Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1022
Views
0
Helpful
4
Replies

Using IP Pool in IKEv2

kasunrajapakse
Level 1
Level 1

‎07-26-2021 07:40 AM

Hi Guys, 
Following is the IKEv2 setup I have (which works perfectly fine)
However, I would like to know how we can add an IP Pool to issue IP addresses during the IKE Phase (Phase 1)

The requirement is to have multiple spoke devices to establish an IPSec with the Hub.  Can someone please help me in this? 


crypto ikev2 proposal Proposal_HF_Test_AR
encryption 3des
integrity sha1
group 2

 

crypto ikev2 policy Policy_HF_Test_AR
match fvrf FVRF
match address local 62.x.x.x
proposal Proposal_HF_Test_AR

 

crypto ikev2 keyring Keyring_HF_Test_AR
peer Peer_Test_AR
address 81.x.x.x
pre-shared-key abc123
!


crypto ikev2 profile IKEv2_Profile_HF_Test_AR
match fvrf FVRF
match address local interface Loopback2
match address local 62.x.x.x
 match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local Keyring_HF_Test_AR

 

crypto ipsec transform-set TS_HF_Test_AR esp-3des esp-sha-hmac
mode tunnel

 

crypto ipsec profile IPsec_Profile_HF_Test_AR
set transform-set TS_HF_Test_AR
set pfs group2
set ikev2-profile IKEv2_Profile_HF_Test_AR
reverse-route

 

ip access-list extended IPSec_ACL_HF_Test_AR
10 permit ip 10.113.3.0 0.0.0.255 host 10.121.12.60
20 permit ip 10.113.3.0 0.0.0.255 host 10.121.36.250

 


interface Tunnel1
description IPSec HF_Test_AR
vrf forwarding hf_test_ar
ip unnumbered Port-channel1.1760
zone-member security HF_TEST_AR
tunnel source Loopback2
tunnel mode ipsec ipv4
tunnel destination 81.x.x.x
tunnel vrf FVRF
tunnel protection ipsec policy ipv4 IPSec_ACL_HF_Test_AR
tunnel protection ipsec profile IPsec_Profile_HF_Test_AR
end

Labels:
0 Helpful
4 Replies 4

kasunrajapakse
Level 1
Level 1
In response to Rob Ingram

‎07-26-2021 08:57 AM - edited ‎07-26-2021 08:58 AM

Hi @Rob Ingram 
Many thanks for your reply. 

Does this mean, I would need to have a sperate authentication server?  As I didn't see any IP Pool in use? 


Thanks

0 Helpful

Rob Ingram
VIP
VIP
In response to kasunrajapakse

‎07-26-2021 09:07 AM

@kasunrajapakse 

No, you can do local (on the router) or external authorisation (i.e. radius). The example I provide included information on using local authorisation.

0 Helpful

kasunrajapakse
Level 1
Level 1
In response to Rob Ingram

‎07-28-2021 03:25 AM

Hi @Rob Ingram - Thanks, I am yet to test this service. I will get back to you once this has been applied. 
Thanks for your help as always!. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents