IKEv2

IKEv2( Internet Key Exchange version 2) is a protocol that establishes and handles SAs( Security Association). Usually these SAs are used with IPSec( in fact, IKEv2 is based on IPSec).

Like IPSec, IKEv2 uses a modular CLI for configuration.

crypto ikev2 dpd (1-3600) [(1-100)]: Set IKEv2 dead peer detection parameters. First parameter indicates how often liveness check is performed. Second parameter shows max retries before shutting down peer

IKEv2 proposal

A proposal, consists of a suite of encryption/ HMAC algorithms for IKEv2 SA creation. Along with IPSec transform set, they define the IKEv2/IPSec algorithm suite and it’s the first thing that is negotiated in IKEv2.

crypto ikev2 proposal IKEPOSAL: Create a new IKEV2 proposal named IKEPOSAL

encryption ALGORITHM: Use ALGORITHM as encryption algorithm for IKEv2 SA creation and negotiation.

integrity ALGORITHM: Use ALGORITHM as HMAC algorithm for IKEv2 SA creation and negotiation.

group GROUP

Use GROUP as Diffie-Hellman group.

Example :

soodar(config)# crypto ikev2 proposal proposal-exemplary
soodar(config-ikev2-proposal)# encryption aes-192
soodar(config-ikev2-proposal)# integrity sha1-96
soodar(config-ikev2-proposal)# group 5

IKEv2 keyring

As the name suggests, this struct, holds identity of peers, theirs address and authentication materials.

crypto ikev2 keyring IKEKEYRING: Create a new IKEV2 keyring named IKEKEYRING

peer PEER: Create a new peer in keyring as PEER

address <A.B.C.D|X:X::X:X>: Set peer’s address on network.

pre-shared-key LINE: Set peer’s PSK value for authentication

identity address <A.B.C.D|X:X::X:X>: Use an address as peer’s identity. This identity is used in negotiation and by other peer to identify the other one.

identity fqdn FQDN: Use a FQDN as peer’s identity. This identity is used in negotiation and by other peer to identify the other one.

identity email MAIL

Use a mail address as peer’s identity. This identity is used in negotiation and by other peer to identify the other one.

Example :

soodar(config)# crypto ikev2 keyring keyring-1
soodar(config-ikev2-keyring)# peer PC-1
soodar(config-ikev2-keyring-peer)# address 192.168.1.100
soodar(config-ikev2-keyring-peer)# identity email home@sweet.home
soodar(config-ikev2-keyring-peer)# pre-shared-key 123@321
soodar(config-ikev2-keyring)# peer PC-2
soodar(config-ikev2-keyring-peer)# address 192.168.1.20
soodar(config-ikev2-keyring-peer)# identity address 1.1.1.1
soodar(config-ikev2-keyring-peer)# pre-shared-key ITSAHARDPASSWD!!

IKEv2 profile

Main struct of IKEv2.

identity local address <A.B.C.D|X:X::X:X>: Define an address as local identity. During IKEv2 session, introduce him by this identity to its peer.

identity local fqdn FQDN: Define a FQDN as local identity. During IKEv2 session, introduce him by this identity to its peer.

identity local email MAIL: Define a mail address as local identity. During IKEv2 session, introduce him by this identity to its peer.

match identity remote address <A.B.C.D|X:X::X:X>: Expected remote identity. Other information about this peer is looked up in keyring.

match identity remote fqdn FQDN: Expected remote identity. Other information about this peer is looked up in keyring.

match identity remote email EMAIL: Expected remote identity. Other information about this peer is looked up in keyring.

keyring local IKEKEYRING: Use keyring IKEKEYRING for peer lookup.

proposal IKEPOSAL

Use IKEPOSAL for IKEv2 SA.

Example :

soodar(config)# crypto ikev2 profile VPN
soodar(config-ikev2-profile)# identity local 192.168.1.1
soodar(config-ikev2-profile)# match identity remote home@sweet.home
soodar(config-ikev2-profile)# keyring local keyring-1
soodar(config-ikev2-profile)# proposal proposal-exemplary