IKEv2 between two IOS routers (crypto map way)


Up to now, we saw how to build an IKEv2 tunnel between two ASA firewalls and an IKEv2 tunnel between an ASA firewall and an IOS router. We now have solid knowledge of IKEv2, so this article will be a short one. We will configure two IOS routers to establish an IKEv2 tunnel using “the old way”, crypto maps. Here is our topology:

[Topology diagram image: 29-Jan-2015 1-17-35 PM]

If we did our job in the previous two articles, there is no need for further explanation in this post. We can take the ROUTER-B configuration from the previous post, change it to be a mirror image with regard to the crypto domain, routing and so on, and use it for ROUTER-A. Below are our configurations; we can simply paste them in. This way of configuring routers is called the old way or the crypto map way, because a crypto map holds all the parameters (peer, transform-set, IKEv2 profile and crypto ACL) together, and that crypto map is tied to the outside interface. The other, modern way uses tunnel interfaces (SVTI). More about that in the next blog post.

ROUTER-A:

!
hostname ROUTER-A
!
! IKEv2 proposal: ciphers for the IKE SA. Group 5 is 1536-bit MODP DH, which
! Cisco's Next Generation Encryption guidance lists as legacy; group 14 or
! higher is the current recommendation.
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 5
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
!
! Keyring: our local key must equal the peer's remote key, and vice versa.
crypto ikev2 keyring IKEv2_KEYRING
 peer ROUTER-B
  address 1.1.1.2
  pre-shared-key local keya-b
  pre-shared-key remote keyb-a
!
! Profile: which peer we accept, how both sides authenticate, which keyring.
crypto ikev2 profile IKEv2_PROFILE
 match identity remote address 1.1.1.2 255.255.255.255
 identity local address 1.1.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING
!
! IPsec (child SA) transform-set
crypto ipsec transform-set IPSEC_TSET1 esp-aes 256 esp-sha-hmac
!
! The crypto map ties peer, transform-set, IKEv2 profile and crypto ACL together.
crypto map IKEv2_MAP 1000 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set IPSEC_TSET1
 set ikev2-profile IKEv2_PROFILE
 match address COMPANY_A_B_CRYPTO
!
interface FastEthernet0/0
 description ===== INSIDE INTERFACE =====
 ip address 10.100.1.1 255.255.255.252
 no shutdown
!
! The crypto map is applied on the outside interface only.
interface FastEthernet2/0
 description ===== OUTSIDE INTERFACE =====
 ip address 1.1.1.1 255.255.255.0
 crypto map IKEv2_MAP
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
! Crypto ACL: the interesting traffic, inside A <-> inside B (mirrored on ROUTER-B).
ip access-list extended COMPANY_A_B_CRYPTO
 permit ip 10.100.1.0 0.0.0.3 10.100.2.0 0.0.0.3
!
end

 

ROUTER-B:

!
hostname ROUTER-B
!
! Mirror image of ROUTER-A: same proposal and transform-set, peer addresses,
! keys and crypto ACL swapped.
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 5
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
!
crypto ikev2 keyring IKEv2_KEYRING
 peer ROUTER-A
  address 1.1.1.1
  pre-shared-key local keyb-a
  pre-shared-key remote keya-b
!
crypto ikev2 profile IKEv2_PROFILE
 match identity remote address 1.1.1.1 255.255.255.255
 identity local address 1.1.1.2
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING
!
crypto ipsec transform-set IPSEC_TSET1 esp-aes 256 esp-sha-hmac
!
crypto map IKEv2_MAP 1000 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set IPSEC_TSET1
 set ikev2-profile IKEv2_PROFILE
 match address COMPANY_B_A_CRYPTO
!
! On ROUTER-B the outside interface is FastEthernet0/0; the crypto map goes here.
interface FastEthernet0/0
 description ===== OUTSIDE INTERFACE =====
 ip address 1.1.1.2 255.255.255.0
 crypto map IKEv2_MAP
 no shutdown
!
interface FastEthernet2/0
 description ===== INSIDE INTERFACE =====
 ip address 10.100.2.2 255.255.255.252
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! Crypto ACL: source and destination swapped relative to ROUTER-A.
ip access-list extended COMPANY_B_A_CRYPTO
 permit ip 10.100.2.0 0.0.0.3 10.100.1.0 0.0.0.3
!
end
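As an added example that is not part of the original post: a small Python checker that parses the two configurations above and confirms they are mirror images, which is what the copy-ROUTER-B-and-flip procedure relies on. It checks peer addresses against the other side's local identity, cross-matches the pre-shared keys, compares proposal and transform-set, verifies the crypto ACLs are swapped, and confirms the crypto map sits on the interface holding the local identity address. The config strings inside are trimmed copies of ROUTER-A and ROUTER-B from above; the regexes, field names and the `keyab` typo are this example's own assumptions, not an IOS parser or anything from the post.

```python
# Added example (not from the post): check that two IOS crypto-map IKEv2 configs
# are mirror images, as the copy-and-flip step above requires.
import re

# Trimmed copies of the post's configs: only the lines the checker reads, unchanged.
ROUTER_A = """
hostname ROUTER-A
encryption aes-cbc-256
integrity sha512
group 5
address 1.1.1.2
pre-shared-key local keya-b
pre-shared-key remote keyb-a
match identity remote address 1.1.1.2 255.255.255.255
identity local address 1.1.1.1
crypto ipsec transform-set IPSEC_TSET1 esp-aes 256 esp-sha-hmac
set peer 1.1.1.2
match address COMPANY_A_B_CRYPTO
interface FastEthernet2/0
ip address 1.1.1.1 255.255.255.0
crypto map IKEv2_MAP
ip access-list extended COMPANY_A_B_CRYPTO
permit ip 10.100.1.0 0.0.0.3 10.100.2.0 0.0.0.3
"""
ROUTER_B = """
hostname ROUTER-B
encryption aes-cbc-256
integrity sha512
group 5
address 1.1.1.1
pre-shared-key local keyb-a
pre-shared-key remote keya-b
match identity remote address 1.1.1.1 255.255.255.255
identity local address 1.1.1.2
crypto ipsec transform-set IPSEC_TSET1 esp-aes 256 esp-sha-hmac
set peer 1.1.1.1
match address COMPANY_B_A_CRYPTO
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
crypto map IKEv2_MAP
ip access-list extended COMPANY_B_A_CRYPTO
permit ip 10.100.2.0 0.0.0.3 10.100.1.0 0.0.0.3
"""

PATTERNS = {  # single-valued settings, each regex anchored at line start
    "hostname": r"^hostname (\S+)", "encryption": r"^encryption (\S+)",
    "integrity": r"^integrity (\S+)", "group": r"^group (\S+)",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "keyring_peer": r"^address (\S+)", "psk_local": r"^pre-shared-key local (\S+)",
    "psk_remote": r"^pre-shared-key remote (\S+)",
    "match_remote": r"^match identity remote address (\S+)",
    "identity_local": r"^identity local address (\S+)",
    "set_peer": r"^set peer (\S+)", "crypto_acl": r"^match address (\S+)",
}

def parse_ios(cfg):
    """Extract the parameters that must agree between two crypto-map peers."""
    d = {}
    for k, p in PATTERNS.items():
        m = re.search(p, cfg, re.M)
        d[k] = m.group(1).strip() if m else None
    d["acl"], d["crypto_map_ip"], acl, ip = {}, None, None, None
    for w in filter(None, (line.split() for line in cfg.splitlines())):
        if w[:3] == ["ip", "access-list", "extended"]:
            acl = d["acl"].setdefault(w[3], [])
        elif w[:2] == ["permit", "ip"] and acl is not None:
            acl.append(tuple(w[2:6]))            # (src, src_wc, dst, dst_wc)
        elif w[0] == "interface":
            ip = None                            # new interface block starts
        elif w[:2] == ["ip", "address"]:
            ip = w[2]
        elif w[:2] == ["crypto", "map"] and ip:   # crypto map applied on an interface
            d["crypto_map_ip"] = ip
    return d

def check_mirror(a, b):
    """Return mismatches between two parsed configs; [] means they mirror."""
    problems = []
    for x, y in ((a, b), (b, a)):
        tag = f"{x['hostname']}->{y['hostname']}"
        for field in ("set_peer", "keyring_peer", "match_remote"):
            if x[field] != y["identity_local"]:
                problems.append(f"{tag}: {field} {x[field]} != {y['identity_local']}")
        if x["psk_local"] != y["psk_remote"]:
            problems.append(f"{tag}: pre-shared-key local/remote do not cross-match")
        if x["crypto_map_ip"] != x["identity_local"]:
            problems.append(f"{x['hostname']}: crypto map is not on the interface "
                            f"holding {x['identity_local']}")
    for k in ("encryption", "integrity", "group", "transform"):
        if a[k] != b[k]:
            problems.append(f"{k} differs: {a[k]} vs {b[k]}")
    flipped = {(d, dw, s, sw) for s, sw, d, dw in a["acl"].get(a["crypto_acl"], [])}
    if flipped != set(b["acl"].get(b["crypto_acl"], [])):
        problems.append("crypto ACLs are not mirror images of each other")
    return problems

if __name__ == "__main__":
    print(check_mirror(parse_ios(ROUTER_A), parse_ios(ROUTER_B)))   # []
    # Constructed fault: ROUTER-B typed the wrong remote key -> one mismatch reported.
    print(check_mirror(parse_ios(ROUTER_A), parse_ios(ROUTER_B.replace("keya-b", "keyab"))))
```

Run as-is it prints an empty list for the post's configurations and then a single pre-shared-key mismatch for the constructed typo in ROUTER-B's remote key. The same check catches a crypto ACL that was copied but not flipped, a mistake that otherwise only surfaces when the child SA negotiation fails, and a crypto map left on the inside interface.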
