IPsec IKEv2 Example
An example using IKEv2 would look similar to the configuration example shown in Table 6 and Table 7.
Table 6: IPsec IKEv2 Example—ASA1
|
1 |
Create and enter IKEv2 policy configuration mode. |
asa1(config)#crypto ikev2 policy 1 |
|
2 |
Configure an encryption method. |
asa1(config-ikev2-policy)#encryption aes |
|
3 |
Configure a hash method. |
asa1(config-ikev2-policy)#integrity sha |
|
4 |
Configure a Diffie-Hellman (DH) group. |
asa1(config-ikev2-policy)#group 2 |
|
5 |
Configure the Pseudo-Random Function (PRF). |
asa1(config-ikev2-policy)#prf sha |
|
6 |
Configure the IKE SA lifetime. |
asa1(config-ikev2-polocy)#lifetime seconds 86400 |
|
7 |
Enable IKEv2 on an interface. |
asa1(config)#crypto ikev2 enable outside |
|
8 |
Create an IKEv2 Proposal and enter proposal configuration mode. |
asa1(config)#crypto ipsec ikev2 ipsec-proposal ikev2-proposal |
|
9 |
Configure the IKEv2 proposal encryption method. |
asa1(config-ipsec-proposal)#protocol esp encryption aes |
|
10 |
Configure the IKEv2 proposal authentication method. |
asa1(config-ipsec-proposal)#protocol esp integrity sha-1 |
|
11 |
Create an access-list to specify the interesting traffic to be encrypted within the IPsec tunnel. |
asa1(config)# access-list ikev2-list extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 |
|
12 |
Specify the tunnel group type. |
asa1(config)#tunnel-group 10.10.10.2 type ipsec-l2l |
|
13 |
Enter IPsec tunnel attribute configuration mode. |
asa1(config)#tunnel-group 10.10.10.2 ipsec-attributes |
|
14 |
Configure the local IPsec tunnel pre-shared key or certificate trustpoint. |
asa1(config-tunnel-ipsec)#ikev2 local-authentication pre-shared-key this_is_a_key |
|
15 |
Configure the remote IPsec tunnel pre-shared key or certificate trustpoint. |
asa1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key this_is_a_key |
|
16 |
Create a crypto map and match based on the previously created ACL. |
asa1(config)#crypto map ikev2-map 1 match address ikev2-list |
|
17 |
Configure the peer IP address. |
asa1(config)#crypto map ikev2-map 1 set peer 10.10.10.2 |
|
18 |
Assign the previously created proposal. |
asa1(config)#crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal |
|
19 |
Apply the crypto map to an interface. |
asa1(config)#crypto map ikev2-map interface outside |
Table 7: IPsec IKEv2 Example—ASA2
|
1 |
Create and enter IKEv2 policy configuration mode. |
asa(config)#crypto ikev2 policy 1 |
|
2 |
Configure an encryption method. |
asa(config-ikev2-policy)#encryption aes |
|
3 |
Configure a hash method. |
asa(config-ikev2-policy)#integrity sha |
|
4 |
Configure a Diffie-Hellman (DH) group. |
asa(config-ikev2-policy)#group 2 |
|
5 |
Configure the Pseudo-Random Function (PRF). |
asa(config-ikev2-policy)#prf sha |
|
6 |
Configure the IKE SA lifetime. |
asa(config-ikev2-polocy)#lifetime seconds 86400 |
|
7 |
Enable IKEv2 on an interface. |
asa(config)#crypto ikev2 enable outside |
|
8 |
Create an IKEv2 Proposal and enter proposal configuration mode. |
asa(config)#crypto ipsec ikev2 ipsec-proposal ikev2-proposal |
|
9 |
Configure the IKEv2 proposal encryption method. |
asa(config-ipsec-proposal)#protocol esp encryption aes |
|
10 |
Configure the IKEv2 proposal authentication method |
asa(config-ipsec-proposal)#protocol esp integrity sha-1 |
|
11 |
Create an access-list to specify the interesting traffic to be encrypted within the IPsec tunnel. |
asa(config)# access-list ikev2-list extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 |
|
12 |
Specify the tunnel group type. |
asa(config)#tunnel-group 10.10.10.1 type ipsec-l2l |
|
13 |
Enter IPsec tunnel attribute configuration mode. |
asa(config)#tunnel-group 10.10.10.1 ipsec-attributes |
|
14 |
Configure the local IPsec tunnel pre-shared key or certificate trustpoint. |
asa(config-tunnel-ipsec)#ikev2 local-authentication pre-shared-key this_is_a_key |
|
15 |
Configure the remote IPsec tunnel pre-shared key or certificate trustpoint. |
asa(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key this_is_a_key |
|
16 |
Create a crypto map and match based on the previously created ACL. |
asa(config)#crypto map ikev2-map 1 match address ikev2-list |
|
17 |
Configure the peer IP address. |
asa(config)#crypto map ikev2-map 1 set peer 10.10.10.1 |
|
18 |
Assign the previously created proposal. |
asa(config)#crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal |
|
19 |
Apply the crypto map to an interface. |
asa(config)#crypto map ikev2-map interface outside |
Summary
As is obvious from the examples shown in this article, the configuration of IPsec can be long, but the thing to really remember is that none of this is really all that complex once the basics of how the connection established has been learned.
For those reading this article with little or no IPsec experience, focus on the fundamentals of how the connection is made, including more in-depth coverage that is not covered in this article.
The content of this article, at the very least, explains the basic concepts and furnishes some basic examples that can be used in further learning, either with physical ASAs or with programs such as GNS3, which allow for the emulation of ASA software.