
Thursday, January 28, 2016

FlexVPN Smart Defaults


! R1
!
! Confirm underlay reachability to the peer (R2) before adding crypto.

ping 25.0.0.2 source 15.0.0.1

! Inspect the IKEv2 / IPsec "smart defaults" before changing any of them.

show crypto ikev2 proposal default

show crypto ikev2 policy default

show crypto ipsec transform-set default

show crypto ipsec profile default

conf t

! Throwaway edit of the default proposal, used only to show that the
! default can be overridden and then restored (DH group 2 is 1024-bit MODP;
! it is not what R1 ends up using below).

crypto ikev2 proposal default
encryption aes-cbc-256
integrity sha256
group 2
exit

do show crypto ikev2 proposal default

! reset the defaults

default crypto ikev2 proposal

do show crypto ikev2 proposal default

! customize the one R1 will use
! Strongest options listed first; DH 20 = 384-bit ECP, 16/15/14 = 4096/3072/2048-bit MODP.
! The peer must offer at least one matching encryption/integrity/group combination.

crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192
integrity sha512 sha384 sha256
group 20 16 15 14
exit

do show crypto ikev2 proposal default

! Keyring holding the PSK for peer R2; "cisco123" is a lab value only,
! replace it with a long random secret outside the lab.

crypto ikev2 keyring Our-Keys
peer R2
address 25.0.0.2
identity address 25.0.0.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
exit
exit

! IKEv2 profile: selected when the remote identity is 25.0.0.2,
! both sides authenticate with the PSK from Our-Keys.
! lifetime is the local IKEv2 SA lifetime in seconds; it is not negotiated,
! so the peer's value need not match.

crypto ikev2 profile default
match identity remote address 25.0.0.2
identity local address 15.0.0.1
authentication local pre-share
authentication remote pre-share
keyring local Our-Keys
lifetime 7200
exit

do show crypto ipsec transform-set

! esp-gcm 256 is AES-GCM-256, a combined-mode cipher, so no separate
! ESP integrity algorithm is configured.

crypto ipsec transform-set default esp-gcm 256
exit

do show crypto ipsec transform-set

! ipsec profile

do show crypto ipsec profile default

! Add PFS (DH group 20, 384-bit ECP) to the default IPsec profile.

crypto ipsec profile default
set pfs group20
exit

do show crypto ipsec profile default

! Point-to-point IPsec VTI towards R2; the tunnel borrows loopback 0's
! address and is placed in OSPF area 0 so routes are learned over it.

int tun 5
tunnel mode ipsec ipv4
ip unnumbered loop 0
tunnel source e0/0
tunnel destination 25.0.0.2
ip ospf 1 area 0
tunnel protection ipsec profile default
end

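! R2
!
! Mirror of the R1 configuration with the addresses swapped.

conf t

! Same ordered proposal as R1 so the IKEv2 negotiation has a match.

crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192
integrity sha512 sha384 sha256
group 20 16 15 14
exit

do show crypto ikev2 proposal default

do show crypto ikev2 policy default

! Keyring holding the PSK for peer R1; "cisco123" is a lab value only,
! replace it with a long random secret outside the lab.

crypto ikev2 keyring Our-Keys
peer R1
address 15.0.0.1
identity address 15.0.0.1
pre-shared-key local cisco123
pre-shared-key remote cisco123
exit
exit

! IKEv2 profile: selected when the remote identity is 15.0.0.1,
! both sides authenticate with the PSK from Our-Keys.

crypto ikev2 profile default
match identity remote address 15.0.0.1
identity local address 25.0.0.2
authentication local pre-share
authentication remote pre-share
keyring local Our-Keys
! lifetime is the local IKEv2 SA lifetime in seconds; it is not negotiated,
! so this need not be exactly the same as R1's value.
lifetime 7200
exit

! esp-gcm 256 is AES-GCM-256, a combined-mode cipher, so no separate
! ESP integrity algorithm is configured.

crypto ipsec transform-set default esp-gcm 256
exit

! Add PFS (DH group 20, 384-bit ECP) to the default IPsec profile.

crypto ipsec profile default
set pfs group20
exit

! Point-to-point IPsec VTI towards R1; the tunnel borrows loopback 0's
! address and is placed in OSPF area 0 so routes are learned over it.

int tun 5
tunnel mode ipsec ipv4
ip unnumbered loop 0
tunnel source e0/0
tunnel destination 15.0.0.1
ip ospf 1 area 0
tunnel protection ipsec profile default
end

! Verification: the IKEv2 SA should now be up towards 15.0.0.1.

show crypto ikev2 sa

show crypto ikev2 sa detail

! Dead peer detection: probe every 60 s with a 2 s retry interval,
! only when there is traffic waiting to be sent (on-demand).

conf t
crypto ikev2 dpd 60 2 on-demand
end

show crypto engine connections active

! Tear down the SA so it is re-established with the DPD setting applied.

clear crypto ikev2 sa

show crypto ikev2 sa detail

! Routing over the tunnel: OSPF adjacency and routes learned through Tunnel5.

show ip ospf neighbor

show ip route ospf

! Traffic test between the two sides (10.1.1.1 / 10.2.2.2 are presumably
! the loopback 0 addresses; not shown in this listing).

ping 10.1.1.1 source 10.2.2.2 repeat 1000

! Packet counters on the active IPsec SAs should increase after the ping.

show crypto engine connections active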



