
Site-to-Site FlexVPN

Mark Mattix
Level 2

I need to implement a site-to-site VPN connection. I currently use a crypto-map and IKEv1, and I would like to upgrade to the newer IKEv2 for better performance and security. Would everyone suggest the FlexVPN option for a site-to-site connection? I have been reading this document: http://www.cisco.com/en/US/products/ps12922/products_configuration_example09186a0080bed945.shtml. Something I'm curious about is that in this document they do not state the encryptions to be used like in a crypto map and transform set. Is there now a standard encryption IKEv2 uses or do these still have to be configured?

I appreciate anyone's advice!

2 Replies

Mark Mattix
Level 2

I did some more research and it looks like IKEv2 has default encryptions configured:

encryption aes-cbc-128 3des
integrity sha md5
group 5 2

If I wanted to change these defaults, would I have to use the command "crypto ikev2 proposal" and then change the various values there? I'm surprised Cisco's document that I listed above doesn't mention this.

Hi Mark

You are correct; to change the IKEv2 defaults you can change the default proposal (or any proposal that you have configured).

This is detailed in the IOS config guide here:

http://www.cisco.com/en/US/partner/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-cfg-ikev2-flex.html#GUID-6F6D8166-508A-4669-9DDC-4FE7AE9B9939

For the IPSEC cryptographic algorithms, these are defined in the transform set (just like crypto maps), but this is referenced in the IPSEC profile. The default IPSEC profile uses the default transform set. If you want to change the transform set you can; check the following example where I did:

http://www.cisco.com/en/US/products/ps12922/products_configuration_example09186a0080bee100.shtml

I hope that this answers your Q; if not, please let me know.

cheers
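
An added illustration of the two places named in the reply above, the IKEv2 proposal and the transform set referenced from the IPsec profile; it is not part of the thread or of the linked Cisco documents. All object names (PROP-S2S, POL-S2S, TS-S2S, IPSEC-S2S, IKEV2-S2S, Tunnel0) and the algorithm choices are assumptions for illustration, and the IKEv2 profile is assumed to be configured already.

```cisco
! --- IKE_SA algorithms: a named proposal instead of the defaults
! --- (aes-cbc-128 3des / sha md5 / group 5 2) quoted in the thread.
crypto ikev2 proposal PROP-S2S
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! --- A user-defined proposal is only offered once it is attached
! --- to an IKEv2 policy.
crypto ikev2 policy POL-S2S
 proposal PROP-S2S
!
! --- IPsec (child SA) algorithms still live in a transform set,
! --- as they did with crypto maps.
crypto ipsec transform-set TS-S2S esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- The IPsec profile references the transform set and the IKEv2
! --- profile (IKEV2-S2S is hypothetical and assumed to exist).
crypto ipsec profile IPSEC-S2S
 set transform-set TS-S2S
 set ikev2-profile IKEV2-S2S
!
! --- The tunnel interface applies the profile (interface name assumed).
interface Tunnel0
 tunnel protection ipsec profile IPSEC-S2S
!
! --- Checks after the tunnel comes up:
! ---   show crypto ikev2 proposal
! ---   show crypto ikev2 sa detailed
! ---   show crypto ipsec sa
```

Both peers need a matching proposal and transform set; comparing the negotiated algorithms in the `show` output with the configured ones confirms the defaults are no longer being selected.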