The IKEv2 Policy (not the authorization policy) can be used to set the IKEv2 proposal.
crypto ikev2 policy policy2
 match vrf fvrf
 match local address 10.0.0.1
 proposal proposal-1
However, I have a hard time understanding how an IKEv2 policy is associated with a specific IKEv2 profile, because the policy name is not referenced anywhere in the running-config. What does "match local address" do? Is it the tunnel source? If I have 2 VPN tunnels, both on the same VRF and the same tunnel source (the WAN interface), and I only want 1 of them to use a non-default policy, how should I configure it?
You don't associate the IKEv2 Policy with the IKEv2 Profile. The IKEv2 Proposal(s) is associated with the IKEv2 Policy, that's it. You can reference multiple Proposals within the IKEv2 Policy. E.g:-
crypto ikev2 proposal PROP-1
!
crypto ikev2 proposal PROP-2
!
crypto ikev2 policy IKEV2_POLICY
 proposal PROP-1
 proposal PROP-2
In your scenario, if you configure the Hub with 2 proposals, associate those proposals within an IKEv2 Policy. Then on the remote routers assign the different proposals; as long as they match one of the proposals defined on the hub, they will establish the IKEv2 SA.
When Cisco internally architected FlexVPN, the plan was to make possible a connection between the IPsec tunnel and the IKEv2 tunnel as follows:
- you have the IKEv2 proposal, which is attached to the IKEv2 policy, and in the policy you were supposed to be able to configure "match remote address"; by this you would be restricting a proposal/policy set to a specific remote peer
- you have the IKEv2 profile where you can say "match identity remote", so you restrict the profile to a specific remote peer, and the IKEv2 profile is referenced in the IPsec profile
If the "match remote address" from the IKEv2 policy and "match identity remote" from the IKEv2 profile were pointing to the same remote peer, you would be binding a specific IPsec config to a specific IKEv2 config.
However, the option is not there yet in the IKEv2 policy; per Cisco statements, this is due to the fact that initially it was not developed and afterwards no customer faced an issue. My guess is that it's going to show up at some point.
Thanks for the detailed response. The way that I see it, if the VPN peer has multiple peers using the same VRF, it will have trouble enforcing a certain cipher. I wonder what "match address local" is used for?
Correct, if you have only one interface on your side; otherwise you may use the command you are asking about in order to restrict a specific IKEv2 policy to a specific local interface (so you have two IKEv2 policies and two interfaces, and you bind each policy to an interface by that command).
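To put the two answers above together in one place, here is an added IOS configuration example (not taken from the thread or from Cisco documentation): a hub with two WAN interfaces, each bound to its own IKEv2 policy by "match address local", where only the policy on the first interface carries a second, weaker proposal. The proposal, policy, profile, keyring, interface names and the 203.0.113.x / 198.51.100.x addresses are assumptions chosen for illustration.

```cisco
! ---- Added example, not the poster's config. All names/addresses are assumed. ----
! Two proposals: a strong one and a weaker legacy one.
crypto ikev2 proposal PROP-STRONG
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 proposal PROP-LEGACY
 encryption aes-cbc-128
 integrity sha1
 group 14
!
! Policy bound to WAN interface #1 (203.0.113.1): offers both proposals,
! so ANY peer reaching this address can negotiate PROP-LEGACY.
! There is no "match address remote", so per-peer cipher enforcement
! is not possible on a shared local address (as the thread explains).
crypto ikev2 policy POL-WAN1
 match fvrf any
 match address local 203.0.113.1
 proposal PROP-STRONG
 proposal PROP-LEGACY
!
! Policy bound to WAN interface #2 (203.0.113.2): strong proposal only.
crypto ikev2 policy POL-WAN2
 match fvrf any
 match address local 203.0.113.2
 proposal PROP-STRONG
!
! Pre-shared keys for the two spokes (placeholder key values).
crypto ikev2 keyring KR-SPOKES
 peer SPOKE-A
  address 198.51.100.10
  pre-shared-key REPLACE-ME-A
 peer SPOKE-B
  address 198.51.100.20
  pre-shared-key REPLACE-ME-B
!
! The IKEv2 profile selects on the REMOTE identity; note it never
! names a policy. Policy selection happens separately, on local address/fvrf.
crypto ikev2 profile PROF-SPOKES
 match identity remote address 198.51.100.10 255.255.255.255
 match identity remote address 198.51.100.20 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SPOKES
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-SPOKES
 set transform-set TS-AES256
 set ikev2-profile PROF-SPOKES
!
! Tunnel sourced from WAN #1 -> IKEv2 uses POL-WAN1 (strong + legacy offered).
interface Tunnel1
 ip address 10.10.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile IPSEC-SPOKES
!
! Tunnel sourced from WAN #2 -> IKEv2 uses POL-WAN2 (strong only).
interface Tunnel2
 ip address 10.10.2.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.20
 tunnel protection ipsec profile IPSEC-SPOKES
```

Two practical checks follow from this layout. First, "show crypto ikev2 policy" lists the built-in "default" policy alongside the explicit ones; it matches any local address, so if you want only your explicit policies offered, remove it with "no crypto ikev2 policy default" (and "no crypto ikev2 proposal default") and confirm the result. Second, after the tunnels come up, "show crypto ikev2 sa detailed" shows the encryption/integrity/PRF/DH group actually negotiated per SA; that is the only way to verify which proposal a given peer ended up with, since, as the thread notes, nothing in the profile or policy pins a proposal to a particular remote peer when both peers share the same local address.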
Meaning that in tunnel mode the router only checks whether the outer IP header matches its IP interface and then unpacks it further, correct? Meaning that if you used tunnel mode, the router wouldn't even have to perform any NAT, since it uses the public IP configured as the peer destination address for the outer header.
What I said works the same way regardless of whether we speak of tunnel mode or transport mode, as this is an IPsec feature for the data plane; the restrictions I was speaking about have to do with the control plane, with the actual build of the secure communication channels. NAT for IPsec, likewise, is not related to this, as it would affect the data plane as well.