
How to select crypto ikev2 policy


The IKEv2 Policy (not the authorization policy) can be used to set the IKEv2 proposal. 


crypto ikev2 policy policy2
 match vrf fvrf
 match local address
 proposal proposal-1

However, I have a hard time understanding how the IKEv2 policy is associated with a specific IKEv2 profile, because the policy name is not referenced anywhere in the running-config. What does the "match local address" do? Is it the tunnel source? If I have 2 VPN tunnels, both on the same VRF and same tunnel source (the WAN interface), and I only want 1 to use a non-default policy, how should I configure it?

Rob Ingram


You don't associate the IKEv2 Policy with the IKEv2 Profile. The IKEv2 Proposal(s) is associated with the IKEv2 Policy, that's it. You can reference multiple Proposals within the IKEv2 Policy. E.g.:


crypto ikev2 proposal PROP-1
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 proposal PROP-2
 encryption aes-gcm-128
 prf sha256
 group 19

crypto ikev2 policy IKEV2_POLICY
 proposal PROP-1
 proposal PROP-2

In your scenario, if you configure the Hub with 2 proposals, associate those proposals within an IKEv2 Policy. Then on the remote routers assign the different proposals; as long as they match one of the proposals defined on the hub, they will establish the IKEv2 SA.



Hi,

How to configure transform-set for different proposal? Can it be same for all?

Cristian Matei



When Cisco internally architected FlexVPN, the plan was to make possible a connection between the IPsec tunnel and the IKEv2 tunnel as follows:

- you have the IKEv2 proposal, which is attached to the IKEv2 policy, and in the policy you were supposed to be able to configure "match remote address"; by this you would be restricting a proposal/policy set to a specific remote peer

- you have the IKEv2 profile where you can say "match identity remote" so you restrict the profile to a specific remote peer, and the IKEv2 profile is referenced in the IPsec profile


If the "match remote address" from IKEv2 policy and "match identity remote" from IKEv2 profile would be pointing to the same remote peer, you would be binding a specific IPsec config with a specific IKEv2 config.


However, the option is not there yet in the IKEv2 policy, per Cisco statements due to the fact that initially it was not developed and afterwards no customer faced an issue. My guess is that it's gonna show up at some point.



Cristian Matei.

Thanks for the detailed response. The way that I see it, if the VPN peer has multiple peers using the same VRF, it will have trouble enforcing a certain cipher. I wonder what is the "match address local" used for?



Correct, if you have only one interface on your side; otherwise you may use the command you are asking for, in order to restrict a specific IKEv2 policy to a specific local interface (so you have two IKEv2 policies and two interfaces and you bind each policy to an interface by that command).



Cristian Matei.
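
The behaviour discussed in the replies above, as an added example that is not part of the original thread and not Cisco's code: a simplified Python model of a responder that first picks an IKEv2 policy by local address and then matches the peer's offer against that policy's proposals. The policy names POL-A/POL-B, the addresses, the weak offer, and the rule that PROP-1's PRF follows its integrity hash are assumptions of this sketch.

```python
# Constructed model of the thread's hub config; a sketch, not IOS behaviour in full.
TYPES = ("encryption", "integrity", "prf", "group")
PROP_1 = {"name": "PROP-1", "encryption": {"aes-cbc-256"}, "integrity": {"sha256"},
          "prf": {"sha256"}, "group": {"19"}}  # assumption: PRF follows integrity when unset
PROP_2 = {"name": "PROP-2", "encryption": {"aes-gcm-128"}, "integrity": set(),
          "prf": {"sha256"}, "group": {"19"}}  # AEAD cipher, no separate integrity transform
WEAK = {"name": "constructed-weak", "encryption": {"aes-cbc-128"}, "integrity": {"sha1"},
        "prf": {"sha1"}, "group": {"14"}}      # constructed peer offer, not from the thread

def match(offer, mine):
    """True when both proposals share a transform for every type either one uses."""
    for t in TYPES:
        if not offer[t] and not mine[t]:
            continue                           # type unused on both sides
        if not offer[t] & mine[t]:
            return False
    return True

def select_policy(policies, local_ip):
    """A policy pinned to local_ip wins; otherwise the first unpinned policy."""
    pinned = [p for p in policies if p["local"] == local_ip]
    generic = [p for p in policies if p["local"] is None]
    return (pinned + generic + [None])[0]

def negotiate(policies, local_ip, offered):
    """Return (policy, proposal) the responder accepts, or None (NO_PROPOSAL_CHOSEN)."""
    policy = select_policy(policies, local_ip)
    if policy is None:
        return None
    for offer in offered:
        for mine in policy["proposals"]:
            if match(offer, mine):
                return policy["name"], mine["name"]
    return None

# One policy for every peer, as in the reply above: any listed proposal is accepted.
ONE_POLICY = [{"name": "IKEV2_POLICY", "local": None, "proposals": [PROP_1, PROP_2]}]
# Hypothetical two-interface hub: one policy per local address (documentation IPs).
TWO_POLICIES = [{"name": "POL-A", "local": "192.0.2.1", "proposals": [PROP_2]},
                {"name": "POL-B", "local": "198.51.100.1", "proposals": [PROP_1]}]

if __name__ == "__main__":
    for pols, ip, offer in [(ONE_POLICY, "192.0.2.1", PROP_1), (ONE_POLICY, "192.0.2.1", WEAK),
                            (TWO_POLICIES, "192.0.2.1", PROP_1),
                            (TWO_POLICIES, "198.51.100.1", PROP_1)]:
        print(offer["name"], "->", ip, negotiate(pols, ip, [offer]))
```

With the single policy the hub accepts either PROP-1 or PROP-2 from any peer, so it cannot hold one particular peer to one cipher suite; pinning by local address only separates peers that arrive on different addresses.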


Meaning that in tunnel mode the router only checks if the outer IP-header matches its IP official website interface and then unpacks it further correct? Meaning if you used tunnel mode the router wouldn't even have to perform any NAT since it uses the public IP configured as the peer destination address for the outer header. 



What I said works the same way, regardless of whether we speak of tunnel mode or transport mode, as this is an IPsec feature for the data plane; the restrictions I was speaking about have to do with the control-plane, with the actual build of the secure communication channels. NAT for IPsec, likewise, is not related to this, as it would affect the data-plane as well.



Cristian Matei.
