IKEv2配置说明

IKEv2命令说明

IKEv2 Proposal

IKEv2 proposal是IKE SA中协商转换集（Transforms Collection）在IKE_SA_INIT交换中的一部分。在协商过程中转换类型如下：

Encryption algorithm
Integrity algorithm
Pseudo-Random Function (PRF) algorithm
Diffie-Hellman (DH) group

R1(config)#crypto ikev2 proposal ikev2-proposal 
R1(config-ikev2-proposal)#?
IKEv2 Proposal commands:
  encryption  Set encryption algorithm(s) for proposal
  exit        Exit from IKEv2 proposal configuration mode
  group       Set the Diffie-Hellman group(s)
  integrity   Set integrity hash algorithm(s) for proposal
  no          Negate a command or set its defaults

IKEv2 policy

IKEv2 policy包含用于在SA_INIT交换中协商加密，完整性，PRF算法和DH组。

R1(config)#crypto ikev2 policy ikev2-policy 
R1(config-ikev2-policy)#?
IKEv2 Policy commands:
  exit      Exit from IKEv2 policy configuration mode
  match     Match values of local fields
  no        Negate a command or set its defaults
  proposal  Specify Proposal

IKEv2 Keyring

IKEv2 Keyring是对称和非对称预共享密钥的存储库。

R1(config)#crypto ikev2 keyring ikev2-keyring
R1(config-ikev2-keyring)#?
IKEv2 Keyring commands:
  exit  Exit from crypto ikev2 keyring sub mode
  no    Negate a command or set its defaults
  peer  Configure a Peer and associated keys

IKEv2 Profile

IKEv2 profile是IKE SA的不可协商（NonNegotiable）参数的存储库，如本地或远程身份和身份验证方法和可用相匹配的配置文件，经过身份验证的对等体提供的服务。

R1(config)#crypto ikev2 profile ikev2-profile
R1(config-ikev2-profile)#?
IKEv2 profile commands:
  aaa               Specify AAA related configs
  authentication    Set authentication method
  config-exchange   config-exchange options
  description       Specify a description of this profile
  dpd               Enable IKE liveness check for peers
  exit              Exit from crypto ikev2 profile sub mode
  identity          Specify IKE identity to use
  initial-contact   initial-contact processing
  ivrf              I-VRF of the profile
  keyring           Specify keyring to use
  lifetime          Set lifetime for ISAKMP security association
  match             Match values of peer
  nat               NAT-transparency
  no                Negate a command or set its defaults
  pki               Specify certificate authorities to trust
  redirect          IKEv2 Redirect Mechanism for load-balancing
  virtual-template  Specify the virtual-template for dynamic interface

IPsec Transform-set

crypto ipsec transform-set是定义变换集（To define a transform set），定义适合的安全协议和加密算法。

R1(config)#crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac
Crypto transform configuration commands:
  default  Set a command to its defaults
  exit     Exit from crypto transform configuration mode
  mode     encapsulation mode (transport/tunnel)
  no       Negate a command or set its defaults

crypto map

crypto 集合，集合内容如下。

set peer　　　　　　关联IPsec对等体
set transform-set　　关联转换集
set ikev2-profile　　关联SA_INIT交换中协商参数
match address　　定义感兴趣数据流

R2(config)#crypto map ikev2-map 10 ipsec-isakmp
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

配置步骤

通过ikev2 proposal定义 Encryption，Hash Algorithm，Diffie-Hellman group，这一步类似于IKEv1中的“crypto isakmp policy”。
通过policy去调用proposal，这样做的好处是，当需要配置多个VPN的时候，不需要每一个VPN去配置Encryption，Hash Algorithm，Diffie-Hellman group这些信息，直接调用之前配置好的proposal即可。
配置keying，在keying中配置对等体的IP地址，并且配置预共享密钥。
配置profile配置集合，确定认证方式和调用秘钥
配置transform-set指定ipsec vpn模式，传输模式or隧道模式。
配置感兴趣的数据流，通过ACL。
配置crypto map集合，并在接口下应用。

因为配置命令比较麻烦，我经常使用PPKP（proposal->policy->keyring->profile）来简化配置思路。

配置示例

crypto ikev2 proposal ikev2-proposal
 encryption1 aes-cbc-256
 integrity2 sha512
 group3 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf4 any
 proposal5 ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer6 ccie43413
  address7 12.1.1.1
  pre-shared-key8 local ccie43413
  pre-shared-key9 remote ccie43413
 !
!
crypto ikev2 profile ikev2-profile
 match identity remote address 12.1.1.1 255.255.255.255 10
 authentication remote pre-share11
 authentication local pre-share 12
 keyring local ikev2-keyring13
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp 
 set peer 12.1.1.1
 set transform-set ikev2-transform-set 
 set ikev2-profile ikev2-profile
 match address vpn
!
ip access-list extended vpn
 permit ip host 10.1.1.1 host 20.1.1.1
!

参考文献

1.Configuring Internet Key Exchange Version 2 (IKEv2)

2.IKEv1/IKEv2 Between Cisco IOS and strongSwan Configuration Example

3.IPSec Network Security Commands

脚注

Specifies one or more transforms of the encryption type. ↩
Specifies one or more transforms of the integrity algorithm type ↩
Specifies the Diffie-Hellman (DH) group identifier.A generally acccepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Either group 14 or group 24 can be selected to meet this guideline ↩
(Optional) Matches the policy based on a user-configured FVRF or any FVRF.这部分详细，请参阅Configuring VPNs in VRF Mode ↩
Specifies the proposals that must be used with the policy. ↩
Defines the peer or peer group and enters IKEv2 keyring peer configuration mode. ↩
Specifies an IPv4 or IPv6 address or range for the peer. ↩
Specifies the preshared key for the peer ↩
Specifies the preshared key for the peer ↩
Use the match statements to select an IKEv2 profile for a peer: ↩
Specifies the local or remote authentication method. ↩
Specifies the local or remote authentication method. ↩
Specifies the local or AAA-based keyring that must be used with the local and remote preshared key authentication method ↩

5mouth Archive Project Stay Hungry · Stay Foolish