| Feature Name | Releases | Feature Information |
|---|---|---|
| FlexVPN Config Simplification | 15.3(3)M | The FlexVPN Config Simplification feature simplifies IKEv2 configuration, thereby making the IKEv2 system manageable and scalable. The following commands were introduced or modified: identity (IKEv2 keyring), authentication, match (IKEv2 profile). |
| IKEv2 Site to Site | 15.1(1)T, 15.2(4)S, 15.1(1)SY, Cisco IOS XE Release 3.3S | IKEv2 is a component of IP Security (IPsec) and is used for performing mutual authentication and for establishing and maintaining security associations (SAs). The following commands were introduced or modified: aaa accounting (IKEv2 profile), address (IKEv2 keyring), authentication (IKEv2 profile), crypto ikev2 keyring, crypto ikev2 policy, crypto ikev2 profile, crypto ikev2 proposal, description (IKEv2 keyring), dpd, encryption (IKEv2 proposal), hostname (IKEv2 keyring), group (IKEv2 proposal), identity (IKEv2 keyring), identity local, integrity (IKEv2 proposal), ivrf, keyring, lifetime (IKEv2 profile), match (IKEv2 profile), nat, peer, pki trustpoint, pre-shared-key (IKEv2 keyring), proposal, virtual-template (IKEv2 profile), clear crypto ikev2 sa, clear crypto ikev2 stat, clear crypto session, debug crypto ikev2, show crypto ikev2 diagnose error, show crypto ikev2 policy, show crypto ikev2 profile, show crypto ikev2 proposal, show crypto ikev2 sa, show crypto ikev2 session, show crypto ikev2 stats, show crypto session, show crypto socket. |
| IKEv2 Dynamic Routing Support | 15.6(3)M2 | With IKEv2 static routing, route information is exchanged only during initial session bring-up. The IKEv2 Dynamic Routing Support feature enables the exchange of route information even after a session is established. Changes in routing information, such as the addition or deletion of routes, can be propagated from the FlexVPN client to the FlexVPN server. The route information is carried in IKEv2 informational exchange messages. The following commands were introduced or modified: crypto ikev2 route redistribute, route redistribute, show crypto ikev2 sa, show crypto session. |
| IPv6 Support for IPsec and IKEv2 | Cisco IOS XE Release 3.12S | This feature allows IPv6 addresses to be used with the IPsec and IKEv2 protocols. The following commands were introduced or modified: address (IKEv2 keyring), identity (IKEv2 keyring), identity local, match (IKEv2 policy), match (IKEv2 profile), show crypto ikev2 session, show crypto ikev2 sa, show crypto ikev2 profile, show crypto ikev2 policy, debug crypto condition, clear crypto ikev2 sa. |
| Suite-B Support in IOS SW Crypto | 15.1(2)T, Cisco IOS XE Release 3.7S | Suite-B adds support for the SHA-2 family (HMAC variant) of hash algorithms, used to authenticate packet data and to verify integrity in the IKEv2 proposal configuration. HMAC is a variant that provides an additional level of hashing. Suite-B also allows the Elliptic Curve Digital Signature Algorithm (ECDSA) signature (ECDSA-sig), as defined in RFC 4754, to be the authentication method for IKEv2. Suite-B requirements comprise four user interface suites of cryptographic algorithms for use with IKE and IPsec, as described in RFC 4869. Each suite consists of an encryption algorithm, a digital signature algorithm, a key agreement algorithm, and a hash or message digest algorithm. See the Configuring Security for VPNs with IPsec module for more information about Cisco IOS Suite-B support. The following commands were introduced or modified: authentication, group, identity (IKEv2 profile), integrity, match (IKEv2 profile). |
| Support of AES-GCM as an IKEv2 Cipher on IOS | 15.4(2)T, Cisco IOS XE Release 3.12S | The AES-GCM Support on IKEv2 feature describes the use of authenticated encryption algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) protocol by adding the Advanced Encryption Standard (AES) in Galois/Counter Mode (AES-GCM). The following commands were introduced or modified: encryption (IKEv2 proposal), prf, show crypto ikev2 proposal. |
| Tunnel Mode Auto Selection | 15.4(2)T, Cisco IOS XE Release 3.12S | The Tunnel Mode Auto Selection feature eases configuration and spares you from having to know the responder's details. This feature automatically applies the tunneling protocol (GRE or IPsec) and the transport protocol (IPv4 or IPv6) on the virtual template as soon as the IKE profile creates the virtual access interface. The following commands were introduced or modified: virtual-template (IKEv2 profile), show crypto ikev2 profile. |
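The following configuration is an added example, not taken from the Cisco documentation this table belongs to, showing how several of the features above fit together on a FlexVPN hub: an IKEv2 proposal that uses AES-GCM as the IKEv2 cipher (so no separate integrity algorithm is configured and the PRF is set explicitly, as the AES-GCM row requires), a Suite-B ECP Diffie-Hellman group, an identity-based keyring of the kind introduced by FlexVPN Config Simplification, and a virtual template bound with tunnel mode auto selection. All names (PROP-SUITEB, KR-BRANCH, PROF-HUB, example.com identities, GigabitEthernet0/0, Loopback0) and the bracketed key placeholders are assumptions for illustration and must be replaced with site-specific values.

```cisco
! --- Added example; object names, identities and interfaces are assumed ---

! IKEv2 proposal: AES-GCM-256 is an authenticated-encryption cipher, so no
! "integrity" line is configured; the PRF must then be set explicitly.
crypto ikev2 proposal PROP-SUITEB
 encryption aes-gcm-256
 prf sha384
 group 20

crypto ikev2 policy POL-SUITEB
 proposal PROP-SUITEB

! Keyring keyed on the peer's identity (FQDN) rather than its IP address,
! so branch routers with dynamic addresses still map to the right key.
crypto ikev2 keyring KR-BRANCH
 peer BRANCH1
  identity fqdn branch1.example.com
  pre-shared-key local <LOCAL-KEY-PLACEHOLDER>
  pre-shared-key remote <REMOTE-KEY-PLACEHOLDER>

! IKEv2 profile: match on remote identity domain, authenticate with PSK,
! enable on-demand dead peer detection, and let the profile pick the
! tunnel mode (GRE/IPsec, IPv4/IPv6) for the cloned virtual access interface.
crypto ikev2 profile PROF-HUB
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-BRANCH
 dpd 30 5 on-demand
 virtual-template 1 mode auto

! Matching IPsec (child SA) protection, also GCM-based.
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel

crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile PROF-HUB

! No "tunnel mode" line here: Tunnel Mode Auto Selection supplies it
! when the virtual access interface is created from this template.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile IPSEC-PROF
```

To confirm the negotiated result on a live box, use the show commands the table lists: `show crypto ikev2 proposal` verifies that the proposal has no integrity algorithm and a PRF of SHA-384, `show crypto ikev2 sa` shows the cipher, PRF and DH group actually agreed with each peer, and `show crypto ikev2 session` shows the virtual access interface and the tunnel mode that was auto-selected for it.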