Configuring an IKEv2 profile

Internet Key Exchange version 2 (IKEv2) profile configuration sets the parameters used in the IKE_AUTH exchange, the second exchange of IKEv2 peer negotiation, in which the peers present their identities and authenticate each other. An IKEv2 profile specifies the match identity criteria and the authentication proposal that are applied to an incoming connection. An IKEv2 profile may protect a single VRF or all VRFs.

An IKEv2 session is a unique combination of local IP address, remote IP address, and IKEv2 profile. The IKEv2 profile determines the local identifier that is used for the session.

An IKEv2 profile is applied to an incoming IKEv2 connection by matching the identity that the peer presents (an IP address, a fully qualified domain name (FQDN), and so on) against the profile's match identity criteria. Matching only selects the profile; the peer is still authenticated by the authentication proposal attached to the selected profile, so a match on a presented identity is not by itself proof of who the peer is.

For an outgoing connection, the IKEv2 profile is determined by the IPsec profile used for the virtual tunnel interface (VTI).

A complete IKEv2 profile configuration contains a local identity, remote identity, local match identity, and remote match identity. When an IKEv2 profile configuration is incomplete, it is not used.

The VRF protected by an IKEv2 profile corresponds to the forwarding VRF of the VTI that uses the profile.

Before configuring an IKEv2 profile, define and configure the IKEv2 authentication proposal that is to be associated with the profile. There is an example at the end of this task that shows all the configuration steps in order.

There is a default IKEv2 profile (def-ike-profile) that does not require configuration and that has the following settings:
  • Authentication proposal: def-ike-auth-prop
  • Local identifier address: 0.0.0.0.
  • Lifetime period for an IKEv2 security association: 2592000 seconds (30 days)
  • Keepalive interval (the interval between sending IKEv2 messages to detect if a peer is still alive): 300 seconds
Note: The default IKEv2 profile protects any VRF.
Note: The method of authentication you select for IKEv2 transactions affects some IKEv2 profile configuration options. When configuring the local-identifier, remote-identifier and match-identity, it is recommended that you select:
  • Distinguished Name (DN), when using PKI-based authentication.
  • Fully Qualified Domain Name (FQDN), when using pre-shared key authentication.

When the default profile is not acceptable, perform the following task to configure an IKEv2 profile.

  1. From privileged EXEC mode, enter global configuration mode.
    
    device# configure terminal
    
  2. Create an IKEv2 profile and enter configuration mode for the profile.
    
    device(config)# ikev2 profile prof_blue
    
  3. (Optional) When an IKEv2 profile is created, the default IKEv2 authentication proposal (def-ike-auth-prop) is attached to the profile. Use the authentication command to attach an alternate authentication proposal to the profile.
    
    device(config-ike-profile-prof_blue)# authentication auth_blue
    
    This example attaches the auth_blue authentication proposal to the profile.
  4. Specify the local identity that is sent to the peer in the identity payload during peer negotiation.
    
    device(config-ike-profile-prof_blue)# local-identifier address 10.2.2.1
    
  5. Specify the remote identity that is sent in the identity payload during peer negotiation.
    
    device(config-ike-profile-prof_blue)# remote-identifier address 10.3.3.3
    
  6. An IKEv2 profile must contain at least one remote match identity; a local match identity is optional. Specify a match identity for the peer device.
    The following example shows how to specify matching on a remote identity (IP address 10.3.3.3).
    
    device(config-ike-profile-prof_blue)# match-identity remote address 10.3.3.3
    
    The following example shows how to specify matching on a local identity (IP address 10.2.2.1).
    
    device(config-ike-profile-prof_blue)# match-identity local address 10.2.2.1
    
    When multiple match identities are configured, a match occurs when any one remote match statement matches the identity the peer presents for itself, or any one local match statement matches the identity the peer presents for this device.
  7. Specify the name of the VRF that is to be protected.
    
    device(config-ike-profile-prof_blue)# protected blue
    
    This example specifies that the IKEv2 profile protects a VRF named blue.
  8. Return to privileged EXEC mode.
    
    device(config-ike-profile-prof_blue)# end
    
  9. Verify the IKEv2 profile configuration.
    
    device# show ikev2 profile prof_blue
    
    =========================================================================
    IKEv2 Profile       : prof_blue
    Auth Profile        : auth_blue
    Match Criteria      :
     Inside VRF         : blue
      Local:
       address 10.2.2.1
      Remote:
       address 10.3.3.3
    Local Identifier    : address 10.2.2.1
    Remote Identifier   : address 10.3.3.3
    Lifetime            : 2592000 sec
    Keepalive Check     : 300 sec
    Ref Count           : 0
    

The following example configures an IKEv2 authentication proposal named auth_blue. It then configures an IKEv2 profile named prof_blue using the authentication command to attach the IKEv2 authentication proposal to the IKEv2 profile.


device# configure terminal
device(config)# ikev2 auth-proposal auth_blue           
device(config-ike-auth-proposal-auth_blue)# method local pre-shared
device(config-ike-auth-proposal-auth_blue)# method remote pre-shared
device(config-ike-auth-proposal-auth_blue)# pre-shared-key ps_key
device(config-ike-auth-proposal-auth_blue)# end

device# configure terminal
device(config)# ikev2 profile prof_blue 
device(config-ike-profile-prof_blue)# authentication auth_blue          
device(config-ike-profile-prof_blue)# local-identifier address 10.2.2.1
device(config-ike-profile-prof_blue)# remote-identifier address 10.3.3.3
device(config-ike-profile-prof_blue)# match-identity local address 10.2.2.1
device(config-ike-profile-prof_blue)# protected blue
device(config-ike-profile-prof_blue)# match-identity remote address 10.3.3.3
device(config-ike-profile-prof_blue)# end

To use the IKEv2 profile for outgoing connections, attach it to an IPsec profile by using the ike-profile command in IPsec profile configuration mode.
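The profile-selection rules stated above (a profile is chosen for an incoming connection by its match identity criteria, any one matching statement is enough, an incomplete profile is never used, a profile protects one VRF or any VRF, and def-ike-profile is what remains when nothing else applies) are easy to get wrong when several profiles coexist. The following Python model is an added illustration, not device code: it encodes those rules over a constructed set of profiles that includes prof_blue from the task above plus two hypothetical profiles (prof_incomplete, prof_red) and shows which profile, and therefore which authentication proposal, an incoming peer identity lands on. The comparison semantics (exact match, FQDN and DN case-insensitive) and the fallback to def-ike-profile for any peer are assumptions drawn from the page, not documented device behaviour.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Identity:
    kind: str    # "address", "fqdn" or "dn", as in: match-identity <local|remote> <kind> <value>
    value: str


@dataclass
class Ikev2Profile:
    """Constructed model of the IKEv2 profile fields described on the page."""
    name: str
    auth_proposal: str = "def-ike-auth-prop"      # attached by default when a profile is created
    local_identifier: Optional[Identity] = None
    remote_identifier: Optional[Identity] = None
    match_local: List[Identity] = field(default_factory=list)
    match_remote: List[Identity] = field(default_factory=list)
    protected_vrf: Optional[str] = None            # None: the profile protects any VRF

    def is_usable(self) -> bool:
        # Page rule: a profile needs a local identifier, a remote identifier and at
        # least one remote match identity; a local match identity is optional.
        # Anything less is incomplete and is never used for selection.
        return (self.local_identifier is not None
                and self.remote_identifier is not None
                and len(self.match_remote) > 0)


def identity_matches(stmt: Identity, presented: Identity) -> bool:
    # Assumption: exact comparison; FQDN and DN compared case-insensitively.
    if stmt.kind != presented.kind:
        return False
    if stmt.kind == "address":
        return stmt.value == presented.value
    return stmt.value.lower() == presented.value.lower()


def any_match(stmts: List[Identity], presented: Identity) -> bool:
    # Page rule: with several match statements, any single one matching is enough.
    return any(identity_matches(s, presented) for s in stmts)


# Default profile from the page: local identifier 0.0.0.0, def-ike-auth-prop, any VRF.
DEFAULT_PROFILE = Ikev2Profile(name="def-ike-profile",
                               local_identifier=Identity("address", "0.0.0.0"))


def select_profile(profiles: List[Ikev2Profile], peer_id: Identity,
                   our_id: Identity, vrf: str) -> Ikev2Profile:
    """Pick the profile for an incoming IKE_AUTH in which the peer presents peer_id for
    itself and our_id for this device, arriving in the given VRF. Selection only chooses
    the profile; the attached auth proposal still has to authenticate the peer.
    Assumption: def-ike-profile is the fallback when no configured profile matches."""
    for p in profiles:
        if not p.is_usable():
            continue
        if p.protected_vrf is not None and p.protected_vrf != vrf:
            continue
        if not any_match(p.match_remote, peer_id):
            continue
        if p.match_local and not any_match(p.match_local, our_id):
            continue
        return p
    return DEFAULT_PROFILE


# Constructed profile set: prof_blue as configured on the page, plus two hypothetical ones.
PROFILES = [
    Ikev2Profile(name="prof_incomplete",             # no remote-identifier: never selected
                 local_identifier=Identity("address", "10.2.2.1"),
                 match_remote=[Identity("address", "10.9.9.9")]),
    Ikev2Profile(name="prof_blue", auth_proposal="auth_blue",
                 local_identifier=Identity("address", "10.2.2.1"),
                 remote_identifier=Identity("address", "10.3.3.3"),
                 match_local=[Identity("address", "10.2.2.1")],
                 match_remote=[Identity("address", "10.3.3.3")],
                 protected_vrf="blue"),
    Ikev2Profile(name="prof_red", auth_proposal="auth_red",   # hypothetical FQDN/PSK profile
                 local_identifier=Identity("fqdn", "hub.example.net"),
                 remote_identifier=Identity("fqdn", "spoke1.example.net"),
                 match_remote=[Identity("fqdn", "spoke1.example.net"),
                               Identity("fqdn", "spoke2.example.net")],
                 protected_vrf="red"),
]


if __name__ == "__main__":
    for peer, us, vrf in [
        (Identity("address", "10.3.3.3"), Identity("address", "10.2.2.1"), "blue"),
        (Identity("address", "10.3.3.3"), Identity("address", "10.2.2.1"), "red"),
        (Identity("address", "10.9.9.9"), Identity("address", "10.2.2.1"), "blue"),
        (Identity("fqdn", "Spoke2.Example.Net"), Identity("fqdn", "hub.example.net"), "red"),
    ]:
        chosen = select_profile(PROFILES, peer, us, vrf)
        print(f"{peer.kind} {peer.value} in VRF {vrf} -> {chosen.name} ({chosen.auth_proposal})")
```

Two cases are worth noting. A peer that presents 10.3.3.3 in VRF red does not reach prof_blue, because that profile protects only VRF blue, and ends up on def-ike-profile with def-ike-auth-prop; if that is not the proposal you intended for such a peer, the VRF binding is the reason. And prof_incomplete never captures the 10.9.9.9 peer even though its remote match statement fits, which is the "incomplete profiles are not used" rule in action.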