IKEv2 Configuration

The CSR configuration to create a GRE over IPsec tunnel is similar to the CloudEOS and vEOS Router setup using ikev2 version.

By default, the CloudEOS and vEOS Router is configured to run in IKEv2 version. Make sure the version is not set to 1 under the ike policy. The configuration steps for CSR IKEv2 are a bit different to that of IKEv1.

Complete the following steps to configure the CSR.

  1. Enter the configuration terminal mode to configure IPsec.
    switch#configure terminal
  2. Create a pre-shared key for CSR and the CloudEOS and vEOS Router to authenticate each other. Create a keyring to hold the keys. Specify the peer CloudEOS and vEOS Router under which the keys and matching IP address of peer are configured.
    switch(config)#crypto keyring vrouter-ikev2-keyring
    switch(conf-keyring)#pre-shared-key address key arista
  3. Create an IKEv2 proposal to specify the encryption, integrity, and group. In the example, it specifies AES256, SHA1, and DH group 14.
    switch(config)#crypto ikev2 proposal vrouter-ikev2-proposal
    switch(config-ikev2-proposal)#encryption aes-cbc-256
    switch(config-ikev2-proposal)#integrity sha1
    switch(config-ikev2-proposal)#group 14
  4. Create an IKEv2 policy and attach the proposal created in the previous step.
    switch(config)#crypto ikev2 policy vrouter-ikev2-policy 
    switch(config-ikev2-policy)#match fvrf any
    switch(config-ikev2-policy)#proposal vrouter-ikev2-proposal
  5. Create an IKEv2 profile and specify the match identity for the remote peer's address, authentication pre-share, and the keyring that was previously created.
    switch(config)#crypto ikev2 profile vrouter-ikev2-profile
    switch(config-ikev2-profile)#match fvrf any
    switch(config-ikev2-profile)#match identity remote address
    switch(config-ikev2-profile)#authentication remote pre-share key arista
    switch(config-ikev2-profile)#authentication local pre-share key arista
  6. Create the IPsec transform-set configuration settings. This step is similar to the step in IKEv1 configuration. The transform-set defines the encryption and hash algorithm for the child/IPsec SA. The example creates a transform-set with AES cipher for the ESP encryption and SHA1 for the authentication. The mode for the IPsec is set to the transport mode.
    switch(config)#crypto ipsec transform-set vrouter-tset esp-aes 256 esp-sha-hmac
    switch(cfg-crypto-trans)#mode transport
  7. Create the IPsec profile similar to IKEv1. This profile includes the transform-set, SA idle time, lifetime, and replay windows that are used to create the child SA and specifies the IKEv2 profile to use.
    switch(config)#crypto ipsec profile vrouter-ikev2-ipsec-profile
    switch(ipsec-profile)#set security-association idle-time 3600
    switch(ipsec-profile)#set security-association dummy seconds 3600
    switch(ipsec-profile)#set transform-set vrouter-tset
    switch(ipsec-profile)#set ikev2-profile vrouter-ikev2-profile
  8. Configure the interface to use as the underlying interface for the tunnel. To be able to route packets, the tunnel is given an L3 IP address.
    switch(config)#interface GigabitEthernet2
    switch(config-if)#ip address
    switch(config-if)#negotiation auto
  9. Apply the IPsec profile to a tunnel interface. The example creates a tunnel interface (Tunnel0) and configures the tunnel interface to use IPsec.
    switch(config)#interface Tunnel0
    switch(config-if)#ip address
    switch(config-if)#tunnel path-mtu-discovery
    switch(config-if)#tunnel source
    switch(config-if)#tunnel destination
    switch(config-if)#tunnel protection ipsec profile vrouter-ikev2-ipsec-profile