Step 1
Command: enable
Purpose: Enables the privileged EXEC mode. Enter your password, if prompted.

Step 2
Command: configure terminal
Example: Device# configure terminal
Purpose: Enters the global configuration mode.

Step 3
Command: crypto ikev2 profile profile-name
Example: Device(config)# crypto ikev2 profile profile1
Purpose: Defines an IKEv2 profile and enters the IKEv2 profile configuration mode.

Step 4
Command: description line-of-description
Example: Device(config-ikev2-profile)# description This is an IKEv2 profile
Purpose: (Optional) Describes the profile.

Step 5
Command: aaa accounting {psk | cert | eap} list-name
Example: Device(config-ikev2-profile)# aaa accounting eap list1
Purpose: (Optional) Enables authentication, authorization, and accounting (AAA) method lists for IPsec sessions.
Note: If the psk, cert, or eap keyword is not specified, the AAA accounting method list is used irrespective of the peer authentication method.

Step 6
Command: authentication {local {rsa-sig | pre-share [key {0 | 6} password] | ecdsa-sig | eap [gtc | md5 | ms-chapv2] [username username] [password {0 | 6} password]} | remote {eap [query-identity | timeout seconds] | rsa-sig | pre-share [key {0 | 6} password] | ecdsa-sig}}
Example: Device(config-ikev2-profile)# authentication local ecdsa-sig
Purpose: Specifies the local or remote authentication method.
- rsa-sig: Specifies RSA-sig as the authentication method.
- pre-share: Specifies the preshared key as the authentication method.
- ecdsa-sig: Specifies ECDSA-sig as the authentication method.
- eap: Specifies EAP as the remote authentication method.
- query-identity: Queries the EAP identity from the peer.
- timeout seconds: Specifies the duration, in seconds, to wait for the next IKE_AUTH request after sending the first IKE_AUTH response.
Note: You can specify only one local authentication method but multiple remote authentication methods.

Step 7
Command: dpd interval retry-interval {on-demand | periodic}
Example: Device(config-ikev2-profile)# dpd 30 6 on-demand
Purpose: (Optional) Configures Dead Peer Detection (DPD) globally for peers matching the profile. DPD is disabled by default.

Step 8
Command: dynamic
Example: Device(config-ikev2-profile)# dynamic
Purpose: Configures a dynamic IKEv2 profile.
Note: When you configure a dynamic profile, you cannot configure local or remote authentication and identity using the command-line interface.

Step 9
Command: identity local {address {ipv4-address | ipv6-address} | dn | email email-string | fqdn fqdn-string | key-id opaque-string}
Example: Device(config-ikev2-profile)# identity local email abc@example.com
Purpose: (Optional) Specifies the local IKEv2 identity type.
Note: If the local authentication method is a preshared key, the default local identity is the IP address. If the local authentication method is a Rivest, Shamir, and Adleman (RSA) signature, the default local identity is a Distinguished Name.

Step 10
Command: initial-contact force
Example: Device(config-ikev2-profile)# initial-contact force
Purpose: Enforces initial contact processing if the initial contact notification is not received in the IKE_AUTH exchange.

Step 11
Command: ivrf name
Example: Device(config-ikev2-profile)# ivrf vrf1
Purpose: (Optional) Specifies a user-defined VPN routing and forwarding (VRF) instance, or the global VRF, if the IKEv2 profile is attached to a crypto map.
Note: IVRF specifies the VRF for cleartext packets. The default value for IVRF is FVRF.

Step 12
Command: keyring {local keyring-name | aaa list-name [name-mangler mangler-name | password password]}
Example: Device(config-ikev2-profile)# keyring aaa keyring1 name-mangler mangler1
Purpose: Specifies the local or AAA-based key ring that must be used with the local and remote preshared key authentication method.
Note: You can specify only one key ring. Local AAA is not supported for AAA-based preshared keys.
Note: When using AAA, the default password for a RADIUS access request is "cisco". You can use the password keyword within the keyring command to change the password.

Step 13
Command: lifetime seconds
Example: Device(config-ikev2-profile)# lifetime 1000
Purpose: Specifies the lifetime, in seconds, for the IKEv2 SA.

Step 14
Command: match {address local {ipv4-address | ipv6-address | interface name} | certificate certificate-map | fvrf {fvrf-name | any} | identity remote address {ipv4-address [mask] | ipv6-address prefix} | {email [domain string] | fqdn [domain string]} string | key-id opaque-string}
Example: Device(config-ikev2-profile)# match address local interface Ethernet 2/0
Purpose: Uses match statements to select an IKEv2 profile for a peer.

Step 15
Command: pki trustpoint trustpoint-label [sign | verify]
Example: Device(config-ikev2-profile)# pki trustpoint tsp1 sign
Purpose: Specifies Public Key Infrastructure (PKI) trustpoints for use with the RSA signature authentication method.
Note: If the sign or verify keyword is not specified, the trustpoint is used for both signing and verification.
Note: In contrast to IKEv1, a trustpoint must be configured in an IKEv2 profile for certificate-based authentication to succeed. There is no fallback to globally configured trustpoints if this command is not present in the configuration. The trustpoint configuration applies to both the IKEv2 initiator and the responder.

Step 16
Command: virtual-template number mode auto
Example: Device(config-ikev2-profile)# virtual-template 1 mode auto
Purpose: (Optional) Specifies the virtual template for cloning a virtual access interface (VAI).

Step 17
Command: shutdown
Example: Device(config-ikev2-profile)# shutdown
Purpose: (Optional) Shuts down the IKEv2 profile.

Step 18
Command: end
Example: Device(config-ikev2-profile)# end
Purpose: Exits the IKEv2 profile configuration mode and returns to the privileged EXEC mode.
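The steps above assembled into two complete IKEv2 profiles, as an added example that is not part of the original page: one static profile using certificate authentication and one using preshared keys from a local key ring. The names profile1, profile2, tsp1, keyring1, the hostnames under example.com, and the addresses 192.0.2.10 and 198.51.100.1 are constructed placeholders. The trustpoint tsp1 and the key ring keyring1 are assumed to be defined separately (with crypto pki trustpoint and crypto ikev2 keyring), which this procedure does not cover.

```cisco
! Added example, not from the original page. All names and addresses
! are constructed placeholders.
!
! Profile 1: site-to-site, certificate authentication. This is a static
! profile, so authentication and identity are set explicitly; a profile
! configured with "dynamic" (Step 8) would not accept these commands.
crypto ikev2 profile profile1
 description Site-to-site, certificate authentication
 match fvrf any
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication local rsa-sig
 authentication remote rsa-sig
 ! Required for certificate authentication: IKEv2 does not fall back to
 ! globally configured trustpoints (Step 15). With neither sign nor
 ! verify given, tsp1 is used for both.
 pki trustpoint tsp1
 dpd 30 6 on-demand
 lifetime 86400
 initial-contact force
!
! Profile 2: preshared keys from a local key ring. The remote peer is
! selected by its IKE identity, here an IPv4 address with a host mask.
crypto ikev2 profile profile2
 description Preshared-key profile
 match identity remote address 192.0.2.10 255.255.255.255
 identity local address 198.51.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring local keyring1
 dpd 30 6 periodic
!
end
! Display the accepted settings of both profiles.
show crypto ikev2 profile
```

Each profile carries at least one match identity remote statement (Step 14) and both a local and a remote authentication method (Step 6); IOS warns when you leave profile configuration mode with either missing, and show crypto ikev2 profile shows what was actually accepted. If profile2 instead fetched its keys with keyring aaa list-name, the Note under Step 12 applies: the RADIUS access request uses the default password "cisco" unless you set the password keyword on the keyring command.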