Only IKEv2
Unified config
Scalable
Server/Client
CA Server recommended
Prereq 1 – CA Server/Client:
Server:
ip domain-name cisco.com
crypto key generate rsa modulus 1024
ip http server
crypto pki server CA
crypto pki trustpoint CA
issuer-name O=CISCO L=SanJose C=US
grant auto
sh crypto pki certificates
Client:
ip domain-name cisco.com
crypto key generate rsa modulus 1024
crypto pki trustpoint CA
enrollment url http://150.22.22.1:80
rsakeypair CSR8.cisco.com
crypto pki authenticate CA
crypto pki enroll CA
sh crypto pki certificates
Headend Configuration:
aaa new-model
aaa authorization network AUTHZ local
ip local pool MYPOOL 199.0.0.1 199.0.0.10
ip access-list standard V2INST
 permit host 150.8.8.3
crypto ikev2 proposal V2PROPOSAL
 encryption aes-cbc-256 aes-cbc-192
 integrity sha512 sha384
 group 14 15
crypto ikev2 policy V2POLICY
 proposal V2PROPOSAL
crypto ikev2 authorization policy V2AUTHZPOLICY
 dns 150.11.11.1
 no dns 150.11.11.1
 pool MYPOOL
 route set access-list V2INST
 def-domain cisco.com
crypto ikev2 profile V2PROFILE
 authentication local rsa-sig
 authentication remote rsa-sig
 match identity remote fqdn domain cisco.com
 identity local fqdn CSR8.cisco.com
 pki trustpoint CA
 authorization group cert list AUTHZ V2AUTHZPOLICY
 virtual-template 1
crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac
crypto ipsec profile V2IPSEC
 set transform-set V2TS
 set ikev2-profile V2PROFILE
int virtual-template 1 type tunnel
 ip unnumbered G1.55
 tunnel source G1.55
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V2IPSEC
Client Side:
aaa new-model
aaa authorization network AUTHZ local
ip access-list standard V2INST
 permit host 150.5.5.3
crypto ikev2 proposal V2PROPOSAL
 encryption aes-cbc-256 aes-cbc-192
 integrity sha512 sha384
 group 14 15
crypto ikev2 policy V2POLICY
 proposal V2PROPOSAL
crypto ikev2 authorization policy V2AUTHZPOLICY
 route set access-list V2INST
crypto ikev2 profile V2PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn CSR5.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 authorization group cert list AUTHZ V2AUTHZPOLICY
crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac
crypto ipsec profile V2IPSEC
 set transform-set V2TS
 set ikev2-profile V2PROFILE
int tunnel 58
 ip address negotiated
 tunnel source G1.35
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V2IPSEC
 tunnel destination 155.1.55.8
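Added example (not from the page and not Cisco code): a small auditor that parses the IKEv2 proposal, profile and transform-set sections of the headend and client configurations above and flags crypto choices below common minimums. It assumes `show running-config` layout (subcommands indented by one space) and uses the floors in NIST SP 800-131A as its thresholds: RSA keys of at least 2048 bits, DH group 14 or higher, no DES/3DES, MD5 or SHA-1, and certificate (rsa-sig) rather than pre-shared-key authentication. Run against the configs on this page it passes everything except the `crypto key generate rsa modulus 1024` prerequisite, which it reports as under 2048 bits. The second, deliberately weak input (`LEGACY`, `OLDTS`, `KR`) is constructed for the demonstration.

```python
"""Audit IOS-style IKEv2/IPsec configuration for weak algorithm choices.
Added example; assumes running-config layout with one-space indentation."""
import re
from dataclasses import dataclass, field

# Floors follow NIST SP 800-131A: RSA >= 2048 bits, DH group 14 (2048-bit MODP)
# as the minimum, DES/3DES, MD5 and SHA-1 retired.
MIN_RSA_BITS = 2048
WEAK_ENCRYPTION = {"des", "3des", "null", "esp-des", "esp-3des", "esp-null"}
WEAK_INTEGRITY = {"md5", "sha1", "esp-md5-hmac", "esp-sha-hmac"}  # esp-sha-hmac is SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}
PROPOSAL_CHECKS = {"encryption": WEAK_ENCRYPTION, "integrity": WEAK_INTEGRITY,
                   "group": WEAK_DH_GROUPS}


@dataclass
class Section:
    """One top-level command plus its indented subcommands."""
    header: str
    children: list = field(default_factory=list)


def parse_ios(text):
    """Split IOS-style config into top-level commands with their subcommands."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comments carry no configuration
        if raw[0] in " \t" and sections:
            sections[-1].children.append(raw.strip())
        else:
            sections.append(Section(raw.strip()))
    return sections


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for sec in parse_ios(text):
        words = sec.header.split()
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", sec.header)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"RSA modulus {m.group(1)} below {MIN_RSA_BITS} bits")
        if sec.header.startswith("crypto ikev2 proposal"):
            for child in sec.children:  # encryption / integrity / group lines
                kw, *algs = child.split()
                bad = set(algs) & PROPOSAL_CHECKS.get(kw, set())
                if bad:
                    findings.append(f"{words[3]}: weak {kw} {sorted(bad)}")
        elif sec.header.startswith("crypto ipsec transform-set"):
            bad = set(words[4:]) & (WEAK_ENCRYPTION | WEAK_INTEGRITY)
            if bad:
                findings.append(f"{words[3]}: weak transform {sorted(bad)}")
        elif sec.header.startswith("crypto ikev2 profile"):
            for child in sec.children:
                if child.startswith("authentication") and not child.endswith("rsa-sig"):
                    findings.append(f"{words[3]}: '{child}' is not certificate-based")
    return findings


# The page's prerequisite key command plus its headend config, in running-config form.
PAGE_HEADEND = """\
crypto key generate rsa modulus 1024
crypto ikev2 proposal V2PROPOSAL
 encryption aes-cbc-256 aes-cbc-192
 integrity sha512 sha384
 group 14 15
crypto ikev2 profile V2PROFILE
 authentication local rsa-sig
 authentication remote rsa-sig
 match identity remote fqdn domain cisco.com
 pki trustpoint CA
crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac
"""

# Constructed weak configuration (names LEGACY, OLDTS and KR are made up).
CONSTRUCTED_LEGACY = """\
crypto ikev2 proposal LEGACY
 encryption 3des
 integrity sha1 md5
 group 2
crypto ikev2 profile LEGACY
 authentication remote pre-share
 keyring local KR
crypto ipsec transform-set OLDTS esp-3des esp-md5-hmac
"""

if __name__ == "__main__":
    for name, cfg in (("page headend", PAGE_HEADEND), ("legacy", CONSTRUCTED_LEGACY)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" ", f)
```

The parser keys on IOS indentation rather than on a list of known keywords, so it also copes with sections the checks ignore (ACLs, pools, interfaces). Extending it to a new control is a matter of adding one `elif` on the section header.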