02-28-2020 04:50 PM
The IKEv2 Policy (not the authorization policy) can be used to set the IKEv2 proposal.
crypto ikev2 policy policy2
 match fvrf fvrf
 match address local 10.0.0.1
 proposal proposal-1
However, I have a hard time understanding how ikev2 policy is associated with a specific ikev2 profile because the policy name is not referenced anywhere in the running-config. What does the "match local address" do? Is it the tunnel source? If I have 2 VPN tunnels, both on the same VRF and same tunnel source (the WAN interface) and I only want 1 to use non-default policy. How should I config it?
02-29-2020 03:14 AM
Hi,
You don't associate the IKEv2 Policy with the IKEv2 Profile. The IKEv2 Proposal(s) is associated with the IKEv2 Policy, that's it. You can reference multiple Proposals within the IKEv2 Policy. E.g:-
crypto ikev2 proposal PROP-1
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 proposal PROP-2
 encryption aes-gcm-128
 prf sha256
 group 19
crypto ikev2 policy IKEV2_POLICY
 proposal PROP-1
 proposal PROP-2
In your scenario, if you configure the Hub with 2 proposals, associate those proposals within an IKEv2 Policy. Then on the remote routers assign the different proposals; as long as they match one of the proposals defined on the hub, they will establish the IKEv2 SA.
HTH
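A worked configuration for the hub-and-spoke scenario described in the answer above. This is an added example, not config from the original thread; the policy and proposal names, and the idea of two spokes each carrying only one of the hub's proposals, are assumptions for illustration. The hub advertises both proposals in a single policy, so the IKEv2 SA with each spoke negotiates down to whichever proposal that spoke offers.

```cisco
! ---- Hub (constructed example) ----
crypto ikev2 proposal PROP-1
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 proposal PROP-2
 encryption aes-gcm-128
 prf sha256
 group 19
!
! One policy carrying both proposals; no "match address local" here,
! so it applies to any local address in any FVRF.
crypto ikev2 policy HUB_POLICY
 match fvrf any
 proposal PROP-1
 proposal PROP-2

! ---- Spoke A (constructed example): only offers PROP-1 ----
crypto ikev2 proposal PROP-1
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy SPOKE_A_POLICY
 proposal PROP-1

! ---- Spoke B (constructed example): only offers PROP-2 ----
crypto ikev2 proposal PROP-2
 encryption aes-gcm-128
 prf sha256
 group 19
!
crypto ikev2 policy SPOKE_B_POLICY
 proposal PROP-2
```

After the tunnels come up, "show crypto ikev2 sa detailed" on the hub shows the encryption, integrity/PRF and DH group actually selected per peer, which is the quickest way to confirm that Spoke A landed on AES-CBC-256/SHA-256 and Spoke B on AES-GCM-128. Note that this only steers the IKEv2 SA; the IPsec transform-set is chosen separately through the IPsec profile.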
09-29-2022 11:26 AM
Hi,
How do I configure a transform-set for a different proposal? Can it be the same for all?
02-29-2020 05:47 AM
Hi,
When Cisco internally architected FlexVPN, the plan was to make possible a connection between the IPsec tunnel and the IKEv2 tunnel as follows:
- you have the IKEv2 proposal, which is attached to the IKEv2 policy, and in the policy you were supposed to be able to configure "match remote address"; by this you would be restricting a proposal/policy set to a specific remote peer
- you have the IKEv2 profile where you can say "match identity remote" so you restrict the profile to a specific remote peer, and the IKEv2 profile is referenced in the IPsec profile
If the "match remote address" from IKEv2 policy and "match identity remote" from IKEv2 profile would be pointing to the same remote peer, you would be binding a specific IPsec config with a specific IKEv2 config.
However, the option is not there yet in the IKEv2 policy, per Cisco statements due to the fact that initially it was not developed and afterwards no customer faced an issue. My guess is that it's gonna show up at some point.
Regards,
Cristian Matei.
03-03-2020 09:27 AM
Thanks for the detailed response. The way that I see it, if the VPN peer has multiple peers using the same VRF, it will have trouble enforcing a certain cipher. I wonder what the "match address local" is used for?
03-03-2020 10:14 AM
Hi,
Correct, if you have only one interface on your side; otherwise you may use the command you are asking for, in order to restrict a specific IKEv2 policy to a specific local interface (so you have two IKEv2 policies and two interfaces, and you bind each policy to an interface by that command).
Regards,
Cristian Matei.
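An added example of the per-local-address binding described in the reply above; it is not config from the thread. It assumes the proposals PROP-1 and PROP-2 are already defined as in the earlier answer, and the two WAN addresses and the FVRF name are constructed placeholders. On IOS-XE the command is "match address local"; each policy is selected by the local address the IKEv2 exchange is sourced from, so the peer behind WAN1 can only ever negotiate PROP-1 and the peer behind WAN2 only PROP-2.

```cisco
! Two IKEv2 policies, each pinned to one local (tunnel source) address.
! Addresses are constructed documentation-range placeholders.
crypto ikev2 policy POLICY_WAN1
 match fvrf fvrf
 match address local 203.0.113.1
 proposal PROP-1
!
crypto ikev2 policy POLICY_WAN2
 match fvrf fvrf
 match address local 198.51.100.1
 proposal PROP-2
!
! Tunnel sourced from WAN1 -> IKEv2 uses POLICY_WAN1 (PROP-1 only)
interface Tunnel1
 tunnel source 203.0.113.1
 tunnel vrf fvrf
!
! Tunnel sourced from WAN2 -> IKEv2 uses POLICY_WAN2 (PROP-2 only)
interface Tunnel2
 tunnel source 198.51.100.1
 tunnel vrf fvrf
```

Two points worth checking when using this: a local address that matches no explicit policy falls back to the built-in default IKEv2 policy, which accepts the default proposal, so verify with "show crypto ikev2 policy" that nothing unintended is left reachable; and because the selector is the local address rather than the remote peer, two peers arriving on the same tunnel source still share one policy, which is exactly the limitation discussed earlier in the thread.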
03-05-2020 12:30 AM - edited 03-05-2020 08:57 PM
Meaning that in tunnel mode the router only checks if the outer IP header matches its interface IP and then unpacks it further, correct? Meaning if you used tunnel mode the router wouldn't even have to perform any NAT, since it uses the public IP configured as the peer destination address for the outer header.
03-05-2020 12:45 AM
Hi,
What I said works the same way regardless of whether we speak of tunnel mode or transport mode, as this is an IPsec feature for the data plane; the restrictions I was speaking about have to do with the control plane, with the actual build of the secure communication channels. NAT for IPsec, likewise, is not related to this, as it would affect the data plane as well.
Regards,
Cristian Matei.