FlexVPN site to site with RSA-Sig authentication of IKEv2
An IKEv2 keyring is only needed when the peers authenticate with pre-shared keys; with RSA-Sig authentication the PKI trustpoint takes its place, so no keyring is configured below.
! R1
conf t
! Remove any previous trustpoint and RSA key pair, then generate a fresh labelled pair for enrollment
no crypto pki trustpoint Trusted-CA
yes
crypto key zeroize rsa
yes
crypto key generate rsa modulus 1024 label r1.cbtnuggets.com
! Trustpoint: enroll with the CA at 5.5.5.5 using the labelled key pair; revocation checking is disabled in this lab
crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r1.cbtnuggets.com
fqdn r1.cbtnuggets.com
subject-name CN=r1,O=cbtnuggets.com
revocation-check none
exit
crypto pki authenticate Trusted-CA
crypto pki enroll Trusted-CA
! Certificate map: the IKEv2 profile will only match peer certificates whose issuer name contains "cbtnuggets"
crypto pki certificate map CMAP 10
issuer-name co cbtnuggets
exit
crypto ikev2 proposal IKEv2-Proposal
encryption aes-cbc-128
integrity sha1
group 5
exit
crypto ikev2 policy IKEv2-Policy
proposal IKEv2-Proposal
exit
! IKEv2 profile: certificate (rsa-sig) authentication in both directions, local identity taken from the certificate DN
crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint Trusted-CA
exit
! IPsec transform set in transport mode (the tunnel interface supplies the encapsulation)
crypto ipsec transform-set Our-TSET esp-aes esp-sha-hmac
mode transport
exit
crypto ipsec profile IPsec-Profile
set transform-set Our-TSET
set ikev2-profile IKEv2-Profile
exit
! Tunnel interface protected by the IPsec profile; OSPF runs across it to exchange the loopback routes
interface Tunnel0
ip unnumbered loop 0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 25.0.0.2
tunnel protection ipsec profile IPsec-Profile
ip ospf 1 area 0
end
! R2
conf t
no crypto pki trustpoint Trusted-CA
yes
crypto key zeroize rsa
yes
crypto key generate rsa modulus 1024 label r2.cbtnuggets.com
crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r2.cbtnuggets.com
fqdn r2.cbtnuggets.com
subject-name CN=r2,O=cbtnuggets.com
revocation-check none
exit
crypto pki authenticate Trusted-CA
crypto pki enroll Trusted-CA
crypto pki certificate map CMAP 10
issuer-name co cbtnuggets
exit
crypto ikev2 proposal IKEv2-Proposal
encryption aes-cbc-128
integrity sha1
group 5
exit
crypto ikev2 policy IKEv2-Policy
proposal IKEv2-Proposal
exit
crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint Trusted-CA
exit
crypto ipsec transform-set Our-TSET esp-aes esp-sha-hmac
mode transport
exit
crypto ipsec profile IPsec-Profile
set transform-set Our-TSET
set ikev2-profile IKEv2-Profile
exit
interface Tunnel0
ip unnumbered loop 0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 15.0.0.1
tunnel protection ipsec profile IPsec-Profile
ip ospf 1 area 0
end
! Verification (run on either router)
show crypto ikev2 sa
show crypto ikev2 sa detail
show crypto engine connections active
show ip route ospf
ping 10.1.1.1 source 10.2.2.2
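As an added example (not part of the lab notes), a small Python audit of the security-relevant settings in the R1 block above: it flags the 1024-bit RSA modulus, SHA-1 integrity, DH group 5 and the disabled revocation check, and confirms that an rsa-sig profile is bound to a certificate map. The thresholds are conventional hardening choices assumed here, and the embedded config excerpt is constructed from the page's R1 commands.

```python
import re

# Constructed sample: the security-relevant lines of the R1 configuration
# from the lab notes, reduced to what the checks below look at.
R1_CONFIG = """\
crypto key generate rsa modulus 1024 label r1.cbtnuggets.com
crypto pki trustpoint Trusted-CA
 revocation-check none
crypto ikev2 proposal IKEv2-Proposal
 encryption aes-cbc-128
 integrity sha1
 group 5
crypto ikev2 profile IKEv2-Profile
 identity local dn
 match certificate CMAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
"""

# Assumed hardening thresholds (not values taken from the lab notes).
WEAK_DH_GROUPS = {1, 2, 5}        # 768/1024/1536-bit MODP groups
MIN_RSA_BITS = 2048

def audit_flexvpn(config: str) -> list[str]:
    """Return human-readable findings for weak or missing settings."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:
        if m := re.match(r"crypto key generate rsa modulus (\d+)", ln):
            bits = int(m.group(1))
            if bits < MIN_RSA_BITS:
                findings.append(f"RSA modulus {bits} < {MIN_RSA_BITS} bits")
        elif ln == "revocation-check none":
            findings.append("trustpoint skips certificate revocation checks")
        elif m := re.match(r"integrity (\S+)", ln):
            if m.group(1) in ("sha1", "md5"):
                findings.append(f"IKEv2 integrity {m.group(1)} is deprecated")
        elif m := re.match(r"group (\d+)", ln):
            if int(m.group(1)) in WEAK_DH_GROUPS:
                findings.append(f"DH group {m.group(1)} is weak")
    # rsa-sig only proves the peer holds a certificate chaining to the
    # trustpoint; the certificate map is what restricts which certificates
    # the profile accepts, so its absence is worth flagging.
    if "authentication remote rsa-sig" in lines and not any(
            ln.startswith("match certificate") for ln in lines):
        findings.append("rsa-sig profile has no 'match certificate' rule")
    return findings

if __name__ == "__main__":
    for finding in audit_flexvpn(R1_CONFIG):
        print("WARN:", finding)
```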