01-26-2014 02:47 AM
hi,
I use IKEv1 in my hub-and-spoke (25 spokes) IPsec VPN (using VTI), and I would like some help to switch to IKEv2.
I found some documentation but I'm not sure it is OK for me. I use X.509 certificates.
See a piece of my config in ikev1 :
==================================
crypto pki trustpoint Test
...
crypto isakmp policy 10
auth rsa-sig
encr aes 256
hash md5
group 5
crypto isakmp identity dn
crypto isakmp keepalive 60 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
!
crypto ipsec profile vpn
set security-association replay window-size 1024
set transform-set ESP-AES-256-MD5
set pfs group5
!
!
interface Tunnel0
description site1
ip unnumbered GigabitEthernet0/1
ip mtu 1390
ip tcp adjust-mss 1350
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination xxxxxxxxxx
tunnel protection ipsec profile vpn
!
interface Tunnel1
description site2
ip unnumbered GigabitEthernet0/1
ip mtu 1438
ip tcp adjust-mss 1398
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination yyyyyyyyyyy
tunnel protection ipsec profile vpn
!
...
====================================
Of course, in switching to IKEv2 I will upgrade to the strongest encryption/auth/group.
If you can paste me the IKEv2 config derived from my IKEv1 one, I'm very interested.
Thank you very much.
Regards
Nicolas
02-03-2014 05:23 AM
Nicolas,
Your adapted configuration could look something like
crypto ikev2 keyring KEY
peer Remote
address 0.0.0.0 0.0.0.0
pre-shared-key cisco
!
crypto ikev2 profile PRO
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring KEY
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
crypto ipsec profile vpnv2
set security-association replay window-size 1024
set transform-set ESP-AES-256-MD5
set pfs group5
set ikev2-profile PRO
Obviously this configuration is for pre-shared key; to switch it to RSA you just need to change the settings in the profile.
What you should be cautious about is sharing IKEv1 and IKEv2 on the same source interfaces; if you can use a different tunnel source for IKEv1 and IKEv2, this would be ideal for software versions which might be a bit older.
M.
02-03-2014 11:38 PM
Hi Marcin,
thanks for your answer.
You say: "Obviously this configuration is for pre shared key, to switch it to RSA you just need to change setting in the profile." ... and what about "crypto ikev2 keyring KEY"? Are we forced to use "pre-shared-key" here?
Also, in my original configuration I use "crypto isakmp identity dn"; I can't see it in your configuration?
thanks
nicolas
02-04-2014 12:44 AM
Nicolas,
As mentioned, you need to change the settings in the IKEv2 profile to achieve a similar result.
For example:
crypto ikev2 profile cert_profile
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint TEST
identity local dn !or fqdn?
match identity remote ...
M.
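To tie the two answers together, here is an added example of what a complete certificate-based IKEv2 replacement for the original IKEv1 configuration could look like. It is not configuration posted by Nicolas or Marcin; it reuses the trustpoint name "Test" and the Tunnel0 interface from the original post and the profile name "cert_profile" from the reply, while the proposal/policy names, the certificate map "SPOKE_CERTS", the organizational-unit string "Spokes" and the choice of AES-256/SHA-256/group 14 are assumptions made for illustration (the original post only says stronger algorithms will be chosen). With rsa-sig authentication no IKEv2 keyring is required, and the IKEv1 "crypto isakmp identity dn" becomes "identity local dn" inside the IKEv2 profile.

```cisco
! Added example, not the thread's own config. Assumes trustpoint "Test" already
! holds the router certificate and CA chain (as in the original IKEv1 config).
!
! IKEv1 "crypto isakmp policy" becomes an IKEv2 proposal bound to a policy.
! Algorithm choice is an assumption (upgraded from aes-256 / md5 / group 5).
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! Certificate map: only accept peers whose certificate subject carries the
! assumed OU "Spokes". This is stricter than "match identity remote any",
! which would accept any certificate the trustpoint chain validates.
crypto pki certificate map SPOKE_CERTS 10
 subject-name co ou = Spokes
!
! IKEv2 profile: replaces "crypto isakmp identity dn", "auth rsa-sig" and
! "crypto isakmp keepalive 60 10". No keyring is needed with rsa-sig.
crypto ikev2 profile cert_profile
 match certificate SPOKE_CERTS
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint Test
 dpd 60 10 periodic
!
! IPsec side: same lifetime and replay window as before, stronger transform
! (assumed), and the ipsec profile now points at the IKEv2 profile.
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES-256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile vpnv2
 set security-association replay window-size 1024
 set transform-set ESP-AES-256-SHA256
 set pfs group14
 set ikev2-profile cert_profile
!
! Per-spoke VTI unchanged apart from the new ipsec profile. Keep the existing
! IKEv1 profile "vpn" on the other tunnels until each spoke has migrated.
interface Tunnel0
 description site1
 ip unnumbered GigabitEthernet0/1
 ip mtu 1390
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination xxxxxxxxxx
 tunnel protection ipsec profile vpnv2
```

The per-spoke change is only the "tunnel protection" line, so spokes can be moved one at a time; "show crypto ikev2 sa" and "show crypto ipsec sa" on both ends confirm that the new SA was negotiated with IKEv2 and the expected transform before the old IKEv1 policy is removed. Every spoke certificate's subject must match the certificate map, otherwise the spoke's IKE_AUTH will be rejected with a profile-match failure rather than a certificate error.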