IKEv2 vs IKEv1 Site to Site VPN Configuration
[Figure: IPSEC_Topology.png (site-to-site IPsec topology)]

Below is an IKEv2 VPN config. It is taken from an IOU router with a 172.16.1.0/24 subnet behind it; the goal was to reach 192.168.1.0/24 behind an FTD, which worked with the configuration below.

The config is a little confusing, but essentially what happens is this:

The crypto map is applied under the interface (crypto map my-map on int e0/0).

The crypto map names the IKEv2 profile and the IPsec transform set to use, and the profile in turn names the keyring.

The keyring defines the pre-shared key (or other credential) for the peer.

The IKEv2 profile defines the authentication method for both ends, which keyring to use locally, and matches the identity of the remote end.

The IPsec transform set defines the IPsec parameters for the connection: authentication, encryption and tunnel mode.
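To make that chain of references concrete, here is an added Python check (not from the original page) that parses a trimmed copy of the IKEv2 config, verifies that every name the interface, crypto map and profile refer to is actually defined, and flags DES-class algorithms. The config string is constructed for the example, reusing the page's own object names.

```python
# Constructed sample: the reference chain of this page's IKEv2 config, trimmed.
IKEV2_CONFIG = """\
crypto ikev2 keyring my-key
 peer ANY
  pre-shared-key Cisco123
crypto ikev2 profile my-profile
 keyring local my-key
crypto ipsec transform-set my-set esp-des esp-sha256-hmac
crypto map my-map 10 ipsec-isakmp
 set transform-set my-set
 set ikev2-profile my-profile
 match address ACL-Interesting-Traffic
ip access-list extended ACL-Interesting-Traffic
 10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
interface Ethernet0/0
 crypto map my-map
"""
REFS = [  # (context header prefix, child line prefix, object kind it must name)
    ("interface ", "crypto map ", "crypto map "),
    ("crypto map ", "set transform-set ", "crypto ipsec transform-set "),
    ("crypto map ", "set ikev2-profile ", "crypto ikev2 profile "),
    ("crypto map ", "match address ", "ip access-list extended "),
    ("crypto ikev2 profile ", "keyring local ", "crypto ikev2 keyring "),
]
WEAK = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac", "sha1"}
def parse_sections(config):
    """Map each top-level IOS line to its list of indented child lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections
def audit(config):
    """Return findings: dangling references in the crypto chain, weak algorithms."""
    s, findings = parse_sections(config), []
    defined = lambda kind: {h[len(kind):].split()[0] for h in s if h.startswith(kind)}
    for header, body in s.items():
        for child in body:
            for ctx, ref, kind in REFS:
                if header.startswith(ctx) and child.startswith(ref):
                    name = child[len(ref):].split()[0]
                    if name not in defined(kind):
                        findings.append(f"dangling: {kind.strip()} {name} (in '{header}')")
        findings += [f"weak: {t} in '{header}'" for t in (header + " " + " ".join(body)).split() if t in WEAK]
    return findings
```

Running audit() on the sample reports only the DES transform set; renaming any referenced object (for example the profile name in the crypto map) produces a "dangling" finding, which is the usual cause of a tunnel that never negotiates.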


! IKEv2 (phase 1) proposal: lab value, DES is obsolete and should be an AES suite outside a lab
crypto ikev2 proposal my-prop
 encryption des
 integrity sha256
 group 16
!
crypto ikev2 policy my-policy
 match address local 10.99.99.99
 proposal my-prop
!
! keyring: pre-shared key accepted from any peer address
crypto ikev2 keyring my-key
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key Cisco123
!
! profile: authentication for both ends, local keyring, remote identity match
crypto ikev2 profile my-profile
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local my-key
 dpd 10 2 on-demand
!
! IPsec (phase 2) parameters
crypto ipsec transform-set my-set esp-des esp-sha256-hmac
 mode tunnel
!
! crypto map ties peer, transform set, profile and interesting traffic together
crypto map my-map 10 ipsec-isakmp
 set peer 200.0.0.165
 set security-association lifetime seconds 86400
 set transform-set my-set
 set ikev2-profile my-profile
 match address ACL-Interesting-Traffic
 reverse-route
!
ip access-list extended ACL-Interesting-Traffic
 10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! apply the crypto map to the outside interface
int e0/0
 crypto map my-map

Below is an IKEv1 VPN config; it does the same as the IKEv2 config but with IKEv1 (ISAKMP).

! ISAKMP (phase 1) policy
crypto isakmp policy 10
 encryption des
 authentication pre-share
 group 14
!
! pre-shared key for the remote peer
crypto isakmp key Cisco123 address 200.0.0.165
!
ip access-list extended Interesting-Traffic
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! IPsec (phase 2) parameters
crypto ipsec transform-set my-set esp-des esp-sha-hmac
 mode tunnel
!
crypto map my-map 10 ipsec-isakmp
 set peer 200.0.0.165
 set transform-set my-set
 match address Interesting-Traffic
!
int e0/0
 crypto map my-map
!
ip route 192.168.1.0 255.255.255.0 200.0.0.165
