Using IP Pool in IKEv2

kasunrajapakse
Level 1

Hi Guys,
Following is the IKEv2 setup I have (which works perfectly fine).
However, I would like to know how we can add an IP Pool to issue IP addresses during the IKE Phase (Phase 1).

The requirement is to have multiple spoke devices establish an IPSec tunnel with the Hub. Can someone please help me with this?


crypto ikev2 proposal Proposal_HF_Test_AR
 encryption 3des
 integrity sha1
 group 2

crypto ikev2 policy Policy_HF_Test_AR
 match fvrf FVRF
 match address local 62.x.x.x
 proposal Proposal_HF_Test_AR

crypto ikev2 keyring Keyring_HF_Test_AR
 peer Peer_Test_AR
  address 81.x.x.x
  pre-shared-key abc123
!

crypto ikev2 profile IKEv2_Profile_HF_Test_AR
 match fvrf FVRF
 match address local interface Loopback2
 match address local 62.x.x.x
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local Keyring_HF_Test_AR

crypto ipsec transform-set TS_HF_Test_AR esp-3des esp-sha-hmac
 mode tunnel

crypto ipsec profile IPsec_Profile_HF_Test_AR
 set transform-set TS_HF_Test_AR
 set pfs group2
 set ikev2-profile IKEv2_Profile_HF_Test_AR
 reverse-route

ip access-list extended IPSec_ACL_HF_Test_AR
 10 permit ip 10.113.3.0 0.0.0.255 host 10.121.12.60
 20 permit ip 10.113.3.0 0.0.0.255 host 10.121.36.250

interface Tunnel1
 description IPSec HF_Test_AR
 vrf forwarding hf_test_ar
 ip unnumbered Port-channel1.1760
 zone-member security HF_TEST_AR
 tunnel source Loopback2
 tunnel mode ipsec ipv4
 tunnel destination 81.x.x.x
 tunnel vrf FVRF
 tunnel protection ipsec policy ipv4 IPSec_ACL_HF_Test_AR
 tunnel protection ipsec profile IPsec_Profile_HF_Test_AR
end

4 Replies

Hi @Rob Ingram 
Many thanks for your reply. 

Does this mean I would need to have a separate authentication server? As I didn't see any IP Pool in use?


Thanks

@kasunrajapakse 

No, you can do local (on the router) or external authorisation (i.e. RADIUS). The example I provided included information on using local authorisation.

Hi @Rob Ingram - Thanks, I am yet to test this service. I will get back to you once this has been applied.
Thanks for your help as always!
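
The local authorisation option mentioned in the reply above, sketched as an added example that is not part of the thread or the configuration linked there: the hub hands each spoke a tunnel address from a local pool during the IKEv2 configuration exchange, with no external AAA server. The names FLEX_AUTHOR, FLEX_POOL_POLICY, SPOKE_POOL, Loopback100 and Virtual-Template1, the 172.16.100.0/24 range and the angle-bracket placeholders are assumptions; the profile, VRF and IPsec profile names are reused from the original post.

```cisco
! Added example, not from the thread. Names and the 172.16.100.0/24 range are
! assumptions; <...> values are placeholders to fill in per spoke.
! --- Hub ---
aaa new-model
aaa authorization network FLEX_AUTHOR local
!
ip local pool SPOKE_POOL 172.16.100.10 172.16.100.250
!
crypto ikev2 authorization policy FLEX_POOL_POLICY
 pool SPOKE_POOL
 route set interface
!
crypto ikev2 profile IKEv2_Profile_HF_Test_AR
 ! Local (on-router) authorisation for PSK peers: list name, then policy name
 aaa authorization group psk list FLEX_AUTHOR FLEX_POOL_POLICY
 ! One virtual-access interface is cloned per spoke from this template
 virtual-template 1
!
interface Loopback100
 vrf forwarding hf_test_ar
 ip address 172.16.100.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 vrf forwarding hf_test_ar
 ip unnumbered Loopback100
 tunnel source Loopback2
 tunnel mode ipsec ipv4
 tunnel vrf FVRF
 tunnel protection ipsec profile IPsec_Profile_HF_Test_AR
!
! --- Spoke ---
aaa new-model
aaa authorization network FLEX_AUTHOR local
!
crypto ikev2 profile <spoke-ikev2-profile>
 aaa authorization group psk list FLEX_AUTHOR default
!
interface Tunnel1
 ! Requests the tunnel address from the hub during the IKEv2 exchange
 ip address negotiated
 tunnel source <spoke-wan-interface>
 tunnel mode ipsec ipv4
 tunnel destination 62.x.x.x
 tunnel protection ipsec profile <spoke-ipsec-profile>
```

Enabling `aaa new-model` also changes how the router authenticates management logins, so confirm console and VTY access before applying it. Each additional spoke still needs a matching peer entry in the hub keyring, and assigned addresses can be checked on the hub with `show crypto ikev2 sa detailed`.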