Step 1: enable
Example: Device> enable
Enables privileged EXEC mode.
Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.
Step 3: crypto ikev2 authorization policy policy-name
Example: Device(config)# crypto ikev2 authorization policy policy1
Specifies the IKEv2 authorization policy and enters IKEv2 authorization policy configuration mode.
Step 4: aaa attribute list list-name
Example: Device(config-ikev2-author-policy)# aaa attribute list list1
Specifies an AAA attribute list whose attributes are applied to the session.
Note: The AAA attribute list referred to in this command must be defined in global configuration mode (with the global aaa attribute list command) before it is referenced here.
Step 5: backup-gateway string
Example: Device(config-ikev2-author-policy)# backup-gateway gateway1
Specifies a backup server name that the client can use; repeat the command to specify up to ten backup server names. This parameter is pushed to the client via the nonstandard Cisco Unity configuration attribute.
Step 6: banner banner-text
Example: Device(config-ikev2-author-policy)# banner This is IKEv2
Specifies the banner. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute.
Step 7: configuration url url
Example: Device(config-ikev2-author-policy)# configuration url http://www.cisco.com
Specifies the configuration URL from which the client can download its configuration. This parameter is sent to the client via the nonstandard Cisco FlexVPN configuration attribute.
Step 8: configuration version version
Example: Device(config-ikev2-author-policy)# configuration version 2.4
Specifies the configuration version. This parameter is sent to the client via the nonstandard Cisco FlexVPN configuration attribute, together with the configuration URL, to tell the client which version it can download.
Step 9: def-domain domain-name
Example: Device(config-ikev2-author-policy)# def-domain cisco
Specifies the default domain that the client can use. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute.
Step 10: dhcp {giaddr ip-address | server {ip-address | hostname} | timeout seconds}
Example: Device(config-ikev2-author-policy)# dhcp giaddr 192.0.2.1
Specifies the DHCP server that leases the IP address assigned to the remote access client.
- giaddr ip-address: Specifies the gateway IP address (giaddr) placed in the DHCP request.
- server {ip-address | hostname}: Specifies the IP address or hostname of the DHCP server. The hostname is resolved at configuration time, not at lease time.
- timeout seconds: Specifies the wait time in seconds for the response from the DHCP server.
Note: You can specify only one DHCP server. It is assumed that the DHCP server can be reached via the global routing table, and therefore the DHCP packets are forwarded to the global routing table.
Step 11: [ipv6] dns primary-server [secondary-server]
Example: Device(config-ikev2-author-policy)# dns 198.51.100.1 198.51.100.100
Specifies the IP addresses of the primary and secondary Domain Name Service (DNS) servers that are sent to the client in the configuration reply.
- ipv6: (Optional) Specifies IPv6 addresses for the DNS servers. To specify IPv4 addresses, execute the command without this keyword.
- primary-server: IP address of the primary DNS server.
- secondary-server: (Optional) IP address of the secondary DNS server.
Step 12: include-local-lan
Example: Device(config-ikev2-author-policy)# include-local-lan
Includes the local LAN, that is, lets the client keep reaching its local subnet while the tunnel is up. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute.
Step 13: ipsec flow-limit number
Example: Device(config-ikev2-author-policy)# ipsec flow-limit 12500
Specifies the maximum number of IPsec SAs that an IKEv2 dynamic virtual tunnel interface (dVTI) session on the IKEv2 responder can have. The range is from 0 to 50000.
By default, the command is disabled and there is no limit on the number of IPsec flows per dVTI session. A value of 0 does not allow any IPsec SAs, so a client matching such a policy cannot bring up any IPsec traffic.
Step 14: netmask mask
Example: Device(config-ikev2-author-policy)# netmask 255.255.255.0
Specifies the netmask of the subnet from which the IP address is assigned to the client.
Step 15: pfs
Example: Device(config-ikev2-author-policy)# pfs
Enables Perfect Forward Secrecy (PFS). This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute and tells the client that it should use PFS, so that each IPsec SA rekey performs a fresh Diffie-Hellman exchange instead of deriving keys from the IKE SA alone.
Step 16: [ipv6] pool name
Example: Device(config-ikev2-author-policy)# pool abc
Defines the local IP address pool used to assign IP addresses to the remote access client.
- ipv6: (Optional) Specifies an IPv6 address pool. To specify an IPv4 address pool, execute the command without this keyword.
- name: Name of the local IP address pool.
Note: The local IP address pool must already be defined using the ip local pool command (or ipv6 local pool for an IPv6 pool).
Step 17: route set {interface interface | access-list {access-list-name | access-list-number | expanded-access-list-number | ipv6 access-list-name}}
Example: Device(config-ikev2-author-policy)# route set interface
Specifies the route set parameters sent to the peer via configuration mode, which allows routing protocols such as Border Gateway Protocol (BGP) to run over the VPN.
- interface: Specifies the route interface.
- access-list: Specifies the route access list.
- access-list-name: Access list name.
- access-list-number: Standard access list number.
- expanded-access-list-number: Expanded access list number.
- ipv6: Specifies an IPv6 access list.
Step 18: route accept any [tag value] [distance value]
Example: Device(config-ikev2-author-policy)# route accept any tag 10
Filters the routes received from the peer and specifies the tag and administrative distance with which those routes are installed as static routes.
- any: Accepts all routes received from the peer.
- tag value: (Optional) Specifies the tag ID for the static routes added by IKEv2. The range is from 1 to 497777.
- distance value: (Optional) Specifies the administrative distance for the static routes added by IKEv2. The range is from 1 to 255.
Step 19: route set remote {ipv4 ip-address mask | ipv6 ip-address/mask}
Example: Device(config-ikev2-author-policy)# route set remote ipv6 2001:DB8::1/32
Configures the IP addresses of inside networks that are advertised to the peer.
Step 20: smartcard-removal-disconnect
Example: Device(config-ikev2-author-policy)# smartcard-removal-disconnect
Enables smartcard removal disconnect: the client should terminate the session when the smart card is removed. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute.
Step 21: split-dns string
Example: Device(config-ikev2-author-policy)# split-dns abc1
Specifies a domain name that the client should resolve through the VPN (private network) rather than through its local DNS; repeat the command to specify up to ten split domain names. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute.
Step 22: session-lifetime seconds
Example: Device(config-ikev2-author-policy)# session-lifetime 1000
Specifies the IKEv2 session lifetime in seconds.
Step 23: route set access-list {acl-number | [ipv6] acl-name}
Example: Device(config-ikev2-author-policy)# route set access-list 110
Specifies the subnets that are pushed to the remote peer via configuration mode.
- acl-number: Access control list (ACL) number. An ACL number can only be specified for an IPv4 ACL.
- ipv6: (Optional) Specifies an IPv6 ACL. To specify an IPv4 ACL, execute the command without this keyword.
- acl-name: Access list name.
Note: You can only specify standard, simple access lists for IPv4 addresses.
Step 24: wins primary-server [secondary-server]
Example: Device(config-ikev2-author-policy)# wins 203.0.113.1 203.0.113.115
Specifies the internal Windows Internet Naming Service (WINS) server addresses that are sent to the client in the configuration reply.
Step 25: end
Example: Device(config-ikev2-author-policy)# end
Exits IKEv2 authorization policy configuration mode and returns to privileged EXEC mode.
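The steps above assembled into one complete configuration, added here as a worked example; it is not taken from the original page or from Cisco's own examples. The policy name, list name, pool name, ACL names and numbers, addresses and the attribute placed in list1 are all assumptions chosen for illustration. The prerequisite objects that the notes in Steps 4, 16 and 23 require (the global AAA attribute list, the local pool, and a standard IPv4 ACL) are created first so that every reference in the policy resolves.

```cisco
! Added example, not the page's own configuration. Names and addresses are
! assumptions. Comment lines begin with "!" as in a Cisco IOS configuration.
!
! --- Prerequisites, global configuration mode ---
aaa new-model
! Local authorization so the policy name below can be returned as the
! authorization data for a matching session.
aaa authorization network default local
!
! Global AAA attribute list referenced by Step 4 (must exist first).
! The interface-config attribute is only an illustrative value.
aaa attribute list list1
 attribute type interface-config "ip mtu 1400"
!
! Local pool referenced by Step 16 (must exist before "pool abc").
ip local pool abc 192.0.2.100 192.0.2.200
!
! Step 23 accepts only standard IPv4 ACLs: use a standard number (1-99).
access-list 10 permit 10.10.0.0 0.0.255.255
!
! Named IPv6 ACL for the "route set access-list ipv6" form.
ipv6 access-list V6-INSIDE
 permit ipv6 2001:DB8:10::/48 any
!
! --- The authorization policy, Steps 3 to 25 ---
crypto ikev2 authorization policy policy1
 aaa attribute list list1
 backup-gateway gateway1
 backup-gateway gateway2
 banner This is IKEv2
 configuration url http://www.cisco.com
 configuration version 2.4
 def-domain cisco
 dns 198.51.100.1 198.51.100.100
 include-local-lan
 ! Cap IPsec SAs per dVTI session; 0 would deny every IPsec SA.
 ipsec flow-limit 12500
 netmask 255.255.255.0
 pfs
 ! Addresses come from the local pool in this example. The DHCP form of
 ! Step 10 is the alternative; the DHCP server is reached via the global
 ! routing table, so it must be routable there.
 pool abc
 ! dhcp giaddr 192.0.2.1
 ! dhcp server 192.0.2.2
 ! dhcp timeout 10
 ! Advertise the tunnel interface address to the peer (Step 17).
 route set interface
 ! Accept peer routes, installed as static routes with tag 10, distance 10.
 route accept any tag 10 distance 10
 ! Inside networks advertised to the peer (Step 19).
 route set remote ipv4 10.10.0.0 255.255.0.0
 route set remote ipv6 2001:DB8::/32
 smartcard-removal-disconnect
 split-dns abc1
 split-dns abc2
 session-lifetime 1000
 ! Subnets pushed to the peer via configuration mode (Step 23).
 route set access-list 10
 route set access-list ipv6 V6-INSIDE
 wins 203.0.113.1 203.0.113.115
 end
```

After entering the configuration, `show crypto ikev2 authorization policy policy1` displays the policy as parsed by the device, which is the quickest way to confirm that the pool, attribute list and ACL references resolved. The policy only takes effect for a session when an IKEv2 profile selects it; in a FlexVPN server that is done with the profile's `aaa authorization group` command pointing at the AAA network list (here `default`, served locally), which is outside the procedure on this page.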