs and remote-access servers, and for spoke-spoke):
      • ‘interface virtual-template <nr> type tunnel’
        • ‘<ip|ipv6> unnumbered <interface>’
        • ‘tunnel source <interface|IP_address>’
        • ‘tunnel mode ipsec <ipv4|ipv6>’
  • IPsec profile (activates IPsec)
    • Requires a transform-set.
    • The IKEv2 profile must be attached on the initiator; attaching it is what makes the IPsec profile use IKEv2 rather than IKEv1.
    • ‘crypto ipsec transform-set <set name> <transforms>’
    • ‘crypto ipsec profile <profname>’
      • ‘set transform-set <set name>’
      • ‘set ikev2-profile <profname>’
    • Applied to the tunnel or virtual-template interface:
      • ‘interface tunnel <x>’
        • ‘tunnel protection ipsec profile <profname>’
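The pieces above, assembled into one static site-to-site FlexVPN tunnel. This is an added worked example, not configuration from the original post: the router names, interfaces, addresses (RFC 5737 ranges), object names and the two pre-shared keys are all assumed for illustration. It uses an AES-GCM proposal (so the PRF is explicit and there is no integrity line), an asymmetric pre-shared key in each direction, a profile that pins the peer by its IKEv2 identity, on-demand DPD, and the IPsec profile that ties the transform set to the IKEv2 profile.

```cisco
! --- R1 (WAN address 192.0.2.1, peer R2 at 198.51.100.1) ---
! Proposal: AES-GCM is AEAD, so no 'integrity' line and the PRF must be explicit
crypto ikev2 proposal PROP-GCM
 encryption aes-gcm-256
 prf sha384
 group 19
!
! Policy: binds the proposal to the local address the peer connects to
crypto ikev2 policy POL-WAN
 match address local 192.0.2.1
 proposal PROP-GCM
!
! Credential store: asymmetric PSK, a different key per direction
! (example keys; use long random values in practice)
crypto ikev2 keyring KR-R2
 peer R2
  address 198.51.100.1
  pre-shared-key local R1-to-R2-key-EXAMPLE
  pre-shared-key remote R2-to-R1-key-EXAMPLE
!
! IKEv2 profile: local identity, peer pinned by identity, PSK both ways, DPD
crypto ikev2 profile PROF-R2
 match address local 192.0.2.1
 match identity remote address 198.51.100.1 255.255.255.255
 identity local address 192.0.2.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R2
 dpd 10 2 on-demand
!
! IPsec: transform set, then the profile that attaches the IKEv2 profile
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC-R2
 set transform-set TS-GCM
 set ikev2-profile PROF-R2
!
! Static FlexVPN tunnel (VTI); routes simply point at the interface
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-R2
!
ip route 10.2.0.0 255.255.255.0 Tunnel0
!
! --- R2: mirror image. Proposal, transform set and an IPsec profile IPSEC-R1
! (set ikev2-profile PROF-R1) are built exactly as on R1; a policy matches
! 198.51.100.1. Only the objects whose content differs are shown. ---
crypto ikev2 keyring KR-R1
 peer R1
  address 192.0.2.1
  pre-shared-key local R2-to-R1-key-EXAMPLE
  pre-shared-key remote R1-to-R2-key-EXAMPLE
!
crypto ikev2 profile PROF-R1
 match address local 198.51.100.1
 match identity remote address 192.0.2.1 255.255.255.255
 identity local address 198.51.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R1
 dpd 10 2 on-demand
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-R1
!
! Verification on either router:
!  show crypto ikev2 sa detailed   (expect AES-GCM / SHA384 PRF / DH group 19, PSK both ways)
!  show crypto ipsec sa            (ESP-GCM SAs, packet counters incrementing)
!  show crypto ikev2 profile       (confirms the match and identity lines in use)
```

Note how the keys cross over: R1's ‘pre-shared-key local’ is R2's ‘pre-shared-key remote’ and vice versa; getting this backwards is the usual cause of an AUTH failure with asymmetric keys. The ‘match identity remote address’ line is what prevents any host that knows the key from negotiating against this profile from another source address; with certificates, a ‘match certificate <map>’ line plays the same role.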
  • ‘Smart Defaults’
    • Simplifies IKEv2 deployments
    • Group of predefined IKEv2 and IPsec components, each named ‘default’.
      • Proposal, policy, transform set, IPsec profile
    • They do not appear in a plain ‘show run’; verify them with ‘show crypto ikev2 <component> default’ and ‘show run all’.
      • Examples
        • ‘show crypto ikev2 proposal default’
        • ‘show crypto ikev2 policy default’
        • ‘show run all | sec crypto’
          • Look for the objects named ‘default’
    • Caveat: the algorithms in the default proposal and transform set depend on the software release, and older releases include legacy ones; check them before relying on them, and define your own objects (or disable the defaults with the ‘no’ form) if they are not acceptable.
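The same static tunnel built on smart defaults, as an added example that is not part of the original post. It assumes the IKEv2 profile PROF-R2 and its keyring KR-R2 are already configured (names, addresses and interface are assumptions); the named proposal, policy and transform set disappear, and the only IPsec object touched is the ‘default’ profile, which needs the IKEv2 profile attached to it.

```cisco
! Default proposal, policy and transform set are used implicitly;
! only the default IPsec profile is edited, to attach our IKEv2 profile.
crypto ipsec profile default
 set ikev2-profile PROF-R2
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
! The defaults are invisible in 'show run'; see what is really negotiated:
!  show crypto ikev2 proposal default
!  show crypto ikev2 policy default
!  show crypto ipsec transform-set
!  show crypto ipsec profile
!  show run all | section crypto
!
! If the release's default proposal lists algorithms you do not accept,
! disable it and use a named proposal/policy instead:
!  no crypto ikev2 proposal default
!  no crypto ikev2 policy default
```

The point of checking ‘show crypto ikev2 proposal default’ before going live is that an accepted default is still a negotiated set: a peer offering only the weakest algorithm on that list will get it, so the defaults set the floor for every tunnel that relies on them.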
