
Lab 000 - Configure IKEv2 Initial Configurations

References:
Rob Riker Teaching VPN Concepts on YouTube
CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide

  • ISBN: 9780136660606
  • Chapter 3, Router Configuration with IKEv2, page 78.
  • This lab uses two directly connected routers; IKEv2 negotiates the SAs between them and the traffic selected by the crypto ACL is carried inside ESP.

 Lab-000-IKEv2-Overview

r1-hub

en
conf t
hostname r1-hub
line con 0
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
 no shutdown
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 shutdown
 ip address 12.1.1.1 255.255.255.0
!
ip access-list extended castle-acl
 remark Permit statements equal traffic that shall be encrypted.
 permit ip host 12.1.1.1 host 12.1.1.2
!
crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy svpn-policy 
 proposal rook-proposal
!
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.2
  pre-shared-key cisco
!
crypto ikev2 profile side-profile
 match identity remote address 12.1.1.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp 
 set peer 12.1.1.2
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
!
interface Ethernet0/0
 crypto map svpn-map
 no shutdown
!
end
wr

r2-spoke

en
conf t
hostname r2-spoke
line con 0
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
 no shutdown
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
 shutdown
 ip address 12.1.1.2 255.255.255.0
!
ip access-list extended castle-acl
 remark Permit statements equal traffic that shall be encrypted.
 permit ip host 12.1.1.2 host 12.1.1.1
!
crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy svpn-policy 
 proposal rook-proposal
!
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.1
  pre-shared-key cisco
!
crypto ikev2 profile side-profile
 match identity remote address 12.1.1.1 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp 
 set peer 12.1.1.1
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
!
interface Ethernet0/0
 crypto map svpn-map
 no shutdown
!
end
wr
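Before pinging across the tunnel, a reviewer would want to confirm that both peers' IKEv2 proposals match, that the two crypto ACLs are mirror images, and that no legacy algorithm slipped in. The Python script below is an added example (not from the book or the lab); it runs over excerpts copied from the two configurations above and assumes the IOS convention that esp-aes without a key size means AES-128.

```python
import re
# Constructed excerpts copied from the r1-hub and r2-spoke configs above.
R1_CFG = """
ip access-list extended castle-acl
 permit ip host 12.1.1.1 host 12.1.1.2
crypto ikev2 proposal rook-proposal
 encryption aes-cbc-256
 integrity sha512
 group 14
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
crypto map svpn-map 10 ipsec-isakmp
 set pfs group14
"""
R2_CFG = R1_CFG.replace("host 12.1.1.1 host 12.1.1.2", "host 12.1.1.2 host 12.1.1.1")
# Legacy algorithms that should not appear in a new IKEv2 deployment.
WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"},
        "group": {"1", "2", "5"}}

def ikev2_proposal(cfg):
    """Return the encryption/integrity/group values of the IKEv2 proposal."""
    found = {}
    for key in ("encryption", "integrity", "group"):
        m = re.search(rf"^\s+{key}\s+(\S+)", cfg, re.M)
        if m:
            found[key] = m.group(1)
    return found

def crypto_acl(cfg):
    """Return the (src, dst) host pairs the crypto ACL selects for encryption."""
    return set(re.findall(r"^\s+permit ip host (\S+) host (\S+)", cfg, re.M))

def esp_cipher_bits(cfg):
    """On IOS, 'esp-aes' with no key size means AES-128; 'esp-aes 256' means AES-256."""
    m = re.search(r"transform-set \S+ esp-aes(?: (\d+))?", cfg)
    return None if not m else int(m.group(1) or 128)

def check_peers(local, remote):
    """Findings a reviewer would raise before trusting the tunnel between two peers."""
    findings = []
    lp, rp = ikev2_proposal(local), ikev2_proposal(remote)
    if lp != rp:
        findings.append(f"IKEv2 proposal mismatch: {lp} vs {rp}")
    findings += [f"weak {k}: {v}" for k, v in lp.items() if v in WEAK[k]]
    if crypto_acl(local) != {(d, s) for s, d in crypto_acl(remote)}:
        findings.append("crypto ACLs are not mirror images of each other")
    if "set pfs" not in local:
        findings.append("crypto map has no PFS; a compromised IKE SA key exposes every child SA")
    bits = esp_cipher_bits(local)
    if bits and lp.get("encryption", "").endswith("256") and bits < 256:
        findings.append(f"IKE SA uses AES-256 but ESP data uses AES-{bits}")
    return findings
```

On the lab configs the only finding is that the IKE SA uses AES-256 while the transform set's plain esp-aes protects the data with AES-128. On the routers themselves, show crypto ikev2 sa and show crypto ipsec sa confirm the parameters that were actually negotiated.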

Verification

r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/6 ms
  • The first echo is lost while IKEv2 negotiates the SAs on demand; the remaining four succeed once the IPsec SA is installed.
  • Packet capture on the r1-hub e0/0 interface.

Lab-000-IKEv2-Capture
