FLEXVPN (S2S)
[Topology diagram: R1 f0/0 1.1.1.1 -- INTERNET (f0/0 1.1.1.10, f0/1 2.2.2.10) -- f0/0 2.2.2.1 R2; the loopbacks 10.1.1.1/32 and 10.1.2.1/32 are the protected hosts]
Note: this lab binds the IKEv2 profile to a classic crypto map. A FlexVPN deployment proper would bind the same IKEv2 profile to an IPsec profile on a tunnel or virtual-template interface; the IKEv2 proposal, keyring and profile are configured the same way in both cases.
R1:
int f0/0
ip address 1.1.1.1 255.255.255.0
no shut
int l0
ip address 10.1.1.1 255.255.255.255
ip route 0.0.0.0 0.0.0.0 1.1.1.10
INTERNET: //transit router standing in for the Internet; it only routes and carries no crypto configuration//
int f0/0
ip address 1.1.1.10 255.255.255.0
no shut
!
int f0/1
ip address 2.2.2.10 255.255.255.0
no shut
R2:
int f0/0
ip address 2.2.2.1 255.255.255.0
no shut
int l0
ip address 10.1.2.1 255.255.255.255
ip route 0.0.0.0 0.0.0.0 2.2.2.10
IKEV2 CONFIGURATION
R1:
access-list 101 permit ip host 10.1.1.1 host 10.1.2.1 //Interested traffic; must be the mirror image of R2's ACL//
crypto ikev2 proposal PRO //IKEv2 proposal: must contain at least one encryption algorithm, one integrity algorithm and one DH group; the PRF defaults to the integrity algorithms. Algorithms are offered in the order listed//
encryption 3des aes-cbc-256 des //lab values: des and 3des use a 64-bit block and are weak; in production offer only AES, e.g. aes-cbc-256 or aes-gcm-256//
integrity sha512 sha384
group 5 19 2 20 //groups 2 (1024-bit MODP) and 5 (1536-bit MODP) are weak; prefer 19/20 (ECP) or 14 and above//
!
crypto ikev2 policy 10 //no match statement, so this policy applies to every local address//
proposal PRO
!
crypto ikev2 keyring KEY1
peer R2 //keys are configured per peer; the peer name is only a local label, the address is what selects the entry//
address 2.2.2.1
pre-shared-key cisco123 //lab key; the same key must be configured on R2. Use a long random key in production//
!
crypto ikev2 profile L2L
authentication local pre-share //method R1 uses to authenticate itself to the peer; only one local method can be configured//
authentication remote pre-share //method R1 requires from the peer; several remote methods may be listed (pre-share, rsa-sig, ...)//
match identity remote address 2.2.2.1 //matches the identity payload (IDi/IDr) the peer sends; with an address identity this is the peer's source IP//
keyring local KEY1 //keyring holding the PSK for the matched peer//
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac //esp-3des is weak, prefer esp-aes 256 or esp-gcm 256; mode tunnel is the default//
!
crypto map CMAP 10 ipsec-isakmp //ipsec-isakmp means IKE-negotiated SAs; which IKE version is used depends on the profile below//
set peer 2.2.2.1
set transform-set TSET
set ikev2-profile L2L //binds the IKEv2 profile; without this line the crypto map negotiates with IKEv1//
match address 101
!
int f0/0
crypto map CMAP //Apply the crypto map to the outside interface//
R2: //mirror image of R1: peer addresses and the ACL are swapped, everything else must match//
access-list 101 permit ip host 10.1.2.1 host 10.1.1.1
crypto ikev2 proposal PRO
encryption 3des aes-cbc-256 des
integrity sha512 sha384
group 5 19 2 20
!
crypto ikev2 policy 10
proposal PRO
!
crypto ikev2 keyring KEY1
peer R1 //this entry is for R1, so it is named R1 here; the name is a local label, the address does the matching//
address 1.1.1.1
pre-shared-key cisco123 //must be identical to the key configured on R1//
!
crypto ikev2 profile L2L
authentication local pre-share
authentication remote pre-share
match identity remote address 1.1.1.1 //R1's outside address//
keyring local KEY1
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TSET
set ikev2-profile L2L
match address 101
!
int f0/0
crypto map CMAP
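Most failures in a lab like this come from the two sides not agreeing on something (peer address, identity, key, proposal, ACL direction). The following script is an added example, not part of the original lab and not a Cisco tool: it parses both router configs pasted as text (the strings below are constructed from the configs above), reports every field that must match between R1 and R2, flags the weak algorithms still offered, and prints the subset of the proposal worth keeping. The field names (`wan`, `set_peer`, `keyring_peer`, `match_identity`) and the strong-algorithm sets are this example's own choices.

```python
"""Linter for a pair of IOS IKEv2 crypto-map peers: checks the fields that must
agree between R1 and R2 and flags weak algorithms. Added example, not the lab's own code."""
import re

# Example's own judgement of what is acceptable in a new deployment.
STRONG_ENCRYPTION = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256", "aes-gcm-128", "aes-gcm-256"}
STRONG_GROUPS = {"14", "15", "16", "19", "20", "21"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed input: the relevant lines of the R1 and R2 configs from the lab.
R1_CONFIG = """
int f0/0
 ip address 1.1.1.1 255.255.255.0
int l0
 ip address 10.1.1.1 255.255.255.255
access-list 101 permit ip host 10.1.1.1 host 10.1.2.1
crypto ikev2 proposal PRO
 encryption 3des aes-cbc-256 des
 integrity sha512 sha384
 group 5 19 2 20
crypto ikev2 keyring KEY1
 peer R2
  address 2.2.2.1
  pre-shared-key cisco123
crypto ikev2 profile L2L
 match identity remote address 2.2.2.1
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.2.1
"""
R2_CONFIG = """
int f0/0
 ip address 2.2.2.1 255.255.255.0
access-list 101 permit ip host 10.1.2.1 host 10.1.1.1
crypto ikev2 proposal PRO
 encryption 3des aes-cbc-256 des
 integrity sha512 sha384
 group 5 19 2 20
crypto ikev2 keyring KEY1
 peer R1
  address 1.1.1.1
  pre-shared-key cisco123
crypto ikev2 profile L2L
 match identity remote address 1.1.1.1
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.1
"""


def parse_ios(text):
    """Extract the fields two IKEv2 crypto-map peers must agree on."""
    def first(pat):
        m = re.search(r"^[ \t]*" + pat, text, re.M)
        return m.group(1) if m else None

    def words(pat):
        v = first(pat)
        return v.split() if v else []

    # WAN address: first interface address that is not a /32 loopback.
    wan = next((a for a, m in re.findall(r"^[ \t]*ip address (\S+) (\S+)", text, re.M)
                if m != "255.255.255.255"), None)
    acl = re.search(r"^[ \t]*access-list \d+ permit ip host (\S+) host (\S+)", text, re.M)
    return {
        "wan": wan,
        "encryption": words(r"encryption (.+)$"),
        "integrity": words(r"integrity (.+)$"),
        "group": words(r"group (.+)$"),
        "keyring_peer": first(r"address (\S+)"),  # keyring 'address', not 'ip address'
        "psk": first(r"pre-shared-key (\S+)"),
        "match_identity": first(r"match identity remote address (\S+)"),
        "set_peer": first(r"set peer (\S+)"),
        "acl": acl.groups() if acl else None,
        "transform": words(r"crypto ipsec transform-set \S+ (.+)$"),
    }


def check_pair(a, b):
    """Return mismatches between the two sides; an empty list means they agree."""
    problems = []
    for side, me, peer in (("R1", a, b), ("R2", b, a)):
        for field in ("set_peer", "keyring_peer", "match_identity"):
            if me[field] != peer["wan"]:
                problems.append(f"{side}: {field} {me[field]} is not the peer WAN address {peer['wan']}")
    for field in ("encryption", "integrity", "group", "transform"):
        if not set(a[field]) & set(b[field]):
            problems.append(f"no common {field} between the two sides")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if not (a["acl"] and b["acl"]) or a["acl"] != tuple(reversed(b["acl"])):
        problems.append("crypto ACLs are not mirror images")
    return problems


def weak_algorithms(p):
    """List the weak choices the IKEv2 proposal and transform set still offer."""
    weak = [f"encryption {e}" for e in p["encryption"] if e not in STRONG_ENCRYPTION]
    weak += [f"group {g}" for g in p["group"] if g not in STRONG_GROUPS]
    weak += [f"transform {t}" for t in p["transform"] if t in WEAK_ESP]
    return weak


def hardened_proposal(p):
    """Proposal lines with only the strong algorithms already offered, preference order kept."""
    enc = [e for e in p["encryption"] if e in STRONG_ENCRYPTION]
    grp = [g for g in p["group"] if g in STRONG_GROUPS]
    return [f"encryption {' '.join(enc)}", f"integrity {' '.join(p['integrity'])}", f"group {' '.join(grp)}"]


if __name__ == "__main__":
    r1, r2 = parse_ios(R1_CONFIG), parse_ios(R2_CONFIG)
    print("mismatches:", check_pair(r1, r2) or "none")
    print("weak on R1:", weak_algorithms(r1))
    print("keep on both sides:", hardened_proposal(r1))
```

Run it after pasting each router's `show running-config` into the two strings. On the routers themselves, bring the tunnel up with `ping 10.1.2.1 source 10.1.1.1` from R1 and confirm with `show crypto ikev2 sa` (IKE SA) and `show crypto ipsec sa` (ESP SAs and encap/decap counters); if the script reports a mismatch, that is usually why the ping fails.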