IPsec Tunnel using IKEv2 and Crypto Map

DC-01

Step 1: Create an IKEv2 proposal (the IKEv2 equivalent of the ISAKMP policy in IKEv1). Listing two encryption algorithms lets the peers negotiate either one. Note that 3DES, SHA-1 and DH group 5 are legacy choices; on a production tunnel prefer AES-256 or AES-GCM, SHA-256 and DH group 14 or higher.

crypto ikev2 proposal IKE-Proposal

 encryption aes-cbc-128 3des

 integrity sha1

 group 5

Step 2: Create an IKEv2 policy that references the proposal from Step 1. The policy is selected by the local address the IKEv2 negotiation is sourced from (the DC-01 ISP-facing address here).

crypto ikev2 policy IKE-Policy

 match address local 11.10.12.1

 proposal IKE-Proposal

Step 3: Create a keyring (required when the local or remote authentication method is a pre-shared key). The peer block is matched by the remote peer's address; the local key is what this router presents and the remote key is what it expects from the peer, so the two must be mirrored on the other side. Use a long random key rather than a guessable string like Cisco123, since the PSK is the only thing authenticating the peers here.

crypto ikev2 keyring IKE-Keyring

 peer Branch

  address 11.10.23.1

  pre-shared-key local Cisco123

  pre-shared-key remote Cisco123

Step 4: Create an IKEv2 profile.

An IKEv2 profile is a repository of non-negotiable parameters of the IKE SA and of the services available to the authenticated peers that match the profile. Here it matches the peer by its IKE identity (the Branch ISP-facing address), requires pre-shared-key authentication in both directions and points at the keyring from Step 3.

crypto ikev2 profile IKEv2-Profile

 match identity remote address 11.10.23.1 255.255.255.255

 authentication remote pre-share

 authentication local pre-share

 keyring local IKE-Keyring

Step 5: Create the ACL (interesting traffic), the transform set and the crypto map, apply the crypto map to the ISP-facing interface, and add a route for the Branch LAN via the ISP link. The router also needs a route to the peer address 11.10.23.1 itself (normally a default route toward the ISP); that route is not shown here. "mode tunnel" is the default for a transform set and is shown for clarity.

ip access-list extended IKE-ACL

 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto ipsec transform-set transform1 esp-3des esp-sha-hmac

 mode tunnel

crypto map cmap 1 ipsec-isakmp

 set peer 11.10.23.1

 set transform-set transform1

 set ikev2-profile IKEv2-Profile

 match address IKE-ACL

Apply the crypto map to the ISP-facing interface:

interface Ethernet0/0

 crypto map cmap

ip route 192.168.2.0 255.255.255.0 11.10.12.2

Branch

Step 1: Create an IKEv2 proposal (the IKEv2 equivalent of the ISAKMP policy in IKEv1). It must share at least one encryption, integrity and DH group choice with DC-01, so the same (legacy) algorithms are configured here.

crypto ikev2 proposal IKE-Proposal

 encryption aes-cbc-128 3des

 integrity sha1

 group 5

Step 2: Create an IKEv2 policy that references the proposal; it is selected by the Branch ISP-facing address.

crypto ikev2 policy IKE-Policy

 match address local 11.10.23.1

 proposal IKE-Proposal

Step 3: Create a keyring (required when the local or remote authentication method is a pre-shared key) with the DC-01 peer address and the pre-shared keys mirrored from DC-01: the Branch local key must equal the DC-01 remote key and vice versa.

crypto ikev2 keyring IKE-Keyring

 peer DC

  address 11.10.12.1

  pre-shared-key local Cisco123

  pre-shared-key remote Cisco123

Step 4: Create an IKEv2 profile.

An IKEv2 profile is a repository of non-negotiable parameters of the IKE SA and of the services available to the authenticated peers that match the profile. Here it matches the peer by its IKE identity (the DC-01 ISP-facing address), requires pre-shared-key authentication in both directions and points at the keyring from Step 3.

crypto ikev2 profile IKEv2-Profile

 match identity remote address 11.10.12.1 255.255.255.255

 authentication remote pre-share

 authentication local pre-share

 keyring local IKE-Keyring

Step 5: Create the mirrored ACL (source and destination swapped relative to DC-01), the transform set and the crypto map, apply the crypto map to the ISP-facing interface, and add a route for the DC LAN via the ISP link. A route to the peer address 11.10.12.1 (normally a default route toward the ISP) is also required and is not shown here.

ip access-list extended IKE-ACL

 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto ipsec transform-set transform1 esp-3des esp-sha-hmac

 mode tunnel

crypto map cmap 1 ipsec-isakmp

 set peer 11.10.12.1

 set transform-set transform1

 set ikev2-profile IKEv2-Profile

 match address IKE-ACL

Apply the crypto map to the ISP-facing interface:

interface Ethernet0/0

 crypto map cmap

ip route 192.168.1.0 255.255.255.0 11.10.23.2
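The two configurations above are mirror images, and most tunnel failures on this kind of setup come from one side not matching the other (peer address, IKE identity, pre-shared key, un-mirrored ACL, missing route) or from legacy algorithms being accepted without anyone noticing. The following script is an added example for this post, not code from the page or from Cisco. It embeds the DC-01 and Branch configs above (generated from one template, since only addresses and names differ between the two sides), flags legacy algorithms, and checks that each side's view of its peer agrees with what the peer configures for itself. It assumes one proposal, one transform set and one crypto map entry per router, as on the page; the "weak" lists are this example's own choice, following Cisco's Next Generation Encryption guidance.

```python
"""Lint the DC-01/Branch IKEv2 + crypto-map configs above for legacy algorithms and peer
consistency. Added example for this post, not code from the page or Cisco; it assumes one
proposal, transform set and crypto map entry per router, and the WEAK lists follow Cisco NGE."""
import ipaddress
import re

WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"}, "group": {"1", "2", "5"},
        "transform": {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}}

# The page's config, parameterised on the values that differ between DC-01 and Branch.
TEMPLATE = """\
crypto ikev2 proposal IKE-Proposal
 encryption aes-cbc-128 3des
 integrity sha1
 group 5
crypto ikev2 policy IKE-Policy
 match address local {local}
 proposal IKE-Proposal
crypto ikev2 keyring IKE-Keyring
 peer {peer_name}
  address {remote}
  pre-shared-key local Cisco123
  pre-shared-key remote Cisco123
crypto ikev2 profile IKEv2-Profile
 match identity remote address {remote} 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKE-Keyring
ip access-list extended IKE-ACL
 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
crypto ipsec transform-set transform1 esp-3des esp-sha-hmac
 mode tunnel
crypto map cmap 1 ipsec-isakmp
 set peer {remote}
 set transform-set transform1
 set ikev2-profile IKEv2-Profile
 match address IKE-ACL
interface Ethernet0/0
 crypto map cmap
ip route {remote_net} 255.255.255.0 {next_hop}
"""
DC_CONFIG = TEMPLATE.format(local="11.10.12.1", remote="11.10.23.1", peer_name="Branch",
                            local_net="192.168.1.0", remote_net="192.168.2.0", next_hop="11.10.12.2")
BRANCH_CONFIG = TEMPLATE.format(local="11.10.23.1", remote="11.10.12.1", peer_name="DC",
                                local_net="192.168.2.0", remote_net="192.168.1.0", next_hop="11.10.23.2")

def _first(text, pattern):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else ""

def parse(text):  # IOS sub-mode lines are indented, hence the leading spaces in the patterns
    return {
        "local": _first(text, r"^ match address local (\S+)"),
        "peer": _first(text, r"^ set peer (\S+)"),
        "keyring_addr": _first(text, r"^  address (\S+)"),
        "match_remote": _first(text, r"^ match identity remote address (\S+)"),
        "psk_local": _first(text, r"^  pre-shared-key local (\S+)"),
        "psk_remote": _first(text, r"^  pre-shared-key remote (\S+)"),
        "encryption": _first(text, r"^ encryption (.+)$").split(),
        "integrity": _first(text, r"^ integrity (.+)$").split(),
        "group": _first(text, r"^ group (.+)$").split(),
        "transform": _first(text, r"^crypto ipsec transform-set \S+ (.+)$").split(),
        "acl": re.findall(r"^ permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M),
        "routes": re.findall(r"^ip route (\S+) (\S+) (\S+)", text, re.M),
    }

def audit(a_name, a_text, b_name, b_text):
    """Return human-readable findings; an empty list means the pair is clean."""
    a, b = parse(a_text), parse(b_text)
    findings = []
    for name, cfg in ((a_name, a), (b_name, b)):
        for key, weak in WEAK.items():
            findings += [f"{name}: weak {key} {alg}" for alg in cfg[key] if alg in weak]
    # Each side's view of its peer must agree with what the peer says about itself.
    for (xn, x), (yn, y) in (((a_name, a), (b_name, b)), ((b_name, b), (a_name, a))):
        for label, got in (("set peer", x["peer"]), ("keyring address", x["keyring_addr"]),
                           ("match identity remote", x["match_remote"])):
            if got != y["local"]:
                findings.append(f"{xn}: {label} {got} != {yn} local address {y['local']}")
        if x["psk_local"] != y["psk_remote"]:
            findings.append(f"{xn}: local PSK does not match {yn} remote PSK")
        for src, swc, dst, dwc in x["acl"]:
            if (dst, dwc, src, swc) not in y["acl"]:
                findings.append(f"{xn}: ACL entry {src} {swc} -> {dst} {dwc} not mirrored on {yn}")
            mask = ".".join(str(255 - int(o)) for o in dwc.split("."))  # wildcard to netmask
            if (dst, mask) not in {(n, m) for n, m, _ in x["routes"]}:
                findings.append(f"{xn}: no static route for {dst} {mask}")
        if not any(ipaddress.ip_address(x["peer"]) in ipaddress.ip_network(f"{n}/{m}", strict=False)
                   for n, m, _ in x["routes"]):
            findings.append(f"{xn}: no route covers peer {x['peer']} (a default route toward the ISP is assumed)")
    for key in ("encryption", "integrity", "group"):  # IKE_SA_INIT needs one common choice of each
        if not set(a[key]) & set(b[key]):
            findings.append(f"no common IKEv2 {key} between {a_name} and {b_name}")
    return findings
```

Run as-is against the page's two configs, `audit("DC-01", DC_CONFIG, "Branch", BRANCH_CONFIG)` reports the ten legacy-algorithm hits and, for each router, that no configured route reaches the peer address; change the Branch pre-shared key, its ACL or its DH group and the corresponding mismatch is reported by name.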

Verification

Ping from PC1 (192.168.1.0/24) to PC2 (192.168.2.0/24). This is the interesting traffic that triggers the IKEv2 negotiation, so the first ping or two may time out while the SAs are being built.

show crypto ikev2 sa on DC-01: the SA to 11.10.23.1 shows Status: READY.

show crypto ipsec sa: the #pkts encaps and #pkts decaps counters increase with every ping, confirming traffic is being encrypted in both directions rather than leaking in the clear.

show ip access-lists IKE-ACL: the permit entry shows the hit count for traffic matched by the crypto map.
