Tim's Technology Journey Wiki

User Tools

Site Tools

Trace: 3
cisco:security:3

This is an old revision of the document!

Table of Contents

Cisco - Security - VPN - 3- IKEv2 Encrypted Tunnel Configuration

Device Code

r1 

#r1
en
conf t
no ip domain lookup
no call-home
no service call-home
line con 0
logg syn
width 512
exec-timeout 0 0
history size 256
exit
hostname r1
crypto ikev2 proposal pro-remote 
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 policy pol-remote 
 proposal pro-remote
!
crypto ikev2 keyring kr1
 peer peer-remote
  address 192.168.2.2
  pre-shared-key cisco
!
crypto ikev2 profile remote-profile
 match identity remote address 192.168.2.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local kr1
!
crypto ipsec transform-set ts-remote esp-aes esp-sha512-hmac 
 mode transport    
!
crypto ipsec profile tst
 set transform-set ts-remote 
 set pfs group24
 set ikev2-profile remote-profile
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.0.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 192.168.2.2
 tunnel protection ipsec profile tst
!
interface GigabitEthernet1
 ip address 192.168.2.1 255.255.255.0
 no shut
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 172.0.0.2 remote-as 1
end
wr


r2 

#r2
en
conf t
no ip domain lookup
no call-home
no service call-home
line con 0
logg syn
width 512
exec-timeout 0 0
history size 256
exit
hostname r2
crypto ikev2 proposal pro-remote 
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 policy pol-remote 
 proposal pro-remote
!
crypto ikev2 keyring kr1
 peer peer-remote
  address 192.168.2.1
  pre-shared-key cisco
!
crypto ikev2 profile remote-profile
 match identity remote address 192.168.2.1 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local kr1
 !
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 24
crypto isakmp key cisco address 192.168.2.1 255.255.255.0
!
crypto ipsec transform-set ts-remote esp-aes esp-sha512-hmac 
 mode transport    
!
crypto ipsec profile tst
 set transform-set ts-remote 
 set pfs group24
 set ikev2-profile remote-profile
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.0.0.2 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 192.168.2.1
 tunnel protection ipsec profile tst
!
interface GigabitEthernet1
 ip address 192.168.2.2 255.255.255.0
 no shut
!
router bgp 1
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 172.0.0.1 remote-as 1
end
wr


Verifications

r1 

r1#show ip int br | i Tunnel0
Tunnel0                172.0.0.1       YES manual up                    up

r1#show int tu 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 172.0.0.1/30
  MTU 9918 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 192.168.2.1 (GigabitEthernet1), destination 192.168.2.2


cisco/security/3.1762087032.txt.gz · Last modified: by Name

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki