IKEv2 with pre-shared key authentication configuration example

As shown in Figure 147, configure an IKE-based IPsec tunnel between Device A and Deice B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.

• Configure Device A and Device B to use the default IKEv2 proposal and the default IKEv2 policy in IKEv2 negotiation to set up IPsec SAs.

• Configure the two devices to use the pre-shared key authentication method in IKEv2 negotiation.

1. Configure Device A:

   # Assign an IP address to each interface. (Details not shown.)

   # Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

   <DeviceA> system-view
   [DeviceA] acl advanced 3101
   [DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
   [DeviceA-acl-ipv4-adv-3101] quit
   

   # Create an IPsec transform set named tran1.

   [DeviceA] ipsec transform-set tran1
   

   # Set the packet encapsulation mode to tunnel.

   [DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
   

   # Use the ESP protocol for the IPsec transform set.

   [DeviceA-ipsec-transform-set-tran1] protocol esp
   

   # Specify the encryption and authentication algorithms.

   [DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
   [DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
   [DeviceA-ipsec-transform-set-tran1] quit
   

   # Create an IKEv2 keychain named keychain1.

   [DeviceA] ikev2 keychain keychain1
   

   # Create an IKEv2 peer named peer1.

   [DeviceA-ikev2-keychain-keychain1] peer peer1
   

   # Specify the peer IP address 2.2.2.2/16.

   [DeviceA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 16
   

   # Specify the peer ID, which is the IP address 2.2.2.2.

   [DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2
   

   # Specify abcde in plain text as the pre-shared key to be used with the peer at 2.2.2.2.

   [DeviceA-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde
   [DeviceA-ikev2-keychain-keychain1-peer-peer1] quit
   [DeviceA-ikev2-keychain-keychain1] quit
   

   # Create an IKEv2 profile named profile1.

   [DeviceA] ikev2 profile profile1
   

   # Specify the local authentication method as pre-shared key.

   [DeviceA-ikev2-profile-profile1] authentication-method local pre-share
   

   # Specify the remote authentication method as pre-shared key.

   [DeviceA-ikev2-profile-profile1] authentication-method remote pre-share
   

   # Specify the IKEv2 keychain keychain1.

   [DeviceA-ikev2-profile-profile1] keychain keychain1
   

   # Specify the peer ID that the IKEv2 profile matches. The peer ID is the IP address 2.2.2.2/16.

   [DeviceA-ikev2-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
   [DeviceA-ikev2-profile-profile1] quit
   

   # Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

   [DeviceA] ipsec policy map1 10 isakmp
   

   # Specify the remote IP address 2.2.2.2 for the IPsec tunnel.

   [DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
   

   # Specify ACL 3101 to identify the traffic to be protected.

   [DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
   

   # Specify the IPsec transform set tran1 for the IPsec policy.

   [DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
   

   # Specify the IKE profile profile1 for the IPsec policy.

   [DeviceA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1
   [DeviceA-ipsec-policy-isakmp-map1-10] quit
   

   # Apply the IPsec policy map1 to interface GigabitEthernet 2/0/1.

   [DeviceA] interface gigabitethernet 2/0/1
   [DeviceA-GigabitEthernet2/0/1] ipsec apply policy map1
   [DeviceA-GigabitEthernet2/0/1] quit
   

   # Configure a static route to the subnet where Host B resides. The command uses the direct next hop address (1.1.1.2) as an example.

   [DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
   

2. Configure Device B:

   # Assign an IP address to each interface. (Details not shown.)

   # Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.

   <DeviceB> system-view
   [DeviceB] acl advanced 3101
   [DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
   [DeviceB-acl-ipv4-adv-3101] quit
   

   # Create an IPsec transform set named tran1.

   [DeviceB] ipsec transform-set tran1
   

   # Set the packet encapsulation mode to tunnel.

   [DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
   

   # Use the ESP protocol for the IPsec transform set.

   [DeviceB-ipsec-transform-set-tran1] protocol esp
   

   # Specify the encryption and authentication algorithms.

   [DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
   [DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
   [DeviceB-ipsec-transform-set-tran1] quit
   

   # Create an IKEv2 keychain named keychain1.

   [DeviceB] ikev2 keychain keychain1
   

   # Create an IKEv2 peer named peer1.

   [DeviceB-ikev2-keychain-keychain1] peer peer1
   

   # Specify the peer IP address 1.1.1.1/16.

   [DeviceB-ikev2-keychain-keychain1-peer-peer1] address 1.1.1.1 16
   

   # Specify the peer ID, which is the IP address 1.1.1.1.

   [DeviceB-ikev2-keychain-keychain1-peer-peer1] identity address 1.1.1.1
   

   # Specify abcde in plain text as the pre-shared key to be used with the peer at 1.1.1.1.

   [DeviceB-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde
   [DeviceB-ikev2-keychain-keychain1-peer-peer1] quit
   [DeviceB-ikev2-keychain-keychain1] quit
   

   # Create an IKEv2 profile named profile1.

   [DeviceB] ikev2 profile profile1
   

   # Specify the local authentication method as pre-shared key.

   [DeviceB-ikev2-profile-profile1] authentication-method local pre-share
   

   # Specify the remote authentication method as pre-shared key.

   [DeviceB-ikev2-profile-profile1] authentication-method remote pre-share
   

   # Specify the IKEv2 keychain keychain1.

   [DeviceB-ikev2-profile-profile1] keychain keychain1
   

   # Specify the peer ID that the IKEv2 profile matches. The peer ID is the IP address 1.1.1.1/16.

   [DeviceA-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0
   [DeviceA-ikev2-profile-profile1] quit
   

   # Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

   [DeviceB] ipsec policy use1 10 isakmp
   

   # Specify the remote IP address 1.1.1.1 for the IPsec tunnel.

   [DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
   

   # Specify ACL 3101 to identify the traffic to be protected.

   [DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101
   

   # Specify the IPsec transform set tran1 for the IPsec policy.

   [DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1
   

   # # Specify the IKE profile profile1 for the IPsec policy.

   [DeviceB-ipsec-policy-isakmp-use1-10] ikev2-profile profile1
   [DeviceB-ipsec-policy-isakmp-use1-10] quit
   

   # Apply the IPsec policy use1 to interface GigabitEthernet 2/0/1.

   [DeviceB] interface gigabitethernet 2/0/1
   [DeviceB-GigabitEthernet2/0/1] ipsec apply policy use1
   [DeviceB-GigabitEthernet2/0/1] quit
   

   # Configure a static route to the subnet where Host A resides. The command uses the direct next hop address (2.2.2.1) as an example.

   [DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1
   

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKEv2 negotiation. After IPsec SAs are successfully negotiated by IKEv2, traffic between the two subnets is IPsec protected.

# Display the IKEv2 proposal and IKEv2 policy on Device A.

[DeviceA] display ikev2 proposal
IKEv2 proposal : default
  Encryption: AES-CBC-128 3DES-CBC
  Integrity: SHA1 MD5
  PRF: SHA1 MD5
  DH Group: MODP1536/Group5 MODP1024/Group2
[DeviceA] display ikev2 policy
IKEv2 policy : default
  Match VRF : any

# Display the IKEv2 SA on Device A.

[DeviceA] display ikev2 sa
Tunnel ID   Local                       Remote                      Status
---------------------------------------------------------------------------
  1        1.1.1.1/500                  2.2.2.2/500                  EST
Status:
IN-NEGO: Negotiating, EST: Establish, DEL:Deleting

# Display the IPsec SAs on Device A.

[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet2/0/1
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1456
    Tunnel:
        local  address: 1.1.1.1
        remote address: 2.2.2.2
    Flow:
    sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: IP
    dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: IP

    [Inbound ESP SAs]
      SPI: 3264152513 (0xc28f03c1)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/3484
      Max received sequence-number:
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: active

    [Outbound ESP SAs]
      SPI: 738451674 (0x2c03e0da)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/3484
      Max received sequence-number:
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: active

# Display the IKEv2 proposal, IKEv2 policy, IKEv2 SA and IPsec SAs on Device B.

[DeviceB] display ikev2 proposal
[DeviceB] display ikev2 policy
[DeviceB] display ikev2 sa
[DeviceB] display ipsec sa