  • Without smart defaults, the following objects must all be configured explicitly (with IKEv2 smart defaults enabled, only the keyring, the IKEv2 profile, an IPsec profile referencing it and the tunnel interface are mandatory):
    • IKEv2
      • Proposal
      • Policy
      • Keyring
      • Profile
    • IPSEC
      • Transform set
      • Profile
  • IKEv2 Proposal
    • Algorithms used to negotiate the IKE SA itself (not the IPsec SA; those come from the transform set)
      • DH group (e.g. group 19 or 14; groups 1, 2 and 5 are too weak for new deployments)
      • Encryption – AES (e.g. aes-cbc-256 or aes-gcm-256)
      • Integrity – SHA (e.g. sha256; sha1 only if the peer supports nothing better)
      • PRF – if not set, the integrity algorithm is used as the PRF
  • IKEv2 policy
    • Container that references the proposal just created; can be scoped with match statements (local address, FVRF) so different peers get different proposals
  • IKEv2 Keyring
    • Identifies the remote peer (by address or identity) and holds the pre-shared key(s) for it.
      • PSK only. Certificate (RSA/ECDSA) authentication uses a PKI trustpoint referenced from the IKEv2 profile instead, and needs no keyring.
      • The local and remote keys can be set separately (pre-shared-key local / remote); use long random keys, as a weak PSK is the usual weak point of an IKEv2 PSK deployment.
  • IKEv2 Profile
    • Defines which peer identities are matched, the local identity, and the authentication method for each side (pre-share, rsa-sig, ecdsa-sig).
      • Does not contain the actual PSK
      • Somewhat repetitive, but the keyring gets referenced from this profile (keyring local), or a PKI trustpoint when using certificates
  • IPSEC Transform-Set
    • Specifies the ESP encryption and integrity algorithms for the IPsec SA.
      • Under the transform set the IPsec mode can be set as well.
        • ie. Tunnel or Transport. Default is Tunnel; for GRE over IPsec, transport mode avoids a second outer IP header (20 bytes per packet) since GRE already provides one.
  • IPSEC Profile
    • Glues together the IKEv2 profile and the transform set (set ikev2-profile, set transform-set).
  • Tunnel Interface
    • Normal GRE tunnel configuration (tunnel source/destination, tunnel mode gre ip) with the IPsec profile attached via tunnel protection ipsec profile.
  • Disable Smart Defaults (optional)
    • If the built-in defaults are not wanted, each can be removed so only the explicit configuration is ever offered to a peer. They can be restored later with the default form of each command.

no crypto ikev2 policy default
no crypto ipsec profile default
no crypto ipsec transform-set default
no crypto ikev2 proposal default
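The whole procedure above on one router, as an added example configuration that is not from the original post. Object names, the addresses (203.0.113.x for the peers, 10.0.0.0/30 for the tunnel) and the pre-shared key are placeholders; the far side mirrors this with source and destination swapped.

```cisco
! Added example (not from the original post): explicit IKEv2 / IPsec config
! for a GRE tunnel on R1 (203.0.113.1) to R2 (203.0.113.2).
! All names, addresses and the pre-shared key are placeholders.

! --- IKEv2 proposal: algorithms for the IKE SA (phase 1) ---
crypto ikev2 proposal PROP-AES256-SHA256
 encryption aes-cbc-256
 integrity sha256
 group 19

! --- IKEv2 policy: container that references the proposal ---
crypto ikev2 policy POL-IKEV2
 proposal PROP-AES256-SHA256

! --- IKEv2 keyring: the remote peer and its pre-shared key ---
! (replace the key with a long random value; local/remote can differ)
crypto ikev2 keyring KR-R2
 peer R2
  address 203.0.113.2
  pre-shared-key ReplaceWithLongRandomKey

! --- IKEv2 profile: identities, auth method, keyring reference ---
crypto ikev2 profile PROF-R2
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 203.0.113.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R2

! --- IPsec transform set: ESP algorithms; transport mode for GRE over IPsec ---
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport

! --- IPsec profile: glues the transform set and the IKEv2 profile ---
crypto ipsec profile IPSEC-PROF-R2
 set transform-set TS-AES256-SHA256
 set ikev2-profile PROF-R2

! --- Tunnel interface: plain GRE, protected by the IPsec profile ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF-R2
```

If the defaults were disabled with the commands above, the proposal and transform set here are the only ones the router will offer, so both peers must agree on them exactly; a mismatch shows up as an IKE SA that never reaches READY rather than a tunnel that silently downgrades.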

  • Verify Tunnel/Protection
    • (The original post shows these as screenshots of show-command output; only the captions survive.)
    • Note the default IKEv2 policy is disabled.
    • Shows specifics of VPN IKEv2 settings.
    • Shows a security association exists for IKEv2.
    • Note default profile is disabled.
    • Shows there is a security association and we have packet encaps/decaps.
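The checks behind those captions, as an added example that is not from the original post. The commands are standard IOS show commands; the interface name, tunnel addresses and object names assume the placeholder configuration from the example above.

```cisco
! Added example (not from the original post): verifying the IKEv2 / IPsec
! GRE tunnel. Names and addresses assume the placeholder config above.

! Confirm only the explicit proposal and policy exist (no "default" entry
! listed once smart defaults were disabled) and that the policy maps to it.
show crypto ikev2 proposal
show crypto ikev2 policy

! Confirm the explicit IPsec profile and transform set, and that the
! default profile is gone.
show crypto ipsec profile
show crypto ipsec transform-set

! IKE SA: look for the peer 203.0.113.2 with Status READY; the detailed form
! shows the negotiated encr/integ/PRF/DH group and the authentication method,
! which is where a silently weaker-than-expected negotiation would show up.
show crypto ikev2 sa
show crypto ikev2 sa detailed

! Drive traffic through the tunnel so the counters move, then check that
! "#pkts encaps" and "#pkts decaps" under the Tunnel0 SA both increment.
ping 10.0.0.2 source 10.0.0.1
show crypto ipsec sa interface Tunnel0

! Tunnel line protocol should be up/up once protection is established.
show interfaces Tunnel0
```

Encaps incrementing with decaps stuck at zero usually means the far side is not returning traffic through its own tunnel (routing or a mismatched transform set on that side), whereas no IKEv2 SA at all points at the proposal, keyring or identity match.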
