...

IKEv2

config

Code Block
crypto engine enable
crypto call admission limit ike in-nego 50
crypto ikev2 fragmentation
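Review bot: The three global lines carry no explanation, and `crypto call admission limit ike in-nego 50` in particular is a resource-exhaustion guard whose value will otherwise be tuned blindly; a comment such as `! cap IKE SAs in negotiation at 50 (DoS guard) — revisit when spoke count changes` keeps the rationale next to the knob. `crypto ikev2 fragmentation` with no size argument falls back to the platform default, so if the underlay path MTU is known it is worth stating it in a comment. Whether IKEv2 cookie-challenge is also enabled is not visible on this page; if it is not, it is the usual companion to the admission limit and should be checked.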

proposal

Code Block
crypto ikev2 proposal IkeV2Proposal
 encryption aes-cbc-256
 integrity  sha256
 group      19 20 16
exit

crypto ikev2 proposal IkeV2ProposalGcm
 encryption aes-gcm-256
 prf        sha256
 group      19 20 16
exit
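Review bot: `IkeV2Proposal` sets no `prf`, so it relies on IOS deriving the PRF from the integrity algorithm (SHA-256 here); stating it explicitly with `prf sha256`, as `IkeV2ProposalGcm` already does, removes the dependence on that default and makes the two proposals read the same. The group list `19 20 16` is only a preference and the final choice depends on the peer's order; group 16 (4096-bit MODP) is markedly slower than the EC groups on most platforms, so a one-line comment on why it is retained would help the next maintainer.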

authorization policy

Code Block
crypto ikev2 authorization policy auth-pol-1-internet
 route accept any tag 11
 route set interface loopback 10011
exit
crypto ikev2 authorization policy auth-pol-1-mpls
 route accept any tag 12
 route set interface loopback 10012
exit
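Review bot: `route accept any tag 11` (and `tag 12`) installs every prefix the peer pushes in its IKEv2 configuration payload with no prefix filter, so the remote hub is fully trusted for routing on this device; that is normal for a spoke but is a trust decision that should be written down, e.g. `! trust all routes advertised by the hub; tag 11/12 consumed by route-map elsewhere (not shown)`. The tags presumably feed redistribution policy that is outside this page — confirm and name the route-map in the comment. `route set interface loopback 10011` / `10012` advertises those loopbacks to the peer; a short note on what each loopback represents would complete the picture.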

Policy

Code Block
crypto ikev2 policy IkeV2Policy
 match fvrf any
 proposal IkeV2Proposal
 proposal IkeV2ProposalGcm
exit
crypto ikev2 keyring IkeV2Keyring-1
 peer Hub_Massy_200_1
  pre-shared-key remote bjjaco9RvZkTS2gglfml8z7FR0Uz5Cze
  address 176.149.235.201
 exit
exit
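Review bot: The `Policy` code block contains a second copy of `crypto ikev2 keyring IkeV2Keyring-1` after the policy's `exit`, identical to the one in the `Keyring` section below; this looks like an artefact of the version comparison (old and new placement rendered together) rather than intended content, and someone pasting this block would apply the keyring twice. Either way the policy block should end at the `exit` following the two `proposal` lines, with the keyring appearing only under its own heading. `match fvrf any` matches every front-door VRF; if that is intended, a comment saying so avoids the question.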

Keyring

Code Block
crypto ikev2 keyring IkeV2Keyring-1
 peer Hub_Massy_200_1
  pre-shared-key remote bjjaco9RvZkTS2gglfml8z7FR0Uz5Cze
  address 176.149.235.201
 exit
exit
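Review bot: A live pre-shared key is printed in clear text on the `pre-shared-key remote` line (and again in the `Policy` block above); anyone who has had read access to this page or its history must be assumed to know it, so the key should be rotated on both peers and the page should carry a placeholder such as `pre-shared-key remote <REDACTED — see secrets vault>`. Note also that this keyring defines only a `remote` key while both profiles use `authentication local pre-share`: on IOS the `local` key is the one this device authenticates itself with, and the `remote` key is used to verify a PSK-authenticating peer, which this peer (`rsa-sig`) is not. Confirm whether `pre-shared-key local …` (or a symmetric `pre-shared-key …`) was intended; as written, local authentication may have no key to use.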

Profile

Code Block
crypto ikev2 profile Ikev2Profile-1-internet
 aaa authorization group local auth-pol-1-internet
 identity local email jlk-v600JLK1@internet.HandS.EKI_Customer.com
 authentication local pre-share
 authentication remote rsa-sig
 keyring local IkeV2Keyring-1
 lifetime 14600
 dpd 10 2 periodic
 match identity remote fqdn HandS.EKI_Customer.com
 pki trustpoint VPN_OA
exit
crypto ikev2 profile Ikev2Profile-1-mpls
 aaa authorization group local auth-pol-1-mpls
 identity local email jlk-v600JLK1@mpls.HandS.EKI_Customer.com
 authentication local pre-share
 authentication remote rsa-sig
 keyring local IkeV2Keyring-1
 lifetime 14600
 dpd 10 2 periodic
 match identity remote fqdn HandS.EKI_Customer.com
 pki trustpoint VPN_OA
exit
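Review bot: Both profiles accept the remote with `rsa-sig` against `pki trustpoint VPN_OA` but constrain identity only with `match identity remote fqdn HandS.EKI_Customer.com`; whether the presented certificate is required to actually contain that FQDN, rather than merely chaining to the trustpoint CA, is not visible on this page — if it is not, any certificate that CA has issued would be accepted by this profile, so a `match certificate` map bound to the subject/SAN, or a comment confirming the identity-to-certificate binding on this IOS release, is warranted. Revocation checking is configured on the trustpoint, outside this page; a comment naming the expected `revocation-check` setting lets a reader verify it. `lifetime 14600` is the IKE SA lifetime in seconds (about four hours) and `dpd 10 2 periodic` probes liveness every 10 s with a 2 s retry; both deserve a `!` comment, especially since the IPsec SA lifetime below is 3600 s.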

IPSec

Code Block
crypto ipsec security-association replay disable
crypto ipsec spi-prefix 8
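Review bot: `crypto ipsec security-association replay disable` turns off anti-replay checking for every IPsec SA on the device, so captured ESP packets can be re-injected at will; this is a deliberate weakening and should not sit uncommented. If it was added because QoS reordering or large-window traffic caused replay drops, enlarging the window with `crypto ipsec security-association replay window-size 1024` (globally or per profile) is the usual alternative; if it must stay, a comment stating the reason and the change ticket is the minimum. `crypto ipsec spi-prefix 8` is not self-explanatory either and needs a one-line comment.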

Code Block
crypto ipsec transform-set AES-CBC-256-SHA-256
 esp-aes-256 esp-sha256-hmac
 mode transport
exit
crypto ipsec transform-set ESP-GCM-256
 esp-gcm-256
 mode        transport
exit
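Review bot: Both transform sets use `mode transport`, which only makes sense if the traffic is already encapsulated by a tunnel or virtual-template interface that is not shown on this page; a comment such as `! transport mode: protects tunnel-interface (GRE/VTI) traffic, not raw host traffic` would tell a reader why tunnel mode is not used. `esp-aes-256 esp-sha256-hmac` and `esp-gcm-256` match the 256-bit AES choices in the IKEv2 proposals above, so nothing to change there.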

Code Block
crypto ipsec profile Ikev2IpsecProfile-1-internet
 set pfs group20
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 3600
 set ikev2-profile Ikev2Profile-1-internet
 set transform-set ESP-GCM-256 AES-CBC-256-SHA-256
 set spi-group 1
exit
crypto ipsec profile Ikev2IpsecProfile-1-mpls
 set pfs group20
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 3600
 set ikev2-profile Ikev2Profile-1-mpls
 set transform-set ESP-GCM-256 AES-CBC-256-SHA-256
 set spi-group 1
exit
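Review bot: `set security-association lifetime kilobytes disable` removes the volume-based rekey, leaving only the 3600 s timer; on a high-throughput link a single key then protects every byte sent in an hour, and the kilobyte trigger is what normally bounds data-per-key for AES-GCM. If the default kilobyte limit fired too often, a larger explicit limit is safer than disabling it; otherwise the line should carry a comment with the reason. `set pfs group20` is consistent with the IKEv2 group list and the transform-set order prefers GCM, which is fine; `set spi-group 1` is non-obvious and should be explained alongside `spi-prefix` above.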

...