Configuring an IPsec profile

IPsec profile configuration sets parameters used to encrypt data between IPsec peer devices. After configuration, an IPsec profile is activated by attaching it to a virtual tunnel interface (VTI).

Before configuring an IPsec profile, any IKE profile or IPsec proposal that is to be attached to it must be configured. There is a configuration example at the end of this task that shows all the steps in order.
You can configure an IPsec profile by completing the following task.
  1. From privileged EXEC mode, enter global configuration mode.
    
    device# configure terminal
    
  2. Create an IPsec profile and enter configuration mode for the profile.
    
    device(config)# ipsec profile prof_blue
    
    When an IPsec profile is created, the default IKEv2 profile (def-ike-prof) and the default IPsec proposal (def-ipsec-prop) are automatically attached to the profile.
  3. (Optional) Use the ike-profile command to attach an alternate IKEv2 profile to the IPsec profile.
    
    device(config-ipsec-profile-prof_blue)# ike-profile prof_blue
    
    This example attaches the prof_blue IKEv2 profile to the IPsec profile.
  4. (Optional) Use the proposal command to attach an alternate IPsec proposal to the IPsec profile.
    
    device(config-ipsec-profile-prof_blue)# proposal prop_blue
    
    This example attaches the prop_blue IPsec proposal to the IPsec profile.
  5. (Optional) Configure the lifetime of an IPsec security association (SA).
    The following example shows how to set the IPsec SA lifetime to 240 minutes (14400 seconds).
    
    device(config-ipsec-profile-prof_blue)# lifetime 240
    
  6. (Optional) Configure replay protection.
    Note: Extended sequence numbering (ESN) must also be enabled in the IPsec proposal when replay protection is configured. ESN is disabled by default.

    Replay protection prevents replay attacks by assigning a 64-bit sequence number to each encrypted packet. Processed packets are tracked by their sequence number at the receiving IPsec endpoint and verified against a sliding window of valid sequence numbers.

    Note: Clear IPsec security associations (SAs) for extended sequence numbering to go into effect.
    The following example enables replay protection.
    
    device(config-ipsec-profile-prof_blue)# replay-protection
    
  7. Return to privileged EXEC mode.
    
    device(config-ipsec-profile-prof_blue)# end
    
  8. Verify the IPsec profile configuration.
    
    device# show ipsec profile prof_blue
    
    =========================================================================
    Name                : prof_blue
    Ike Profile         : prof_blue
    Lifetime            : 14400 sec
    Anti-Replay Service : Enabled
    DH Group            : None
    Proposal            : prop_blue
    
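The sliding-window check described in step 6 can be worked through in code. The following is an added example written for this page, not vendor code from the device, and it models the receiver side only: a window of 64 sequence numbers (the window size is an assumption; the device does not document its own), a bitmap of already-seen numbers, and a 64-bit sequence number as used when extended sequence numbering is enabled. The packet trace at the bottom is constructed to show the three outcomes a receiver distinguishes: a new highest number, an in-window number seen for the first time, and a rejected packet (either replayed or too old for the window).

```python
"""Anti-replay sliding window of the kind an IPsec receiver keeps per SA.

Added illustration for this page; not the device's implementation.
Window size and the packet trace below are constructed values.
"""

WINDOW_SIZE = 64  # assumption: number of sequence numbers the receiver remembers


class ReplayWindow:
    def __init__(self, window_size=WINDOW_SIZE):
        self.window_size = window_size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was already seen

    def check(self, seq):
        """Return (accepted, reason); state is updated only when a packet is accepted.

        seq is the full 64-bit sequence number (with ESN the high 32 bits are
        implicit on the wire, but the receiver compares the reconstructed value).
        """
        if seq == 0:
            # ESP starts the counter at 1; 0 never appears on a valid SA.
            return False, "sequence number 0 is never valid"

        if seq > self.top:
            # Packet is ahead of everything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.window_size:
                self.bitmap = 1                      # nothing old is still in range
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True, "new highest sequence number"

        diff = self.top - seq
        if diff >= self.window_size:
            # Older than the window can account for: reject rather than risk a replay.
            return False, "too old (outside window)"
        if self.bitmap & (1 << diff):
            return False, "replayed (already seen)"
        self.bitmap |= 1 << diff
        return True, "in window, first time seen"


def run_trace(seqs, window_size=WINDOW_SIZE):
    """Feed a list of sequence numbers through one window; return (seq, accepted, reason)."""
    window = ReplayWindow(window_size)
    return [(seq, *window.check(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed trace: in-order packets, a replay of 2, a reorder (5 before 4),
    # a jump past the window (70), then a stale packet (3) that the window no
    # longer covers. Large values show that 64-bit numbering does not wrap.
    trace = [1, 2, 3, 2, 5, 4, 70, 3, 2**40, 2**40 - 10, 2**40 - 100]
    for seq, accepted, reason in run_trace(trace):
        print(f"{seq:>16}  {'accept' if accepted else 'REJECT'}  {reason}")
```

With replay protection off, the receiver would accept the replayed `2` and the stale `3` as well; the window is what turns a captured-and-resent packet into a dropped one. Without ESN the counter would be only 32 bits and the SA would have to be rekeyed before it wraps, which is why the note in step 6 requires `esn-enable` in the proposal.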

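Step 8 shows the `show ipsec profile` output by hand; in a fleet it is worth checking mechanically that a profile was not left on the defaults that step 2 attaches. The following is an added example, not a tool shipped with the device: it parses the `Name : value` lines exactly as printed above and flags a profile that still uses `def-ike-prof` or `def-ipsec-prop`, has replay protection off, or exceeds a lifetime ceiling. The weaker sample output, the `Disabled` wording and the 28800-second ceiling are assumptions made for the example; the page only documents the enabled case.

```python
"""Parse `show ipsec profile` output and flag weak settings.

Added illustration for this page; not a vendor tool. The first sample is the
output shown in step 8, the second is a constructed weaker profile.
"""
import re

DEFAULT_IKE_PROFILE = "def-ike-prof"       # attached automatically at creation (step 2)
DEFAULT_IPSEC_PROPOSAL = "def-ipsec-prop"  # attached automatically at creation (step 2)
MAX_LIFETIME_SEC = 28800                   # assumption: policy ceiling of 8 hours

# Output as printed in step 8 of this page.
SHOW_OUTPUT_BLUE = """\
=========================================================================
Name                : prof_blue
Ike Profile         : prof_blue
Lifetime            : 14400 sec
Anti-Replay Service : Enabled
DH Group            : None
Proposal            : prop_blue
"""

# Constructed example of a profile left on defaults; field wording is assumed.
SHOW_OUTPUT_DEFAULTS = """\
=========================================================================
Name                : prof_untouched
Ike Profile         : def-ike-prof
Lifetime            : 86400 sec
Anti-Replay Service : Disabled
DH Group            : None
Proposal            : def-ipsec-prop
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")


def parse_ipsec_profile(text):
    """Return the `Name : value` lines as a dict; separator lines are skipped."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def audit_ipsec_profile(fields, max_lifetime_sec=MAX_LIFETIME_SEC):
    """Return a list of findings; an empty list means the profile passed every check."""
    findings = []
    if fields.get("Anti-Replay Service") != "Enabled":
        findings.append("replay protection is not enabled")
    if fields.get("Ike Profile") == DEFAULT_IKE_PROFILE:
        findings.append("default IKEv2 profile still attached")
    if fields.get("Proposal") == DEFAULT_IPSEC_PROPOSAL:
        findings.append("default IPsec proposal still attached")
    lifetime = re.match(r"(\d+)\s*sec", fields.get("Lifetime", ""))
    if lifetime is None:
        findings.append("lifetime not reported")
    elif int(lifetime.group(1)) > max_lifetime_sec:
        findings.append(f"lifetime {lifetime.group(1)} sec exceeds {max_lifetime_sec} sec")
    return findings


if __name__ == "__main__":
    for output in (SHOW_OUTPUT_BLUE, SHOW_OUTPUT_DEFAULTS):
        fields = parse_ipsec_profile(output)
        findings = audit_ipsec_profile(fields)
        print(fields["Name"], "OK" if not findings else findings)
```

Note that this output does not say whether the proposal has `esn-enable` set, so the replay-protection check here only confirms the profile side of step 6; the proposal still has to be inspected separately.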
The following example shows how to configure an IKEv2 authorization proposal, an IKEv2 profile, an IPsec proposal and an IPsec profile. The IKEv2 authorization proposal is used in the configuration of the IKEv2 profile. The IKEv2 profile and IPsec proposal are used in the configuration of the IPsec profile.

device# configure terminal
device(config)# ikev2 auth-proposal auth_blue
device(config-ike-auth-proposal-auth_blue)# method local pre-shared
device(config-ike-auth-proposal-auth_blue)# method remote pre-shared
device(config-ike-auth-proposal-auth_blue)# pre-shared-key ps_key
device(config-ike-auth-proposal-auth_blue)# end

device# configure terminal
device(config)# ikev2 profile prof_blue
device(config-ike-profile-prof_blue)# authentication auth_blue
device(config-ike-profile-prof_blue)# local-identifier address 10.2.2.1
device(config-ike-profile-prof_blue)# remote-identifier address 10.3.3.3
device(config-ike-profile-prof_blue)# match-identity local address 10.2.2.1
device(config-ike-profile-prof_blue)# protected blue
device(config-ike-profile-prof_blue)# match-identity remote address 10.3.3.3
device(config-ike-profile-prof_blue)# end

device# configure terminal
device(config)# ipsec proposal prop_blue
device(config-ipsec-proposal-prop_blue)# transform esp
device(config-ipsec-proposal-prop_blue)# encryption-algorithm aes-gcm-256
device(config-ipsec-proposal-prop_blue)# esn-enable
device(config-ipsec-proposal-prop_blue)# end

device# configure terminal
device(config)# ipsec profile prof_blue
device(config-ipsec-profile-prof_blue)# ike-profile prof_blue
device(config-ipsec-profile-prof_blue)# proposal prop_blue
device(config-ipsec-profile-prof_blue)# lifetime 240
device(config-ipsec-profile-prof_blue)# replay-protection
device(config-ipsec-profile-prof_blue)# end

To activate the IPsec profile, bind it to a virtual tunnel interface (VTI) by using the tunnel protection ipsec profile command in tunnel interface configuration mode.