Configuring an IKEv2 authentication proposal

An Internet Key Exchange version 2 (IKEv2) authentication proposal sets the parameters that are used to authenticate IKEv2 peer devices. After it is configured, an IKEv2 authentication proposal must be attached to an IKEv2 profile before it is used in IKEv2 negotiations.

There is a default IKEv2 authentication proposal (def-ike-auth-prop) that does not require configuration and has the following settings:
  • Method for local device authentication: pre-shared
  • Method for remote device authentication: pre-shared
  • Pre-shared key: $QG5HTT1Ebk1TVW5NLWIhVW5ATVMhLS0rc1VA

When the default IKEv2 authentication proposal is not acceptable, perform the following task to configure an IKEv2 authentication proposal.

  1. From privileged EXEC mode, enter global configuration mode.
    
    device# configure terminal
    
  2. Create an IKEv2 authentication proposal and enter configuration mode for the proposal.
    
    device(config)# ikev2 auth-proposal auth_blue
    
  3. Specify an authentication method for local device authentication.
    
    device(config-ike-auth-proposal-auth_blue)# method local pre-shared
    
    This example specifies using a pre-shared key for local device authentication.
  4. Specify an authentication method for remote device authentication.
    
    device(config-ike-auth-proposal-auth_blue)# method remote pre-shared
    
    This example specifies using a pre-shared key for remote device authentication.
  5. (Optional) Specify a pre-shared key. An IKEv2 authentication proposal is assigned a default pre-shared key; use the pre-shared-key command to specify an alternate pre-shared key. The following example configures a text-based pre-shared key (ps_key) for the proposal.
    
    device(config-ike-auth-proposal-auth_blue)# pre-shared-key ps_key
    
  6. Return to privileged EXEC mode.
    
    device(config-ike-auth-proposal-auth_blue)# end
    
  7. Verify the IKEv2 authentication proposal configuration.
    
    device# show ikev2 auth-proposal auth_blue
    
    =========================================================================
    Ikev2 Auth-Proposal : auth_blue
    Local Auth Method   : pre_shared
    Remote Auth Method  : pre_shared
    pre-share-key       : $cTJkQ1x4Wnx7UQ==
    
    The encrypted form of the pre-shared key is displayed in the output of the show ikev2 auth-proposal command.

The following example creates and configures an IKEv2 authentication proposal named auth_blue.

device# configure terminal
device(config)# ikev2 auth-proposal auth_blue
device(config-ike-auth-proposal-auth_blue)# method local pre-shared
device(config-ike-auth-proposal-auth_blue)# method remote pre-shared
device(config-ike-auth-proposal-auth_blue)# pre-shared-key ps_key
device(config-ike-auth-proposal-auth_blue)# end

To use the IKEv2 authentication proposal in IKEv2 negotiations, attach it to an IKEv2 profile by using the authentication command in IKEv2 profile configuration mode.
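
The verification in step 7 can be automated across captured show ikev2 auth-proposal output. The following is an added example, not part of the original procedure or a vendor tool: it parses the output format shown above and reports pre-shared proposals whose displayed key equals the default key listed for def-ike-auth-prop. It assumes that a proposal left on the default key displays that same encoded string; the auth_red proposal in the sample is constructed.

```python
import re

# Encoded default key exactly as this page lists it for def-ike-auth-prop.
DEFAULT_KEY_ENCODED = "$QG5HTT1Ebk1TVW5NLWIhVW5ATVMhLS0rc1VA"

# Constructed sample: auth_blue is the page's output, auth_red is hypothetical.
SAMPLE_OUTPUT = """\
=========================================================================
Ikev2 Auth-Proposal : auth_blue
Local Auth Method   : pre_shared
Remote Auth Method  : pre_shared
pre-share-key       : $cTJkQ1x4Wnx7UQ==
=========================================================================
Ikev2 Auth-Proposal : auth_red
Local Auth Method   : pre_shared
Remote Auth Method  : pre_shared
pre-share-key       : $QG5HTT1Ebk1TVW5NLWIhVW5ATVMhLS0rc1VA
"""

# "Label : value" lines; prompt lines and rules have no colon and are skipped.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_proposals(text):
    """Split the output on '=====' rules and return one field dict per proposal."""
    proposals = []
    for block in re.split(r"^[ \t]*=+[ \t]*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).lower()] = m.group(2)
        if "ikev2 auth-proposal" in fields:
            proposals.append(fields)
    return proposals

def audit(text, default_key=DEFAULT_KEY_ENCODED):
    """Return (name, finding) pairs for proposals still on the default key."""
    findings = []
    for p in parse_proposals(text):
        methods = (p.get("local auth method"), p.get("remote auth method"))
        if "pre_shared" not in methods:
            continue  # assumption: the key only matters when a side uses a PSK
        if p.get("pre-share-key") == default_key:
            findings.append((p["ikev2 auth-proposal"], "default pre-shared key in use"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_OUTPUT):
        print(f"{name}: {finding}")
```

Pass a different default_key value to audit() if the device displays another encoded default.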