




Cisco - Security - VPN - 3 - IKEv2 Encrypted Tunnel Configuration

Device Code

r1

#r1
! r1 side of a GRE tunnel protected by IKEv2/IPsec (IOS-style CLI, pasted from exec mode).
! Peer r2 is reached at 192.168.2.2 on Gi1; the tunnel overlay is 172.0.0.0/30 and iBGP (AS 1)
! runs across it to exchange the loopback prefixes.
en
conf t
! Lab housekeeping: no DNS lookups on mistyped commands, no call-home, console never times out.
no ip domain lookup
no call-home
no service call-home
line con 0
logg syn
width 512
exec-timeout 0 0
history size 256
exit
hostname r1
! IKEv2 (phase 1) proposal: AES-256-CBC, SHA-512 integrity, DH group 24.
! No "prf" line is given, so the PRF follows the integrity algorithm (the verification output
! further down reports PRF: SHA512).
! NOTE(review): DH group 24 (2048-bit MODP) is outside Cisco's current recommended set; the ECP
! groups 19/20/21 are the usual replacement -- confirm support on both platforms before changing.
crypto ikev2 proposal pro-remote 
 encryption aes-cbc-256
 integrity sha512
 group 24
!
! IKEv2 policy: simply selects the proposal above.
crypto ikev2 policy pol-remote 
 proposal pro-remote
!
! Keyring: one peer entry, keyed on r2's outside address.
! NOTE(review): "cisco" is a throw-away lab PSK. Outside a lab use a long random secret per peer,
! and note the key sits in the running config in clear text unless type-6 (config-key) encryption is enabled.
crypto ikev2 keyring kr1
 peer peer-remote
  address 192.168.2.2
  pre-shared-key cisco
!
! IKEv2 profile: only an identity of exactly 192.168.2.2 (/32 mask) matches; PSK authentication
! in both directions, keys taken from kr1.
crypto ikev2 profile remote-profile
 match identity remote address 192.168.2.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local kr1
!
! IPsec (phase 2) transform: ESP with AES-128-CBC and SHA-512 HMAC, transport mode (the tunnel
! interface below supplies the outer GRE/IP header, so transport mode is the usual choice here).
! NOTE(review): "esp-aes" is 128-bit while IKEv2 negotiates AES-256; "esp-aes 256" (or an AES-GCM
! transform) would keep phase 2 at the same strength as phase 1.
crypto ipsec transform-set ts-remote esp-aes esp-sha512-hmac 
 mode transport    
!
! IPsec profile: transform set + PFS (group 24 on every rekey) + the IKEv2 profile; bound to Tunnel0.
crypto ipsec profile tst
 set transform-set ts-remote 
 set pfs group24
 set ikev2-profile remote-profile
!
! Loopback0 is the prefix advertised over BGP and the ping source used in the verification.
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Tunnel0: GRE from Gi1 to r2, encrypted by profile tst. Only traffic routed into Tunnel0 is
! protected; the underlay on Gi1 stays in clear.
interface Tunnel0
 ip address 172.0.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 192.168.2.2
 tunnel protection ipsec profile tst
!
! Underlay interface facing r2.
interface GigabitEthernet1
 ip address 192.168.2.1 255.255.255.0
 no shut
!
! iBGP to r2 over the tunnel addresses; advertises the loopback.
! NOTE(review): no "neighbor ... password" is configured, so the session relies solely on the
! IPsec tunnel for protection -- consider adding one anyway for defence in depth.
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 172.0.0.2 remote-as 1
end
! Save the running config to startup.
wr


r2

#r2
! r2 side of the IKEv2/IPsec-protected GRE tunnel; mirror image of r1 (peer 192.168.2.1,
! tunnel address 172.0.0.2, loopback 2.2.2.2).
en
conf t
! Lab housekeeping: no DNS lookups on mistyped commands, no call-home, console never times out.
no ip domain lookup
no call-home
no service call-home
line con 0
logg syn
width 512
exec-timeout 0 0
history size 256
exit
hostname r2
! IKEv2 (phase 1) proposal, identical to r1: AES-256-CBC, SHA-512 integrity, DH group 24.
! NOTE(review): DH group 24 is outside Cisco's current recommended set; ECP groups 19/20/21 are
! the usual replacement -- change on both ends together.
crypto ikev2 proposal pro-remote 
 encryption aes-cbc-256
 integrity sha512
 group 24
!
! IKEv2 policy: selects the proposal above.
crypto ikev2 policy pol-remote 
 proposal pro-remote
!
! Keyring: one peer entry keyed on r1's outside address; the PSK must match r1's.
! NOTE(review): "cisco" is a throw-away lab PSK -- use a long random secret per peer outside a lab.
crypto ikev2 keyring kr1
 peer peer-remote
  address 192.168.2.1
  pre-shared-key cisco
!
! IKEv2 profile: accepts only an identity of exactly 192.168.2.1 (/32), PSK both ways, keys from kr1.
crypto ikev2 profile remote-profile
 match identity remote address 192.168.2.1 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local kr1
 !
! NOTE(review): the "crypto isakmp" lines below are IKEv1 configuration. They are absent on r1 and
! are not referenced by profile tst (which sets an ikev2-profile), so they appear to be leftovers.
! If they stay, this box also answers IKEv1 with a weaker policy (AES-128, platform-default hash),
! and the isakmp key carries a /24 mask, so it seems to apply to any peer in 192.168.2.0/24 rather
! than to r1 alone -- confirm, and remove the block if IKEv1 fallback is not intended.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 24
crypto isakmp key cisco address 192.168.2.1 255.255.255.0
!
! IPsec (phase 2) transform, identical to r1: ESP AES-128-CBC + SHA-512 HMAC, transport mode.
! NOTE(review): "esp-aes" is 128-bit while IKEv2 negotiates AES-256; "esp-aes 256" would match.
crypto ipsec transform-set ts-remote esp-aes esp-sha512-hmac 
 mode transport    
!
! IPsec profile: transform set + PFS group 24 + IKEv2 profile; bound to Tunnel0.
crypto ipsec profile tst
 set transform-set ts-remote 
 set pfs group24
 set ikev2-profile remote-profile
!
! Loopback0 is the prefix advertised over BGP (and the ping target in the verification).
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
! Tunnel0: GRE from Gi1 to r1, encrypted by profile tst.
interface Tunnel0
 ip address 172.0.0.2 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 192.168.2.1
 tunnel protection ipsec profile tst
!
! Underlay interface facing r1.
interface GigabitEthernet1
 ip address 192.168.2.2 255.255.255.0
 no shut
!
! iBGP to r1 over the tunnel; advertises the loopback. As on r1 there is no neighbor password.
router bgp 1
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 172.0.0.1 remote-as 1
end
! Save the running config to startup.
wr


Verifications

r1

r1#show ip int br | i Tunnel0
Tunnel0                172.0.0.1       YES manual up                    up

r1#show int tu 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 172.0.0.1/30
  MTU 9918 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 192.168.2.1 (GigabitEthernet1), destination 192.168.2.2
  
r1#ping 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

r1#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         192.168.2.1/500       192.168.2.2/500       none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/39446 sec

