Configuring an IKEv2 policy

Internet Key Exchange version 2 (IKEv2) policy configuration specifies the IKEv2 proposal to be used by an IKEv2 policy and sets match parameters for the policy. An IKEv2 policy is used to protect IKEv2 peer negotiations.

Before configuring an IKEv2 policy, any IKEv2 proposal that is to be associated with the policy must be configured. There is an example at the end of this task that shows all the configuration steps in order.
There is a default IKEv2 policy (def-ike-policy) that does not require configuration. The default policy uses the default IKEv2 proposal (def-ike-prop) and matches:
  • All local addresses because a local address to match is not configured for the policy
  • Any VRF because a front-door VRF (FVRF) to match is not configured for the policy
Note: You should not configure overlapping policies. When multiple possible policy matches are configured, the policy that was created most recently is selected.

When the default policy is not acceptable, perform the following task to configure an IKEv2 policy. You only need to complete the steps for settings that you want to change.

  1. From privileged EXEC mode, enter global configuration mode.
    
    device# configure terminal
    
  2. Create an IKEv2 policy and enter configuration mode for the policy.
    
    device(config)# ikev2 policy pol_RTB
    
  3. (Optional) An IKEv2 policy must contain at least one IKEv2 proposal. By default, def-ike-prop is attached to an IKEv2 policy. Use the proposal command to configure an alternate IKEv2 proposal for the IKEv2 policy.
    
    device(config-ike-policy-pol_RTB)# proposal prop_RTB
    
    This example specifies using an IKEv2 proposal named prop_RTB for the policy.
  4. (Optional) When a local match address is not specified, the IKEv2 policy matches all local addresses. Use the match address-local command to specify a local IP address as a match parameter for the IKEv2 policy.
    
    device(config-ike-policy-pol_RTB)# match address-local 10.3.3.3 255.255.255.0
    
    This example matches the IKEv2 policy pol_RTB when the source address of the IPsec tunnel matches the specified local IPv4 address (10.3.3.3 255.255.255.0).
  5. (Optional) When a front-door VRF (FVRF) to match is not specified, packets that match the local IP addresses specified for the policy are matched to any VRF. Use the match fvrf command to specify a front-door VRF for the policy.
    
    device(config-ike-policy-pol_RTB)# match fvrf vrf-name example_vrf
    
    This example specifies that the IKEv2 policy pol_RTB is matched when the local IPv4 address and the source address of the IPsec tunnel match and when the base VRF for the IPsec tunnel matches a VRF named example_vrf.
  6. Return to privileged EXEC mode.
    
    device(config-ike-policy-pol_RTB)# end
    
  7. Verify the IKEv2 policy configuration.
    
    device# show ikev2 policy pol_RTB
    
    =========================================================================
    Name                : pol_RTB
    Vrf                 : example_vrf
    Local address/Mask  : 10.3.3.3/255.255.255.0
    Proposal            : prop_RTB
    Ref Count           : 0
    

The following example configures an IKEv2 proposal named prop_RTB. It then configures an IKEv2 policy named pol_RTB using the proposal command to attach the IKEv2 proposal (prop_RTB) to the IKEv2 policy.


device# configure terminal
device(config)# ikev2 proposal prop_RTB
device(config-ike-proposal-prop_RTB)# encryption aes-cbc-128
device(config-ike-proposal-prop_RTB)# integrity sha256
device(config-ike-proposal-prop_RTB)# prf sha256
device(config-ike-proposal-prop_RTB)# dhgroup 19
device(config-ike-proposal-prop_RTB)# end

device# configure terminal
device(config)# ikev2 policy pol_RTB
device(config-ike-policy-pol_RTB)# proposal prop_RTB
device(config-ike-policy-pol_RTB)# match address-local 10.3.3.3 255.255.255.0
device(config-ike-policy-pol_RTB)# match fvrf vrf-name example_vrf
device(config-ike-policy-pol_RTB)# end
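As an added illustration of the match rules in steps 4 and 5 and of the note about overlapping policies, the following Python model (written for this page, not vendor code) selects the policy that would apply to a negotiation, with the most recently created match winning, and flags configured policies whose match parameters overlap. It assumes that an address/mask pair matches any local address in that subnet; the policy pol_ALL is a constructed example used to show the overlap case.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

@dataclass
class Ikev2Policy:
    name: str
    proposal: str = "def-ike-prop"        # default proposal, as on this page
    local: Optional[IPv4Network] = None   # match address-local; None matches all
    fvrf: Optional[str] = None            # match fvrf; None matches any VRF

    def matches(self, local_addr: str, fvrf: str) -> bool:
        # Assumption: an address/mask pair matches any local address in that subnet.
        if self.local is not None and IPv4Address(local_addr) not in self.local:
            return False
        return self.fvrf is None or self.fvrf == fvrf

def select_policy(policies: List[Ikev2Policy], local_addr: str, fvrf: str) -> Optional[Ikev2Policy]:
    """policies is in creation order; when several match, the newest one wins."""
    for pol in reversed(policies):
        if pol.matches(local_addr, fvrf):
            return pol
    return None

def find_overlaps(policies: List[Ikev2Policy]) -> List[Tuple[str, str]]:
    """Pairs of configured (non-default) policies that can match the same negotiation."""
    configured = [p for p in policies if p.name != "def-ike-policy"]
    overlaps = []
    for i, a in enumerate(configured):
        for b in configured[i + 1:]:
            same_vrf = a.fvrf is None or b.fvrf is None or a.fvrf == b.fvrf
            same_net = a.local is None or b.local is None or a.local.overlaps(b.local)
            if same_vrf and same_net:
                overlaps.append((a.name, b.name))
    return overlaps

# Constructed sample: the default policy, pol_RTB from this task, and a
# hypothetical later policy pol_ALL that matches any local address in example_vrf.
POLICIES = [
    Ikev2Policy("def-ike-policy"),
    Ikev2Policy("pol_RTB", "prop_RTB", IPv4Network("10.3.3.3/255.255.255.0", strict=False), "example_vrf"),
    Ikev2Policy("pol_ALL", "prop_RTB", None, "example_vrf"),
]

if __name__ == "__main__":
    # pol_ALL shadows pol_RTB because it was created later and also matches.
    print(select_policy(POLICIES, "10.3.3.3", "example_vrf").name)  # pol_ALL
    print(find_overlaps(POLICIES))                                   # [('pol_RTB', 'pol_ALL')]
```

Running `find_overlaps` over the intended policy set before committing it is a cheap way to catch the silent most-recent-wins selection the note warns about.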