07-18-2019 06:15 AM - edited 02-21-2020 09:42 PM
Hello All,
I have a couple of doubts about the IKEv2 tunnel configuration below.
Please find below the output of the IKEv2 policy:
crypto ikev2 policy ESI_CANADA_POLICY
match address local X.X.X.X
proposal ESI_CANADA_PROPOSAL
proposal BB&T-Proposal
Questions:
1. Can we add different proposals in a single policy? If yes, what is the use?
2. In the usual tutorials I learnt that we add the proposal to the policy, but here I can see they are also adding the local address statement. Anyway, we add the local address in the profile. What is the use of adding the local address in the policy as well as in the profile?
Thanks.
07-18-2019 06:52 AM
Hi,
I would say the answer to both your questions is "flexibility".
You can define multiple proposals in the event one of the VPN peer devices does not support the algorithms used by the other peers.
The "match address local" command could be used on a router if that device had multiple interfaces and you wanted to specify which proposal to use when establishing a tunnel sourced from the different interfaces. E.g.:
R3#show crypto ikev2 proposal
IKEv2 proposal: PROP-1
Encryption : AES-CBC-256
Integrity : SHA256
PRF : SHA256
DH Group : DH_GROUP_256_ECP/Group 19
IKEv2 proposal: PROP-2
Encryption : AES-CBC-192
Integrity : SHA256
PRF : SHA256
DH Group : DH_GROUP_3072_MODP/Group 15
R3#show crypto ikev2 policy
IKEv2 policy : POL_1
Match fvrf : global
Match address local : 2.2.2.10
Proposal : PROP-1
IKEv2 policy : POL_2
Match fvrf : global
Match address local : 2.2.2.20
Proposal : PROP-2
R3#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 2.2.2.20/500 1.1.1.1/500 none/BLUE READY
Encr: AES-CBC, keysize: 192, PRF: SHA256, Hash: SHA256, DH Grp:15, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/267 sec
Tunnel-id Local Remote fvrf/ivrf Status
1 2.2.2.10/500 1.1.1.1/500 none/RED READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/267 sec
Notice the different key size and DH group established between the 2 peers, proving the IKEv2 SAs were established using different proposals.
Normally if you control all of the VPN peer routers then you would define 1 proposal with only the algorithms you wish to use, to keep the configuration consistent and simple.
HTH
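A small Python model of the two points in this answer (an added example, not Cisco code; the addresses, proposal names and peer capability sets are constructed, and the negotiation is simplified to the initiator walking its own proposal list): policy selection by local address first, then proposal negotiation, showing how a second proposal in the same policy lets a peer with a different algorithm set still connect.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    name: str
    encryption: tuple  # configured preference order, e.g. ("AES-CBC-256",)
    integrity: tuple
    prf: tuple
    dh_group: tuple

@dataclass(frozen=True)
class Policy:
    name: str
    proposals: tuple         # evaluated in order; the first usable proposal wins
    match_local: str = None  # None models a policy without 'match address local'

# Constructed proposals mirroring the two in the 'show crypto ikev2 proposal' output above.
PROP_1 = Proposal("PROP-1", ("AES-CBC-256",), ("SHA256",), ("SHA256",), (19,))
PROP_2 = Proposal("PROP-2", ("AES-CBC-192",), ("SHA256",), ("SHA256",), (15,))
POLICIES = (
    Policy("POL_1", (PROP_1, PROP_2), match_local="2.2.2.10"),  # two proposals, like the question
    Policy("POL_2", (PROP_2,), match_local="2.2.2.20"),
)
# Constructed peer capability sets: one only does the stronger set, one only the weaker.
PEER_A = {"encr": ["AES-CBC-256"], "integ": ["SHA256"], "prf": ["SHA256"], "dh": [19, 14]}
PEER_B = {"encr": ["AES-CBC-192"], "integ": ["SHA256"], "prf": ["SHA256"], "dh": [15]}
FIELDS = (("encr", "encryption"), ("integ", "integrity"), ("prf", "prf"), ("dh", "dh_group"))

def select_policy(policies, local_addr):
    # A policy whose 'match address local' equals the tunnel source wins over one with no match.
    exact = [p for p in policies if p.match_local == local_addr]
    wild = [p for p in policies if p.match_local is None]
    return (exact or wild or [None])[0]

def _first_common(ours, theirs):
    # Our configured order decides which mutually supported algorithm is chosen.
    return next((alg for alg in ours if alg in theirs), None)

def negotiate(policy, peer_offer):
    # Try the policy's proposals in order; return (name, chosen algorithms) or None.
    for prop in policy.proposals:
        chosen = {k: _first_common(getattr(prop, attr), peer_offer[k]) for k, attr in FIELDS}
        if all(chosen.values()):
            return prop.name, chosen
    return None

def establish(local_addr, peer_offer, policies=POLICIES):
    # Policy selection by local address, then proposal negotiation with the peer.
    pol = select_policy(policies, local_addr)
    return None if pol is None else negotiate(pol, peer_offer)
```

With the constructed data, a tunnel sourced from 2.2.2.10 reaches PEER_A via PROP-1 and PEER_B via PROP-2 (the second proposal is what makes the latter possible), while one sourced from 2.2.2.20 fails against PEER_A because POL_2 only offers PROP-2.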