Replace Cisco 800 router Crypto Map from IKEv1 to IKEv2

johnlloyd_13
Level 9

Hi,

I'll need to swap the IKEv1 crypto map for an IKEv2 one on a Cisco 800 router.

My questions:

1. Just to confirm, can I preconfigure the IKEv2 part first, then replace the IKEv1 'crypto map' under the WAN interface during the maintenance window?

2. Can someone confirm whether the below is correct and I didn't miss anything?

Refer to the link below for the IKEv2 crypto-map-based config.

https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-apx-ikev2-legacy.html

crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha256
group 14
! (an IKEv2 proposal takes no lifetime; the IKEv2 SA lifetime is set under the profile below)

crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL

crypto ikev2 keyring IKEV2-KEYRING
peer FW
address 89.x.x.x
pre-shared-key cisco123   <<< I DON'T NEED TO CONFIGURE 'LOCAL' AND 'REMOTE' PEER?


crypto ikev2 profile IKEV2-PROFILE
match fvrf any   <<< DO I NEED THIS COMMAND? I DON'T USE VRF IN THIS CASE
match identity remote address 89.x.x.x 255.255.255.255
identity local address 161.x.x.x   <<< DO I NEED THIS COMMAND?
authentication local pre-share
authentication remote pre-share
keyring local IKEV2-KEYRING
lifetime 86400


!! RE-USE CRYPTO ACL 101

crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac

crypto map CMAP_IKEV2 10 ipsec-isakmp   <<< APPLY TO WAN INTERFACE DURING CUTOVER
set peer 89.x.x.x
set security-association lifetime seconds 86400
set transform-set IKEV2-TSET
set ikev2-profile IKEV2-PROFILE
match address 101

 

Accepted Solution
@johnlloyd_13 yes, you can preconfigure (create) the IKEv2 proposal, policy, profile and IPsec transform set and apply the crypto map during cutover.

Under the keyring you can either use a symmetrical PSK (same PSK for local and remote) OR optionally use an asymmetrical PSK, i.e. different local and remote PSKs; this must be mirrored on the peer.

"identity local" is the egress IP address by default. The FVRF is the global routing table by default, so it depends which VRF your interface is in.

Obviously you can only have one crypto map assigned to an interface, so you would have to assign the new crypto map to the interface.

FYI, crypto maps have been deprecated on newer IOS-XE versions; Cisco recommends migrating to a VTI. https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html

 

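The points in the accepted answer, worked through as one complete IOS config (an added example, not the poster's config or Cisco's documentation): the IKEv2 objects are staged first, the keyring uses asymmetric PSKs, "match fvrf" and "identity local" are left at their defaults, the IKEv1 map is swapped for the IKEv2 map on the WAN interface in one step, and the same proposal/keyring/profile are then reused for the VTI that the answer recommends instead of a crypto map. The PSK values, the existing map name CMAP_IKEV1, the WAN interface GigabitEthernet0, the tunnel addressing and the remote LAN route are assumptions; the peer addresses are kept as the masked values from the thread.

```cisco
! --- IKEv2 objects: safe to stage before the window, nothing is live until a map or
!     tunnel references the profile ---
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
!
! Asymmetric PSK: the key this router presents and the key it expects from the peer differ.
! The firewall must mirror them (its "local" key is our "remote" key). Values are placeholders.
crypto ikev2 keyring IKEV2-KEYRING
 peer FW
  address 89.x.x.x
  pre-shared-key local  LocalKeyPlaceholder
  pre-shared-key remote RemoteKeyPlaceholder
!
! No "match fvrf": FVRF defaults to the global table, where the WAN interface sits.
! No "identity local address": the egress address is used by default.
! The IKEv2 SA lifetime is configured here, not in the proposal.
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 89.x.x.x 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYRING
 lifetime 86400
 dpd 10 3 periodic
!
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Crypto-map variant: reuses crypto ACL 101 from the IKEv1 config ---
crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.x.x.x
 set security-association lifetime seconds 86400
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address 101
!
! --- Cutover: an interface carries exactly one crypto map, so remove the old one and
!     apply the new one in the same change (CMAP_IKEV1 and GigabitEthernet0 are assumed names) ---
interface GigabitEthernet0
 no crypto map CMAP_IKEV1
 crypto map CMAP_IKEV2
!
! --- VTI variant (Cisco's recommended replacement for crypto maps): same proposal, keyring
!     and profile, but the IPsec profile is bound to a tunnel interface and routing selects the
!     traffic, so ACL 101 is no longer needed. Tunnel /30 and the remote LAN route are assumed. ---
crypto ipsec profile IPSEC-PROFILE
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 161.x.x.x
 tunnel destination 89.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! --- Verification after cutover ---
! show crypto ikev2 sa                  -> IKEv2 SA in READY state
! show crypto isakmp sa                 -> no lingering IKEv1 SA to 89.x.x.x
! show crypto ipsec sa peer 89.x.x.x    -> encaps/decaps counters increasing
! show crypto session                   -> Session status: UP-ACTIVE
```

Stage everything down to the crypto map before the window, then the only change inside the window is the two-line swap on the WAN interface; if the IKEv2 negotiation fails, reverting is the same two lines in reverse. Use the crypto-map variant and the VTI variant one at a time, not both against the same peer.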

2 Replies


 

johnlloyd_13
Level 9

Hi,

Thanks for the confirmation!
