Simplest IKEv2



Using the "smart defaults" that come with FlexVPN on Cisco routers, we can easily configure an IPsec VPN tunnel with IKEv2 (point-to-point VPN, PSK authentication). We only need to configure the PSK, attach it to the IPsec profile and configure the tunnel interface.

Smart defaults:

R5#sh crypto ikev2 proposal default
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

R5#sh crypto ikev2 policy default
 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default

R5#sh crypto ipsec transform-set default
{ esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

R5#sh crypto ipsec profile default    
IPSEC profile default
IKEv2 Profile: default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default:  { esp-256-aes esp-sha-hmac  } ,
}

First we need to configure the PSK:

R5:
crypto ikev2 keyring SD-KEY
 peer R4
  address 172.23.23.4
  pre-shared-key local Cisco123    //local and remote keys can differ, but each side must know the other's
  pre-shared-key remote cisco123

R4:
crypto ikev2 keyring SD-KEY   //keyring is only for pre-shared auth
 peer R5
  address 172.23.23.5
  pre-shared-key local cisco123
  pre-shared-key remote Cisco123

Next, the default IPsec profile:

R5:
crypto ikev2 profile default
 match identity remote address 172.23.23.4 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SD-KEY

R4:
crypto ikev2 profile default
 match identity remote address 172.23.23.5 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SD-KEY

Last, the tunnel interface:

R5:
interface Tunnel99
 ip address 10.10.99.5 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 172.23.23.4
 tunnel protection ipsec profile default //without tunnel protection the encapsulation is plain GRE (default)

R4:
interface Tunnel99
 ip address 10.10.99.4 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 172.23.23.5
 tunnel protection ipsec profile default

Verification:

R5#sh int tunnel 99
Tunnel99 is up, line protocol is up  //3 conditions to be up: IP address, source and destination
  Hardware is Tunnel
  Internet address is 10.10.99.5/24
  MTU 17854 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 172.23.23.5 (GigabitEthernet0/0), destination 172.23.23.4
   Tunnel Subblocks:
      src-track:
         Tunnel99 source tracking subblock associated with GigabitEthernet0/0
          Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1414 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "default")

R5#ping 10.10.99.4 source tunnel 99 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.10.99.4, timeout is 2 seconds:
Packet sent with a source address of 10.10.99.5
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms

R5#sh crypto ipsec sa interface tunnel 99 detail

interface: Tunnel99
    Crypto map tag: Tunnel99-head-0, local addr 172.23.23.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.23.23.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.23.23.4/255.255.255.255/47/0)
   current_peer 172.23.23.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
       
     local crypto endpt.: 172.23.23.5, remote crypto endpt.: 172.23.23.4
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x2E877EE4(780631780)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8A959EAE(2325061294)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2053, flow_id: Onboard VPN:53, sibling_flags 80000040, crypto map: Tunnel99-head-0
        sa timing: remaining key lifetime (k/sec): (4300777/3326)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2E877EE4(780631780)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2054, flow_id: Onboard VPN:54, sibling_flags 80000040, crypto map: Tunnel99-head-0
        sa timing: remaining key lifetime (k/sec): (4300777/3326)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

R5#sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.23.23.5/500       172.23.23.4/500       none/none            READY
      Encr: AES-CBC, keysize: 128, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/353 sec
      CE id: 5940, Session-id: 1898
      Status Description: Negotiation done
      Local spi: 12AA7E8EA63FE21B       Remote spi: 4D18B80EDFAC6AC0
      Local id: 172.23.23.5
      Remote id: 172.23.23.4
      Local req msg id:  0              Remote req msg id:  2      
      Local next msg id: 0              Remote next msg id: 2      
      Local req queued:  0              Remote req queued:  2      
      Local window:      5              Remote window:      5      
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No
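The smart-default proposal shown above still offers MD5/SHA1-based integrity and PRFs and DH groups 2 and 5, so the useful check after bringing the tunnel up is what was actually negotiated. The following is an added example (not part of the original post and not Cisco code) that parses the text of "show crypto ikev2 proposal default" and "show crypto ikev2 sa detailed" and flags weak algorithms; the two sample outputs are copied from this post, and the weak-algorithm lists are this example's own policy choice, not anything the router enforces.

```python
"""Audit the algorithms an IOS IKEv2 smart-default tunnel offers and negotiates.

Added example, not part of the original post. Parses the text of
'show crypto ikev2 proposal default' and 'show crypto ikev2 sa detailed'
(sample output below is copied from the post) and flags algorithms a
defender would not want on the wire. The weak lists are this example's
own policy, not a router setting.
"""
import re

# Policy (example's own choice): names that should raise a flag.
WEAK_INTEGRITY = {"MD596", "SHA96"}      # HMAC-MD5-96 and HMAC-SHA1-96
WEAK_PRF = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}               # 768/1024/1536-bit MODP
MIN_AES_KEYSIZE = 256                    # policy wants AES-256 for the IKE SA

# Sample output copied from the post.
PROPOSAL_OUTPUT = """\
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""

SA_OUTPUT = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.23.23.5/500       172.23.23.4/500       none/none            READY
      Encr: AES-CBC, keysize: 128, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/353 sec
"""


def parse_proposal(text):
    """Return the offered algorithm lists; DH groups are returned as ints."""
    lists = {}
    for key in ("Encryption", "Integrity", "PRF"):
        m = re.search(rf"^\s*{key}\s*:\s*(.+)$", text, re.M)
        lists[key.lower()] = m.group(1).split() if m else []
    # The DH line carries 'DH_GROUP_xxx_MODP/Group N' tokens; keep only N.
    dh = [int(g) for g in re.findall(r"/Group (\d+)", text)]
    return {"encryption": lists["encryption"], "integrity": lists["integrity"],
            "prf": lists["prf"], "dh": dh}


_SA_LINE = re.compile(
    r"Encr:\s*(?P<encr>[\w-]+),\s*keysize:\s*(?P<keysize>\d+),\s*"
    r"PRF:\s*(?P<prf>\w+),\s*Hash:\s*(?P<hash>\w+),\s*"
    r"DH Grp:\s*(?P<dh>\d+),\s*Auth sign:\s*(?P<sign>\w+),\s*"
    r"Auth verify:\s*(?P<verify>\w+)"
)


def parse_sa(text):
    """Return one dict per negotiated IKEv2 SA found in the output."""
    sas = []
    for m in _SA_LINE.finditer(text):
        sa = m.groupdict()
        sa["keysize"] = int(sa["keysize"])
        sa["dh"] = int(sa["dh"])
        sas.append(sa)
    return sas


def audit_proposal(proposal):
    """Findings for what the proposal *offers* (the peer may pick any of them)."""
    findings = []
    findings += [f"proposal offers weak integrity {a}" for a in proposal["integrity"] if a in WEAK_INTEGRITY]
    findings += [f"proposal offers weak PRF {a}" for a in proposal["prf"] if a in WEAK_PRF]
    findings += [f"proposal offers weak DH group {g}" for g in proposal["dh"] if g in WEAK_DH_GROUPS]
    return findings


def audit_sa(sa):
    """Findings for what was actually negotiated on one IKEv2 SA."""
    findings = []
    if sa["hash"] in WEAK_INTEGRITY:
        findings.append(f"negotiated integrity {sa['hash']}")
    if sa["prf"] in WEAK_PRF:
        findings.append(f"negotiated PRF {sa['prf']}")
    if sa["dh"] in WEAK_DH_GROUPS:
        findings.append(f"negotiated DH group {sa['dh']}")
    if sa["encr"] == "AES-CBC" and sa["keysize"] < MIN_AES_KEYSIZE:
        findings.append(f"negotiated AES-CBC keysize {sa['keysize']} (policy wants {MIN_AES_KEYSIZE})")
    return findings


if __name__ == "__main__":
    for f in audit_proposal(parse_proposal(PROPOSAL_OUTPUT)):
        print("proposal:", f)
    for sa in parse_sa(SA_OUTPUT):
        for f in audit_sa(sa):
            print(f"tunnel {sa['sign']}/{sa['verify']}:", f)
```

On the post's own output the proposal audit reports six offered weak choices and the SA audit reports SHA1 PRF, SHA96 integrity and a 128-bit AES key, while DH group 14 passes. The negotiated SA is what matters on the wire; if the findings are not acceptable, the usual remedy on IOS is an explicit "crypto ikev2 proposal" with only the wanted algorithms, referenced from a "crypto ikev2 policy" so the default proposal is no longer offered.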