Sunday, April 6, 2025

Configure Cisco Router Crypto Map Based IKEv2

I had to reconfigure an old Cisco 800 router from a legacy crypto map based IKE version 1 to the more secure IKE version 2. Refer to this link for IKEv2 in a Cisco router.

These are the configuration components for IKEv2 in a Cisco router:

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

crypto ikev2 keyring IKEV2-KEYRING
 peer SVG2-CUSTFW01
  address 89.123.4.5
  pre-shared-key cisco123

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 89.123.4.5 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYRING


ip access-list extended IKEV2-ACL
 permit ip host 10.30.2.90 host 172.16.100.210

crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac

crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set security-association lifetime seconds 86400
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL

interface FastEthernet4
 crypto map CMAP_IKEV2


c800#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
c800(config)#crypto ikev2 proposal IKEV2-PROPOSAL
IKEv2 proposal should have atleast an encryption algorithm, an integrity algorithm and a dh group configured
c800(config-ikev2-proposal)#encryption ?
  3des         3DES
  aes-cbc-128  AES-CBC-128
  aes-cbc-192  AES-CBC-192
  aes-cbc-256  AES-CBC-256

c800(config-ikev2-proposal)#encryption aes-cbc-256
c800(config-ikev2-proposal)#integrity ?
  md5     Message Digest 5
  sha1    Secure Hash Standard
  sha256  Secure Hash Standard 2 (256 bit)
  sha384  Secure Hash Standard 2 (384 bit)
  sha512  Secure Hash Standard 2 (512 bit)

c800(config-ikev2-proposal)#integrity sha256
c800(config-ikev2-proposal)#group ?
  1   DH 768 MODP
  14  DH 2048 MODP
  15  DH 3072 MODP
  16  DH 4096 MODP
  19  DH 256 ECP
  2   DH 1024 MODP
  20  DH 384 ECP
  24  DH 2048 (256 subgroup) MODP
  5   DH 1536 MODP

c800(config-ikev2-proposal)#group 14
kellog-mvpn-gw01(config-ikev2-proposal)#exit     
c800(config)#
c800(config)#crypto ikev2 policy ?
  WORD  Name of IKEv2 policy

c800(config)#crypto ikev2 policy IKEV2-POLICY
IKEv2 policy should have atleast one complete proposal attached
c800(config-ikev2-policy)#proposal ?
  WORD  Specify the name of proposal to be attached

c800(config-ikev2-policy)#proposal IKEV2-PROPOSAL
c800(config-ikev2-policy)#exit
c800(config)#
c800(config)#crypto ikev2 keyring ?
  WORD  Name of IKEv2 Keyring

c800(config)#crypto ikev2 keyring IKEV2-KEYRING
c800(config-ikev2-keyring)#?
IKEv2 Keyring commands:
  exit  Exit from crypto ikev2 keyring sub mode
  no    Negate a command or set its defaults
  peer  Configure a Peer and associated keys

c800(config-ikev2-keyring)#peer ?
  WORD  Name of the peer block

c800(config-ikev2-keyring)#peer ASAFW
c800(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
  address         Specify IPv4 address of peer
  description     Specify a description of this peer
  exit            Exit from crypto ikev2 keyring peer sub mode
  hostname        Hostname of peer
  identity        Specify IKE identity to use
  no              Negate values of a command
  pre-shared-key  specify the pre-shared key

c800(config-ikev2-keyring-peer)#address ?
  A.B.C.D             IPv4 Address
  X:X:X:X::X/<0-128>  IPv6 prefix

c800(config-ikev2-keyring-peer)#address 89.123.4.5
c800(config-ikev2-keyring-peer)#pre-shared-key ?
  0       Specifies an UNENCRYPTED password will follow
  6       Specifies an ENCRYPTED password will follow
  LINE    The UNENCRYPTED (cleartext) user password
  local   specify signing key
  remote  specify verifying key

c800(config-ikev2-keyring-peer)#pre-shared-key cisco123
c800(config-ikev2-keyring-peer)#exit
c800(config-ikev2-keyring)#exit
c800(config)#crypto ikev2 profile ?
  WORD  Name of IKEv2 Profile

c800(config)#crypto ikev2 profile IKEV2-PROFILE
% IKEv2 profile MUST have match identity or match certificate statements
c800(config-ikev2-profile)#?
IKEv2 profile commands:
  aaa               Specify AAA related configs
  authentication    Set authentication method
  description       Specify a description of this profile
  dpd               Enable IKE liveness check for peers
  exit              Exit from crypto ikev2 profile sub mode
  identity          Specify IKE identity to use
  ivrf              I-VRF of the profile
  keyring           Specify keyring to use
  lifetime          Set lifetime for ISAKMP security association
  match             Match values of peer
  nat               NAT-transparency
  no                Negate a command or set its defaults
  pki               Specify certificate authorities to trust
  virtual-template  Specify the virtual-template for dynamic interface creation.

c800(config-ikev2-profile)#match ?
  address      IP address
  certificate  Peer certificate attributes
  fvrf         fvrf of the profile
  identity     IKE identity

c800(config-ikev2-profile)#match identity ?
  remote  Remote identity

c800(config-ikev2-profile)#match identity remote ?
  address  IP Address(es)
  email    Fully qualified email string
  fqdn     Fully qualified domain name string
  key-id   key-id opaque string

c800(config-ikev2-profile)#match identity remote address ?
  A.B.C.D             IP address prefix
  X:X:X:X::X/<0-128>  IPv6 address/prefix-length

c800(config-ikev2-profile)#match identity remote address 89.123.4.5 ?
  A.B.C.D  specify mask
  <cr>

c800(config-ikev2-profile)#match identity remote address 89.123.4.5 255.255.255.255
c800(config-ikev2-profile)#authentication ?
  local   Set local authentication method
  remote  Set remote authentication method

c800(config-ikev2-profile)#authentication local ?
  ecdsa-sig  ECDSA Signature
  pre-share  Pre-Shared Key
  rsa-sig    Rivest-Shamir-Adleman Signature

c800(config-ikev2-profile)#authentication local pre-share
c800(config-ikev2-profile)#authentication remote pre-share
c800(config-ikev2-profile)#keyring ?
  WORD  Keyring name
  aaa   AAA based pre-shared keys

c800(config-ikev2-profile)#keyring IKEV2-KEYRING ?
  <cr>

c800(config-ikev2-profile)#keyring IKEV2-KEYRING
c800(config-ikev2-profile)#exit
c800(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

c800(config)#crypto ipsec transform-set IKEV2-TSET ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes          ESP transform using AES cipher
  esp-des          ESP transform using DES cipher (56 bits)
  esp-gcm          ESP transform using GCM cipher
  esp-gmac         ESP transform using GMAC cipher
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-null         ESP transform w/o cipher
  esp-seal         ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes ?
  128              128 bit keys.
  192              192 bit keys.
  256              256 bit keys.
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
  <cr>

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes 256 ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
  <cr>

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
c800(cfg-crypto-trans)#exit
c800(config)#crypto map CMAP_IKEV2 ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  gdoi            Configure crypto map gdoi features
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

c800(config)#crypto map CMAP_IKEV2 10 ?
  gdoi          GDOI
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

c800(config)#crypto map CMAP_IKEV2 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
c800(config-crypto-map)#?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

c800(config-crypto-map)#set ?
  identity              Identity restriction.
  ikev2-profile         Specify ikev2 Profile
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

c800(config-crypto-map)#set peer ?
  A.B.C.D  IP address of peer
  WORD     Host name of the peer

c800(config-crypto-map)#set peer 89.123.4.5
c800(config-crypto-map)#set transform-set IKEV2-TSET
c800(config-crypto-map)#set ikev2-profile ?
  WORD  Name the ikev2 profile

c800(config-crypto-map)#set ikev2-profile IKEV2-PROFILE
c800(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

c800(config-crypto-map)#match address 100
c800(config-crypto-map)#set security-association ?
  idle-time  Automatically delete IPSec SAs after a given idle period.
  level      specify a security association granularity level for identities
  lifetime   security association lifetime
  replay     Set replay checking.

c800(config-crypto-map)#set security-association lifetime ?
  kilobytes  Volume-based key duration
  seconds    Time-based key duration

c800(config-crypto-map)#set security-association lifetime seconds ?
  <120-86400>  Security association duration in seconds

c800(config-crypto-map)#set security-association lifetime seconds 86400
c800(config-crypto-map)#end
c800#write memory
Building configuration...
[OK]


c800#show run | section crypto
crypto pki token default removal timeout 0
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
crypto ikev2 keyring IKEV2-KEYRING
 peer SVG2-CUSTFW01
  address 89.123.4.5
  pre-shared-key cisco123
 !
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 89.123.4.5 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring IKEV2-KEYRING
crypto isakmp keepalive 60
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set security-association lifetime seconds 86400
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL
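The component list at the top of the post and the `show run | section crypto` output above can be checked mechanically before the map is swapped onto the interface. The script below is an added example, not code from the post or from Cisco: it parses running-config text, flags IKEv1-era algorithms left in an IKEv2 proposal or transform set, reports pre-shared keys that sit in the keyring in cleartext or are short, and resolves every reference from the crypto map (profile, transform set, ACL, numbered or named) and from the profile (keyring) against the objects that actually exist, which is the state in which IOS keeps a map disabled, as the "% NOTE" in the transcript says. Both sample configurations are constructed for this example, and the 16-character key length is an assumed local policy, not an IOS limit. One caveat: `section crypto` does not include `ip access-list` lines, so feed the script the full running configuration or the ACL check will report IKEV2-ACL as undefined.

```python
# Audit a crypto-map based IKEv2 configuration on Cisco IOS (added example, not from the post).

WEAK_IKE = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"}, "group": {"1", "2", "5"}}
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-seal", "esp-md5-hmac"}
MIN_PSK_LENGTH = 16  # assumed local policy threshold, not an IOS limit

# Constructed sample modelled on the post; the ACL is last so it can be cut off to imitate `section crypto`.
SAMPLE_IKEV2 = """\
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 keyring IKEV2-KEYRING
 peer SVG2-CUSTFW01
  address 89.123.4.5
  pre-shared-key cisco123
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 89.123.4.5 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYRING
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL
ip access-list extended IKEV2-ACL
 permit ip host 10.30.2.90 host 172.16.100.210
"""

# Constructed sample with IKEv1-era algorithms, a profile that was never created and a numbered ACL that does not exist.
SAMPLE_LEGACY = """\
crypto ikev2 proposal OLD-PROPOSAL
 encryption 3des
 integrity md5
 group 2
crypto ipsec transform-set OLD-TSET esp-3des esp-md5-hmac
crypto map CMAP_OLD 10 ipsec-isakmp
 set transform-set OLD-TSET
 set ikev2-profile OLD-PROFILE
 match address 100
"""

def parse_blocks(config_text):
    """Split IOS config text into (header words, [sub-mode line words]) pairs; sub-mode lines are indented."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            blocks.append((raw.split(), []))
        elif blocks:
            blocks[-1][1].append(raw.split())
    return blocks

def audit_ikev2_config(config_text):
    """Return findings: weak algorithms, cleartext or short pre-shared keys, dangling references."""
    findings, refs = [], []  # refs: (kind, name, where it is referenced)
    defined = {"ikev2 keyring": set(), "ikev2 profile": set(), "transform-set": set(), "acl": set()}
    # crypto map sub-commands that name another object, mapped to the kind of object they reference
    map_refs = {("set", "ikev2-profile"): "ikev2 profile", ("set", "transform-set"): "transform-set",
                ("match", "address"): "acl"}
    for head, body in parse_blocks(config_text):
        kind = " ".join(head[1:3]) if head[0] == "crypto" else ""
        if kind == "ikev2 proposal":
            findings += [f"proposal {head[3]}: weak {l[0]} {a}" for l in body for a in l[1:] if a in WEAK_IKE.get(l[0], ())]
        elif kind == "ikev2 keyring":
            defined[kind].add(head[3])
            peer = None
            for line in body:
                if line[0] == "peer":
                    peer = line[1]
                elif line[0] == "pre-shared-key":
                    args = [a for a in line[1:] if a not in ("local", "remote")]
                    if not args or args[0] == "6":
                        continue  # type-6 encrypted at rest: strength cannot be judged from the config
                    key = " ".join(args[1:] if args[0] == "0" else args)
                    where = f"keyring {head[3]} peer {peer}"
                    findings.append(f"{where}: pre-shared key stored in cleartext")
                    if len(key) < MIN_PSK_LENGTH:
                        findings.append(f"{where}: pre-shared key shorter than {MIN_PSK_LENGTH} characters")
        elif kind == "ikev2 profile":
            defined[kind].add(head[3])
            refs += [("ikev2 keyring", l[-1], f"profile {head[3]}") for l in body if l[0] == "keyring" and l[1] != "aaa"]
        elif kind == "ipsec transform-set":
            defined["transform-set"].add(head[3])
            findings += [f"transform-set {head[3]}: weak transform {t}" for t in head[4:] if t in WEAK_ESP_TRANSFORMS]
        elif kind.startswith("map ") and head[4:5] == ["ipsec-isakmp"]:
            where = f"crypto map {head[2]} {head[3]}"
            refs += [(map_refs[tuple(l[:2])], n, where) for l in body if tuple(l[:2]) in map_refs for n in l[2:]]
        elif head[0] == "access-list" or head[:2] == ["ip", "access-list"]:
            defined["acl"].add(head[1] if head[0] == "access-list" else head[-1])
    findings += [f"{where}: references undefined {kind} {name}" for kind, name, where in refs if name not in defined[kind]]
    return findings

if __name__ == "__main__":
    for finding in audit_ikev2_config(SAMPLE_IKEV2) + audit_ikev2_config(SAMPLE_LEGACY):
        print("-", finding)
```

Run against the post-style sample, the only findings are the two about the keyring entry (the key is in the config in cleartext and is short); run against the legacy sample, every IKEv1-era algorithm is called out together with the two objects the crypto map names but the configuration never defines. A `pre-shared-key 6 ...` entry (type-6 encrypted at rest) is skipped, since its strength cannot be judged from the stored form.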

Then just swap the Crypto Map under the WAN interface during a scheduled downtime.

interface FastEthernet4
 no crypto map CMAP_IKEv1
 crypto map CMAP_IKEV2