cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

153
Views
0
Helpful
2
Replies
Highlighted

IKEv2 Tunnel

Hello All,

 

I have an couple of doubts in the below configuration for IKEv2 tunnel.

 

Please find the below output for policy in IKEv2:

 

crypto ikev2 policy ESI_CANADA_POLICY
match address local X.X.X.X
proposal ESI_CANADA_PROPOSAL
proposal BB&T-Proposal

 

Questions:

1. Whether we can add the different proposal in single policy. If yes what is the use?

2. In normal tutorial I learnt that we will add the proposal in the policy, but here I could see they are adding the local address statement. Anyway we will add the local address in the profile. What is the use of adding the local address in policy and as well as profile?

 

Thanks.

Everyone's tags (1)
2 REPLIES 2
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: IKEv2 Tunnel

Hi,
I would say the answer to both your questions is "flexiblity".

 

You can define multiple proposal in the event one of the VPN peer devices does not support the algorithms used by other peers.

 

The "match address local" command could be used on a router if that device had multiple interfaces and you wanted to specify which proposal to use when establishing a tunnel sourced from the differen interfaces.  E.g:-

 

R3#show crypto ikev2 proposal
IKEv2 proposal: PROP-1
Encryption : AES-CBC-256
Integrity : SHA256
PRF : SHA256
DH Group : DH_GROUP_256_ECP/Group 19

IKEv2 proposal: PROP-2
Encryption : AES-CBC-192
Integrity : SHA256
PRF : SHA256
DH Group : DH_GROUP_3072_MODP/Group 15

 

R3#show crypto ikev2 policy

IKEv2 policy : POL_1
Match fvrf : global
Match address local : 2.2.2.10
Proposal : PROP-1

IKEv2 policy : POL_2
Match fvrf : global
Match address local : 2.2.2.20
Proposal : PROP-2

 

R3#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
2 2.2.2.20/500 1.1.1.1/500 none/BLUE READY
Encr: AES-CBC, keysize: 192, PRF: SHA256, Hash: SHA256, DH Grp:15, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/267 sec

Tunnel-id Local Remote fvrf/ivrf Status
1 2.2.2.10/500 1.1.1.1/500 none/RED READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/267 sec

Notice the different Keysize and DH Group established between the 2 peers, proving IKEv2 SA established using different proposals.

 

Normally if you control all of the VPN peer routers then you would define 1 proposal with only the algorithms you wish to use, to keep the configuration consistent and simple.


HTH

Re: IKEv2 Tunnel

Thanks for the response.