3.2.4 SVTI using IKEv2

BASIC CONFIGURATION

R1:

int f0/0

ip address 1.1.1.1 255.255.255.0

no shut

int l0

ip address 10.1.1.1 255.255.255.255

ip route 10.1.2.0 255.255.255.0 tunnel0

ip route 0.0.0.0 0.0.0.0 1.1.1.10

R2:

int f0/0

ip address 2.2.2.1 255.255.255.0

no shut

int l0

ip address 10.1.2.1 255.255.255.255

ip route 10.1.1.0 255.255.255.0 tunnel0

ip route 0.0.0.0 0.0.0.0 2.2.2.10

R3:

int f0/0

ip address 1.1.1.10 255.255.255.0

no shut

int f0/1

ip address 2.2.2.10 255.255.255.0

no shut

IKEV2 CONFIGURATION

R1:

crypto ikev2 proposal PROPOSAL

encryption 3des

integrity md5

group 2

!

crypto ikev2 policy POLICY

match fvrf any

proposal PROPOSAL

!

crypto ikev2 keyring KEY1

peer R2

address 2.2.2.1

pre-shared-key cisco123

!

!

!

crypto ikev2 profile PROFILE

match fvrf any

match identity remote address 2.2.2.1

authentication local pre-share

authentication remote pre-share

keyring local KEY1

!

!

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

!

crypto ipsec profile IPSECPROFILE

set transform-set TSET

set ikev2-profile PROFILE

!

interface tunnel0

ip address 192.168.1.1 255.255.255.0

tunnel source f0/0

tunnel mode ipsec ipv4

tunnel destination 2.2.2.1

tunnel protection ipsec profile IPSECPROFILE

!

R2:

crypto ikev2 proposal PROPOSAL

encryption 3des

integrity md5

group 2

!

crypto ikev2 policy POLICY

match fvrf any

proposal PROPOSAL

!

crypto ikev2 keyring KEY1

peer R1

address 1.1.1.1

pre-shared-key cisco123

!

!

!

crypto ikev2 profile PROFILE

match fvrf any

match identity remote address 1.1.1.1

authentication local pre-share

authentication remote pre-share

keyring local KEY1

!

!

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

!

crypto ipsec profile IPSECPROFILE

set transform-set TSET

set ikev2-profile PROFILE

!

interface tunnel0

ip address 192.168.1.2 255.255.255.0

tunnel source f0/0

tunnel mode ipsec ipv4

tunnel destination 1.1.1.1

tunnel protection ipsec profile IPSECPROFILE

!