IKEv2 with pre-shared key authentication configuration example
Network requirements
As shown in Figure 147, configure an IKE-based IPsec tunnel between Device A and Deice B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configure Device A and Device B to use the default IKEv2 proposal and the default IKEv2 policy in IKEv2 negotiation to set up IPsec SAs.
Configure the two devices to use the pre-shared key authentication method in IKEv2 negotiation.
Figure 142: Network diagram
Configuration procedures
Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<DeviceA> system-view [DeviceA] acl advanced 3101 [DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[DeviceA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc [DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [DeviceA-ipsec-transform-set-tran1] quit
# Create an IKEv2 keychain named keychain1.
[DeviceA] ikev2 keychain keychain1
# Create an IKEv2 peer named peer1.
[DeviceA-ikev2-keychain-keychain1] peer peer1
# Specify the peer IP address 2.2.2.2/16.
[DeviceA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 16
# Specify the peer ID, which is the IP address 2.2.2.2.
[DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2
# Specify abcde in plain text as the pre-shared key to be used with the peer at 2.2.2.2.
[DeviceA-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde [DeviceA-ikev2-keychain-keychain1-peer-peer1] quit [DeviceA-ikev2-keychain-keychain1] quit
# Create an IKEv2 profile named profile1.
[DeviceA] ikev2 profile profile1
# Specify the local authentication method as pre-shared key.
[DeviceA-ikev2-profile-profile1] authentication-method local pre-share
# Specify the remote authentication method as pre-shared key.
[DeviceA-ikev2-profile-profile1] authentication-method remote pre-share
# Specify the IKEv2 keychain keychain1.
[DeviceA-ikev2-profile-profile1] keychain keychain1
# Specify the peer ID that the IKEv2 profile matches. The peer ID is the IP address 2.2.2.2/16.
[DeviceA-ikev2-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0 [DeviceA-ikev2-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.
[DeviceA] ipsec policy map1 10 isakmp
# Specify the remote IP address 2.2.2.2 for the IPsec tunnel.
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
# Specify ACL 3101 to identify the traffic to be protected.
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
# Specify the IPsec transform set tran1 for the IPsec policy.
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify the IKE profile profile1 for the IPsec policy.
[DeviceA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1 [DeviceA-ipsec-policy-isakmp-map1-10] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/0/1.
[DeviceA] interface gigabitethernet 2/0/1 [DeviceA-GigabitEthernet2/0/1] ipsec apply policy map1 [DeviceA-GigabitEthernet2/0/1] quit
# Configure a static route to the subnet where Host B resides. The command uses the direct next hop address (1.1.1.2) as an example.
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
Configure Device B:
# Assign an IP address to each interface. (Details not shown.)
# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
<DeviceB> system-view [DeviceB] acl advanced 3101 [DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [DeviceB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[DeviceB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceB-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc [DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [DeviceB-ipsec-transform-set-tran1] quit
# Create an IKEv2 keychain named keychain1.
[DeviceB] ikev2 keychain keychain1
# Create an IKEv2 peer named peer1.
[DeviceB-ikev2-keychain-keychain1] peer peer1
# Specify the peer IP address 1.1.1.1/16.
[DeviceB-ikev2-keychain-keychain1-peer-peer1] address 1.1.1.1 16
# Specify the peer ID, which is the IP address 1.1.1.1.
[DeviceB-ikev2-keychain-keychain1-peer-peer1] identity address 1.1.1.1
# Specify abcde in plain text as the pre-shared key to be used with the peer at 1.1.1.1.
[DeviceB-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde [DeviceB-ikev2-keychain-keychain1-peer-peer1] quit [DeviceB-ikev2-keychain-keychain1] quit
# Create an IKEv2 profile named profile1.
[DeviceB] ikev2 profile profile1
# Specify the local authentication method as pre-shared key.
[DeviceB-ikev2-profile-profile1] authentication-method local pre-share
# Specify the remote authentication method as pre-shared key.
[DeviceB-ikev2-profile-profile1] authentication-method remote pre-share
# Specify the IKEv2 keychain keychain1.
[DeviceB-ikev2-profile-profile1] keychain keychain1
# Specify the peer ID that the IKEv2 profile matches. The peer ID is the IP address 1.1.1.1/16.
[DeviceA-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0 [DeviceA-ikev2-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
[DeviceB] ipsec policy use1 10 isakmp
# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.
[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
# Specify ACL 3101 to identify the traffic to be protected.
[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101
# Specify the IPsec transform set tran1 for the IPsec policy.
[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1
# # Specify the IKE profile profile1 for the IPsec policy.
[DeviceB-ipsec-policy-isakmp-use1-10] ikev2-profile profile1 [DeviceB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy use1 to interface GigabitEthernet 2/0/1.
[DeviceB] interface gigabitethernet 2/0/1 [DeviceB-GigabitEthernet2/0/1] ipsec apply policy use1 [DeviceB-GigabitEthernet2/0/1] quit
# Configure a static route to the subnet where Host A resides. The command uses the direct next hop address (2.2.2.1) as an example.
[DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1
Verifying the configuration
# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKEv2 negotiation. After IPsec SAs are successfully negotiated by IKEv2, traffic between the two subnets is IPsec protected.
# Display the IKEv2 proposal and IKEv2 policy on Device A.
[DeviceA] display ikev2 proposal IKEv2 proposal : default Encryption: AES-CBC-128 3DES-CBC Integrity: SHA1 MD5 PRF: SHA1 MD5 DH Group: MODP1536/Group5 MODP1024/Group2 [DeviceA] display ikev2 policy IKEv2 policy : default Match VRF : any
# Display the IKEv2 SA on Device A.
[DeviceA] display ikev2 sa Tunnel ID Local Remote Status --------------------------------------------------------------------------- 1 1.1.1.1/500 2.2.2.2/500 EST Status: IN-NEGO: Negotiating, EST: Establish, DEL:Deleting
# Display the IPsec SAs on Device A.
[DeviceA] display ipsec sa ------------------------------- Interface: GigabitEthernet2/0/1 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: ISAKMP ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Perfect forward secrecy: Path MTU: 1456 Tunnel: local address: 1.1.1.1 remote address: 2.2.2.2 Flow: sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: IP [Inbound ESP SAs] SPI: 3264152513 (0xc28f03c1) Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for NAT traversal: N Status: active [Outbound ESP SAs] SPI: 738451674 (0x2c03e0da) Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for NAT traversal: N Status: active
# Display the IKEv2 proposal, IKEv2 policy, IKEv2 SA and IPsec SAs on Device B.
[DeviceB] display ikev2 proposal [DeviceB] display ikev2 policy [DeviceB] display ikev2 sa [DeviceB] display ipsec sa