1. Review Smart Default IKEv2 settings.
sh crypto ikev2 proposal default
IKEv2 proposal: default
Encryption : AES-CBC-256
Integrity : SHA512 SHA384
PRF : SHA512 SHA384
DH Group : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
2. Review Smart Default ipsec transform-set and profile
sh crypto ipsec transform-set default
{ esp-aes esp-sha-hmac }
will negotiate = { Transport, },
sh crypto ipsec profile default
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
3. Create a new transform-set with stronger ciphers
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
4. Create an IKEv2 keyring
crypto ikev2 keyring MyIKEv2KeyRing
peer CSR3
address 203.0.113.228
pre-shared-key local Cisco123
pre-shared-key remote Cisco123
5. Create an IKEv2 profile
Specify the local identity as the NATed public IP; otherwise the router sends its identity as the private IP 192.168.1.2.
crypto ikev2 profile IKEv2P1Profile
match identity remote address 203.0.113.228 255.255.255.255
identity local address 203.0.113.44
authentication remote pre-share
authentication local pre-share
keyring local MyIKEv2KeyRing
6. Create a new IPSec profile
crypto ipsec profile IKEv2P2Profile
set transform-set AES256-SHA256
set pfs group14
set ikev2-profile IKEv2P1Profile
7. Create tunnel interface
interface Tunnel1
ip address 169.254.254.5 255.255.255.252
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 203.0.113.228
tunnel protection ipsec profile IKEv2P2Profile
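As an added example (not part of the original post), a small Python audit that parses the Smart Default show output from steps 1 and 2 and flags the settings the later steps replace: the 1536-bit MODP group 5 in the default proposal, the SHA-1 and AES-128 transforms in the default transform set, and PFS disabled in the default profile. The sample strings are constructed from the output above, and the weak-algorithm lists are the example's own assumptions.

```python
import re

# Constructed sample: the Smart Default output shown in steps 1 and 2 above.
SHOW_PROPOSAL = """IKEv2 proposal: default
Encryption : AES-CBC-256
Integrity : SHA512 SHA384
PRF : SHA512 SHA384
DH Group : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
"""
SHOW_PROFILE = """IPSEC profile default
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
"""

# Assumed thresholds for this example: what to flag and why.
WEAK_DH_GROUPS = {"1", "2", "5"}           # 768/1024/1536-bit MODP
WEAK_ALGS = {"DES", "3DES", "MD5", "SHA1"}  # IKEv2 encryption/integrity/PRF names
WEAK_ESP = {"esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5",
            "esp-sha-hmac": "HMAC-SHA1", "esp-aes": "AES-128 (bare esp-aes)"}

def audit_ikev2_proposal(show_output):
    """Findings for 'show crypto ikev2 proposal' output (list of strings)."""
    findings = []
    for line in show_output.splitlines():
        field, _, value = line.partition(":")
        field = field.strip()
        if field == "DH Group":
            for grp in re.findall(r"/Group (\d+)", value):
                if grp in WEAK_DH_GROUPS:
                    findings.append(f"proposal allows DH group {grp}")
        elif field in ("Encryption", "Integrity", "PRF"):
            findings += [f"proposal {field} includes {a}" for a in value.split()
                         if a.upper() in WEAK_ALGS]
    return findings

def audit_ipsec_profile(show_output):
    """Findings for 'show crypto ipsec profile' output (list of strings)."""
    findings = []
    if re.search(r"PFS \(Y/N\):\s*N\b", show_output):
        findings.append("profile has PFS disabled (step 6 adds 'set pfs group14')")
    # Innermost braces hold the transform keywords, e.g. { esp-aes 256 esp-sha256-hmac }
    for body in re.findall(r"\{\s*([^{}]*?)\s*\}", show_output):
        tokens = body.split()
        for i, kw in enumerate(tokens):
            # 'esp-aes 256' carries its key size as the next token; bare esp-aes is AES-128
            if kw == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                continue
            if kw in WEAK_ESP:
                findings.append(f"transform set uses {kw} = {WEAK_ESP[kw]}")
    return findings
```

Run the two functions against the live show output after applying steps 3 to 6 as well; the hardened transform set and profile should produce no findings.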