Cisco Router IKE v2 Site to Site IPSec VPN Configuration - NETSEC



Monday, September 11, 2017

Cisco Router IKE v2 Site to Site IPSec VPN Configuration

What are the differences between IKEv1 and IKEv2?
1. Different negotiation processes
− IKEv1
  • IKEv1 SA negotiation consists of two phases.
  • IKEv1 phase 1 negotiation establishes the IKE SA. It supports main mode and aggressive mode: main mode uses six ISAKMP messages to establish the IKE SA, while aggressive mode uses only three, so aggressive mode establishes the IKE SA faster but does not provide peer identity protection.
  • IKEv1 phase 2 negotiation sets up the IPSec SA for data transmission, using quick mode (3 ISAKMP messages) to complete the negotiation.
− IKEv2
  • Compared with IKEv1, IKEv2 simplifies SA negotiation. IKEv2 uses two exchanges (4 messages in total) to create an IKE SA and a pair of IPSec SAs. To create further pairs of IPSec SAs, only one additional exchange is needed per pair.

2. Different authentication methods
- IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private addresses.

3. Different supports for IKE SA integrity algorithms
- IKE SA integrity algorithms are supported only in IKEv2.

4. Different implementations of DPD packet retransmission

- The retry-interval parameter is supported only in IKEv1. If the NGFW sends a DPD packet but receives no reply within the specified retry-interval, the device records a DPD failure event and retransmits a DPD packet. When the number of failure events reaches 5, both the IKE SA and IPSec SA are deleted. The IKE SA negotiation will be started again when the device has IPSec traffic to handle.

5. Different supports for manual lifetime settings
- In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value to reduce the likelihood that two endpoints initiate re-negotiation at the same time. Therefore, soft lifetime does not require manual settings in IKEv2.


IKEv2 Configuration Steps:
  1. Keyring
  2. Proposal
  3. Profile
  4. Policy
  5. ACL
  6. Transform Set
  7. Crypto Map (including Peer, ACL, and Transform Set)
  8. Apply to interface

1. Define IKEv2 Keyring

crypto ikev2 keyring customer-1
 peer customer1
  pre-shared-key cisco1234

2. Define IKEv2 Proposal

crypto ikev2 proposal Prop-customer1
 encryption aes-cbc-256
 integrity sha256
 group 19

3. Define IKEv2 Profile

crypto ikev2 profile PROFILE-Customer1
 match identity remote address
 authentication local pre-share
 authentication remote pre-share
 keyring local customer-1

4. Define IKEv2 Policy

crypto ikev2 policy POL-Customer1
 proposal Prop-customer1

5. Define Crypto ACL

ip access-list extended VPNACL-Customer1
 permit ip host host
 permit ip host host

6. Define IPSec Transform Set

crypto ipsec transform-set TS-Customer1 esp-aes 256 esp-sha256-hmac

7. Define Crypto Map (including Peer, ACL, and Transform Set)

crypto map CMAP-Customer1 10 ipsec-isakmp
 set peer
 set security-association lifetime seconds 3600
 set transform-set TS-Customer1
 set pfs group19
 set ikev2-profile PROFILE-Customer1
 match address VPNACL-Customer1

8. Activate the Crypto Map by adding it to the Router's Interface

interface GigabitEthernet0/0/0
 ip address
 negotiation auto
 crypto map CMAP-Customer1
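The eight steps above form a chain of references: the interface names a crypto map, the crypto map names an IKEv2 profile, a transform set and a crypto ACL, the profile names a keyring, and the policy names a proposal. A typo in any one name leaves the tunnel silently unable to come up, and a legacy algorithm in the proposal or transform set weakens it without any error. The following Python script is an added example (not code from the original post) that parses an IOS-style configuration, verifies that every reference resolves, and flags weak algorithms and short pre-shared keys. The sample configuration is a constructed copy of the post's steps with RFC 5737 documentation addresses filled in where the post leaves them blank, plus an assumed `address` line under the keyring peer; the weak-algorithm list and the 20-character PSK threshold are this example's own choices, not Cisco defaults.

```python
"""Audit a Cisco IOS IKEv2 crypto-map configuration: resolve object references and flag
legacy algorithms and short pre-shared keys (added example, not the post's own code)."""
from collections import defaultdict

# Constructed sample mirroring the post's steps; addresses are placeholders from RFC 5737 ranges,
# and the 'address' line under the keyring peer is assumed here (the post does not show it).
SAMPLE_CONFIG = """\
crypto ikev2 keyring customer-1
 peer customer1
  address 198.51.100.2
  pre-shared-key cisco1234
crypto ikev2 proposal Prop-customer1
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy POL-Customer1
 proposal Prop-customer1
crypto ikev2 profile PROFILE-Customer1
 match identity remote address 198.51.100.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local customer-1
ip access-list extended VPNACL-Customer1
 permit ip host 10.1.1.10 host 10.2.2.10
crypto ipsec transform-set TS-Customer1 esp-aes 256 esp-sha256-hmac
crypto map CMAP-Customer1 10 ipsec-isakmp
 set peer 198.51.100.2
 set security-association lifetime seconds 3600
 set transform-set TS-Customer1
 set pfs group19
 set ikev2-profile PROFILE-Customer1
 match address VPNACL-Customer1
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP-Customer1
"""

# Keywords this example treats as legacy, in IKEv2 proposal, PFS and transform-set spelling (assumed policy).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5",
        "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def index_objects(text):
    """Parse IOS config into kind -> name -> child lines; an unindented line opens an object,
    indented lines (any depth) belong to the most recent one."""
    objs, current = defaultdict(dict), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                current.append(raw.strip())
            continue
        t = raw.split()
        current = []
        if t[:2] == ["crypto", "ikev2"]:                 # keyring / proposal / policy / profile
            objs[t[2]][t[3]] = current
        elif t[:3] == ["ip", "access-list", "extended"]:
            objs["acl"][t[3]] = current
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            objs["transform-set"][t[3]] = t[4:]          # algorithms sit on the header line itself
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            objs["crypto-map"][t[2]] = current
        elif t[0] == "interface":
            objs["interface"][t[1]] = current
    return objs


def arg_of(children, keyword):
    """Tokens after `keyword` on the first child line that starts with it, else None."""
    return next((c[len(keyword) + 1:].split() for c in children if c.startswith(keyword + " ")), None)


def audit(text, min_psk_len=20):
    """Return findings; an empty list means every reference resolves and nothing legacy was found."""
    objs, findings = index_objects(text), []
    # Reference chain: interface -> crypto map -> profile / transform set / ACL; profile -> keyring; policy -> proposal
    chain = (("interface", "crypto map", "crypto-map"), ("crypto-map", "set ikev2-profile", "profile"),
             ("crypto-map", "set transform-set", "transform-set"), ("crypto-map", "match address", "acl"),
             ("profile", "keyring local", "keyring"), ("policy", "proposal", "proposal"))
    for kind, keyword, target in chain:
        for name, children in objs[kind].items():
            ref = arg_of(children, keyword)
            if ref is None:
                findings.append(f"{kind} {name}: missing '{keyword}'")
            elif ref[0] not in objs[target]:
                findings.append(f"{kind} {name}: {target} {ref[0]} is not defined")
    # Algorithm strength: IKEv2 proposal lines, crypto-map PFS group and transform-set tokens
    for name, children in objs["proposal"].items():
        for line in children:
            keyword, *values = line.split()
            if keyword == "group":                       # 'group 19' -> 'group19', the PFS spelling
                values = ["group" + v for v in values]
            findings += [f"proposal {name}: weak {keyword} {v}" for v in values if v in WEAK]
    for name, children in objs["crypto-map"].items():
        pfs = arg_of(children, "set pfs")
        if pfs is None or pfs[0] in WEAK:
            findings.append(f"crypto-map {name}: PFS {'disabled' if pfs is None else 'uses weak ' + pfs[0]}")
    for name, tokens in objs["transform-set"].items():
        findings += [f"transform-set {name}: weak {t}" for t in tokens if t in WEAK]
    # Pre-shared key length; IOS also accepts 'pre-shared-key local|remote <key>', so take the last token
    for name, children in objs["keyring"].items():
        for line in children:
            if line.startswith("pre-shared-key") and len(line.split()[-1]) < min_psk_len:
                findings.append(f"keyring {name}: pre-shared key shorter than {min_psk_len} characters")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the short pre-shared key; renaming `TS-Customer1` in the crypto map, or changing `group 19` to `group 2` in the proposal, produces an unresolved-reference or weak-algorithm finding respectively. Feed it the output of `show running-config | section crypto|interface` to check a live box before bringing a tunnel up.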


R-VPN1#sh ver
Cisco IOS XE Software, Version 16.04.02
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.4.2, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Thu 27-Apr-17 11:56 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE


R-TWN1-VPN1 uptime is 4 days, 50 minutes
Uptime for this control processor is 4 days, 53 minutes
System returned to ROM by Reload Command
System restarted at 11:32:04 EDT Thu Sep 1 2017
System image file is "bootflash:isr4200-universalk9_ias.16.04.08.SPA.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
[email protected].

Suite License Information for Module:'esg'

Suite                 Suite Current         Type           Suite Next reboot
FoundationSuiteK9     None                  None           None

Technology Package License Information:

Technology    Technology-package           Technology-package
              Current       Type           Next reboot
appxk9           None             None             None
securityk9       securityk9       Permanent        securityk9
ipbase           ipbasek9         Permanent        ipbasek9

cisco ISR4221/K9 (1RU) processor with 1636344K/6147K bytes of memory.
Processor board ID FGL213893E9
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7086079K bytes of flash memory at bootflash:.
0K bytes of  at webui:.

Configuration register is 0x2102

Debug commands
deb crypto ikev2 packet
deb crypto ikev2 internal

Show commands
show crypto ikev2 sa detailed 
show crypto ipsec sa
show crypto session
