Configuring an IKEv2 proposal

Internet Key Exchange version 2 (IKEv2) proposal configuration sets parameters that are exchanged in the first phase of IKEv2 peer negotiations. After configuration, an IKEv2 proposal must be attached to an IKEv2 policy for use in IKEv2 negotiations.

There is a default IKEv2 proposal (def-ike-prop) that does not require configuration and has the following settings:
  • Encryption algorithm: AES-CBC-256
  • PRF algorithm: SHA-384
  • Integrity algorithm: SHA-384
  • DH group: 20
When the default values are not acceptable, perform the following task to configure an IKEv2 proposal. You only need to complete the steps for settings that you want to change.
  1. From privileged EXEC mode, enter global configuration mode.
    
    device# configure terminal
    
  2. Create an IKEv2 proposal and enter configuration mode for the proposal.
    
    device(config)# ikev2 proposal prop_RTB
    
  3. Configure an encryption algorithm for the proposal.
    
    device(config-ike-proposal-prop_RTB)# encryption aes-cbc-128
    
    This step adds the AES-CBC-128 algorithm to the encryption algorithms configured for prop_RTB. Because the AES-CBC-256 algorithm is configured by default, both the AES-CBC-256 and AES-CBC-128 algorithms are configured for prop_RTB after executing this step. Configuration of multiple encryption algorithms is allowed.
    When you want to configure the AES-CBC-128 algorithm only for the proposal, you must first add the AES-CBC-128 algorithm and then remove the default algorithm by using the no encryption aes-cbc-256 command.
  4. Configure an integrity algorithm for the proposal.
    
    device(config-ike-proposal-prop_RTB)# integrity sha256
    
    This step adds the SHA-256 algorithm to the integrity algorithms configured for prop_RTB. Because the SHA-384 algorithm is configured by default, both the SHA-384 and SHA-256 algorithms are configured for prop_RTB after executing this step. Configuration of multiple integrity algorithms is allowed.
    When you want to configure the SHA-256 algorithm only for the proposal, you must first add the SHA-256 algorithm and then remove the default algorithm by using the no integrity sha384 command.
  5. Configure a pseudorandom function (PRF) for the proposal.
    
    device(config-ike-proposal-prop_RTB)# prf sha256
    
    This step adds the SHA-256 algorithm to the PRF algorithms configured for prop_RTB. Because the SHA-384 algorithm is configured by default, both the SHA-384 and SHA-256 algorithms are configured for prop_RTB after executing this step. Configuration of multiple PRF algorithms is allowed.
    When you want to configure the SHA-256 algorithm only for the proposal, you must first add the SHA-256 algorithm and then remove the default algorithm by using the no prf sha384 command.
  6. Configure a DH group for the proposal.
    
    device(config-ike-proposal-prop_RTB)# dhgroup 19
    
    This step adds DH group 19 to the DH groups configured for prop_RTB. Because DH group 20 is configured by default, both DH groups (19 and 20) are configured for prop_RTB after executing this step. Configuration of multiple DH groups is allowed.
    When you want to configure DH group 19 only for the proposal, you must first add DH group 19 and then remove the default DH group by using the no dhgroup 20 command.
  7. Return to privileged EXEC mode.
    
    device(config-ike-proposal-prop_RTB)# end
    
  8. Verify the IKEv2 proposal configuration.
    
    device# show ikev2 proposal prop_RTB
    
    =========================================================================
    Name       : prop_RTB
    Encryption : AES-CBC-256,AES-CBC-128
    Integrity  : sha384,sha256
    PRF        : sha384,sha256
    DH Group   : 384_ECP/Group 20,256_ECP/Group 19
    Ref Count  : 0
    

The following example shows how to create and configure an IKEv2 proposal named prop_RTB. It also shows how to remove the default settings: first configure the alternate algorithm or DH group, then remove the default.

device# configure terminal
device(config)# ikev2 proposal prop_RTB
device(config-ike-proposal-prop_RTB)# encryption aes-cbc-128
device(config-ike-proposal-prop_RTB)# no encryption aes-cbc-256
device(config-ike-proposal-prop_RTB)# integrity sha256
device(config-ike-proposal-prop_RTB)# no integrity sha384
device(config-ike-proposal-prop_RTB)# prf sha256
device(config-ike-proposal-prop_RTB)# no prf sha384
device(config-ike-proposal-prop_RTB)# dhgroup 19
device(config-ike-proposal-prop_RTB)# no dhgroup 20
device(config-ike-proposal-prop_RTB)# end
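
As an added audit helper that is not part of this document or the device software: the Python below parses the step 8 show ikev2 proposal output, reports any algorithm or DH group the proposal still offers beyond the intended set (here, the defaults that were added to but not yet removed), and generates the add-then-remove command sequence shown in the example above. The sample show output and the target set DESIRED are constructed from this page; the attribute and command names are the ones used in the steps above.

```python
import re

# Defaults of def-ike-prop, as stated on this page.
DEFAULTS = {"encryption": {"aes-cbc-256"}, "integrity": {"sha384"}, "prf": {"sha384"}, "dhgroup": {"20"}}
ATTRS = ("encryption", "integrity", "prf", "dhgroup")
SHOW_KEYS = {"Encryption": "encryption", "Integrity": "integrity", "PRF": "prf", "DH Group": "dhgroup"}

# Constructed sample: the 'show ikev2 proposal prop_RTB' output from step 8,
# taken after the additions but before any 'no ...' removals.
SAMPLE_SHOW = """\
Name       : prop_RTB
Encryption : AES-CBC-256,AES-CBC-128
Integrity  : sha384,sha256
PRF        : sha384,sha256
DH Group   : 384_ECP/Group 20,256_ECP/Group 19
Ref Count  : 0
"""
# The algorithm set the operator intends prop_RTB to offer (assumed target, not from the page).
DESIRED = {"encryption": {"aes-cbc-128"}, "integrity": {"sha256"}, "prf": {"sha256"}, "dhgroup": {"19"}}


def parse_show_proposal(text):
    """Turn 'show ikev2 proposal' output into {'name': str, attr: set(values)}."""
    parsed = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Name|Encryption|Integrity|PRF|DH Group)\s*:\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Name":
            parsed["name"] = value
            continue
        # DH groups print as '384_ECP/Group 20'; keep only the group number.
        parsed[SHOW_KEYS[key]] = {v.rsplit("Group", 1)[-1].strip().lower() for v in value.split(",")}
    return parsed


def leftover_algorithms(proposal, allowed):
    """Values the proposal still offers outside the allowed set (e.g. defaults not yet removed)."""
    return {a: proposal[a] - allowed[a] for a in ATTRS if proposal[a] - allowed[a]}


def plan_commands(name, current, desired):
    """CLI lines that move a proposal from `current` to `desired`. Per attribute, new
    values are added before old ones are removed, following the page's add-then-remove rule."""
    cmds = ["configure terminal", f"ikev2 proposal {name}"]
    for attr in ATTRS:
        cmds += [f"{attr} {v}" for v in sorted(desired[attr] - current[attr])]
        cmds += [f"no {attr} {v}" for v in sorted(current[attr] - desired[attr])]
    cmds.append("end")
    return cmds
```

Running leftover_algorithms on the step 8 output against DESIRED flags AES-CBC-256, sha384 and DH group 20 as still offered, which is exactly what the no commands in the example remove.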

To use the IKEv2 proposal in IKEv2 negotiations, attach it to an IKEv2 policy by using the proposal command in IKEv2 policy configuration mode.