Step 1
|
enable
|
Enables
privileged EXEC mode.
|
Step 2
|
configure
terminal
Device# configure terminal
|
Enters global
configuration mode.
|
Step 3
|
crypto ikev2 authorization
policy
policy-name
Device(config)# crypto ikev2 authorization policy policy1
|
Specifies the
IKEv2 authorization policy and enters IKEv2 authorization policy configuration
mode.
|
Step 4
|
aaa attribute list
list-name
Device(config-ikev2-author-policy)# aaa attribute list list1
|
Specifies an AAA attribute list.
Note
|
The AAA attribute list referred to in this command should be defined in global configuration mode.
|
|
Step 5
|
backup-gateway
string
Device(config-ikev2-author-policy)# backup-gateway gateway1
|
Allows you to
specify up to ten backup server names. This parameter is pushed to the client
via the nonstandard Cisco Unity configuration attribute. This parameter
specifies the backup servers that the client can use.
|
Step 6
|
banner
banner-text
Device(config-ikev2-author-policy)# banner This is IKEv2
|
Specifies the
banner. This parameter is sent to the client via the nonstandard Cisco Unity
configuration attribute.
|
Step 7
|
configuration url
url
Device(config-ikev2-author-policy)# configuration url http://www.cisco.com
|
Specifies the
configuration URL. This parameter is sent to the client via the nonstandard
Cisco FlexVPN configuration attribute. The client can use this URL to download
the configuration.
|
Step 8
|
configuration version
version
Device(config-ikev2-author-policy)# configuration version 2.4
|
Specifies the
configuration version. This parameter is sent to the client via the nonstandard
Cisco FlexVPN configuration attribute. This parameter is sent with the
configuration URL to specify the version that the client can download.
|
Step 9
|
def-domain
domain-name
Device(config-ikev2-author-policy)# def-domain cisco
|
Specifies the
default domain. This parameter is sent to the client via the nonstandard Cisco
Unity configuration attribute. This parameter specifies the default domain that
the client can use.
|
Step 10
|
dhcp {giaddr
ip-address |
server
{ip-address |
hostname} |
timeout
seconds}
Device(config-ikev2-author-policy)# dhcp giaddr 192.0.2.1
|
Specifies the
DHCP server to lease an IP address that is assigned to the remote access
client.
-
giaddr
ip-address —Specifies the gateway IP address
(giaddr).
-
server {ip-address |
hostname} —Specifies the IP address or hostname of
the DHCP server. The hostname is resolved during configuration.
-
timeout
seconds —Specifies the wait time in seconds for the
response from the DHCP server.
Note
|
You can specify only one
DHCP server. It is assumed that the DHCP server can be reached via the global
routing table, and therefore, the DHCP packets are forwarded to the global
routing table.
|
|
Step 11
|
[ipv6]
dns
primary-server [secondary-server]
Device(config-ikev2-author-policy)# dns 198.51.100.1 198.51.100.100
|
Specifies the
IP addresses of primary and secondary Domain Name Service (DNS) servers that
are sent to the client in the configuration reply.
-
ipv6 —(Optional) Specifies an IPv6 address for the
DNS server. To specify an IPv4 address, execute the command without this
keyword.
-
primary-server —IP address of the primary DNS
server.
-
secondary-server —(Optional) IP address of the
secondary DNS server.
|
Step 12
|
include-local-lan
Device(config-ikev2-author-policy)# include-local-lan
|
Includes local
LAN. This parameter is sent to the client via the nonstandard Cisco Unity
configuration attribute.
|
Step 13
|
ipsec flow-limit
number
Device(config-ikev2-author-policy)# ipsec flow-limit 12500
|
Specifies the
maximum number of IPsec SAs that an IKev2 dVTI session on the IKev2 responder
can have. The range is from 0 to 50000.
By default,
the command is disabled, and there is no limit on the number of IPsec flows per
dVTI session. A value of 0 will not allow any IPsec SAs.
|
Step 14
|
netmask
mask
Device(config-ikev2-author-policy)# netmask 255.255.255.0
|
Specifies the
netmask of the subnet from which the IP address is assigned to the client.
|
Step 15
|
pfs
Device(config-ikev2-author-policy)# pfs
|
Enables
Password Forward Secrecy (PFS). This parameter is sent to the client via the
nonstandard Cisco Unity configuration attribute. This parameter specifies
whether the client should use PFS.
|
Step 16
|
[ipv6]
pool
name
Device(config-ikev2-author-policy)# pool abc
|
Defines a
local IP address pool for assigning IP addresses to the remote access client.
-
ipv6 —(Optional) Specifies an IPv6 address pool. To
specify an IPv4 address, execute the command without this keyword..
-
name —Name of
the local IP address pool.
Note
|
The local IP address pool
must already be defined using the
ip local pool
command.
|
|
Step 17
|
route set {interface
interface | access-list {access-list-name | access-list-number | ipv6
access-list-name}}
Device(config-ikev2-author-policy)# route set interface
|
Specifies the route set parameters to the peer via configuration mode and allows running routing protocols such as Border
Gateway Protocol (BGP) over VPN.
-
interface —Specifies the route interface.
-
access-list —Specifies the route access list.
-
access-list-name —Access list name.
-
access-list-number —Standard access list number.
-
ipv6 —Specifies an IPv6 access list.
|
Step 18
|
route accept any
[tag
value] [distance
value]
Device(config-ikev2-author-policy)# route accept any tag 10
|
Filters the
routes received from the peer and specify the tag and metric values to install
these routes.
-
any —Accepts all routes received from the peer.
-
tag
value —(Optional) Specifies the tag ID for the
static routes added by IKEv2. The range is from 1 to 497777.
-
distance
value —(Optional) Specifies the distance for the
static routes added by IKEv2. The range is from 1 to 255.
|
Step 19
|
route redistribute
protocol [route-map
map-name]
Device(config-ikev2-author-policy)# route redistribute connected
|
Filters the routes received from the peer and specify the tag and metric values to install these routes.
-
protocol —Source protocol from which routes are redistributed. It can be one of the following keywords: connected or static.
-
route-map
map-name —(Optional) Route map that should be filtered to import routes from one source routing protocol to another routing protocol.
If a map name is not specified, all routes are redistributed.
|
Step 20
|
route set remote
{ipv4
ip-address
mask
|
ipv6
ip-address/mask}
Device(config-ikev2-author-policy)# route set remote ipv6 2001:DB8::1/32
|
Configures IP
addresses of inside networks.
|
Step 21
|
smartcard-removal-disconnect
Device(config-ikev2-author-policy)# smartcard-removal-disconnect
|
Enables
smartcard removal disconnect. This parameter is sent to the client via the
nonstandard Cisco Unity configuration attribute. This parameter specifies that
the client should terminate the session when the smart card is removed.
|
Step 22
|
split-dns
string
Device(config-ikev2-author-policy)# split-dns abc1
|
Allows you to
specify up to ten split domain names. This parameter is sent to the client via
the nonstandard Cisco Unity configuration attribute. This parameter specifies
the domain names that the client should use for private networks.
|
Step 23
|
session-lifetime
seconds
Device(config-ikev2-author-policy)# session-lifetime 1000
|
Specifies the
IKEv2 session lifetime.
|
Step 24
|
route set access-list
{acl-number |
[ipv6]
acl-name}
Device(config-ikev2-client-config-group)# route set access-list 110
|
Specifies the
subnets that are pushed to the remote peer via configuration mode.
-
acl-number —Access list number (ACL). The ACL
number can only be specified for an IPv4 ACL.
-
ipv6 —(Optional) Specifies an IPv6 access control
list (ACL). To specify an IPv4 attribute, execute the command without this
keyword.
-
acl-name —Access list name.
Note
|
You can only specify
standard, simple access lists for IPv4 addresses.
|
|
Step 25
|
wins
primary-server [secondary-server]
Device(config-ikev2-author-policy)# wins 203.0.113.1 203.0.113.115
|
Specifies the
internal Windows Internet Naming Service (WINS) server addresses that are sent
to the client in the configuration reply.
|
Step 26
|
end
Device(config-ikev2-author-policy)# end
|
Exits IKEv2
authorization policy configuration mode and returns to privileged EXEC mode.
|