=====Cisco - Security - VPN - 3 - IKEv2 Encrypted Tunnel Configuration=====
====Device Code====
__r1__
#r1
en
conf t
no ip domain lookup
no call-home
no service call-home
line con 0
logg syn
width 512
exec-timeout 0 0
history size 256
exit
hostname r1
crypto ikev2 proposal pro-remote
encryption aes-cbc-256
integrity sha512
group 24
!
crypto ikev2 policy pol-remote
proposal pro-remote
!
crypto ikev2 keyring kr1
peer peer-remote
address 192.168.2.2
pre-shared-key cisco
!
crypto ikev2 profile remote-profile
match identity remote address 192.168.2.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local kr1
!
crypto ipsec transform-set ts-remote esp-aes esp-sha512-hmac
mode transport
!
crypto ipsec profile tst
set transform-set ts-remote
set pfs group24
set ikev2-profile remote-profile
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 172.0.0.1 255.255.255.252
tunnel source GigabitEthernet1
tunnel destination 192.168.2.2
tunnel protection ipsec profile tst
!
interface GigabitEthernet1
ip address 192.168.2.1 255.255.255.0
no shut
!
router bgp 1
bgp router-id 1.1.1.1
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
neighbor 172.0.0.2 remote-as 1
end
wr
\\
__r2__
#r2
en
conf t
no ip domain lookup
no call-home
no service call-home
line con 0
logg syn
width 512
exec-timeout 0 0
history size 256
exit
hostname r2
crypto ikev2 proposal pro-remote
encryption aes-cbc-256
integrity sha512
group 24
!
crypto ikev2 policy pol-remote
proposal pro-remote
!
crypto ikev2 keyring kr1
peer peer-remote
address 192.168.2.1
pre-shared-key cisco
!
crypto ikev2 profile remote-profile
match identity remote address 192.168.2.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local kr1
!
! The IKEv1 (isakmp) lines below are not used by this tunnel: the IPsec profile
! references the IKEv2 profile, so they are leftover config and can be removed
crypto isakmp policy 10
encryption aes
authentication pre-share
group 24
crypto isakmp key cisco address 192.168.2.1 255.255.255.0
!
crypto ipsec transform-set ts-remote esp-aes esp-sha512-hmac
mode transport
!
crypto ipsec profile tst
set transform-set ts-remote
set pfs group24
set ikev2-profile remote-profile
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 172.0.0.2 255.255.255.252
tunnel source GigabitEthernet1
tunnel destination 192.168.2.1
tunnel protection ipsec profile tst
!
interface GigabitEthernet1
ip address 192.168.2.2 255.255.255.0
no shut
!
router bgp 1
bgp router-id 2.2.2.2
bgp log-neighbor-changes
network 2.2.2.2 mask 255.255.255.255
neighbor 172.0.0.1 remote-as 1
end
wr
\\
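As an added example (not part of the original lab), a small Python cross-check of the two endpoint configurations above: for each router it confirms that the keyring address, the match identity and the tunnel destination all point at the peer's GigabitEthernet1 address, that Tunnel0 carries a tunnel protection profile, and it flags the leftover IKEv1 crypto isakmp config on r2 and the lab pre-shared key. The config excerpts are constructed from this page and indented as show run prints them; the field names and the 16-character PSK threshold are my own assumptions.

```python
import re
R1 = """crypto ikev2 keyring kr1
 peer peer-remote
  address 192.168.2.2
  pre-shared-key cisco
crypto ikev2 profile remote-profile
 match identity remote address 192.168.2.2 255.255.255.255
interface Tunnel0
 tunnel source GigabitEthernet1
 tunnel destination 192.168.2.2
 tunnel protection ipsec profile tst
interface GigabitEthernet1
 ip address 192.168.2.1 255.255.255.0
"""
R2 = (R1.replace("192.168.2.2", "@").replace("192.168.2.1", "192.168.2.2").replace("@", "192.168.2.1")  # swap WAN ends
      + "crypto isakmp key cisco address 192.168.2.1 255.255.255.0\n")  # plus the stray IKEv1 line r2 carries
FIELDS = (  # (parent stanza prefix, child-line pattern, field name)
    ("crypto ikev2 keyring", r"^address (\S+)", "peer"),
    ("crypto ikev2 keyring", r"^pre-shared-key (\S+)", "psk"),
    ("crypto ikev2 profile", r"^match identity remote address (\S+)", "identity"),
    ("interface Tunnel", r"^tunnel source (\S+)", "src"),
    ("interface Tunnel", r"^tunnel destination (\S+)", "dst"),
    ("interface Tunnel", r"^tunnel protection ipsec profile (\S+)", "protected"))
def summarize(text):  # per endpoint: the fields that must agree across the tunnel
    s, ips, head = {"isakmp": False}, {}, ""
    for line in text.splitlines():
        if line and not line.startswith(" "):  # a new top-level stanza
            head, s["isakmp"] = line, s["isakmp"] or line.startswith("crypto isakmp")
            continue
        child = line.strip()
        for prefix, pat, key in FIELDS:
            if head.startswith(prefix) and (m := re.match(pat, child)):
                s[key] = m.group(1)
        if head.startswith("interface") and (m := re.match(r"ip address (\S+)", child)):
            ips[head.split()[1]] = m.group(1)  # each interface's address, keyed by name
    s["wan"] = ips.get(s.get("src"))  # the tunnel-source address is what the peer must point at
    return s

def check_pair(a_text, b_text, names=("r1", "r2")):  # empty list means the two ends agree
    a, b, out = summarize(a_text), summarize(b_text), []
    for me, other, name in ((a, b, names[0]), (b, a, names[1])):
        if not (me.get("peer") == me.get("identity") == me.get("dst") == other.get("wan")):
            out.append(f"{name}: keyring address, match identity and tunnel destination must equal the peer WAN")
        if not me.get("protected"):
            out.append(f"{name}: Tunnel0 lacks 'tunnel protection ipsec profile'; GRE would run in cleartext")
        if me["isakmp"]:
            out.append(f"{name}: stray 'crypto isakmp' IKEv1 config is not used by the IKEv2 profile; remove it")
    if a.get("psk") != b.get("psk") or len(a.get("psk") or "") < 16:
        out.append("pre-shared keys must match on both ends and be long and random (the lab uses 'cisco')")
    return out
```

Run against the two excerpts it reports only the r2 IKEv1 leftover and the short pre-shared key; any mismatch in addresses or a missing tunnel protection line is reported per router.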
====Verifications====
__r1__
r1#show ip int br | i Tunnel0
Tunnel0 172.0.0.1 YES manual up up
r1#show int tu 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.0.0.1/30
MTU 9918 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 192.168.2.1 (GigabitEthernet1), destination 192.168.2.2
r1#ping 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
r1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.2.1/500 192.168.2.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/39446 sec\\
{{:cisco:security:3:esp-lab-3.jpg?800|}}\\
The capture shows that the entire original packet, including its inner IP header, is carried inside ESP and is therefore encrypted; only the outer header between the two tunnel endpoints is visible on the wire.