IKEv2 Configuration
The CSR configuration to create a GRE over IPsec tunnel is similar to the CloudEOS and vEOS Router setup using ikev2 version.
By default, the CloudEOS and vEOS Router runs IKEv2. Make sure the version is not set to 1 under the IKE policy. The CSR configuration steps for IKEv2 differ slightly from those for IKEv1.
Complete the following steps to configure the CSR.
- Enter configuration terminal mode to configure IPsec.
  switch#configure terminal
- Create a pre-shared key for the CSR and the CloudEOS and vEOS Router to authenticate each other. Create a keyring to hold the keys, and specify the peer CloudEOS and vEOS Router under which the key and the matching peer IP address are configured.
  switch(config)#crypto keyring vrouter-ikev2-keyring
  switch(conf-keyring)#pre-shared-key address 1.0.0.2 key arista
- Create an IKEv2 proposal to specify the encryption, integrity, and group. The example specifies AES256, SHA1, and DH group 14.
  switch(config)#crypto ikev2 proposal vrouter-ikev2-proposal
  switch(config-ikev2-proposal)#encryption aes-cbc-256
  switch(config-ikev2-proposal)#integrity sha1
  switch(config-ikev2-proposal)#group 14
  switch(config-ikev2-proposal)#exit
- Create an IKEv2 policy and attach the proposal created in the previous step.
  switch(config)#crypto ikev2 policy vrouter-ikev2-policy
  switch(config-ikev2-policy)#match fvrf any
  switch(config-ikev2-policy)#proposal vrouter-ikev2-proposal
  switch(config-ikev2-policy)#exit
- Create an IKEv2 profile and specify the match identity for the remote peer's address, pre-share authentication, and the keyring that was previously created.
  switch(config)#crypto ikev2 profile vrouter-ikev2-profile
  switch(config-ikev2-profile)#match fvrf any
  switch(config-ikev2-profile)#match identity remote address 1.0.0.1 255.255.255.255
  switch(config-ikev2-profile)#authentication remote pre-share key arista
  switch(config-ikev2-profile)#authentication local pre-share key arista
  switch(config-ikev2-profile)#exit
- Create the IPsec transform-set configuration settings. This step is similar to the corresponding step in the IKEv1 configuration. The transform-set defines the encryption and hash algorithm for the child/IPsec SA. The example creates a transform-set with the AES cipher for ESP encryption and SHA1 for authentication. The IPsec mode is set to transport mode.
  switch(config)#crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
  switch(cfg-crypto-trans)#mode transport
- Create the IPsec profile, similar to IKEv1. This profile includes the transform-set, SA idle time, lifetime, and replay windows that are used to create the child SA, and specifies the IKEv2 profile to use.
  switch(config)#crypto ipsec profile vrouter-ikev2-ipsec-profile
  switch(ipsec-profile)#set security-association idle-time 3600
  switch(ipsec-profile)#set security-association dummy seconds 3600
  switch(ipsec-profile)#set transform-set vrouter-tset
  switch(ipsec-profile)#set ikev2-profile vrouter-ikev2-profile
  switch(ipsec-profile)#exit
- Configure the interface to use as the underlying interface for the tunnel. To be able to route packets, the tunnel is given an L3 IP address.
  switch(config)#interface GigabitEthernet2
  switch(config-if)#ip address 1.0.0.1 255.255.255.0
  switch(config-if)#negotiation auto
- Apply the IPsec profile to a tunnel interface. The example creates a tunnel interface (Tunnel0) and configures it to use IPsec.
  switch(config-if)#exit
  switch(config)#interface Tunnel0
  switch(config-if)#ip address 1.0.3.1 255.255.255.0
  switch(config-if)#tunnel path-mtu-discovery
  switch(config-if)#tunnel source 1.0.0.1
  switch(config-if)#tunnel destination 1.0.0.2
  switch(config-if)#tunnel protection ipsec profile vrouter-ikev2-ipsec-profile
  switch(config-if)#exit