Purpose of IKEv2 Keyring Identity Parameter

391767 (Level 1)

I created an IKEv2 tunnel in my lab with asymmetric pre-shared keys and it's working. I have the local and remote keys configured in the keyring and identity matching in the IKEv2 profile. The question I have is: what is the identity parameter in the IKEv2 keyring used for? If I set it intentionally to a value not used by either router as its identity, the IKEv2 negotiation is still successful.

IOU11(config)#crypto ikev2 keyring KR-IPSEC
IOU11(config-ikev2-keyring)#?
IKEv2 Keyring commands:
exit Exit from crypto ikev2 keyring sub mode
no Negate a command or set its defaults
peer Configure a Peer and associated keys

IOU11(config-ikev2-keyring)#peer IOU10
IOU11(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
address Specify IPv4/IPv6 address of peer
description Specify a description of this peer
exit Exit from crypto ikev2 keyring peer sub mode
hostname Hostname of peer
identity Specify IKE identity to use
no Negate values of a command
pre-shared-key specify the pre-shared key

IOU11(config-ikev2-keyring-peer)#identity ?
address IP address
email Use email address
fqdn Use FQDN
key-id proprietary types of identification (ID KEY ID)

IOU11(config-ikev2-keyring-peer)#

IOU11(config)#do sh run | sec cry
no service password-encryption
crypto ikev2 proposal PROP-IKEV2
encryption aes-cbc-128
integrity sha1
group 20
crypto ikev2 policy POL-IKEV2
proposal PROP-IKEV2
crypto ikev2 keyring KR-IPSEC
peer IOU10
address 10.0.0.10
identity key-id BAD-IDENTITY <------- This appears not to be used during IKEv2 negotiation; what is it used for?
pre-shared-key local IOU11-KEY
pre-shared-key remote IOU10-KEY
!
crypto ikev2 profile PROF-IKEV2
match identity remote key-id IOU10-HOST <------- This is used during IKEv2 negotiation. If removed, the local router uses its IP as its identity instead of the key-id identity in red above.
identity local key-id IOU11-HOST
authentication remote pre-share
authentication local pre-share
keyring local KR-IPSEC
crypto ipsec profile PROF-IPSEC
set ikev2-profile PROF-IKEV2
IOU11(config)#

2 Replies

But you use both peer address and identity. In this case the keyring uses OR, and since the address matches, it will be used and authentication will succeed.

MHM
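A small Python model of the peer-selection rule MHM describes (address OR identity selects the keyring peer block), added here as an illustration; it is not Cisco IOS code and does not reproduce the IOS implementation. The OR semantics, the responder-side ordering (profile identity match, then keyring lookup, then key check) and the simplified pre-shared-key comparison are assumptions; the peer names, addresses, identities and key strings are the lab values from the thread. It shows why `identity key-id BAD-IDENTITY` is harmless while `address 10.0.0.10` is present, and what happens in the model once the address is removed.

```python
"""Toy model of IKEv2 keyring peer selection (added example, not IOS code).

Assumed rule, taken from the reply above: a keyring peer block is selected
when EITHER its 'address' covers the remote peer's IP OR its 'identity'
equals the identity the remote peer presents. The IKEv2 profile's
'match identity remote' is modelled as a separate, earlier check.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Identity = Tuple[str, str]  # (type, value), e.g. ("key-id", "IOU10-HOST")


@dataclass
class KeyringPeer:
    name: str
    local_key: str                       # pre-shared-key local
    remote_key: str                      # pre-shared-key remote
    address: Optional[str] = None        # "10.0.0.10" or a prefix such as "10.0.0.0/24"
    identity: Optional[Identity] = None  # identity key-id / fqdn / email / address

    def matches(self, peer_ip: str, peer_identity: Identity) -> bool:
        """Assumed OR semantics: an address hit OR an identity hit selects this block."""
        addr_ok = (self.address is not None
                   and ip_address(peer_ip) in ip_network(self.address, strict=False))
        id_ok = self.identity is not None and self.identity == peer_identity
        return addr_ok or id_ok


def lookup_peer(keyring: List[KeyringPeer], peer_ip: str,
                peer_identity: Identity) -> Optional[KeyringPeer]:
    """First matching keyring peer block, or None (no keys, so authentication fails)."""
    for peer in keyring:
        if peer.matches(peer_ip, peer_identity):
            return peer
    return None


def ikev2_auth(keyring: List[KeyringPeer], profile_match: Identity,
               peer_ip: str, peer_identity: Identity, peer_used_key: str) -> str:
    """Simplified responder decision. 'peer_used_key' stands in for the key the
    remote side used to build its AUTH payload; a real responder verifies the
    AUTH payload instead of comparing key strings."""
    if peer_identity != profile_match:
        return "fail: no IKEv2 profile matches remote identity"
    peer = lookup_peer(keyring, peer_ip, peer_identity)
    if peer is None:
        return "fail: no keyring entry for peer"
    if peer_used_key != peer.remote_key:
        return "fail: pre-shared key mismatch"
    return "ok: authenticated via keyring peer " + peer.name


# Constructed from the thread's IOU11 configuration (IOU11 acting as responder).
LAB_KEYRING = [KeyringPeer("IOU10", local_key="IOU11-KEY", remote_key="IOU10-KEY",
                           address="10.0.0.10", identity=("key-id", "BAD-IDENTITY"))]
# Same block with the 'address' line removed: identity becomes the only selector.
IDENTITY_ONLY_KEYRING = [KeyringPeer("IOU10", local_key="IOU11-KEY", remote_key="IOU10-KEY",
                                     identity=("key-id", "BAD-IDENTITY"))]
PROFILE_MATCH = ("key-id", "IOU10-HOST")   # match identity remote key-id IOU10-HOST
IOU10_ID = ("key-id", "IOU10-HOST")        # identity local key-id IOU10-HOST on IOU10


def demo() -> dict:
    """Run the lab scenarios through the model and return the outcomes."""
    return {
        "address_present": ikev2_auth(LAB_KEYRING, PROFILE_MATCH,
                                      "10.0.0.10", IOU10_ID, "IOU10-KEY"),
        "address_removed": ikev2_auth(IDENTITY_ONLY_KEYRING, PROFILE_MATCH,
                                      "10.0.0.10", IOU10_ID, "IOU10-KEY"),
        "wrong_identity": ikev2_auth(LAB_KEYRING, PROFILE_MATCH,
                                     "10.0.0.10", ("key-id", "OTHER"), "IOU10-KEY"),
        "wrong_key": ikev2_auth(LAB_KEYRING, PROFILE_MATCH,
                                "10.0.0.10", IOU10_ID, "WRONG-KEY"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:16s} -> {outcome}")
```

In this model the keyring `identity` only matters when no `address` line can select the block, so the practical check is: if a peer block has no address (or a deliberately broad one), its `identity` must equal the identity the remote actually sends, or the lookup returns no keys and authentication fails.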

@391767

The command seems to make it clear that the parameter key-id is one among other options.

identity {address {ipv4-address | ipv6-address} | fqdn domain domain-name | email domain domain-name | key-id key-id}