IKEv2

IKEv2 (Internet Key Exchange version 2) is the protocol that negotiates, establishes and maintains SAs (Security Associations). These SAs are normally consumed by IPSec: IKEv2 is the key-management protocol of the IPSec suite (it is IPSec that depends on IKEv2, not the other way round), so an IPSec tunnel is always configured together with its IKEv2 objects.

Like IPSec, IKEv2 is configured through a modular CLI: a proposal, a keyring and a profile are defined separately and then reference each other by name.

crypto ikev2 dpd (1-3600)

Set IKEv2 dead peer detection (DPD) parameters. The (1-3600) value sets how often a liveness check is sent to a peer; a peer that stops answering is declared dead and its SAs are torn down.

IKEv2 proposal

A proposal is the suite of encryption, integrity (HMAC) and Diffie-Hellman algorithms offered for creating the IKEv2 SA. Together with the IPSec transform set it defines the complete IKEv2/IPSec algorithm suite, and it is the first thing negotiated in IKEv2 (in the IKE_SA_INIT exchange, before any authentication takes place).

crypto ikev2 proposal IKEPOSAL

Create a new IKEv2 proposal named IKEPOSAL and enter its configuration mode.

encryption ALGORITHM

Use ALGORITHM as the encryption algorithm offered for IKEv2 SA creation and negotiation.

integrity ALGORITHM

Use ALGORITHM as the integrity (HMAC) algorithm offered for IKEv2 SA creation and negotiation.

group GROUP

Use GROUP as the Diffie-Hellman group for the IKEv2 key exchange.

Example :

soodar(config)# crypto ikev2 proposal sample-proposal
soodar(config-ikev2-proposal)# encryption aes-192
soodar(config-ikev2-proposal)# integrity sha1-96
soodar(config-ikev2-proposal)# group 28

Note

sha1-96 appears above only as an example value. SHA-1 is deprecated for new deployments; where the platform offers a SHA-2 based integrity algorithm, prefer it, and keep the proposal to the single suite the peer is expected to use so that a weaker option cannot be negotiated down to.
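What the proposal above becomes on the wire: the Proposal substructure carried in the SA payload of IKE_SA_INIT (RFC 7296 section 3.3). The following encoder/decoder is an added example and not the device's own code; transform IDs are from the IANA IKEv2 registry, and mapping the CLI's sha1-96 integrity setting to PRF_HMAC_SHA1 is an assumption, since the page does not say how the device chooses its PRF.

```python
# Added example, not the soodar device's own code: encode the CLI proposal
# "encryption aes-192 / integrity sha1-96 / group 28" as the IKEv2 Proposal
# substructure of an SA payload (RFC 7296 3.3) and decode it back.
import struct

# Transform types (RFC 7296 3.3.2)
ENCR, PRF, INTEG, DH = 1, 2, 3, 4

# Transform IDs used here (IANA "IKEv2 Transform Type" registries)
ENCR_AES_CBC = 12
PRF_HMAC_SHA1 = 2            # assumption: PRF follows the integrity hash
AUTH_HMAC_SHA1_96 = 2
DH_BRAINPOOL_P256R1 = 28     # "group 28" in the CLI example

KEY_LENGTH_ATTR = 14         # transform attribute type, TV (fixed-length) form
PROTO_IKE = 1


def proposal_from_cli(encryption: str, integrity: str, group: int):
    """Map the page's CLI keywords to (type, id, key_length_bits|None) tuples."""
    enc_alg, bits = encryption.split("-")          # "aes-192"
    if enc_alg != "aes":
        raise ValueError("only aes-<bits> is handled in this example")
    if integrity != "sha1-96":
        raise ValueError("only sha1-96 is handled in this example")
    return [
        (ENCR, ENCR_AES_CBC, int(bits)),   # AES-CBC needs a Key Length attribute
        (PRF, PRF_HMAC_SHA1, None),
        (INTEG, AUTH_HMAC_SHA1_96, None),
        (DH, group, None),
    ]


def encode_transform(ttype: int, tid: int, keylen, last: bool) -> bytes:
    attrs = b""
    if keylen is not None:
        # TV attribute: AF bit (0x8000) | attribute type, then 2-byte value
        attrs = struct.pack("!HH", 0x8000 | KEY_LENGTH_ATTR, keylen)
    length = 8 + len(attrs)
    # Last Substruc (0 = last, 3 = more), RESERVED, Length, Type, RESERVED, ID
    return struct.pack("!BBHBBH", 0 if last else 3, 0, length, ttype, 0, tid) + attrs


def encode_proposal(transforms, proposal_num: int = 1, last: bool = True) -> bytes:
    body = b"".join(
        encode_transform(t, i, k, last=(n == len(transforms) - 1))
        for n, (t, i, k) in enumerate(transforms)
    )
    length = 8 + len(body)     # SPI Size is 0 for the initial IKE SA
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, length,
                      proposal_num, PROTO_IKE, 0, len(transforms))
    return hdr + body


def decode_proposal(data: bytes) -> dict:
    """Parse one Proposal substructure; raises on malformed input."""
    last, _, length, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[:8])
    if length != len(data) or last not in (0, 2):
        raise ValueError("malformed proposal header")
    off = 8 + spi_size
    out = []
    for _ in range(ntrans):
        tlast, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[off:off + 8])
        keylen = None
        pos = off + 8
        while pos < off + tlen:
            af_type, val = struct.unpack("!HH", data[pos:pos + 4])
            if af_type & 0x8000 == 0:
                raise ValueError("TLV attributes are not handled in this example")
            if af_type & 0x7FFF == KEY_LENGTH_ATTR:
                keylen = val
            pos += 4
        out.append((ttype, tid, keylen))
        off += tlen
        if tlast == 0:
            break
    if len(out) != ntrans:
        raise ValueError("transform count does not match the header")
    return {"proposal": num, "protocol": proto, "transforms": out}
```

A single proposal with one transform per type, as encoded here, is what a strict configuration sends; offering several transforms of the same type in one proposal is what lets a peer pick the weakest one.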

IKEv2 keyring

As the name suggests, a keyring holds the peers: their identities, addresses and authentication material (pre-shared keys).

crypto ikev2 keyring IKEKEYRING

Create a new IKEv2 keyring named IKEKEYRING and enter its configuration mode.

peer PEER

Create a new peer named PEER in the keyring and enter peer configuration mode.

pre-shared-key LINE

Set the peer's pre-shared key (PSK) used for authentication.

identity address <A.B.C.D|X:X::X:X>

Use an IPv4 or IPv6 address as this peer's identity. The identity is exchanged during negotiation, and this router uses the identity the peer presents to find the matching keyring entry.

identity fqdn FQDN

Use an FQDN as this peer's identity. The identity is exchanged during negotiation, and this router uses the identity the peer presents to find the matching keyring entry.

identity email MAIL

Use an e-mail address as this peer's identity. The identity is exchanged during negotiation, and this router uses the identity the peer presents to find the matching keyring entry.

Example :

soodar(config)# crypto ikev2 keyring keyring-1
soodar(config-ikev2-keyring)# peer PC-1
soodar(config-ikev2-keyring-peer)# identity email home@sweet.home
soodar(config-ikev2-keyring-peer)# pre-shared-key 123@321
soodar(config-ikev2-keyring)# peer PC-2
soodar(config-ikev2-keyring-peer)# identity address 1.1.1.1
soodar(config-ikev2-keyring-peer)# pre-shared-key ITSAHARDPASSWD!!

Note

Use a long, randomly generated PSK per peer. A short or dictionary-like value such as the first one above is only shown for illustration: with pre-shared-key authentication the PSK is the whole secret, and a guessable one can be recovered by trying candidates against a captured IKE_AUTH exchange.

IKEv2 profile

The profile is the main IKEv2 object. It ties together the local address and identity, the authentication method, the expected remote identity, the keyring used to look that peer up, the proposal and the SA lifetime, and so decides how a given peer is authenticated.

match address local A.B.C.D

Send IKEv2 packets from this address. If it is not set, the packets may be sourced from any IP address available on the router.

Note

It is good practice to set the local address explicitly. Otherwise a routing change can change the source IP address of the IKEv2 packets, and a peer that expects a fixed address will reject them.

identity local address <A.B.C.D|X:X::X:X>

Use an IPv4 or IPv6 address as the local identity. During the IKEv2 session the router introduces itself to its peer with this identity.

identity local fqdn FQDN

Use an FQDN as the local identity. During the IKEv2 session the router introduces itself to its peer with this identity.

identity local email MAIL

Use an e-mail address as the local identity. During the IKEv2 session the router introduces itself to its peer with this identity.

authentication local rsa-sig

Use an RSA digital signature as the local authentication method (sent in the IKE_AUTH exchange).

Note

The certificate used is the one whose Subject Alternative Name (SAN) matches the local identity.

authentication local pre-share

Use a pre-shared key (the Shared Key Message Integrity Code method of RFC 7296) as the local authentication method in IKE_AUTH. The key comes from the keyring entry of the peer.

authentication remote rsa-sig

Expect an RSA digital signature from the peer as its authentication method in IKE_AUTH.

authentication remote pre-share

Expect a pre-shared key (Shared Key Message Integrity Code) from the peer as its authentication method in IKE_AUTH.

match identity remote address <A.B.C.D|X:X::X:X>

The remote identity this profile expects, as an IPv4 or IPv6 address. The rest of the peer's data (address, PSK) is looked up in the keyring under that identity.

match identity remote fqdn FQDN

The remote identity this profile expects, as an FQDN. The rest of the peer's data (address, PSK) is looked up in the keyring under that identity.

match identity remote email EMAIL

The remote identity this profile expects, as an e-mail address. The rest of the peer's data (address, PSK) is looked up in the keyring under that identity.
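What "pre-share" authentication and the keyring lookup amount to, for both the keyring section above and the authentication and match identity remote commands: the responder takes the identity the peer sends (IDi), finds that peer's PSK in the keyring, recomputes the AUTH value of RFC 7296 section 2.15 and compares. The code below is an added example, not the device's software. It assumes HMAC-SHA1 as the PRF (matching the sha1-96 integrity of the page's proposal); the IKE_SA_INIT message, nonce and SK_pi bytes are constructed stand-ins, and the keyring dictionary mirrors the page's keyring-1 example.

```python
# Added example, not part of the page or the device's software: the
# "Shared Key Message Integrity Code" computation of RFC 7296 section 2.15,
# i.e. what a pre-share profile computes and checks, and why the identity
# in the keyring must be the one the peer actually sends.
import hashlib
import hmac
import ipaddress

ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR = 1, 2, 3      # IKEv2 ID payload types
KEY_PAD = b"Key Pad for IKEv2"                       # fixed pad from the RFC


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: PRF_HMAC_SHA1, to match the page's sha1-96 integrity choice.
    return hmac.new(key, data, hashlib.sha1).digest()


def id_payload_body(id_type: int, value: str) -> bytes:
    """RestOfInitIDPayload: ID Type | RESERVED(3) | Identification Data."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(value).packed
    else:
        data = value.encode()                        # FQDN / RFC822 as text
    return bytes([id_type, 0, 0, 0]) + data


def signed_octets(message: bytes, peer_nonce: bytes, sk_p: bytes,
                  id_type: int, identity: str) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, IDi body)."""
    return message + peer_nonce + prf(sk_p, id_payload_body(id_type, identity))


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets)."""
    return prf(prf(psk, KEY_PAD), octets)


# Constructed keyring, mirroring the page's keyring-1: identity -> PSK.
KEYRING = {
    (ID_RFC822_ADDR, "home@sweet.home"): b"123@321",
    (ID_IPV4_ADDR, "1.1.1.1"): b"ITSAHARDPASSWD!!",
}

# Constructed stand-ins for the real IKE_SA_INIT request, the responder's
# nonce and the SK_pi derived from the Diffie-Hellman exchange.
MESSAGE1 = bytes.fromhex("0011223344556677") * 4
NONCE_R = bytes(range(32))
SK_PI = hashlib.sha1(b"constructed SK_pi").digest()


def initiator_auth(psk: bytes, id_type: int, identity: str) -> bytes:
    """What the initiator (e.g. PC-1) puts in its AUTH payload in IKE_AUTH."""
    return psk_auth(psk, signed_octets(MESSAGE1, NONCE_R, SK_PI, id_type, identity))


def responder_verify(id_type: int, claimed_identity: str, auth: bytes) -> bool:
    """Responder side: keyring lookup by the identity in IDi, then compare."""
    psk = KEYRING.get((id_type, claimed_identity))
    if psk is None:
        return False      # no keyring peer with that identity: cannot authenticate
    expected = psk_auth(psk, signed_octets(MESSAGE1, NONCE_R, SK_PI,
                                            id_type, claimed_identity))
    return hmac.compare_digest(expected, auth)
```

Because the identity is folded into the signed octets, a peer that knows a valid PSK but presents it under a different identity (or a different identity type) still fails, which is why the keyring identity and the identity configured on the peer must agree exactly.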

match certificate

Match the peer identity against fields and values of the certificate's Distinguished Name (DN). Wildcards are allowed in the values.

Note

The peer must authenticate with an RSA digital signature and must send its DN as its identity.

Example:

soodar(config-ikev2-profile)# match certificate C=IR, CN=*.temp.ir

Matches every peer that sends its DN as identity and whose certificate subject has C=IR and a CN that is a sub-domain of temp.ir.
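One way to evaluate a match certificate line against a peer's subject DN, written as an added example rather than the device's own matching code. It assumes attribute types compare case-insensitively, that every attribute named in the match line must be present in the DN and match, and that "*" is a shell-style wildcard inside a single value; DN escaping (RFC 4514) is deliberately not handled.

```python
# Added example, not the device's own code: evaluate
# "match certificate C=IR, CN=*.temp.ir" against a peer's subject DN.
from fnmatch import fnmatchcase


def parse_dn(dn: str) -> dict:
    """'C=IR, CN=*.temp.ir' -> {'C': 'IR', 'CN': '*.temp.ir'}.
    Simplified: splits on commas and does not handle RFC 4514 escaping."""
    out = {}
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"bad RDN: {part!r}")
        attr, value = part.split("=", 1)
        out[attr.strip().upper()] = value.strip()
    return out


def dn_matches(match_line: str, subject_dn: str) -> bool:
    """True if every attribute in match_line is present in subject_dn and its
    value matches the (wildcard) pattern, case-insensitively."""
    wanted = parse_dn(match_line)
    subject = parse_dn(subject_dn)
    for attr, pattern in wanted.items():
        if attr not in subject:
            return False                      # required field missing
        if not fnmatchcase(subject[attr].lower(), pattern.lower()):
            return False
    return True


def select_profile(subject_dn: str, profiles: dict):
    """Pick the first profile (name -> match line) whose line matches the DN;
    None when no profile accepts the peer. Constructed helper for the example."""
    for name, line in profiles.items():
        if dn_matches(line, subject_dn):
            return name
    return None
```

The wildcard pattern *.temp.ir requires the literal suffix ".temp.ir", so temp.ir itself and look-alikes such as vpn.eviltemp.ir do not match; a pattern written as *temp.ir would accept both, which is the usual mistake with DN wildcards.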

keyring local IKEKEYRING

Use keyring IKEKEYRING to look up the peer selected by match identity remote.

proposal IKEPOSAL

Use proposal IKEPOSAL for the IKEv2 SA negotiation.

lifetime <120-86400>

Set the IKEv2 SA lifetime (range 120-86400, i.e. up to one day in seconds). A rekey takes place when the lifetime expires.

Example :

soodar(config)# crypto ikev2 profile VPN
soodar(config-ikev2-profile)# match address local 192.168.1.1
soodar(config-ikev2-profile)# identity local address 192.168.1.1
soodar(config-ikev2-profile)# authentication local pre-share
soodar(config-ikev2-profile)# authentication remote pre-share
soodar(config-ikev2-profile)# match identity remote email home@sweet.home
soodar(config-ikev2-profile)# keyring local keyring-1
soodar(config-ikev2-profile)# proposal sample-proposal

This profile authenticates the peer PC-1 from keyring-1 (identity home@sweet.home) with its pre-shared key, using the algorithms of sample-proposal; the identity and match identity remote commands take the address or email keyword documented above.