Supported from 9.7.1
1. Create Phase I policy
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
2. Enable IKEv2 on outside interface
crypto ikev2 enable outside
3. Create Phase II proposal
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
4. Create ipsec profile
crypto ipsec profile P2-AES256-SHA256-G14
set ikev2 ipsec-proposal AES256-SHA256
set pfs group14
5.Create tunnel interface
interface Tunnel1
nameif vpn1
ip address 169.254.254.253 255.255.255.252
tunnel source interface outside
tunnel destination 203.0.113.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile P2-AES256-SHA256-G14
6. Create tunnel-group
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key Cisco123
ikev2 local-authentication pre-shared-key Cisco123
7. Add static route
route vpn1 192.168.2.0 255.255.255.0 169.254.254.254
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
2. Enable IKEv2 on outside interface
crypto ikev2 enable outside
3. Create Phase II proposal
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
4. Create ipsec profile
crypto ipsec profile P2-AES256-SHA256-G14
set ikev2 ipsec-proposal AES256-SHA256
set pfs group14
5.Create tunnel interface
interface Tunnel1
nameif vpn1
ip address 169.254.254.253 255.255.255.252
tunnel source interface outside
tunnel destination 203.0.113.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile P2-AES256-SHA256-G14
6. Create tunnel-group
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key Cisco123
ikev2 local-authentication pre-shared-key Cisco123
7. Add static route
route vpn1 192.168.2.0 255.255.255.0 169.254.254.254
==============================
Troubleshooting:
1. Packet capture can be done on tunnel interface.
======Template================
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec profile P2-AES256-SHA256-G14
set ikev2 ipsec-proposal AES256-SHA256
set pfs group14
interface Tunnel1
nameif vpn1
ip address 169.254.254.253 255.255.255.252
tunnel source interface outside
tunnel destination 203.0.113.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile P2-AES256-SHA256-G14
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key Cisco123
ikev2 local-authentication pre-shared-key Cisco123
route vpn1 192.168.2.0 255.255.255.0 169.254.254.254
Comments
Post a Comment