This post is not going to go in depth into each command and the possible options. It is instead meant as a reference guide to all of the steps required for configuration. It is best for review/reference, not for learning from zero.
Configuration Example With IKEv1
Configure the ISAKMP Policy
crypto isakmp policy <#>
 hash <hash>
 encryption <type>
 group <diffie-hellman-group>
 authentication pre-share
! - PSK is the only type on the CCIE EI
Set a Pre-Shared Key for The Remote Routers
crypto isakmp key <KEY> address <prefix>
Configure the IPsec Transport Set
crypto ipsec transform-set <TS_NAME> <encryption-alg> <auth-algs>
 mode transport
! - use transport for DMVPN
Configure IPsec profile
crypto ipsec profile <PROF_NAME>
 set transform-set <TS_NAME>
Apply to DMVPN Tunnel Interface
interface Tunnel1
 tunnel protection ipsec profile <PROF_NAME>
Full Configuration Example
This is an example configuration for the hub of a phase 3 DMVPN network using IKEv1 protection.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key DMVPN_KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set 3DES_MD5
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Gig0/1
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp redirect
 tunnel protection ipsec profile DMVPN
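As an added check that is not part of the original post: a small Python auditor that parses an IOS-style config (the hub config above, re-indented the way IOS prints it, embedded as a constructed sample) and flags the legacy algorithms and the wildcard PSK address it uses, plus any mGRE tunnel that has no tunnel protection. The WEAK sets follow Cisco's NGE guidance (DES, 3DES, MD5 and DH groups 1, 2, 5 are legacy or avoid); the parser assumes a leading space marks a child line, which is how IOS renders running-config.

```python
# Constructed sample: the post's IKEv1 DMVPN hub, indented as IOS prints it.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key DMVPN_KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set 3DES_MD5
interface Tunnel1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
"""
# Algorithms and DH groups Cisco's NGE guidance lists as legacy or avoid.
WEAK = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}

def parse_sections(cfg):
    """Split an IOS config into (header, [children]) pairs by leading space."""
    sections = []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections

def audit(cfg):
    """Return findings for weak crypto, wildcard PSKs and unprotected mGRE tunnels."""
    findings = []
    for header, children in parse_sections(cfg):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for child in children:
                key, _, val = child.partition(" ")
                if val in WEAK or (key == "group" and val in WEAK_DH):
                    findings.append(f"{header}: weak {key} {val}")
        elif header.startswith("crypto isakmp key") and header.endswith(" 0.0.0.0 0.0.0.0"):
            findings.append("crypto isakmp key: wildcard address, any peer holding the PSK can authenticate")
        elif header.startswith("crypto ipsec transform-set"):
            findings += [f"transform-set {words[3]}: weak {a}" for a in words[4:] if a in WEAK]
        elif header.startswith("interface Tunnel"):
            protected = any(c.startswith("tunnel protection ipsec profile") for c in children)
            if "tunnel mode gre multipoint" in children and not protected:
                findings.append(f"{header}: mGRE tunnel without tunnel protection")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the three weak ISAKMP parameters, the wildcard key and the two weak ESP transforms; a policy using aes 256, sha256 and group 19 produces no findings.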
Configuration Example with IKEv2
Configure IKEv2 KeyRing
crypto ikev2 keyring <KR_NAME>
 peer <NAME>
  address 0.0.0.0 0.0.0.0
  pre-shared-key <KEY>
Configure IKEv2 Profile
crypto ikev2 profile <IKE_PROF_NAME>
 keyring <KR_NAME>
 authentication local pre-share
 authentication remote pre-share
 match address local 0.0.0.0
 match identity remote address 0.0.0.0 0.0.0.0
Configure IPsec profile
crypto ipsec profile <IPSEC_PROF>
 set ikev2-profile <IKE_PROF_NAME>
Note that Cisco has a number of smart defaults that simplify IKEv2 configuration. By not setting a transform set, we are using the Cisco default. If you try to enter "set transform-set default" the parser will tell you that you aren't allowed to configure it. See here for more smart defaults.
Apply To the Tunnel Interface
interface Tunnel1
 tunnel protection ipsec profile <IPSEC_PROF>
Full Configuration Example
This is again the DMVPN hub configuration, but this time with IKEv2.
crypto ikev2 keyring IKEV2-KEYRING
 peer dmvpn-node
  address 0.0.0.0 0.0.0.0
  pre-shared-key CISCO123
!
crypto ikev2 profile IKEV2-PROF
 keyring IKEV2-KEYRING
 authentication local pre-share
 authentication remote pre-share
 match address local 0.0.0.0
 match identity remote address 0.0.0.0 0.0.0.0
!
crypto ipsec profile IPSEC-IKEV2
 set ikev2-profile IKEV2-PROF
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Gig0/1
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp redirect
 tunnel protection ipsec profile IPSEC-IKEV2
What about using an isakmp profile? I got stung not using one on my spokes and my tunnels kept on flapping on my spoke routers. Basically, the spokes couldn't authenticate with the hubs.
Cisco TAC spotted that one!
Forgot to mention that the isakmp profile is referenced under the IPSEC profile.
Thanks