=====Lab 000 - Configure IKEv2 Initial Configurations=====
References:\\
[[https://youtu.be/fPb8urnJ9PY?si=J8Bga_o61qWJ1vWf|Rob Riker Teaching VPN Concepts on YouTube]]\\
[[https://www.ciscopress.com/store/ccnp-security-virtual-private-networks-svpn-300-730-9780136660606|CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide]]\\
* ISBN: 9780136660606
* Chapter 3, Router Configuration with IKEv2, page 78.
* This lab provides the answers for how to configure IKEv2.
* This lab has two directly connected routers that exchange ESP-encrypted traffic protected by IKEv2-negotiated security associations.
{{ :cisco:books:ccnp_300-730:ch3:000:Lab-000-IKEv2-Overview.png?300 | Lab-000-IKEv2-Overview }}
__r1-hub's initial configuration__
en
conf t
no ip domain lookup
hostname r1-hub
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
no shutdown
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1
shutdown
ip address 12.1.1.1 255.255.255.0
!
ip access-list extended castle-acl
remark Permit statements equal traffic that shall be encrypted.
permit ip host 12.1.1.1 host 12.1.1.2
!
crypto ikev2 proposal rook-proposal
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy svpn-policy
proposal rook-proposal
!
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.2
pre-shared-key cisco
!
crypto ikev2 profile side-profile
match identity remote address 12.1.1.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp
set peer 12.1.1.2
set transform-set tset
set pfs group14
set ikev2-profile side-profile
match address castle-acl
!
interface GigabitEthernet1
crypto map svpn-map
no shutdown
!
end
wr
__r2-spoke's initial configuration__
en
conf t
no ip domain lookup
hostname r2-spoke
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
no shutdown
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1
shutdown
ip address 12.1.1.2 255.255.255.0
!
ip access-list extended castle-acl
remark Permit statements equal traffic that shall be encrypted.
permit ip host 12.1.1.2 host 12.1.1.1
!
crypto ikev2 proposal rook-proposal
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy svpn-policy
proposal rook-proposal
!
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.1
pre-shared-key cisco
!
crypto ikev2 profile side-profile
match identity remote address 12.1.1.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set tset
set pfs group14
set ikev2-profile side-profile
match address castle-acl
!
interface GigabitEthernet1
crypto map svpn-map
no shutdown
!
end
wr
__Verification__
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/3/7 ms
r1-hub#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 12.1.1.1/500 12.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/13 sec
IPv6 Crypto IKEv2 SA
* Packet Capture on r1-hub e0/0 interface.
{{ :cisco:books:ccnp_300-730:ch3:000:Lab-000-IKEv2-Capture.png?900 |Lab-000-IKEv2-Capture}}
* The crypto is working correctly. The ICMP (ping) packets appear on the wire as ESP because they are encrypted.
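To automate the verification step, the following Python script (an added example, not part of the lab or the book) parses the show crypto ikev2 sa output shown above and checks that the negotiated SA actually matches what rook-proposal and side-profile were configured to produce. The sample output is constructed from the lab's own verification and the expected values come from the lab configuration; a mismatch list that is not empty means the peers negotiated something other than the intended policy.

```python
import re

# Constructed sample: the "show crypto ikev2 sa" output from this lab's verification step.
SAMPLE_SA_OUTPUT = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         12.1.1.1/500          12.1.1.2/500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/13 sec

IPv6 Crypto IKEv2 SA
"""

# What rook-proposal (aes-cbc-256 / sha512 / group 14) and side-profile (pre-share) should negotiate.
EXPECTED = {"encr": "AES-CBC", "keysize": 256, "prf": "SHA512", "hash": "SHA512",
            "dh": 14, "auth_sign": "PSK", "auth_verify": "PSK"}

# SA summary line: tunnel-id, local/port, remote/port, fvrf/ivrf, status.
SA_RE = re.compile(r"^\s*(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\S+)\s+(\S+)\s*$")
# Parameter line that follows each SA summary line.
PARAM_RE = re.compile(
    r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*PRF:\s*(\S+),\s*Hash:\s*(\S+),"
    r"\s*DH Grp:\s*(\d+),\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")

def parse_ikev2_sa(text):
    """Return one dict per IKEv2 SA found in 'show crypto ikev2 sa' output."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas.append({"tunnel_id": int(m.group(1)), "local": m.group(2),
                        "remote": m.group(4), "status": m.group(8)})
            continue
        m = PARAM_RE.search(line)
        if m and sas:  # parameters belong to the most recent SA summary line
            sas[-1].update(encr=m.group(1), keysize=int(m.group(2)), prf=m.group(3),
                           hash=m.group(4), dh=int(m.group(5)),
                           auth_sign=m.group(6), auth_verify=m.group(7))
    return sas

def check_sa(sa, expected=EXPECTED):
    """Return a list of mismatches against the lab policy; an empty list means the SA is as intended."""
    problems = []
    if sa.get("status") != "READY":
        problems.append(f"status: expected READY, got {sa.get('status')}")
    for key, want in expected.items():
        if sa.get(key) != want:
            problems.append(f"{key}: expected {want}, got {sa.get(key)}")
    return problems

if __name__ == "__main__":
    for sa in parse_ikev2_sa(SAMPLE_SA_OUTPUT):
        print(sa["local"], "->", sa["remote"], check_sa(sa) or "OK")
```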