Command or Action: enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
- Enter your password if prompted.

Command or Action: configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Command or Action: crypto ikev2 profile profile-name
Example:
Router(config)# crypto ikev2 profile profile1
Purpose: Defines an IKEv2 profile name and enters IKEv2 profile configuration mode.

Command or Action: description line-of-description
Example:
Router(config-ikev2-profile)# description this is an IKEv2 profile
Purpose: (Optional) Describes the profile.

Command or Action: aaa accounting [psk | cert | eap] list-name
Example:
Router(config-ikev2-profile)# aaa accounting eap list1
Purpose: (Optional) Enables AAA accounting for IPsec sessions.
- psk --AAA accounting method list for peers authenticating using the preshared key authentication method.
- cert --AAA accounting method list for peers authenticating using the certificate authentication method.
- eap --AAA accounting method list for peers authenticating using the EAP authentication method.
- list-name --The AAA list name.
Note: If the cert, psk, or eap keyword is not specified, the AAA accounting method list is used irrespective of the peer authentication method.

Command or Action: aaa authentication eap list-name
Example:
Router(config-ikev2-profile)# aaa authentication eap list1
Purpose: (Optional) Specifies the AAA authentication list for EAP authentication when implementing the IKEv2 remote access server.
- eap --Specifies the external EAP server.
- list-name --Specifies the AAA authentication list name.

Command or Action: authentication {local {rsa-sig | pre-share | ecdsa-sig} | remote {eap [query-identity] | rsa-sig | pre-share | ecdsa-sig}}
Example:
Router(config-ikev2-profile)# authentication local ecdsa-sig
Purpose: Specifies the local or remote authentication method.
- rsa-sig --Specifies RSA-sig as the authentication method.
- pre-share --Specifies the preshared key as the authentication method.
- ecdsa-sig --Specifies ECDSA-sig as the authentication method.
- eap --Specifies EAP as the remote authentication method.
- query-identity --Queries the EAP identity from the peer.
Note: You can specify only one local authentication method but multiple remote authentication methods.

Command or Action: aaa authorization {group | user} [cert | eap | psk] aaa-listname {aaa-username | name-mangler mangler-name}
Example:
Router(config-ikev2-profile)# aaa authorization group list1 cert abc name-mangler mangler1
Purpose: Specifies an AAA method list and username for group or user authorization when implementing the IKEv2 remote access server.
- group --Specifies group authorization. Both local and external AAA are supported for group authorization. The AAA method list defined in global configuration mode using the aaa authorization command specifies whether the authorization is local or external AAA based.
- user --Specifies user authorization. Supports external AAA only.
- cert --AAA authorization method list and username for peers authenticating using certificates.
- eap --AAA authorization method list and username for peers authenticating using EAP.
- psk --AAA authorization method list and username for peers authenticating using preshared keys.
- aaa-listname --AAA method list name.
- aaa-username --AAA authorization name.
- name-mangler --Name mangler that derives the AAA authorization username from the peer identity.
- mangler-name --Globally defined mangler name.
Note: If the cert, psk, or eap keyword is not specified, the AAA authorization method list and username are used irrespective of the peer authentication method.

Command or Action: config-mode set
Example:
Router(config-ikev2-profile)# config-mode set
Purpose: (Optional) Enables sending the configuration mode set. Acceptance of the configuration mode set is enabled by default.

Command or Action: dpd interval retry-interval {on-demand | periodic}
Example:
Router(config-ikev2-profile)# dpd 1000 250 periodic
Purpose: (Optional) Verifies that IKE is live on the peer.
- on-demand --Verifies that IKE is live on the peer by sending a keepalive before sending data.
- periodic --Verifies that IKE is live by sending keepalives at the specified interval.

Command or Action: identity local {address {ipv4-address | ipv6-address} | dn | email email-string | fqdn fqdn-string | key-id opaque-string}
Example:
Router(config-ikev2-profile)# identity local email abc@example.com
Purpose: (Optional) Specifies the local IKEv2 identity type.
- The local identity is used by the local IKEv2 peer to identify itself to the remote IKEv2 peers in the AUTH exchange, using the IDi field:
  - address --IPv4 or IPv6 address.
  - dn --Distinguished name.
  - fqdn --Fully qualified domain name. For example, router1.example.com.
  - email --E-mail ID. For example, xyz@example.com.
  - key-id --Key ID.
Note: If the local authentication method is a preshared key, the default local identity is the IP address. If the local authentication method is rsa-signature, the default local identity is the distinguished name.

Command or Action: ivrf name
Example:
Router(config-ikev2-profile)# ivrf vrf1
Purpose: (Optional) Specifies a user-defined VRF or the global VRF when an IKEv2 profile is attached to a crypto map. The inside VRF (IVRF) for a tunnel interface should be configured on the tunnel interface itself.
Note: IVRF specifies the VRF for cleartext packets. The default value for IVRF is the front-door VRF (FVRF).

Command or Action: keyring [aaa] name
Example:
Router(config-ikev2-profile)# keyring keyring1
Purpose: Specifies the local or AAA-based keyring that must be used with the local and remote preshared key authentication method.
- aaa --AAA-based preshared keys list name.
- name --Keyring name for the locally defined keyring, or AAA method list for the AAA-based keyring.
Note: You can specify only one keyring.

Command or Action: lifetime seconds
Example:
Router(config-ikev2-profile)# lifetime 10
Purpose: Specifies the lifetime in seconds for the IKEv2 security association.
- The range is from 120 to 86400; the default lifetime is 86400 seconds.

Command or Action: match {address local {ipv4-address | ipv6-address} | interface name} | certificate certificate-map | fvrf {fvrf-name | any} | identity remote {address {ipv4-address [mask] | ipv6-address prefix} | email [domain] string | fqdn [domain] string | key-id opaque-string}
Example:
Router(config-ikev2-profile)# match address local interface Ethernet 2/0
Purpose: Use the match statements to select an IKEv2 profile for a peer:
- address --(Optional) Based on local parameters, which include the IPv4 or IPv6 address and the interface.
- certificate --Based on fields in the certificate received from the peer.
- fvrf --(Optional) Based on a user-configured VRF or any VRF. In the absence of a match fvrf statement, the profile matches the global VRF. Configure the match fvrf any command to match all VRFs.
- identity --Based on the remote identity, the ID in the AUTH exchange, which is one of the following:
  - address
  - email
  - fqdn
  - key-id

Command or Action: nat keepalive seconds
Example:
Router(config-ikev2-profile)# nat keepalive 500
Purpose: (Optional) Enables NAT keepalive and specifies the interval.
- The interval range is from 5 to 3600 seconds. NAT keepalive is disabled by default.

Command or Action: pki trustpoint trustpoint-label [sign | verify]
Example:
Router(config-ikev2-profile)# pki trustpoint tsp1 sign
Purpose: Specifies the trustpoints for use with the RSA signature authentication method, as follows:
- sign --Use the certificate from the trustpoint to sign the AUTH payload sent to the peer.
- verify --Use the certificate from the trustpoint to verify the AUTH payload received from the peer.
Note: If neither the sign nor the verify keyword is specified, the trustpoint is used for both signing and verification.

Command or Action: virtual-template number
Example:
Router(config-ikev2-profile)# virtual-template 125
Purpose: (Optional) Specifies the virtual template for cloning a virtual access interface.

Command or Action: end
Example:
Router(config-ikev2-profile)# end
Purpose: Exits IKEv2 profile configuration mode and returns to privileged EXEC mode.
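As an added example (not part of the Cisco documentation above), the following Python checker parses a constructed IKEv2 profile block and verifies the constraints this table states: the lifetime and nat keepalive ranges, a single local authentication method and a single keyring, a keyring whenever pre-share is used, and a pki trustpoint whenever local rsa-sig is used. The function names and the sample profile are assumptions made for this example.

```python
import re

# Ranges stated in the configuration table above.
LIFETIME_RANGE = (120, 86400)
NAT_KEEPALIVE_RANGE = (5, 3600)

def parse_profile(text):
    """Return the indented sub-commands of the first 'crypto ikev2 profile' block."""
    cmds, inside = [], False
    for line in text.splitlines():
        if line.startswith("crypto ikev2 profile "):
            inside = True
            continue
        if inside:
            if line and not line.startswith(" "):
                break  # a non-indented line ends the profile block
            if line.strip():
                cmds.append(line.strip())
    return cmds

def check_profile(text):
    """Return a list of findings; an empty list means the profile passes."""
    cmds = parse_profile(text)
    findings = []
    local_auth = [c for c in cmds if c.startswith("authentication local ")]
    remote_auth = [c for c in cmds if c.startswith("authentication remote ")]
    keyrings = [c for c in cmds if c.startswith("keyring ")]
    trustpoints = [c for c in cmds if c.startswith("pki trustpoint ")]
    if len(local_auth) > 1:
        findings.append("only one local authentication method is allowed")
    if len(keyrings) > 1:
        findings.append("only one keyring is allowed")
    if any(c.endswith("pre-share") for c in local_auth + remote_auth) and not keyrings:
        findings.append("pre-share authentication configured without a keyring")
    if any(c.endswith("rsa-sig") for c in local_auth) and not trustpoints:
        findings.append("local rsa-sig configured without a pki trustpoint")
    for cmd, (lo, hi) in (("lifetime", LIFETIME_RANGE), ("nat keepalive", NAT_KEEPALIVE_RANGE)):
        for hit in filter(None, (re.fullmatch(cmd + r" (\d+)", c) for c in cmds)):
            val = int(hit.group(1))
            if not lo <= val <= hi:
                findings.append(f"{cmd} {val} outside range {lo}-{hi}")
    return findings

# Constructed sample profile (not from the documentation); it reuses the
# table's own 'lifetime 10' example, which is below the stated 120-second minimum.
SAMPLE = """\
crypto ikev2 profile profile1
 match identity remote fqdn domain example.com
 authentication local pre-share
 authentication remote pre-share
 lifetime 10
 nat keepalive 500
!
"""

if __name__ == "__main__":
    for finding in check_profile(SAMPLE):
        print("finding:", finding)
```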