Only IKEv2
Unified config
Scalable
Server/Client
CA Server recommended

Prereq 1 – CA Server/Client:

Server:
ip domain-name cisco.com
crypto key generate rsa modulus 1024
ip http server
crypto pki server CA
crypto pki trustpoint CA
issuer-name O=CISCO L=SanJose C=US
grant auto
sh crypto pki certificates
Client:
ip domain-name cisco.com
crypto key generate rsa modulus 1024
crypto pki trustpoint CA
enrollment url http://150.22.22.1:80
rsakeypair CSR8.cisco.com
crypto pki authenticate CA
crypto pki enroll CA
sh crypto pki certificates

Headend Configuration:

aaa new-model
aaa authorization network AUTHZ local 
ip local pool MYPOOL 199.0.0.1 199.0.0.10

ip access-list standard V2INST
  permit host 150.8.8.3

crypto ikev2 proposal V2PROPOSAL
  encryption aes-cbc-256 aes-cbc-192 
  integrity sha512 sha384 
  group 14 15

crypto ikev2 policy V2POLICY
  proposal V2PROPOSAL

crypto ikev2 authorization policy V2AUTHZPOLICY
  dns 150.11.11.1
  no dns 150.11.11.1
  pool MYPOOL
  route set access-list V2INST
  def-domain cisco.com

crypto ikev2 profile V2PROFILE
  authentication local rsa-sig 
  authentication remote rsa-sig 
  match identity remote fqdn domain cisco.com
  identity local fqdn CSR8.cisco.com
  pki trustpoint CA
  authorization group cert list AUTHZ V2AUTHZPOLICY
  virtual-template 1

crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac

crypto ipsec profile V2IPSEC
  set transform-set V2TS
  set ikev2-profile V2PROFILE

int virtual-template 1 type tunnel
  ip unnumbered G1.55
  tunnel source G1.55
  tunnel mode ipsec ipv4 
  tunnel protection ipsec profile V2IPSEC

Client Side:

aaa new-model 
aaa authorization network AUTHZ local

ip access-list standard V2INST
  permit host 150.5.5.3

crypto ikev2 proposal V2PROPOSAL 
  encryption aes-cbc-256 aes-cbc-192
  integrity sha512 sha384
  group 14 15

crypto ikev2 policy V2POLICY 
  proposal V2PROPOSAL

crypto ikev2 authorization policy V2AUTHZPOLICY
  route set access-list V2INST

crypto ikev2 profile V2PROFILE
  match identity remote fqdn domain cisco.com
  identity local fqdn CSR5.cisco.com
  authentication local rsa-sig
  authentication remote rsa-sig
  pki trustpoint CA
  authorization group cert list AUTHZ V2AUTHZPOLICY      

crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac

crypto ipsec profile V2IPSEC
  set transform-set V2TS
  set ikev2-profile V2PROFILE

int tunnel 58
  ip address negotiated 
  tunnel source G1.35
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile V2IPSEC
  tunnel destination 155.1.55.8
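The FlexVPN objects above (authorization policy, IKEv2 profile, transform set, IPsec profile, tunnel interface) reference each other by name, and one mistyped name leaves the tunnel unable to negotiate without any obvious error in the config. The following added Python checker is not part of these notes: it parses an IOS-style config and reports every sub-command whose referenced object is never defined; the sample config embedded in it is constructed with one planted typo.

```python
import re

# Constructed FlexVPN headend fragment in the page's style, not the page's own
# config; the planted defect is a "set ikev2-profile" naming an undefined profile.
SAMPLE = """\
ip local pool MYPOOL 199.0.0.1 199.0.0.10
ip access-list standard V2INST
crypto ikev2 authorization policy V2AUTHZPOLICY
  pool MYPOOL
  route set access-list V2INST
crypto ikev2 profile V2PROFILE
  authorization group cert list AUTHZ V2AUTHZPOLICY
crypto ipsec profile V2IPSEC
  set ikev2-profile V2PROFLE
int virtual-template 1 type tunnel
  tunnel protection ipsec profile V2IPSEC
"""

# Sub-command regex (captures a name) -> top-level command that must define it.
RULES = [
    (r"^pool (\S+)$", "ip local pool {}"),
    (r"^route set access-list (\S+)$", "ip access-list standard {}"),
    (r"^authorization group cert list \S+ (\S+)$", "crypto ikev2 authorization policy {}"),
    (r"^set ikev2-profile (\S+)$", "crypto ikev2 profile {}"),
    (r"^tunnel protection ipsec profile (\S+)$", "crypto ipsec profile {}"),
]

def parse_blocks(text):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, parent = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace():
            blocks[parent].append(line.strip())
        else:
            parent = line.strip()
            blocks.setdefault(parent, [])
    return blocks

def dangling_references(text):
    """(parent, sub-command, expected definition) for each unresolved name."""
    blocks = parse_blocks(text)
    missing = []
    for parent, children in blocks.items():
        for child in children:
            for pattern, template in RULES:
                if (m := re.match(pattern, child)):
                    want = template.format(m.group(1))
                    # Exact match, or a definition line that carries extra arguments.
                    if not any(d == want or d.startswith(want + " ") for d in blocks if d):
                        missing.append((parent, child, want))
    return missing
```

Run `dangling_references` over the headend and client configs separately; a clean config returns an empty list.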

