IKEv2 key features

This section explains the main attributes and constructs of IKEv2 protocols used for secure authentication and encryption in Cisco NCS network environments.

IKEv2 is a request and response encryption protocol that establishes and handles security associations (SA) in an authentication suite, such as OTNSec, to ensure secure traffic.

IKEv2 is defined in RFC 7296 and consists of the following constructs:

Keyring
IKEv2 profile
IKEv2 proposal
IKEv2 policy

Keyring

A keyring is a repository of symmetric and asymmetric pre-shared keys that is configured for a peer and identified using the IP address of the peer. The keyring is associated with an IKEv2 profile and therefore, caters to a set of peers that match the IKEv2 profile. This is a required configuration for the pre-shared keys authentication method that is used for NCS 1004.

Note

The certificate-based authentication that uses RSA signatures can be used instead of the keyring. If both methods of authentication are configured, the certificate-based authentication takes precedence. See IKEv2 certificate-based authentication.

IKEv2 profile

An IKEv2 profile is a repository of nonnegotiable parameters of the IKE SA, such as authentication method and services that are available to the authenticated peers that match the profile. The profile match lookup is done based on the IP address of the remote identity.

For security purposes, the IKE SAs have a lifetime that is defined in the IKEv2 profile. The lifetime range, in seconds, is from 120 to 86400. The SAs are rekeyed proactively before the expiry of the lifetime. The default lifetime is 86400.

An IKEv2 profile must be attached to an OTNSec configuration on the ODU controllers on both the IKEv2 initiator and responder. This is a required configuration.

IKEv2 proposal

An IKEv2 proposal is a collection of transforms that are used in the negotiation of IKE SAs as part of the IKE_SA_INIT exchange. The IKE2 proposal must be attached to an IKEv2 policy. This is an optional configuration. The transform types used in the negotiation are as follows:

Encryption algorithm
Integrity algorithm
Pseudo-Random Function (PRF) algorithm
Diffie-Hellman (DH) group

Note

The IKEv2 proposal must have at least one algorithm of each type. It is possible to specify multiple algorithms for each type; the order in which the algorithms are specified determines the precedence.

IKEv2 policy

IKEv2 employs policies that are configured on each peer to negotiate handshakes between the two peers. An IKEv2 policy contains proposals that are used to negotiate the encryption, integrity, PRF algorithms, and DH group in the SA_INIT exchange. An IKEv2 policy is selected based on the local IP address. This is an optional configuration.

Note

The default IKEv2 proposal is used with default IKEv2 policy in the absence of any user-defined policy.

How IKEv2 works

In this example, there are two nodes. The node with the lower IP address always acts as the initiator. In this case, node A (R1) has the role of an initiator while Node B (R2) has the role of a responder.

IKEv2 communications rely on structured request-response pairs called exchanges as shown in this image.

IKE performs mutual authentication between two endpoints and establishes an IKE Security Association (SA). At first it exchanges two messages: IKE_SA_INIT and the IKE_AUTH to establish an IKE SA/
Subsequently IKE exchanges either CREATE_CHILD_SA or INFORMATIONAL messages.

Benefits of IKEv2

The benefits of IKEv2 include:

Reliability and error-processing: IKEv2 uses sequence numbers and acknowledgments to provide reliability and mandates some error-processing logistics and shared state management (windowing).
Security features: IKEv2 does not process a request until it determines the requester, helping to mitigate DoS attacks.
Dead Peer Detection: IKEv2 provides built-in support for Dead Peer Detection (DPD), which periodically confirms the availability of the peer node. When there is no response from the peer node, the system attempts to establish the session again.

IKEv2 certificate-based authentication

IKEv2 can use Rivest, Shamir, and Adelman (RSA) digital signatures to authenticate peer devices before setting up Security Associations (SAs). RSA signatures employ a PKI-based method of authentication.

Certification authority interoperability

Certification Authority (CA) interoperability permits Cisco NCS 1014 devices and CAs to communicate for obtaining and using digital certificates. The CA manages certificate requests and issues certificates to participating network devices.

Public key cryptography in RSA

Public key cryptography uses key pairs, such as those in the RSA encryption system, that consist of a public key and a private key. These keys act as complements; anything encrypted with one key can be decrypted with the other.

Digital signatures in RSA

igital signatures are created through encrypting data with a user’s private key. The receiver uses the sender's public key to decrypt the message and verify its signature.The ability to decrypt the message with the sender’s public key indicates that the holder of the private key, the sender, must have created the message.

Configuration workflow

This section describes the workflow to configure IKEv2 and OTNSec encryption on NCS 1014.

Prerequisites

Before proceeding with configuring the OTNSec using IKEV2, ensure that you have:

Installed the required k9sec.rpm package
Configured the line card in the muxponder slice mode. See Set up the client and trunk rate in the muxponder mode for the 2.4TX and 2.4TA cards.

You can use two authentication methods:

Pre-shared keys (PSKs)
Certificate-authority (CA)

The configuration workflow using CA-based authentication method involves these sequences:

The configuration workflow using PSK-based authentication method involves these sequences:

Configure IKEv2 certificate-based authentication

Follow these steps to configure IKEv2 certificate-based authentication.

Before you begin

You need to have a CA available to your network before you configure this interoperability feature. The CA must support Cisco Systems PKI protocol, the simple certificate enrollment protocol (SCEP).

Procedure

	1.	Configure router IP domain name of the router if it is not already configured. The IP domain name is required because the router assigns a fully qualified domain name (FQDN) to the keys and certificates used by OTNSec, and the FQDN is based on the hostname and IP domain name you assign to the router. Enter the domain name command to configure the domain name. Commit the changes Example: `RP/0/RP0/CPU0:ios#configure RP/0/RP0/CPU0:ios(config)#domain name cisco.com RP/0/RP0/CPU0:ios(config)#commit RP/0/RP0/CPU0:ios(config)#end`
	2.	Enter the crypto key generate rsa keypair-label command to generate RSA key pair. Example: `RP/0/RP0/CPU0:ios#crypto key generate rsa ioxRsa-key Mon Jun 23 12:21:53.514 UTC The name for the keys will be: ioxRsa-key Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [2048]: yes % A decimal number between 512 and 4096. How many bits in the modulus [2048]: Generating RSA keys ... Done w/ crypto generate keypair [OK]` RP/0/RP0/CPU0:ios#show crypto key mypubkey rsa Mon Jun 23 12:22:17.646 UTC Key label: ioxRsa-key Type : RSA General purpose Size : 2048 Created : 12:21:56 UTC Mon Jun 23 2025 Data : 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00DC2099 D283559A 9B38E1EB C7974230 0CFEBD41 5EB03CC1 35DB40AC 3FFC381A 1C1C5E0C 7FD6FD7F 78370B4A 9E5BA840 2CC85FB9 6DAF5CF9 96BAABA5 BFA77BC5 A41BC8F9 9AECABDB 1BD7407A 7A6B0676 8E9B1623 55BEECAD DFD1118F 2F47E4B5 4EB504D1 7B42E02E 0CF9A2C9 2CCEFCB3 21D39377 02E8789E 1CDD9290 71757DBD E52B5B8E 6E5C5A7F 9A5DF579 3472219A 7D5C1343 F5C07F14 78574C32 101C317B 5FE45888 93776A5F 5187022A 9CE9BC69 C18E38B4 F869605B 4B512BD6 228023D8 680B1F6E E3230BC1 FB9CFC99 8AAC0B37 C4C5679D 8D17DB93 82F6BCBB 9C8E7284 45290D8C AE3F3CFA 31F2F511 5A718445 7E8ADB43 DC6D2E0E 395F9CC6 99A9B9CD 73020301 0001 Key label: the_default Type : RSA General purpose Size : 2048 Created : 09:58:19 UTC Fri Jun 06 2025 Data : 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00A9B615 1F06AE38 7C843346 BEA57A9C 8557F10F 9DCC46F2 8239A386 A470232B FE3B807F 16CA1B3C 0FCE8647 96FEB41B 16ABEF6D 246B0EA1 F5F6C7BE F52934B0 F5E88B2C 1E568833 0E4F0678 9FD302D7 B5BB17BB 0158C0A7 48F5B926 D9BBE3D7 F2B74335 D7278113 5EE0CCBA 04B20E41 B2793DE6 BC425537 D84B2197 B8FBD76B 67C03CE2 20A28E62 732FD4B5 9EE80179 045BD6E9 824EB029 766C5F64 E1D56CD2 C6884842 E6B9ADB7 B089F6E6 B5B4C0B3 244451A7 4B09692E 1563FE4C 9BE290AC AC77F317 D3B7D5C1 DD0C8773 AF30D1C7 A9D78982 F3B52174 3B87DA23 7BA837B1 1F923C7D 1D5BC759 181F5E7B 85339C62 94CD9614 CFA130EA CC9BCAAE 106AA104 9F020301 0001
	3.	Declare a Certification Authority and configure a trustpoint. Enter the crypto ca trustpoint command to authenticate the trust point. Enter the serial-number keyword to specify whether the router serial number should be included in the certificate request. Enter the crl optional keyword to allow the certificates of other peers to be accepted without trying to obtain the appropriate CRL. Enter the subject-name keyword to specify the subject name in the certificate request. Enter the ip-address none keyword to prevent the inclusion of an IP address in the certificate request. Enter the enrollmenturl keyword, to specify the certification authority (CA) location by naming the CA URL. Enter the rsakeypair keyword to specify a RSA key pair for this trustpoint. Note When you perform a Return Merchandise Authorization (RMA) or swap of an RP card, RSA keys are not stored on the chassis or SSD card and will be removed during the process. Hence you must manually generate new RSA keys and re-establish authentication and enrollment with the CA server. Before proceeding with authentication and enrollment, ensure that you clear any certificates existing on the chassis. Note When you delete the trustpoint configuration, you must also clear the certificates associated with the deleted trustpoint using the command `clear crypto ca certificates <trustpoint_name>`. This step is necessary to prevent potential issues in bringing up the IKEv2 session. Example: Near-end node: RP/0/RP0/CPU0:Node-A(config)#crypto ca trustpoint trust_all_R1 RP/0/RP0/CPU0:Node-A(config-trustp)# crl optional RP/0/RP0/CPU0:Node-A(config-trustp)# ip-address none RP/0/RP0/CPU0:Node-A(config-trustp)#subject-name CN=Acadia.cisco.com,OU=SPBU,O=Cisco Systems,L=Bengaluru,ST=KA,C=IN RP/0/RP0/CPU0:Node-A(config-trustp)# serial-number none RP/0/RP0/CPU0:Node-A(config-trustp)# enrollment url http://10.105.57.29:8080/scep RP/0/RP0/CPU0:Node-A(config-trustp)# rsakeypair ioxRsa-key RP/0/RP0/CPU0:Node-A(config-trustp)#commit Far-end Node: RP/0/RP0/CPU0:Node-B(config)#crypto ca trustpoint trust_all_R2 RP/0/RP0/CPU0:Node-B(config-trustp)# crl optional RP/0/RP0/CPU0:Node-B(config-trustp)# ip-address none RP/0/RP0/CPU0:Node-B(config-trustp)# subject-name CN=Acadia.cisco.com,OU=SPBU,O=Cisco Systems,L=Bengaluru,ST=KA,C=IN RP/0/RP0/CPU0:Node-B(config-trustp)# serial-number none RP/0/RP0/CPU0:Node-B(config-trustp)# enrollment url http://10.105.57.29:8080/scep RP/0/RP0/CPU0:Node-B(config-trustp)# rsakeypair ioxRsa-key RP/0/RP0/CPU0:Node-B(config-trustp)#commit
	4.	Enter the crypto ca authenticate ca-name command to authenticate the CA. The router must authenticate the CA by obtaining the self-signed certificate of the CA, which contains the public key of the CA. Because the certificate of the CA is self-signed (the CA signs its own certificate), manually authenticate the public key of the CA by contacting the CA administrator to compare the fingerprint of the CA certificate. Example: `RP/0/RP0/CPU0:ios# crypto ca authenticate trust_all_R1 Mon Jun 23 12:30:17.758 UTC Serial Number : 01 Subject: CN=MICROMDM SCEP CA,OU=SCEP CA,O=scep-ca,C=US Issued By : CN=MICROMDM SCEP CA,OU=SCEP CA,O=scep-ca,C=US Validity Start : 03:39:43 UTC Wed Jan 08 2025 Validity End : 03:39:43 UTC Mon Jan 08 2035 SHA1 Fingerprint: 853C4D0216E35AE2F765FA1F274BBD238080D06F Do you accept this certificate? [yes/no]: yes RP/0/RP0/CPU0:ios#`
	5.	Enter the crypto ca enroll ca-name command to request the device certificates. You must obtain a signed certificate from the CA for each of your router’s RSA key pairs. Example: RP/0/RP0/CPU0:ios#crypto ca enroll trust_all_R1 Mon Jun 23 12:30:32.506 UTC % Start certificate enrollment ... % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. % For security reasons your password will not be saved in the configuration. % Please make a note of it. Password: Re-enter Password: % The subject name in the certificate will include: CN=Acadia.cisco.com,OU=SPBU,O=Cisco Systems,L=Bengaluru,ST=KA,C=IN % The subject name in the certificate will include: 175_ne.cisco.com % Include the router serial number in the subject name? [yes/no]: no % The IP address in the certificate is 0.0.0.0 Fingerprint: 34463337 30304543 44313936 36443031 Note It is crucial to ensure that the certificate is valid and not expired. Verifying its validity in advance is essential, as an expired certificate could cause traffic disruptions, particularly in the presence of RP-related issues.

Configure the parameters for IKEv2 proposal

Follow these steps to configure various parameters for the IKEv2 proposal.

Procedure

	1.	Enter the ikev2 proposal command to configure an IKEv2 proposal and to specify an IKEv2 proposal name.
	2.	Enter the encryption keyword to specify the transform types for encryption.
	3.	Enter the integrity keyword to specify one or more transforms of the integrity algorithm type.
	4.	Enter the prf keyword to specify the Pseudo-Random Function (PRF) algorithm type.
	5.	Enter the dh keyword to specify the Diffie-Hellman group for the IKEv2 proposal.
	6.	Commit the changes. Example: Near-end node: `RP/0/RP0/CPU0:Node-A(config)#ikev2 proposal ikev2_proposal_all_0_3 RP/0/RP0/CPU0:Node-A(config-ikev2-proposal-ikev2_proposal_al)# prf sha-1 RP/0/RP0/CPU0:Node-A(config-ikev2-proposal-ikev2_proposal_al)# dh-group 19 RP/0/RP0/CPU0:Node-A(config-ikev2-proposal-ikev2_proposal_al)# encryption aes-gcm-128 RP/0/RP0/CPU0:Node-A(config-ikev2-proposal-ikev2_proposal_al)#commit Thu Mar 7 19:20:30.916 UTC RP/0/RP0/CPU0:Node-A(config-ikev2-proposal-proposal1)#exit RP/0/RP0/CPU0:Node-A(config)#exit` Far-end node: `RP/0/RP0/CPU0:Node-B(config)#ikev2 proposal ikev2_proposal_all_0_0 RP/0/RP0/CPU0:Node-B(config-ikev2-proposal-ikev2_proposal_al)# prf sha-1 RP/0/RP0/CPU0:Node-B(config-ikev2-proposal-ikev2_proposal_al)# dh-group 19 RP/0/RP0/CPU0:Node-B(config-ikev2-proposal-ikev2_proposal_al)# encryption aes-gcm-128 RP/0/RP0/CPU0:Node-B(config-ikev2-proposal-ikev2_proposal_al)#commit`

Create an IKEv2 policy

Follow these steps to create an IKEv2 policy.

Procedure

	1.	Enter the ikev2 policy command, to specify an IKEv2 policy.
	2.	Enter the proposal keyword to specify the IKEv2 proposal for the IKEv2 policy.
	3.	Enter the match address local keyword to specify a match type and the IP address of the local interface to be associated with this IKEv2 profile.
	4.	Commit the changes. Example: Near-end node: `RP/0/RP0/CPU0:Node-A(config)#ikev2 policy ikev2_policy_all_0_3 RP/0/RP0/CPU0:Node-A(config-ikev2-policy-ikev2_policy_all_0_)# match address local 10.1.1.1 RP/0/RP0/CPU0:Node-A(config-ikev2-policy-ikev2_policy_all_0_)# proposal ikev2_proposal_all_0_3 RP/0/RP0/CPU0:Node-A(config-ikev2-policy-ikev2_policy_all_0_)#commit` Far-end node: `RP/0/RP0/CPU0:Node-B(config)#ikev2 policy ikev2_policy_0_0 RP/0/RP0/CPU0:Node-B(config-ikev2-policy-ikev2_policy_0_0)# match address local 10.1.1.2 RP/0/RP0/CPU0:Node-B(config-ikev2-policy-ikev2_policy_0_0)# proposal ikev2_proposal_all_0_0 RP/0/RP0/CPU0:Node-B(config-ikev2-policy-ikev2_policy_0_0)#commit`

Create a keyring with pre shared keys

Follow these steps to create a keyring with the postquantum preshared keys.

Procedure

	1.	Enter the keyring command to configure a keyring profile.
	2.	Enter the peer name keyword to specify the name of the peer interface.
	3.	Enter the pre-shared-key keyword to configure the preshared keys for authentication.
	4.	Enter the address ip keyword to specify the IP address of the peer interface along with the prefix. Example: Near-end node: RP/0/RP0/CPU0:ios#configure Mon Dec 22 06:27:58.189 UTC RP/0/RP0/CPU0:ios(config)#keyring KR1 RP/0/RP0/CPU0:ios(config-keyring-KR1)#peer Node-B RP/0/RP0/CPU0:ios(config-keyring-KR1-peer-Node-B)#address 10.1.1.1 255.255.255.0 RP/0/RP0/CPU0:ios(config-keyring-KR1-peer-Node-B)#pre-shared-key password 0716127F18042E1F03035D3A533C252B093A3C1A0A15425759476C6B750426214104540A7B605B5A63014C230956022E2116236A2222260A604B5A362113443919 RP/0/RP0/CPU0:ios(config-keyring-KR1-peer-Node-B)#commit Mon Dec 22 06:32:11.224 UTC RP/0/RP0/CPU0:ios(config-keyring-KR1-peer-Node-B)#exit RP/0/RP0/CPU0:ios(config-keyring-KR1)#exit RP/0/RP0/CPU0:ios(config)#exit RP/0/RP0/CPU0:ios#show keyring KR1 Mon Dec 22 06:32:36.860 UTC Keyring Name : KR1 =============================================================================== Total Peers : 1 ------------------------------------------------------------------------------- Peer Name : Node-B IP Address : 10.1.1.1 Subnet Mask : 255.255.255.0 Identity : Not Configured Local PSK : Configured Remote PSK : Configured PPK Mode : Not Configured PPK Mandatory : Not Configured Local PSK Hash (Algo:SHA256, Format:base64) : nT5Fw0sYJTafyOxuXUmrxlM4eOT55kD7RiWlkjJwUHU= Remote PSK Hash (Algo:SHA256, Format:base64) : nT5Fw0sYJTafyOxuXUmrxlM4eOT55kD7RiWlkjJwUHU= Manual PPK Hash (Algo:SHA256, Format:base64) : Not Configured Far-end node: RP/0/RP0/CPU0:ios#configure Mon Dec 22 06:27:58.189 UTC RP/0/RP0/CPU0:ios(config)#keyring KR1 RP/0/RP0/CPU0:ios(config-keyring-KR1)#peer Node-A RP/0/RP0/CPU0:ios(config-keyring-KR1-peer-Node-A)#address 10.1.1.2 255.255.255.0 RP/0/RP0/CPU0:ios(config-keyring-KR1-peer-Node-A)#pre-shared-key password 0716127F18042E1F03035D3A533C252B093A3C1A0A15425759476C6B750426214104540A7B605B5A63014C230956022E2116236A2222260A604B5A362113443919 RP/0/RP0/CPU0:ios(config-keyring-KR1-peer-Node-A)#commit Mon Dec 22 06:32:11.224 UTC RP/0/RP0/CPU0:ios(config-keyring-KR1-peer-Node-A)#exit RP/0/RP0/CPU0:ios(config-keyring-KR1)#exit RP/0/RP0/CPU0:ios(config)#exit RP/0/RP0/CPU0:ios#show keyring KR1 Mon Dec 22 06:32:36.860 UTC Keyring Name : KR1 =============================================================================== Total Peers : 1 ------------------------------------------------------------------------------- Peer Name : Node-A IP Address : 10.1.1.2 Subnet Mask : 255.255.255.0 Identity : Not Configured Local PSK : Configured Remote PSK : Configured PPK Mode : Not Configured PPK Mandatory : Not Configured Local PSK Hash (Algo:SHA256, Format:base64) : nT5Fw0sYJTafyOxuXUmrxlM4eOT55kD7RiWlkjJwUHU= Remote PSK Hash (Algo:SHA256, Format:base64) : nT5Fw0sYJTafyOxuXUmrxlM4eOT55kD7RiWlkjJwUHU= Manual PPK Hash (Algo:SHA256, Format:base64) : Not Configured

Create an IKEv2 profile that will be attached to the OTNSec profile (PSK authentication method)

Follow these steps to create an IKEv2 profile that will be attached to the OTNSec profile.

Procedure

	1.	Enter the ikev2 profile command to specify the name of an IKEv2 profile.
	2.	Enter the lifetime keyword to configure the lifetime of IKEv2 security association (SA).
	3.	Enter the keyring <keyring name>keyword to specify the details of the IKEv2 keyring that consists of the preshared keys.
	4.	Enter the match remote address keyword to specify the IP address of the remote node.
	5.	Commit the changes. Example: Near-end node: `RP/0/1/CPU0:Node-A(config)#ikev2 profile profile1 RP/0/1/CPU0:Node-A(config-ikev2-profile-profile1)#keyring KR1 RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile1)#lifetime 86400 RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile1)#match address 10.1.1.1 255.255.255.0 RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile1)#commit` Far-end node: `RP/0/1/CPU0:Node-B(config)#ikev2 profile profile1 RP/0/1/CPU0:Node-B(config-ikev2-profile-profile1)#keyring dynamic RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile1)#lifetime 86400 RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile1)#match address 10.1.1.2 255.255.255.0 RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile1)#commit`

Create an IKEv2 profile that will be attached to the OTNSec profile (CA authentication method)

Follow these steps to create an IKEv2 profile that will be attached to the OTNSec profile.

Procedure

	1.	Enter the ikev2 profile command to specify the name of an IKEv2 profile.
	2.	Enter the lifetime keyword to configure the lifetime of IKEv2 security association (SA).
	3.	Enter the match identity remote address keyword to specify the IP address of the remote node.
	4.	Enter the pki trustpoint keyword to specify public key infrastructure name in the OTNSec profile.
	5.	Enter the authentication keyword to specify that the OTNSec Peer authentication method to be followed.
	6.	Enter the local and remote keywords to specify that the authentication occurs on the source router and the peer router.
	7.	Enter the rsa-signature keyword to specify that the authentication is X.509v3 certificate based on rsa signature.
	8.	Commit the changes. Example: Near-end node: RP/0/RP0/CPU0:Node-A(config)#ikev2 profile profile_all_0_3 RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile_all_0_3)# match fvrf vrf2 RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile_all_0_3)# match identity remote address 10.1.1.2 255.255.255.0 RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile_all_0_3)# pki trustpoint trust_all_R1 RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile_all_0_3)# lifetime 86400 RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile_all_0_3)# authentication local rsa-signature RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile_all_0_3)# authentication remote rsa-signature RP/0/RP0/CPU0:Node-A(config-ikev2-profile-profile_all_0_3)#commit Far-end node: RP/0/RP0/CPU0:Node-B(config)#ikev2 profile profile_all_0_0 RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile_all_0_0)#match fvrf vrf2 RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile_all_0_0)#match identity remote address 10.1.1.1 255.255.255.0 RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile_all_0_0)# pki trustpoint trust_all_R2 RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile_all_0_0)# lifetime 86400 RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile_all_0_0)# authentication local rsa-signature RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile_all_0_0)# authentication remote rsa-signature RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile_all_0_0)# RP/0/RP0/CPU0:Node-B(config-ikev2-profile-profile_all_0_0)#commit

Configure the OTNSec policy

Follow these steps to configure the OTNSec policy in near-end and far-end nodes.

Procedure

	1.	Enter the otnsec policy command to configure an OTNSec policy.
	2.	Enter the cipher-suite keyword to specify the encryption algorithm for an OTNSec policy.
	3.	Enter the security-policy must-secure keyword to specify the security for OTNSec policy.
	4.	Enter the sak-rekey-interval keyword to configure the key lifetime for the child security associations (SA). Note The interval range, in seconds, is from 30 to 1209600. If SAK rekey timer is not configured, the system sets it at a default value of 898393.
	5.	Commit the changes. Example: Near-end node: `RP/0/RP0/CPU0:Node-A(config)#otnsec policy otnsec_policy_all_0_3 RP/0/RP0/CPU0:Node-A(config-otnsec-policy)# cipher-suite AES-GCM-256 RP/0/RP0/CPU0:Node-A(config-otnsec-policy)# security-policy must-secure RP/0/RP0/CPU0:Node-A(config-otnsec-policy)# sak-rekey-interval 28800 RP/0/RP0/CPU0:Node-A(config-otnsec-policy)#commit` Far-end node: `RP/0/RP0/CPU0:Node-B#configur Tue Apr 29 13:48:20.494 UTC RP/0/RP0/CPU0:Node-B(config)#otnsec policy otnsec_policy_all_0_0 RP/0/RP0/CPU0:Node-B(config-otnsec-policy)# cipher-suite AES-GCM-256 RP/0/RP0/CPU0:Node-B(config-otnsec-policy)# security-policy must-secure RP/0/RP0/CPU0:Node-B(config-otnsec-policy)# sak-rekey-interval 28800 RP/0/RP0/CPU0:Node-B(config-otnsec-policy)#commit`

Configure the GCC0 interface

Follow these steps to configure GCC0 interface on the near-end and far-end nodes.

Procedure

	1.	Enter the command CoherentDSP R/S/I/P in the configuration mode, to configure the odu-flex controller.
	2.	Enter the gcc0 keyword to enable the GCC0 interface.
	3.	Commit the changes and exit.
	4.	Enter the interface gcc0 R/S/I/P command, to configure the GCC0 interface.
	5.	Enter the ipv4 address keyword to specify the encryption algorithm for an OTNSec policy.
	6.	Commit the changes. Example: Near-end node: `RP/0/RP0/CPU0:Node-A(config)#controller CoherentDSP0/3/0/7 RP/0/RP0/CPU0:Node-A(config-CoDSP)# gcc0 RP/0/RP0/CPU0:Node-A(config-CoDSP)#commit RP/0/RP0/CPU0:Node-A(config)#interface GCC00/3/0/7 RP/0/RP0/CPU0:Node-A(config-if)# ipv4 address 10.1.1.1 255.255.255.0 RP/0/RP0/CPU0:Node-A(config-if)#commit` Far-end node: `RP/0/RP0/CPU0:Node-B(config)#controller CoherentDSP0/0/0/0 RP/0/RP0/CPU0:Node-B(config-CoDSP)# gcc0 RP/0/RP0/CPU0:Node-B(config-CoDSP)#commit RP/0/RP0/CPU0:Node-B(config)#interface GCC00/0/0/0 RP/0/RP0/CPU0:Node-B(config-if)# ipv4 address 10.1.1.2 255.255.255.0 RP/0/RP0/CPU0:Node-B(config-if)#commit`

Configure the OTNSec on ODU flex controller

Follow these steps to OTNSec on the ODU flex controller on the near-end and far-end nodes.

Procedure

	1.	Enter the command controller odu-flex R/S/I/P to configure the ODU flex controller.
	2.	Enter the otnsec keyword to configure OTNSec.
	3.	Enter the source ipv4 and destination ip4 keywords to specify the ip addresses of the local and remote nodes.
	4.	Enter the session id keyword to configure the session id for the OTNSec. The session ID ranges 1–65535.
	5.	Enter the policy keyword to specify the OTNSec policy that was configured.
	6.	Enter the IKEv2 keyword to specify the ikev2 profile.
	7.	Commit the changes. Example: Near-end node: `RP/0/RP0/CPU0:Node-A(config)#controller ODU-FLEX0/3/0/7/4 RP/0/RP0/CPU0:Node-A(config-oduflex)# otnsec RP/0/RP0/CPU0:Node-A(config-otnsec)# policy otnsec_policy_all_0_3 RP/0/RP0/CPU0:Node-A(config-otnsec)# ikev2 profile_all_0_3 RP/0/RP0/CPU0:Node-A(config-otnsec)# source ipv4 10.1.1.1 RP/0/RP0/CPU0:Node-A(config-otnsec)# destination ipv4 10.1.1.2 RP/0/RP0/CPU0:Node-A(config-otnsec)# session-id 60 RP/0/RP0/CPU0:Node-A(config-otnsec)#commit` Far-end node: `RP/0/RP0/CPU0:Node-B(config)#controller ODU-FLEX0/0/0/0/1 RP/0/RP0/CPU0:Node-B(config-oduflex)# otnsec RP/0/RP0/CPU0:Node-B(config-otnsec)# policy otnsec_policy_all_0_0 RP/0/RP0/CPU0:Node-B(config-otnsec)# ikev2 profile_all_0_0 RP/0/RP0/CPU0:Node-B(config-otnsec)# source ipv4 10.1.1.2 RP/0/RP0/CPU0:Node-B(config-otnsec)# destination ipv4 10.1.1.1 RP/0/RP0/CPU0:Node-B(config-otnsec)# session-id 60 RP/0/RP0/CPU0:Node-B(config-otnsec)#commit`

Verify IKEv2 and OTNSec configurations

Follow these steps to view the various configurations done for IKEv2 and OTNSec.

Procedure

	1.	Enter the show ikev2 session detail command to view the details of IKEv2 sessions configured. Example: Near-end node: RP/0/RP0/CPU0:Node-A#show ikev2 session detail Tue Apr 29 13:49:08.907 UTC Session ID : 9 =============================================================================== Status : UP-ACTIVE IKE Count : 1 Child Count : 1 IKE SA ID : 24219 ------------------------------------------------------------------------------- Local : 10.1.1.1/500 Remote : 10.1.1.2/500 Status(Description) : READY (Negotiation done) Role : Initiator Fvrf : Default Encryption/Keysize : AES-GCM/128 PRF/Hash/DH Group : SHA1/None/19 Authentication(Sign/Verify) : RSA/RSA Life/Active Time(sec) : 86400/732 Session ID : 9 Local SPI : B8F3F6B99303FAEC Remote SPI : 88942BBDE8EC692C Local ID : 10.1.1.1 Remote ID : 10.1.1.2 Quantum resistance : Disabled Child SA ------------------------------------------------------------------------------- Local Selector : 10.1.1.1/60 - 10.1.1.1/60 Remote Selector : 10.1.1.2/60 - 10.1.1.2/60 ESP SPI IN/OUT : 0x3c01 / 0x3c01 Encryption : AES-GCM Keysize : 256 ESP HMAC : None Far-end node: RP/0/RP0/CPU0:Node-B#show ikev2 session detail Tue Apr 29 13:52:07.885 UTC Session ID : 9 =============================================================================== Status : UP-ACTIVE IKE Count : 1 Child Count : 1 IKE SA ID : 18484 ------------------------------------------------------------------------------- Local : 10.1.1.2/500 Remote : 10.1.1.1/500 Status(Description) : READY (Negotiation done) Role : Responder Fvrf : Default Encryption/Keysize : AES-GCM/128 PRF/Hash/DH Group : SHA1/None/19 Authentication(Sign/Verify) : RSA/RSA Life/Active Time(sec) : 86400/901 Session ID : 9 Local SPI : 88942BBDE8EC692C Remote SPI : B8F3F6B99303FAEC Local ID : 10.1.1.2 Remote ID : 10.1.1.1 Quantum resistance : Disabled Child SA ------------------------------------------------------------------------------- Local Selector : 10.1.1.2/60 - 10.1.1.2/60 Remote Selector : 10.1.1.1/60 - 10.1.1.1/60 ESP SPI IN/OUT : 0x3c01 / 0x3c01 Encryption : AES-GCM Keysize : 256 ESP HMAC : None
	2.	Enter the show ikev2 proposal command to view the details of ikev2 proposal. Example: Near-end node: RP/0/RP0/CPU0:Node-A#show ikev2 proposal Tue Apr 29 13:49:27.918 UTC Proposal Name : default ===================================================================================== Status : Complete ------------------------------------------------------------------------------------- Total Number of Enc. Alg. : 1 Encr. Alg. : CBC-AES-256 ------------------------------------------------------------------------------------- Total Number of Hash. Alg. : 2 Hash. Alg. : SHA 512 Hash. Alg. : SHA 384 ------------------------------------------------------------------------------------- Total Number of PRF. Alg. : 2 PRF. Alg. : SHA 512 PRF. Alg. : SHA 384 ------------------------------------------------------------------------------------- Total Number of DH Group : 3 DH Group : Group 19 DH Group : Group 20 DH Group : Group 21 Proposal Name : ikev2_proposal_all_0_3 ===================================================================================== Status : Complete ------------------------------------------------------------------------------------- Total Number of Enc. Alg. : 1 Encr. Alg. : GCM-AES-128 ------------------------------------------------------------------------------------- Total Number of Hash. Alg. : 0 ------------------------------------------------------------------------------------- Total Number of PRF. Alg. : 1 PRF. Alg. : SHA 1 ------------------------------------------------------------------------------------- Total Number of DH Group : 1 DH Group : Group 19 Far-end node: RP/0/RP0/CPU0:Node-B#show ikev2 proposal Tue Apr 29 13:52:34.596 UTC Proposal Name : default ===================================================================================== Status : Complete ------------------------------------------------------------------------------------- Total Number of Enc. Alg. : 1 Encr. Alg. : CBC-AES-256 ------------------------------------------------------------------------------------- Total Number of Hash. Alg. : 2 Hash. Alg. : SHA 512 Hash. Alg. : SHA 384 ------------------------------------------------------------------------------------- Total Number of PRF. Alg. : 2 PRF. Alg. : SHA 512 PRF. Alg. : SHA 384 ------------------------------------------------------------------------------------- Total Number of DH Group : 3 DH Group : Group 19 DH Group : Group 20 DH Group : Group 21 Proposal Name : ikev2_proposal_all_0_0 ===================================================================================== Status : Complete ------------------------------------------------------------------------------------- Total Number of Enc. Alg. : 1 Encr. Alg. : GCM-AES-128 ------------------------------------------------------------------------------------- Total Number of Hash. Alg. : 0 ------------------------------------------------------------------------------------- Total Number of PRF. Alg. : 1 PRF. Alg. : SHA 1 ------------------------------------------------------------------------------------- Total Number of DH Group : 1 DH Group : Group 19
	3.	Enter the show ikev2 policy to view the details of ikev2 policy. Example: Near-end node: RP/0/RP0/CPU0:Node-A#show ikev2 policy Tue Apr 29 13:49:47.844 UTC Policy Name : default =============================================================================== Total number of match local addr : 1 Match address local : Any ------------------------------------------------------------------------------- Total number of proposal attached : 1 Proposal Name : default ------------------------------------------------------------------------------- Total number of fvrf attached : 1 Fvrf Name : Any Policy Name : ikev2_policy_all_0_3 =============================================================================== Total number of match local addr : 1 Match address local : 10.1.1.1 ------------------------------------------------------------------------------- Total number of proposal attached : 1 Proposal Name : ikev2_proposal_all_0_3 ------------------------------------------------------------------------------- Total number of fvrf attached : 1 Fvrf Name : Default Far-end node: RP/0/RP0/CPU0:Node-B#show ikev2 policy Tue Apr 29 13:53:02.395 UTC Policy Name : default =============================================================================== Total number of match local addr : 1 Match address local : Any ------------------------------------------------------------------------------- Total number of proposal attached : 1 Proposal Name : default ------------------------------------------------------------------------------- Total number of fvrf attached : 1 Fvrf Name : Any Policy Name : ikev2_policy_0_0 =============================================================================== Total number of match local addr : 1 Match address local : 10.1.1.2 ------------------------------------------------------------------------------- Total number of proposal attached : 1 Proposal Name : ikev2_proposal_all_0_0 ------------------------------------------------------------------------------- Total number of fvrf attached : 1 Fvrf Name : Default
	4.	Enter the show ip interface brief command to view the status of the GCC interfaces. Example: Near-end node: `RP/0/RP0/CPU0:Node-A#show ipv4 interface brief Tue Apr 29 13:50:16.508 UTC Interface IP-Address Status Protocol Vrf-Name GCC00/3/0/7 10.1.1.1 Up Up default MgmtEth0/RP0/CPU0/0 10.105.57.73 Up Up default PTP0/RP0/CPU0/0 unassigned Shutdown Down default MgmtEth0/RP0/CPU0/1 unassigned Shutdown Down default PTP0/RP0/CPU0/1 unassigned Shutdown Down default` Far-end node: `RP/0/RP0/CPU0:Node-B#show ipv4 in brief Tue Apr 29 13:53:20.814 UTC Interface IP-Address Status Protocol Vrf-Name GCC00/0/0/0 10.1.1.2 Up Up default MgmtEth0/RP0/CPU0/0 10.127.60.79 Up Up default PTP0/RP0/CPU0/0 unassigned Shutdown Down default MgmtEth0/RP0/CPU0/1 unassigned Shutdown Down default PTP0/RP0/CPU0/1 unassigned Shutdown Down default`
	5.	Enter the command show controllers odu-flex R/S/I/P otnsec to view the OTNSec configuration on the odu-flex controller. Example: Near-end node: RP/0/RP0/CPU0:Node-A#show controllers odu-flEX 0/3/0/7/4 otnsec Tue Apr 29 13:50:50.360 UTC Controller Name : ODU-FLEX 0/3/0/7/4 Source ip : 10.1.1.1 Destination ip : 10.1.1.2 Session id : 60 IKEv2 profile : profile_all_0_3 Session State : SECURED Otnsec policy name : otnsec_policy_all_0_3 cipher-suite : AES-GCM-256 security-policy : Must Secure sak-rekey-interval : 28800 Time to rekey : 28117 Time to Expire : 1283445 Programming Status : Inbound SA(Rx) : AN[1] : SPI : 0x3c01 Outbound SA(Tx) : AN[1] : SPI : 0x3c01 Far-end node: RP/0/RP0/CPU0:Node-B#show controllers odu-flEX 0/0/0/0/1 otnsec Tue Apr 29 13:53:48.933 UTC Controller Name : ODU-FLEX 0/0/0/0/1 Source ip : 10.1.1.2 Destination ip : 10.1.1.1 Session id : 60 IKEv2 profile : profile_all_0_0 Session State : SECURED Otnsec policy name : otnsec_policy_all_0_0 cipher-suite : AES-GCM-256 security-policy : Must Secure sak-rekey-interval : 28800 Time to rekey : 0 Time to Expire : 1283281 Programming Status : Inbound SA(Rx) : AN[1] : SPI : 0x3c01 Outbound SA(Tx) : AN[1] : SPI : 0x3c01
	6.	Enter the command show alarms brief system active to view the active alarms. Example: `RP/0/RP0/CPU0:ios# show alarms brief system active ----------------------------------------------------------------------- Location Severity Group Set time Description ---------------- 0/1 NotAlarmed Software 06/05/2025 00:04:18 UTC ODU-FLEX0/1/0/0/1 - OTNSec Locally Secured`

Keyring

IKEv2 profile

IKEv2 proposal

IKEv2 policy

How IKEv2 works

Benefits of IKEv2

IKEv2 certificate-based authentication

Certification authority interoperability

Public key cryptography in RSA

Digital signatures in RSA

Configuration workflow

Prerequisites

Configure IKEv2 certificate-based authentication

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Configure the parameters for IKEv2 proposal

Procedure

Example:

Create an IKEv2 policy

Procedure

Example:

Create a keyring with pre shared keys

Procedure

Example:

Create an IKEv2 profile that will be attached to the OTNSec profile (PSK authentication method)

Procedure

Example:

Create an IKEv2 profile that will be attached to the OTNSec profile (CA authentication method)

Procedure

Example:

Configure the OTNSec policy

Procedure

Example:

Configure the GCC0 interface

Procedure

Example:

Configure the OTNSec on ODU flex controller

Procedure

Example:

Verify IKEv2 and OTNSec configurations

Procedure

Example:

Example:

Example:

Example:

Example:

Example: