Beginner

IOS: Forced use of IKEv2.

The configuration is between two Cisco 3925E routers running IOS 15.6(3)M5.

When I try to bring up a VTI IPsec tunnel using IKEv2, the first phase is brought up using ISAKMP (IKEv1).

#show crypto isakmp sa detail | i 192.168.254.119
1009  192.168.254.118 192.168.254.119        ACTIVE aes  sha256 psk  5  01:48:52 D

There is no way to refuse ISAKMP. VRF is not used (and as far as I understand it would not solve the problem).

Can I prioritize IKEv2 higher than IKEv1? Or tie a certain "ikev2 policy" to a specific tunnel?

Config (truncated):

R1:

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 7200

crypto ikev2 proposal GCM256
 encryption aes-gcm-256
 prf sha256
 group 19

crypto ikev2 policy GCM256
 match address local 192.168.254.118
 proposal GCM256

crypto ikev2 keyring INNER
 peer INNER-SITE
  description === INNER-SITE ===
  address 192.168.254.119
  pre-shared-key 123123

crypto ikev2 profile INNER
 description === INNER ===
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local INNER
 lifetime 7200

crypto ipsec transform-set GCM256 esp-gcm 256
 mode tunnel

crypto ipsec profile GCM256
 set transform-set GCM256
 set pfs group19

interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 192.168.254.118
 tunnel mode ipsec ipv4
 tunnel destination 192.168.254.119
 tunnel protection ipsec profile GCM256

R2:

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 7200

crypto ikev2 proposal GCM256
 encryption aes-gcm-256
 prf sha256
 group 19

crypto ikev2 policy GCM256
 match address local 192.168.254.119
 proposal GCM256

crypto ikev2 keyring INNER
 peer INNER-SITE
  description === INNER-SITE ===
  address 192.168.254.118
  pre-shared-key 123123

crypto ikev2 profile INNER
 description === INNER ===
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local INNER
 lifetime 7200

crypto ipsec transform-set GCM256 esp-gcm 256
 mode tunnel

crypto ipsec profile GCM256
 set transform-set GCM256
 set pfs group19

interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.168.254.119
 tunnel mode ipsec ipv4
 tunnel destination 192.168.254.118
 tunnel protection ipsec profile GCM256
1 Accepted Solution

VIP Mentor:

Hi,

You should reference the IKEv2 profile in the IPsec profile, e.g.:

crypto ipsec profile GCM256
 set ikev2-profile INNER

HTH
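The accepted answer points at a configuration gap that is easy to miss in a large running-config: an IPsec profile with no "set ikev2-profile" line silently negotiates with ISAKMP (IKEv1) as long as a "crypto isakmp policy" exists, which is exactly what the OP's "show crypto isakmp sa" output showed. The script below is an added audit example, not Cisco tooling or anything from this thread; it parses an IOS-style config into sections, follows each tunnel interface's "tunnel protection ipsec profile" reference, and reports tunnels whose IPsec profile binds no IKEv2 profile or binds one that is not defined (the "INNE" typo case). The sample configs are constructed from the thread's R1 configuration, abbreviated, and the function and class names are the example's own.

```python
"""Audit an IOS config for IPsec profiles that never bind an IKEv2 profile.

Added example (not Cisco's code). Sample configs are constructed, modelled on
the R1 configuration posted in the thread.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    interface: str
    ipsec_profile: str
    problem: str


def parse_sections(config: str) -> dict:
    """Split an IOS config into top-level sections.

    A line starting in column 0 opens a section; indented lines are its
    children. '!' separators and blank lines are skipped.
    Returns {header line: [stripped child lines]}.
    """
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit_ikev2_binding(config: str) -> list:
    """Return one Finding per tunnel interface that will not use IKEv2."""
    sections = parse_sections(config)
    has_isakmp_policy = any(h.startswith("crypto isakmp policy ") for h in sections)
    ikev2_profiles = {h.split()[-1] for h in sections
                      if h.startswith("crypto ikev2 profile ")}
    ipsec_profiles = {h.split()[-1]: body for h, body in sections.items()
                      if h.startswith("crypto ipsec profile ")}

    findings = []
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        iface = header.split(" ", 1)[1]
        for line in body:
            m = re.match(r"tunnel protection ipsec profile (\S+)", line)
            if not m:
                continue
            prof = m.group(1)
            prof_body = ipsec_profiles.get(prof)
            if prof_body is None:
                findings.append(Finding(iface, prof, "ipsec profile is not defined"))
                continue
            bound = [l.split()[-1] for l in prof_body
                     if l.startswith("set ikev2-profile ")]
            if not bound:
                why = "no 'set ikev2-profile' in the ipsec profile"
                if has_isakmp_policy:
                    why += "; an isakmp policy exists, so the tunnel negotiates IKEv1"
                findings.append(Finding(iface, prof, why))
            elif bound[0] not in ikev2_profiles:
                findings.append(Finding(iface, prof,
                                        f"ikev2 profile '{bound[0]}' is not defined"))
    return findings


# Constructed sample: the thread's R1 config, abbreviated, before the fix.
CONFIG_BEFORE = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
!
crypto ikev2 profile INNER
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local INNER
!
crypto ipsec profile GCM256
 set transform-set GCM256
 set pfs group19
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 192.168.254.118
 tunnel mode ipsec ipv4
 tunnel destination 192.168.254.119
 tunnel protection ipsec profile GCM256
"""

# Same config with the accepted answer's fix applied.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    " set pfs group19\n", " set pfs group19\n set ikev2-profile INNER\n")

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit_ikev2_binding(cfg) or "no findings")
```

Run it against a saved "show running-config" to get one finding per tunnel interface that would fall back to IKEv1; an empty list means every protected tunnel binds an existing IKEv2 profile. Note that the audit is static: after fixing the profile on a live router, the existing IKEv1 SA persists until it is cleared or the tunnel is bounced, which is the behaviour the OP reports below.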

2 Replies

Thank you, RJI.

I tried it before, but it did not work for me. I tried again, but it did not work until I did a "shut" and "no shut" on the interface.