Step 1 | enable
Example:
Device> enable
| Enables privileged EXEC mode. Enter your password if prompted.
|
Step 2 | configure terminal
Example:
Device# configure terminal
| Enters global configuration mode.
|
Step 3 | crypto ikev2 profile profile-name
Example:
Device(config)# crypto ikev2 profile profile1
| Defines an IKEv2 profile and enters IKEv2 profile configuration mode.
|
Step 4 | description line-of-description
Example:
Device(config-ikev2-profile)# description This is an IKEv2 profile
| (Optional) Describes the profile.
|
Step 5 | aaa accounting [psk | cert | eap] list-name
Example:
Device(config-ikev2-profile)# aaa accounting eap list1
| (Optional) Enables an authentication, authorization, and accounting (AAA) accounting method list for IPsec sessions. The psk, cert, or eap keyword restricts the method list to sessions authenticated with that peer authentication method.
Note | If the psk, cert, or eap keyword is not specified, the AAA accounting method list is used irrespective of the peer authentication method. |
|
Step 6 | authentication {local {rsa-sig | pre-share [key {0 | 6} password] | ecdsa-sig | eap [gtc | md5 | ms-chapv2] [username username] [password {0 | 6} password]} | remote {eap [query-identity | timeout seconds] | rsa-sig | pre-share [key {0 | 6} password] | ecdsa-sig}}
Example:
Device(config-ikev2-profile)# authentication local ecdsa-sig
| Specifies the local or remote authentication method.
- rsa-sig—Specifies RSA signature (certificate-based) authentication.
- pre-share—Specifies preshared key authentication. The optional key keyword sets the key inline; 0 stores it unencrypted and 6 stores it AES-encrypted (type 6). Without the key keyword, the key is taken from the key ring configured in Step 11.
- ecdsa-sig—Specifies ECDSA signature (certificate-based) authentication.
- eap—Specifies EAP as the authentication method. As a remote method, the peer is authenticated through EAP against AAA. As a local method, the device itself authenticates through EAP using the selected method (gtc, md5, or ms-chapv2) and the configured username and password.
- query-identity—Queries the EAP identity from the peer before starting the EAP exchange.
- timeout seconds—Specifies the duration, in seconds, to wait for the next IKE_AUTH request after sending the first IKE_AUTH response.
Note | You can specify only one local authentication method but multiple remote authentication methods. |
|
Step 7 | dpd interval retry-interval {on-demand | periodic}
Example:
Device(config-ikev2-profile)# dpd 1000 250 periodic
| (Optional) Configures Dead Peer Detection (DPD) for peers matching this profile, overriding any global crypto ikev2 dpd setting. interval is the number of seconds between DPD messages while the session is idle; retry-interval is the number of seconds between retries when the peer does not respond. periodic sends DPD messages at every interval regardless of traffic; on-demand sends them only when there is outbound traffic but no inbound traffic from the peer.
Note | DPD is disabled by default. |
|
Step 8 | identity local {address {ipv4-address | ipv6-address} | dn | email email-string | fqdn fqdn-string | key-id opaque-string}
Example:
Device(config-ikev2-profile)# identity local email abc@example.com
| (Optional) Specifies the local IKEv2 identity type and value that this device presents to the peer in the IKE_AUTH exchange. dn sends the Distinguished Name from the local certificate.
Note | If the local authentication method is a preshared key, the default local identity is the IP address. If the local authentication method is a Rivest, Shamir, and Adleman (RSA) signature, the default local identity is a Distinguished Name. |
|
Step 9 | initial-contact force
Example:
Device(config-ikev2-profile)# initial-contact force
| Enforces initial contact processing (deleting stale SAs with the same peer) even if the initial contact notification is not received in the IKE_AUTH exchange.
|
Step 10 | ivrf name
Example:
Device(config-ikev2-profile)# ivrf vrf1
| (Optional) Specifies a user-defined VPN routing and forwarding (VRF) instance, or the global VRF, for the cleartext (inside) traffic protected by this profile when the IKEv2 profile is attached to a crypto map.
Note | IVRF specifies the VRF for cleartext packets; FVRF is the VRF in which the IKEv2 and IPsec packets themselves are sent and received. The default value for IVRF is FVRF. |
|
Step 11 | keyring {local keyring-name | aaa list-name [name-mangler mangler-name | password password]}
Example:
Device(config-ikev2-profile)# keyring aaa keyring1 name-mangler mangler1
| Specifies the local or AAA-based key ring that must be used with the local and remote preshared key authentication method.
Note | You can specify only one key ring. Local AAA is not supported for AAA-based preshared keys. |
Note | Depending on your release, the local keyword and the name-mangler mangler-name keyword-argument pair may be required. |
Note | When using AAA, the default password sent in the RADIUS Access-Request is "cisco". Because this value is well known, change it with the password keyword of the keyring command rather than relying on the default. |
|
Step 12 | lifetime seconds
Example:
Device(config-ikev2-profile)# lifetime 1000
| Specifies the lifetime, in seconds, for the IKEv2 SA. The default is 86400 seconds.
|
Step 13 | match {address local {ipv4-address | ipv6-address | interface name} | certificate certificate-map | fvrf {fvrf-name | any} | identity remote {address {ipv4-address [mask] | ipv6-address prefix} | {email [domain string] | fqdn [domain string]} string | key-id opaque-string}}
Example:
Device(config-ikev2-profile)# match address local interface Ethernet 2/0
| Uses match statements to select an IKEv2 profile for a peer. match address local and match fvrf restrict the profile to sessions arriving on a given local address, interface, or front-door VRF; match identity remote and match certificate select the profile by the peer's claimed identity or by attributes of the peer's certificate.
Note | An IKEv2 profile must contain at least one match identity remote or match certificate statement; otherwise the profile is considered incomplete and is not used. A profile can contain more than one match identity or match certificate statement. |
|
Step 14 | nat keepalive seconds
Example:
Device(config-ikev2-profile)# nat keepalive 500
| (Optional) Enables NAT keepalives and specifies the interval, in seconds, at which they are sent to keep NAT translations alive when NAT traversal is detected on the session.
|
Step 15 | pki trustpoint trustpoint-label [sign | verify]
Example:
Device(config-ikev2-profile)# pki trustpoint tsp1 sign
| Specifies the Public Key Infrastructure (PKI) trustpoints used for certificate-based (RSA or ECDSA signature) authentication. sign restricts the trustpoint to signing with the local certificate; verify restricts it to verifying the peer's certificate.
Note | If the sign or verify keyword is not specified, the trustpoint is used for both signing and verification. |
Note | In contrast to IKEv1, a trustpoint must be configured in an IKEv2 profile for certificate-based authentication to succeed. There is no fallback to globally configured trustpoints if this command is not present in the configuration. The trustpoint configuration applies to the IKEv2 initiator and responder. |
|
Step 16 | redirect gateway auth
Example:
Device(config-ikev2-profile)# redirect gateway auth
| Enables the IKEv2 redirect mechanism on the gateway, redirecting the client to another gateway during SA authentication (the IKE_AUTH exchange).
Note | The redirect mechanism is specific to IKEv2 profiles. |
|
Step 17 | virtual-template number mode auto
Example:
Device(config-ikev2-profile)# virtual-template 1 mode auto
| (Optional) Specifies the virtual template from which a virtual access interface (VAI) is cloned for each peer.
- mode auto—Enables the tunnel mode auto selection feature.
Note | For the IPsec Dynamic Virtual Tunnel Interface (DVTI), a virtual template must be specified in the IKEv2 profile, without which an IKEv2 session is not initiated. |
|
Step 18 | shutdown
Example:
Device(config-ikev2-profile)# shutdown
| (Optional) Shuts down the IKEv2 profile.
|
Step 19 | end
Example:
Device(config-ikev2-profile)# end
| Exits IKEv2 profile configuration mode and returns to privileged EXEC mode.
|
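The steps above, assembled into one working configuration. This is an added example, not configuration from the Cisco guide: it shows a hub with a preshared-key profile that selects peers by FQDN and keeps keys in a local key ring, plus a certificate-based variant that selects peers by a certificate map and carries the mandatory trustpoint. The proposal, policy, transform set, IPsec profile and virtual template are assumed surrounding configuration; every name, address, VRF, trustpoint label and key string is a placeholder.

```ios
! Added example, not from the Cisco guide. Names, addresses, trustpoint
! labels and key strings are placeholders chosen for this example.
!
! Store preshared keys as type 6 (AES-encrypted) rather than type 0.
! The master passphrase below is a placeholder.
key config-key password-encrypt ExampleMasterKey-ChangeMe
password encryption aes
!
! Proposal and policy assumed for the example (AES-GCM, SHA-384 PRF, ECP-256).
crypto ikev2 proposal PROP-STRONG
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy POL-STRONG
 proposal PROP-STRONG
!
! Step 11, keyring local: one key per peer, selected by the peer's FQDN
! identity rather than by a catch-all address block.
crypto ikev2 keyring BRANCH-KEYS
 peer branch1
  identity fqdn branch1.example.com
  address 192.0.2.10
  pre-shared-key local Hub2Branch1-PlaceholderKey
  pre-shared-key remote Branch12Hub-PlaceholderKey
!
! Profile for preshared-key branches (Steps 3 to 14 and 17).
crypto ikev2 profile SITE2SITE-PSK
 description Hub profile for PSK-authenticated branches (example)
 match address local interface GigabitEthernet0/0
 match fvrf any
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local BRANCH-KEYS
 dpd 30 5 on-demand
 lifetime 28800
 nat keepalive 20
 virtual-template 1
!
! Certificate-based variant (Steps 6, 8, 13, 15): the trustpoint is
! mandatory in IKEv2, and the peer is selected by certificate attributes.
crypto pki certificate map BRANCH-CERT-MAP 10
 issuer-name co cn = corp-issuing-ca
 subject-name co ou = branch-routers
crypto ikev2 profile SITE2SITE-CERT
 description Hub profile for certificate-authenticated branches (example)
 match certificate BRANCH-CERT-MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint CORP-CA
 dpd 30 5 on-demand
 lifetime 28800
!
! IPsec side assumed for the example: the IPsec profile binds the IKEv2
! profile, and the DVTI clones one virtual access interface per peer.
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile SITE2SITE-PSK
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! Check: "show crypto ikev2 profile" lists the configured profiles and
! their match statements; "show crypto ikev2 sa detailed" shows each
! negotiated SA, the peer identity and the profile it matched.
```

Two points a practitioner should check in this layout. First, both profiles satisfy the Step 13 requirement (one has match identity remote, the other match certificate); a profile with only match address local or match fvrf is incomplete and is silently not used, which shows up as peers falling through to no profile. Second, the FQDN-based keyring ties each preshared key to the identity the peer claims, so a peer that knows one branch key cannot authenticate as another branch; a single wildcard address peer with a shared key would lose that property. The certificate variant is shown without its own virtual-template and IPsec profile binding; to bring it up it needs the same kind of virtual template and IPsec profile as the PSK profile.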