
Route-based VPN using IKEV2 on ASR 1001X?

davinci
Level 1

Is a route-based VPN using IKEv2 supported on ASR1001X? If yes, can someone share a basic config template or link for instructions? I'm having a hard time finding anything online for this scenario and specific requirements.

 

hash-sha256

authentication-PSK

group-14

lifetime-3600

encryption-aes 

4 Replies

Francesco Molino
VIP Alumni

Hi

 

You can check this link for examples:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16-6/sec-sec-for-vpns-w-ipsec-xe-16-6-book/sec-ipsec-virt-tunnl.html

 

Examples are based on ikev1 but you can change the crypto to be in ikev2.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

@davinci 

Route-based IKEv2 VPNs on a Cisco router are referred to as FlexVPN.

 

The reference link below has guides with configuration for different scenarios.

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

 

Refer to this guide for information on the latest algorithms to use in the VPN:

https://tools.cisco.com/security/center/resources/next_generation_cryptography

Thanks for the links but something remains unclear.  If I want to use a pre-shared key with FlexVPN, then do I use the Keyring feature or the commands below under IKEv2 profile? 

 

crypto ikev2 keyring abc
 peer x.x.x.x
  address x.x.x.x
  pre-shared-key XYZ

 

OR

 

crypto ikev2 profile testprofile
 match identity remote address 1.1.1.1
 identity local address abcd
 authentication local pre-share ????
 authentication remote pre-share ????

@davinci 

You can use either. If you use the ikev2 keyring you could specify different PSK per spoke/peer. Or if you defined the PSK under the ikev2 profile, then that PSK would apply to all connections.

 

HTH
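
A minimal route-based (static VTI) IKEv2 template matching the parameters listed in the question, using the per-peer keyring option described in the accepted answer. This is an added example, not configuration posted by anyone in the thread; all object names, the 192.0.2.x and 10.x addresses, the interface name, the AES key size and the placeholder key are assumptions, as is applying the 3600-second lifetime to both the IKE and IPsec SAs.

```cisco
! IKEv2 proposal: AES, SHA-256 integrity, DH group 14 (key size is an assumption)
crypto ikev2 proposal PROP-EXAMPLE
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-EXAMPLE
 proposal PROP-EXAMPLE
!
! Keyring: one entry per peer, so each peer can have its own PSK
crypto ikev2 keyring KR-EXAMPLE
 peer SITE-B
  address 192.0.2.2
  pre-shared-key <PLACEHOLDER-PSK>
!
! IKEv2 profile: PSK authentication in both directions, keys taken from the keyring
crypto ikev2 profile PROF-EXAMPLE
 match identity remote address 192.0.2.2 255.255.255.255
 identity local address 192.0.2.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-EXAMPLE
 lifetime 3600
!
crypto ipsec transform-set TS-EXAMPLE esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! IPsec profile ties the transform set to the IKEv2 profile
crypto ipsec profile IPSEC-EXAMPLE
 set transform-set TS-EXAMPLE
 set ikev2-profile PROF-EXAMPLE
 set security-association lifetime seconds 3600
!
! Route-based: traffic is selected by routing into the tunnel, not by a crypto ACL
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile IPSEC-EXAMPLE
!
! Constructed remote subnet reached through the tunnel
ip route 10.20.0.0 255.255.0.0 Tunnel0
```

After the peer is configured with the mirror image of this template, `show crypto ikev2 sa` and `show crypto ipsec sa` confirm that the negotiated algorithms and lifetimes match what was intended.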