IKEv2 IOS between routers

09/12/2015

The following was thrown together in GNS3 to test IKEv2 before using it in an IPsec/GRE deployment carrying two VRFs over a single link. The configs below only cover the IKEv2 negotiation over a single static VTI (tunnel mode ipsec ipv4); the GRE tunnels and the VRFs themselves are not part of this test.

It worked with IKEv1, and unfortunately the actual client requirement was to use IKEv2.

The GNS3 topology has R1 and R2 as the IPsec endpoints and R3 as the transit router between them, with a minimal ACL applied in and out on both of R3's interfaces that permits only IKE (UDP 500), ESP and AH. Two things to keep in mind before reusing this outside the lab: the ACL does not permit UDP 4500, so IKEv2 NAT traversal would be blocked if a NAT ever sat in the path (there is none here), and the pre-shared key sits in clear text in both running configs, so a real deployment wants a long random key protected with IOS type 6 password encryption rather than IKEV2-PASSWORD. Once both routers are up, show crypto ikev2 sa and show crypto ipsec sa confirm the IKE SA and the child SA on Tunnel1.

R1:

!
! Last configuration change at 21:21:32 UTC Wed Dec 9 2015
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal IKEV2-PROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 24
!
!
crypto ikev2 keyring IKEV2-KEYRING
 peer IKEV2-PEER
 address 192.168.100.1
 identity address 192.168.200.1
 pre-shared-key IKEV2-PASSWORD
 !
!
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.100.1 255.255.255.255 
 identity local address 192.168.200.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
!
!
!
ip tcp synwait-time 5
! 
!
!
crypto ipsec transform-set IKEV2-TRANSFORM esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
crypto ipsec profile IKEV2-IPSEC-PROFILE
 set security-association lifetime 3600 seconds
 set security-association replay window-size 1024 
 set transform-set IKEV2-TRANSFORM 
 set ikev2-profile IKEV2-PROFILE
!
!
!
!
!
!
!
interface Tunnel1
 ip address 10.10.10.1 255.255.255.0
 tunnel source 192.168.200.1
 tunnel destination 192.168.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IKEV2-IPSEC-PROFILE
!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
router ospf 1
 router-id 10.10.10.1
 redistribute static subnets
 network 10.10.10.1 0.0.0.0 area 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.200.2
ip route 100.100.100.0 255.255.255.0 Null0
ip route 200.200.200.0 255.255.255.0 Null0
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R2:


!
! Last configuration change at 21:24:36 UTC Wed Dec 9 2015
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal IKEV2-PROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 24
!
!
crypto ikev2 keyring IKEV2-KEYRING
 peer IKEV2-PEER
 address 192.168.200.1
 identity address 192.168.100.1
 pre-shared-key IKEV2-PASSWORD
 !
!
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.200.1 255.255.255.255 
 identity local address 192.168.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
!
!
!
ip tcp synwait-time 5
! 
!
!
crypto ipsec transform-set IKEV2-TRANSFORM esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
crypto ipsec profile IKEV2-IPSEC-PROFILE
 set security-association lifetime 3600 seconds
 set security-association replay window-size 1024 
 set transform-set IKEV2-TRANSFORM 
 set ikev2-profile IKEV2-PROFILE
!
!
!
!
!
!
!
interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 tunnel source 192.168.100.1
 tunnel destination 192.168.200.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IKEV2-IPSEC-PROFILE
!
interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
router ospf 1
 router-id 10.10.10.2
 network 10.10.10.2 0.0.0.0 area 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.100.2
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R3: INTERLINK ONLY

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
! 
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.200.2 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.100.2 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 duplex auto
 speed auto
!
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end
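Added example (not part of the original lab): a small Python script that pulls the IKEv2-relevant fields out of the R1 and R2 configs above, cross-checks the relationships IKEv2 needs to hold between the two sides (tunnel source/destination mirrored, keyring address equal to the peer's source, profile match equal to the peer's local identity, identical proposal, transform set and PSK), and simulates R3's ACL 101 against the flows IKEv2/IPsec actually generate. The R1 excerpt is copied from the page; R2 is derived by swapping the two addresses, which is exactly how the page's R2 differs. The one finding it raises on the page's configs is that the keyring `identity address` holds the router's own address on both sides, whereas that field in an IOS keyring describes the remote peer; the page does not show whether IOS's key lookup falls back to the address here, so it is reported as REVIEW rather than ERROR. Field names, the ERROR/REVIEW labels and the `PORT_NAMES` table are this example's own.

```python
"""Cross-check the R1/R2 IKEv2 configs from this page and simulate R3's ACL 101.
Added example; not part of the original lab."""
import re

# Excerpt of the R1 config shown above (values unchanged).
R1_CFG = """
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 keyring IKEV2-KEYRING
 peer IKEV2-PEER
  address 192.168.100.1
  identity address 192.168.200.1
  pre-shared-key IKEV2-PASSWORD
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.100.1 255.255.255.255
 identity local address 192.168.200.1
crypto ipsec transform-set IKEV2-TRANSFORM esp-aes 256 esp-sha512-hmac
interface Tunnel1
 tunnel source 192.168.200.1
 tunnel destination 192.168.100.1
"""
# The page's R2 is the exact mirror: 192.168.100.1 and 192.168.200.1 swapped.
R2_CFG = (R1_CFG.replace("192.168.100.1", "@")
                .replace("192.168.200.1", "192.168.100.1")
                .replace("@", "192.168.200.1"))
# R3's ACL exactly as configured on the page.
R3_ACL = """
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
"""

# Anchored per-field regexes; the anchors keep "address" from also matching
# "ip address", "identity address" or "identity local address".
FIELDS = {
    "encryption": r"^[ \t]+encryption (\S+)",
    "integrity": r"^[ \t]+integrity (\S+)",
    "group": r"^[ \t]+group (\S+)",
    "keyring_address": r"^[ \t]+address (\S+)",
    "keyring_identity": r"^[ \t]+identity address (\S+)",
    "psk": r"^[ \t]+pre-shared-key (\S+)",
    "match_remote": r"^[ \t]+match identity remote address (\S+)",
    "local_identity": r"^[ \t]+identity local address (\S+)",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "tunnel_source": r"^[ \t]+tunnel source (\S+)",
    "tunnel_dest": r"^[ \t]+tunnel destination (\S+)",
}


def parse(cfg):
    """Extract the fields above from one router's config (None when absent)."""
    out = {}
    for name, pat in FIELDS.items():
        m = re.search(pat, cfg, re.MULTILINE)
        out[name] = m.group(1).strip() if m else None
    return out


def audit(a, b):
    """Cross-check two parsed peers. ERROR: the SA cannot come up as written.
    REVIEW: inconsistent with the command's meaning, but not shown failing."""
    findings = []
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        if me["tunnel_dest"] != peer["tunnel_source"]:
            findings.append(f"ERROR {tag}: tunnel destination {me['tunnel_dest']} "
                            f"!= peer source {peer['tunnel_source']}")
        # The initiator selects the key by the peer's address.
        if me["keyring_address"] != peer["tunnel_source"]:
            findings.append(f"ERROR {tag}: keyring address {me['keyring_address']} "
                            f"!= peer source {peer['tunnel_source']}")
        # The profile must match the identity the peer actually sends.
        if me["match_remote"] != peer["local_identity"]:
            findings.append(f"ERROR {tag}: profile matches {me['match_remote']} "
                            f"but peer identifies as {peer['local_identity']}")
        # Keyring 'identity' names the remote peer; flag it if it does not.
        if me["keyring_identity"] != peer["local_identity"]:
            findings.append(f"REVIEW {tag}: keyring identity {me['keyring_identity']} "
                            f"is not the peer identity {peer['local_identity']}")
    for key in ("encryption", "integrity", "group", "transform", "psk"):
        if a[key] != b[key]:
            findings.append(f"ERROR {key} mismatch: {a[key]} vs {b[key]}")
    return findings


PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords


def acl_permits(acl, proto, dport=None):
    """First-match simulation of an extended ACL for 'any any' entries with an
    optional 'eq <port>' term, ending in IOS's implicit deny."""
    for line in acl.strip().splitlines():
        parts = line.split()
        action, acl_proto = parts[2], parts[3]
        if acl_proto != proto:
            continue
        if "eq" in parts:
            want = parts[parts.index("eq") + 1]
            if int(PORT_NAMES.get(want, want)) != dport:
                continue
        return action == "permit"
    return False
```

On the page's configs `audit(parse(R1_CFG), parse(R2_CFG))` returns only the two REVIEW lines about the keyring identity; change R2's `group 24` to `group 14` and it returns an ERROR for the proposal mismatch, which is the IKEv2 failure that is easiest to cause by editing one side. `acl_permits` shows UDP 500 and ESP passing R3 while UDP 4500 (NAT traversal) does not.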