FlexVPN is a versatile VPN framework by Cisco that simplifies the configuration and deployment of various types of VPNs. Cisco supports many VPN types, and each of them traditionally needs its own configuration and its own verification commands. FlexVPN is designed to support site-to-site, hub-and-spoke, remote access, and other VPN configurations; the only VPN type that FlexVPN does not cover is GETVPN.
Here are some key points about FlexVPN:
- Based on IKEv2: FlexVPN utilizes the Internet Key Exchange version 2 (IKEv2) protocol for all its VPN types, which offers improved security and features over IKEv1.
- Smart Defaults: It employs smart defaults based on best practices, minimizing the required configuration effort.
- Unified Solution: FlexVPN is a unified solution that covers all VPN types except Group Encrypted Transport VPN (GETVPN), making it easier to manage and operate.
- Supports Various Authentication Methods: It supports certificates, pre-shared keys (PSKs), and Extensible Authentication Protocol (EAP) authentication methods.
- Deployment Flexibility: FlexVPN can be deployed over the public internet or private MPLS VPN networks and is designed for both site-to-site and remote access VPNs.
- Failover Redundancy: It offers different redundancy models, including dynamic routing protocols over VPN tunnels and IKEv2-based server clustering.
A smart default is a pre-defined value. This feature helps us minimize the configuration and makes it easy to configure a VPN. For example, when we configure an IPsec VPN with IKEv2, we have to configure the following items:
- IKEv2 proposal
- IKEv2 policy
- IKEv2 profile
- IKEv2 keyring
- IPsec transform-set
- IPsec profile
All of these items have to be configured for an IPsec VPN with IKEv2. With smart defaults, we use the pre-defined values and have to configure only two items:
- IKEv2 profile
- IKEv2 policy
We do not have to configure the proposal, policy, transform-set, or IPsec profile ourselves.
Let’s see the configuration for a better understanding.
Topology: In this topology we have a head office router (Router 1) and branch site routers A, B, C, D, and E. The head office router is the hub, the remaining routers are spokes, and Router 2 acts as the internet. Our task is to configure the IPsec VPN tunnels so that all data between the sites is encrypted.
- configure the topology as per the diagram
- configure the IP addresses as per the topology
- configure a default route on routers 1,3,4,5,6, and 7
- configure static routes on the internet router
- configure crypto keyring
- configure crypto IPsec profile
- configure virtual template on router 1 (head office)
- configure tunnel on spokes routers
- configure EIGRP and advertise LAN and Loopback interfaces on hub and spokes routers
- verify the configuration with show commands
Branch-A#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.30.1 YES NVRAM up up
Serial3/1 192.168.23.1 YES NVRAM up up

Branch-C#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.50.1 YES NVRAM up up
Serial3/3 192.168.25.1 YES NVRAM up up
Loopback0 192.168.155.1 YES NVRAM up up

Branch-D#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.60.1 YES NVRAM up up
Serial3/4 192.168.26.1 YES NVRAM up up
Loopback0 192.168.166.1 YES NVRAM up up

Branch-E#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.70.1 YES NVRAM up up
Serial3/5 192.168.27.1 YES NVRAM up up
Loopback0 192.168.177.1 YES NVRAM up up

Static routes on the internet router (show ip route static):
Gateway of last resort is not set
S 192.168.10.0/24 is directly connected, Serial3/0
S 192.168.30.0/24 is directly connected, Serial3/1
S 192.168.40.0/24 is directly connected, Serial3/2
S 192.168.50.0/24 is directly connected, Serial3/3
S 192.168.60.0/24 is directly connected, Serial3/4
S 192.168.70.0/24 is directly connected, Serial3/5

Branch-C#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Serial3/3

Branch-D#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Serial3/4
Head-office(config)#crypto ikev2 keyring IKEV2-KEYRING
Head-office(config-ikev2-keyring)#Peer Branch-A
Head-office(config-ikev2-keyring-peer)#address 192.168.23.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-B
Head-office(config-ikev2-keyring-peer)#address 192.168.24.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-C
Head-office(config-ikev2-keyring-peer)#address 192.168.25.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-D
Head-office(config-ikev2-keyring-peer)#address 192.168.26.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-E
Head-office(config-ikev2-keyring-peer)#address 192.168.27.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#exit
Head-office(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Head-office(config-ikev2-profile)#match identity remote address 192.168.23.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.24.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.25.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.26.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.27.1 255.255.255.0
Head-office(config-ikev2-profile)#authentication remote pre-share
Head-office(config-ikev2-profile)#authentication local pre-share
Head-office(config-ikev2-profile)#keyring local IKEV2-KEYRING
Head-office(config-ikev2-profile)#virtual-template 1
Head-office(config-ikev2-profile)#exit
Head-office(config)#exit
Head-office(config)#crypto ipsec profile IPSEC-PROFILE
Head-office(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Head-office(ipsec-profile)#exit
Head-office#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 13
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 192.168.23.1 255.255.255.0
address 192.168.24.1 255.255.255.0
address 192.168.25.1 255.255.255.0
address 192.168.26.1 255.255.255.0
address 192.168.27.1 255.255.255.0
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEV2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: 1
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Head-office#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Branch-A(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-A(config-ikev2-keyring)#Peer Head-office
Branch-A(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-A(config-ikev2-keyring-peer)#exit
Branch-A(config-ikev2-keyring)#exit
Branch-A(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Branch-A(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-A(config-ikev2-profile)#authentication remote pre-share
Branch-A(config-ikev2-profile)#authentication local pre-share
Branch-A(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-A(config-ikev2-profile)#exit
Branch-A(config)#crypto ipsec profile IPSEC-PROFILE
Branch-A(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-A(ipsec-profile)#exit
Branch-A#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 4
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 192.168.12.1 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEV2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Branch-A#
Branch-A#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
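The smart-default section above says which items may be left to pre-defined values, and the hub and spoke configurations just shown rely on that: the keyring, the IKEv2 profile and the IPsec profile are entered explicitly, while show crypto ipsec profile lists a default transform set and a default IPsec profile. As an added example that is not part of the original walkthrough, the Python script below parses IOS-style configuration text for the hub and one spoke, reports which of the six items are explicit and which fall back to smart defaults, checks the two requirements IOS prints when an IKEv2 profile is created, and cross-checks the keyrings on both ends. The embedded configurations are constructed to mirror the walkthrough's names and addresses (INTERNET is the key the walkthrough types on every peer); the two warnings the script raises for the hub, a 255.255.255.0 identity mask that matches any peer in the subnet rather than one router, and one key shared by every spoke, are the findings an operator would want to see before rollout.

```python
# Constructed hub and spoke configs modelled on the walkthrough (assumption; INTERNET is its PSK value).
HUB_CONFIG = """\
crypto ikev2 keyring IKEV2-KEYRING
 peer Branch-A
  address 192.168.23.1
  pre-shared-key local INTERNET
  pre-shared-key remote INTERNET
 peer Branch-B
  address 192.168.24.1
  pre-shared-key local INTERNET
  pre-shared-key remote INTERNET
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.23.1 255.255.255.0
 match identity remote address 192.168.24.1 255.255.255.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 virtual-template 1
crypto ipsec profile IPSEC-PROFILE
 set ikev2-profile IKEV2-PROFILE
"""
SPOKE_A_CONFIG = """\
crypto ikev2 keyring IKEV2-KEYRING
 peer Head-office
  address 192.168.12.1
  pre-shared-key local INTERNET
  pre-shared-key remote INTERNET
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.12.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
crypto ipsec profile IPSEC-PROFILE
 set ikev2-profile IKEV2-PROFILE
"""
# The six items of a fully explicit IKEv2/IPsec setup; any one left out is served by a smart default.
ITEMS = ["crypto ikev2 proposal", "crypto ikev2 policy", "crypto ikev2 keyring",
         "crypto ikev2 profile", "crypto ipsec transform-set", "crypto ipsec profile"]

def parse_blocks(config):
    """Split running-config text into (header, [stripped body lines]) per top-level section."""
    blocks = []
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif raw.strip() and blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def coverage(config):
    """Map each of the six items to 'explicit' or 'smart default' for this configuration."""
    headers = [h for h, _ in parse_blocks(config)]
    return {i: "explicit" if any(h.startswith(i) for h in headers) else "smart default" for i in ITEMS}

def parse_keyring(config):
    """Return {peer: {'address': ip, 'local': psk, 'remote': psk}} from the IKEv2 keyring."""
    peers, cur = {}, None
    for header, body in parse_blocks(config):
        if header.startswith("crypto ikev2 keyring"):
            for line in body:
                w = line.split()
                if w[0].lower() == "peer":
                    cur = peers.setdefault(w[1], {})
                elif cur is not None and w[0].lower() == "address":
                    cur["address"] = w[1]
                elif cur is not None and w[0].lower() == "pre-shared-key":
                    cur[w[1].lower()] = w[2]
    return peers

def check_profile(config):
    """Apply the two rules IOS prints for an IKEv2 profile; warn on identity masks wider than /32."""
    findings = []
    for header, body in parse_blocks(config):
        if not header.startswith("crypto ikev2 profile"):
            continue
        name = header.split()[-1]
        auth = {l.split()[1] for l in body if l.startswith("authentication ")}
        if not {"local", "remote"} <= auth:
            findings.append(("error", f"{name}: needs a local and a remote authentication method"))
        if not any(l.startswith(("match identity", "match certificate")) for l in body):
            findings.append(("error", f"{name}: needs a match identity or match certificate statement"))
        for l in body:
            w = l.split()
            if l.startswith("match identity remote address") and len(w) > 5 and w[5] != "255.255.255.255":
                findings.append(("warning", f"{name}: {w[4]} {w[5]} matches a whole subnet, not one peer"))
    return findings

def audit_psk(hub_cfg, spoke_cfg, hub_wan_ip, spoke_wan_ip):
    """Cross-check keyrings: each side needs an entry for the other, and the keys must mirror."""
    hub_peers = parse_keyring(hub_cfg)
    hub = next((p for p in hub_peers.values() if p.get("address") == spoke_wan_ip), None)
    spoke = next((p for p in parse_keyring(spoke_cfg).values() if p.get("address") == hub_wan_ip), None)
    if hub is None or spoke is None:
        return [("error", "no keyring entry matches the other side's tunnel source")]
    findings = []
    if (hub["local"], hub["remote"]) != (spoke["remote"], spoke["local"]):
        findings.append(("error", "pre-shared keys do not mirror between hub and spoke"))
    keys = [p.get("local") for p in hub_peers.values()]
    if len(set(keys)) < len(keys):
        findings.append(("warning", "the hub reuses one pre-shared key for several peers"))
    return findings
```

Run coverage(HUB_CONFIG) and check_profile(HUB_CONFIG) against the hub text and audit_psk(HUB_CONFIG, SPOKE_A_CONFIG, "192.168.12.1", "192.168.23.1") for the Branch-A pair; feeding it a spoke whose remote key was mistyped turns the mirror check into an error, which is the usual cause of an IKE_AUTH failure with this kind of setup.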
Branch-B(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-B(config-ikev2-keyring)#Peer Head-office
Branch-B(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-B(config-ikev2-keyring-peer)#exit
Branch-B(config-ikev2-keyring)#exit
Branch-B(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Branch-B(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-B(config-ikev2-profile)#authentication remote pre-share
Branch-B(config-ikev2-profile)#authentication local pre-share
Branch-B(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-B(config-ikev2-profile)#exit
Branch-B(config)#crypto ipsec profile IPSEC-PROFILE
Branch-B(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-B(ipsec-profile)#exit
Branch-B#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 4
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 192.168.12.1 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEV2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Branch-B#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Branch-C(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-C(config-ikev2-keyring)#Peer Head-office
Branch-C(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-C(config-ikev2-keyring-peer)#exit
Branch-C(config-ikev2-keyring)#exit
Branch-C(config)#crypto ikev2 profile IKEV2-PROFILE
Branch-C(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-C(config-ikev2-profile)#authentication remote pre-share
Branch-C(config-ikev2-profile)#authentication local pre-share
Branch-C(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-C(config-ikev2-profile)#exit
Branch-C(config)#crypto ipsec profile IPSEC-PROFILE
Branch-C(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-C(ipsec-profile)#exit
Branch-C#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 4
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 192.168.12.1 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEV2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Branch-C#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Branch-D(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-D(config-ikev2-keyring)#Peer Head-office
Branch-D(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-D(config-ikev2-keyring-peer)#exit
Branch-D(config-ikev2-keyring)#exit
Branch-D(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Branch-D(config-ikev2-profile)#match identity remote address 192.168.12.1
Branch-D(config-ikev2-profile)#authentication remote pre-share
Branch-D(config-ikev2-profile)#authentication local pre-share
Branch-D(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-D(config-ikev2-profile)#exit
Branch-D(config)#crypto ipsec profile IPSEC-PROFILE
Branch-D(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-D(ipsec-profile)#exit
Branch-D#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 4
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 192.168.12.1 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEV2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Branch-D#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Branch-E(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-E(config-ikev2-keyring)#Peer Head-office
Branch-E(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-E(config-ikev2-keyring-peer)#exit
Branch-E(config-ikev2-keyring)#exit
Branch-E(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Branch-E(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-E(config-ikev2-profile)#authentication remote pre-share
Branch-E(config-ikev2-profile)#authentication local pre-share
Branch-E(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-E(config-ikev2-profile)#exit
Branch-E(config)#crypto ipsec profile IPSEC-PROFILE
Branch-E(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-E(ipsec-profile)#exit
Branch-E#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 4
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 192.168.12.1 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEV2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Branch-E#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Head-office(config)#interface virtual-template 1 type tunnel
Head-office(config-if)#tunnel source 192.168.12.1
Head-office(config-if)#tunnel destination dynamic
Head-office(config-if)#ip unnumbered loopback 0
Head-office(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Head-office(config-if)#exit
Head-office(config)#exit
Head-office(config)#router eigrp 100
Head-office(config-router)#network 192.168.10.0
Head-office(config-router)#network 192.168.111.0
Head-office(config-router)#no auto-summary
Head-office(config-router)#exit
*Apr 10 14:57:22.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr 10 14:57:31.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr 10 14:58:56.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr 10 14:59:36.675: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency
*Apr 10 15:02:28.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Apr 10 15:02:31.851: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.166.1 (Virtual-Access3) is up: new adjacency
*Apr 10 15:03:40.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
*Apr 10 15:03:43.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.177.1 (Virtual-Access4) is up: new adjacency
*Apr 10 15:05:54.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
*Apr 10 15:05:55.379: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.155.1 (Virtual-Access5) is up: new adjacency
Branch-A(config)#interface tunnel 0
Branch-A(config-if)#tunnel source 192.168.23.1
Branch-A(config-if)#tunnel destination 192.168.12.1
Branch-A(config-if)#ip unnumbered loopback 0
Branch-A(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-A(config-if)#exit
Branch-A(config)#router eigrp 100
Branch-A(config-router)#network 192.168.30.0
Branch-A(config-router)#network 192.168.133.0
Branch-A(config-router)#no auto-summary
Branch-A(config-router)#exit
*Apr 10 14:57:20.287: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:57:20.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:57:31.571: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
Branch-B(config)#interface tunnel 0
Branch-B(config-if)#tunnel source 192.168.24.1
Branch-B(config-if)#tunnel destination 192.168.12.1
Branch-B(config-if)#ip unnumbered loopback 0
Branch-B(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-B(config-if)#exit
Branch-B(config)#router eigrp 100
Branch-B(config-router)#network 192.168.40.1
Branch-B(config-router)#network 192.168.144.1
Branch-B(config-router)#no auto-summary
Branch-B(config-router)#exit
*Apr 10 14:58:55.003: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:58:55.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:59:36.727: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
Branch-C(config)#interface tunnel 0
Branch-C(config-if)#tunnel source 192.168.25.1
Branch-C(config-if)#tunnel destination 192.168.12.1
Branch-C(config-if)#ip unnumbered loopback 0
Branch-C(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-C(config-if)#exit
Branch-C(config)#router eigrp 100
Branch-C(config-router)#network 192.168.50.1
Branch-C(config-router)#network 192.168.155.1
Branch-C(config-router)#no auto-summary
Branch-C(config-router)#exit
*Apr 10 15:05:55.467: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
Branch-D(config)#interface tunnel 0
Branch-D(config-if)#tunnel source 192.168.26.1
Branch-D(config-if)#tunnel destination 192.168.12.1
Branch-D(config-if)#ip unnumbered loopback 0
Branch-D(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-D(config-if)#exit
Branch-D(config)#router eigrp 100
Branch-D(config-router)#network 192.168.60.1
Branch-D(config-router)#network 192.168.166.1
Branch-D(config-router)#no auto-summary
Branch-D(config-router)#exit
*Apr 10 15:02:26.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:02:27.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 15:02:31.799: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
Branch-E(config)#interface tunnel 0
Branch-E(config-if)#tunnel source 192.168.27.1
Branch-E(config-if)#tunnel destination 192.168.12.1
Branch-E(config-if)#ip unnumbered loopback 0
Branch-E(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-E(config-if)#exit
Branch-E(config)#router eigrp 100
Branch-E(config-router)#network 192.168.70.1
Branch-E(config-router)#network 192.168.177.1
Branch-E(config-router)#no auto-summary
Branch-E(config-router)#exit
*Apr 10 15:03:38.223: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:03:38.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Head-office#traceroute 192.168.70.1
Type escape sequence to abort.
Tracing the route to 192.168.70.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.177.1 120 msec 68 msec 68 msec
Head-office#traceroute 192.168.60.1
Type escape sequence to abort.
Tracing the route to 192.168.60.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.166.1 64 msec 72 msec 64 msec
Head-office#traceroute 192.168.40.1
Type escape sequence to abort.
Tracing the route to 192.168.40.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.144.1 56 msec 68 msec 56 msec
Head-office#traceroute 192.168.30.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.133.1 80 msec 64 msec 56 msec
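The hub's log messages and the traceroutes above are the verification step of the walkthrough. As an added example that is not part of the original post, the Python script below replays the hub's %LINEPROTO-5-UPDOWN and %DUAL-5-NBRCHANGE messages in timestamp order, maps each Virtual-Access interface to the spoke loopback named in its EIGRP adjacency message, and reports which spokes have both the tunnel and the adjacency up. The hub log lines are copied from the walkthrough (including the two Virtual-Access5 lines that arrive out of order there); the two "down" lines for Virtual-Access2 and the spoke-to-loopback table are constructed for this example, the loopbacks being the ones the walkthrough's adjacency messages show.

```python
import re
from datetime import datetime

# Hub syslog lines copied from the walkthrough (the two Virtual-Access5 lines are out of order there).
HUB_LOG = """\
*Apr 10 14:57:22.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr 10 14:57:31.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr 10 14:58:56.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr 10 14:59:36.675: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency
*Apr 10 15:02:28.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Apr 10 15:05:55.379: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.155.1 (Virtual-Access5) is up: new adjacency
*Apr 10 15:05:54.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
*Apr 10 15:02:31.851: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.166.1 (Virtual-Access3) is up: new adjacency
*Apr 10 15:03:40.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
*Apr 10 15:03:43.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.177.1 (Virtual-Access4) is up: new adjacency
""".splitlines()

# Constructed lines (not from the walkthrough): Branch-B's adjacency and tunnel go down later.
FLAP_LOG = [
    "*Apr 10 15:10:02.115: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is down: holding time expired",
    "*Apr 10 15:10:03.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down",
]

# Spoke loopbacks as they appear in the walkthrough's EIGRP neighbor messages (table constructed here).
SPOKES = {"Branch-A": "192.168.133.1", "Branch-B": "192.168.144.1", "Branch-C": "192.168.155.1",
          "Branch-D": "192.168.166.1", "Branch-E": "192.168.177.1"}

LINE_RE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %([A-Z0-9_-]+): (.*)$")
PROTO_RE = re.compile(r"Line protocol on Interface (\S+), changed state to (up|down)")
NBR_RE = re.compile(r"Neighbor (\S+) \((\S+)\) is (up|down)")

def parse_events(lines):
    """Extract (time, kind, interface, peer, state) from IOS syslog lines, sorted by timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # anything that is not a timestamped IOS message is ignored
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        if m.group(2) == "LINEPROTO-5-UPDOWN" and (p := PROTO_RE.search(m.group(3))):
            events.append((ts, "tunnel", p.group(1), None, p.group(2)))
        elif m.group(2) == "DUAL-5-NBRCHANGE" and (n := NBR_RE.search(m.group(3))):
            events.append((ts, "eigrp", n.group(2), n.group(1), n.group(3)))
    return sorted(events, key=lambda e: e[0])

def spoke_status(lines, spokes=SPOKES):
    """Replay events in time order and report, per spoke, whether its tunnel and adjacency are up."""
    tunnel_up, neighbor = {}, {}  # interface -> bool ; interface -> (loopback, up?)
    for ts, kind, iface, peer, state in parse_events(lines):
        if kind == "tunnel":
            tunnel_up[iface] = state == "up"
        else:
            neighbor[iface] = (peer, state == "up")
    status = {}
    for branch, loopback in spokes.items():
        iface = next((i for i, (p, _) in neighbor.items() if p == loopback), None)
        status[branch] = {"interface": iface,
                          "tunnel": iface is not None and tunnel_up.get(iface, False),
                          "eigrp": iface is not None and neighbor[iface][1]}
    return status

def spokes_not_ready(lines, spokes=SPOKES):
    """Names of spokes whose tunnel or EIGRP adjacency is not up after replaying the log."""
    return sorted(b for b, s in spoke_status(lines, spokes).items() if not (s["tunnel"] and s["eigrp"]))

if __name__ == "__main__":
    for branch, s in spoke_status(HUB_LOG + FLAP_LOG).items():
        print(f"{branch}: via {s['interface']} tunnel={'up' if s['tunnel'] else 'down'} "
              f"eigrp={'up' if s['eigrp'] else 'down'}")
    print("not ready:", spokes_not_ready(HUB_LOG + FLAP_LOG))
```

Sorting by timestamp before replay is what makes the out-of-order Virtual-Access5 pair come out right; a spoke whose last event is a "down" message, or one that never appears in an adjacency message at all, is listed as not ready.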
Head-office(config-ikev2-keyring)#Peer Branch-A
Head-office(config-ikev2-keyring-peer)#address 192.168.23.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-B
Head-office(config-ikev2-keyring-peer)#address 192.168.24.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-C
Head-office(config-ikev2-keyring-peer)#address 192.168.25.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-D
Head-office(config-ikev2-keyring-peer)#address 192.168.26.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-E
Head-office(config-ikev2-keyring-peer)#address 192.168.27.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#exit
Head-office(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Head-office(config-ikev2-profile)#match identity remote address 192.168.23.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.24.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.25.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.26.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.27.1 255.255.255.0
Head-office(config-ikev2-profile)#authentication local pre-share
Head-office(config-ikev2-profile)#keyring local IKEV2-KEYRING
Head-office(config-ikev2-profile)#virtual-template 1
Head-office(config-ikev2-profile)#exit
Head-office(config)#exit
Head-office(config)#crypto ipsec profile IPSEC-PROFILE
Head-office(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Head-office(ipsec-profile)#exit
Head-office#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 13
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 192.168.23.1 255.255.255.0
address 192.168.24.1 255.255.255.0
address 192.168.25.1 255.255.255.0
address 192.168.26.1 255.255.255.0
address 192.168.27.1 255.255.255.0
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEV2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: 1
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Head-office#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Branch-A(config-ikev2-keyring)#Peer Head-office
Branch-A(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-A(config-ikev2-keyring-peer)#exit
Branch-A(config-ikev2-keyring)#exit
Branch-A(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Branch-A(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-A(config-ikev2-profile)#authentication local pre-share
Branch-A(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-A(config-ikev2-profile)#exit
Branch-A(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-A(ipsec-profile)#exit
Branch-A#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 4
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 192.168.12.1 255.255.255.255
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEV2-KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
Branch-A#
Branch-A#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Branch-B(config-ikev2-keyring)#Peer Head-office
Branch-B(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-B(config-ikev2-keyring-peer)#exit
Branch-B(config-ikev2-keyring)#exit
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Branch-B(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-B(config-ikev2-profile)#authentication local pre-share
Branch-B(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-B(config-ikev2-profile)#exit
Branch-B(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-B(ipsec-profile)#exit
Branch-C(config-ikev2-keyring)#Peer Head-office
Branch-C(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-C(config-ikev2-keyring-peer)#exit
Branch-C(config-ikev2-keyring)#exit
Branch-C(config)#crypto ikev2 profile IKEV2-PROFILE
Branch-C(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-C(config-ikev2-profile)#authentication remote pre-share
Branch-C(config-ikev2-profile)#authentication local pre-share
Branch-C(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-C(config-ikev2-profile)#exit
Branch-C(config)#crypto ipsec profile IPSEC-PROFILE
Branch-C(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-C(ipsec-profile)#exit
Branch-D(config-ikev2-keyring)#Peer Head-office
Branch-D(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-D(config-ikev2-keyring-peer)#exit
Branch-D(config-ikev2-keyring)#exit
Branch-D(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Branch-D(config-ikev2-profile)#match identity remote address 192.168.12.1
Branch-D(config-ikev2-profile)#authentication local pre-share
Branch-D(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-D(config-ikev2-profile)#exit
Branch-D(config)#crypto ipsec profile IPSEC-PROFILE
Branch-D(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-D(ipsec-profile)#exit
Branch-E(config-ikev2-keyring)#Peer Head-office
Branch-E(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-E(config-ikev2-keyring-peer)#exit
Branch-E(config-ikev2-keyring)#exit
Branch-E(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
Branch-E(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-E(config-ikev2-profile)#authentication local pre-share
Branch-E(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-E(config-ikev2-profile)#exit
Branch-E(config)#crypto ipsec profile IPSEC-PROFILE
Branch-E(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-E(ipsec-profile)#exit
Head-office(config)#interface virtual-template 1 type tunnel
Head-office(config-if)#tunnel source 192.168.12.1
Head-office(config-if)#tunnel destination dynamic
Head-office(config-if)#ip unnumbered loopback 0
Head-office(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Head-office(config-if)#exit
Head-office(config)#exit
Head-office(config-router)#network 192.168.10.0
Head-office(config-router)#network 192.168.111.0
Head-office(config-router)#no auto-summary
Head-office(config-router)#exit
*Apr 10 14:57:22.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr 10 14:57:31.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr 10 14:58:56.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr 10 14:59:36.675: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency
*Apr 10 15:02:28.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Apr 10 15:02:31.851: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.166.1 (Virtual-Access3) is up: new adjacency
*Apr 10 15:03:40.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
*Apr 10 15:03:43.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.177.1 (Virtual-Access4) is up: new adjacency
Branch-A(config)#interface tunnel 0
Branch-A(config-if)#tunnel source 192.168.23.1
Branch-A(config-if)#tunnel destination 192.168.12.1
Branch-A(config-if)#ip unnumbered loopback 0
Branch-A(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-A(config-if)#exit
Branch-A(config-router)#network 192.168.30.0
Branch-A(config-router)#network 192.168.133.0
Branch-A(config-router)#no auto-summary
Branch-A(config-router)#exit
*Apr 10 14:57:20.287: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:57:20.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:57:31.571: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
Branch-B(config)#interface tunnel 0
Branch-B(config-if)#tunnel source 192.168.24.1
Branch-B(config-if)#tunnel destination 192.168.12.1
Branch-B(config-if)#ip unnumbered loopback 0
Branch-B(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-B(config-if)#exit
Branch-B(config-router)#network 192.168.40.1
Branch-B(config-router)#network 192.168.144.1
Branch-B(config-router)#no auto-summary
Branch-B(config-router)#exit
*Apr 10 14:58:55.003: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:58:55.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:59:36.727: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
Branch-C(config)#interface tunnel 0
Branch-C(config-if)#tunnel source 192.168.25.1
Branch-C(config-if)#tunnel destination 192.168.12.1
Branch-C(config-if)#ip unnumbered loopback 0
Branch-C(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-C(config-if)#exit
Branch-C(config)#router eigrp 100
Branch-C(config-router)#network 192.168.50.1
Branch-C(config-router)#network 192.168.155.1
Branch-C(config-router)#no auto-summary
Branch-C(config-router)#exit
*Apr 10 15:05:55.467: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
Branch-D(config)#interface tunnel 0
Branch-D(config-if)#tunnel source 192.168.26.1
Branch-D(config-if)#tunnel destination 192.168.12.1
Branch-D(config-if)#ip unnumbered loopback 0
Branch-D(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-D(config-if)#exit
Branch-D(config)#router eigrp 100
Branch-D(config-router)#network 192.168.60.1
Branch-D(config-router)#network 192.168.166.1
Branch-D(config-router)#no auto-summary
Branch-D(config-router)#exit
*Apr 10 15:02:26.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:02:27.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 15:02:31.799: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
Branch-E(config)#interface tunnel 0
Branch-E(config-if)#tunnel source 192.168.27.1
Branch-E(config-if)#tunnel destination 192.168.12.1
Branch-E(config-if)#ip unnumbered loopback 0
Branch-E(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-E(config-if)#exit
Branch-E(config)#router eigrp 100
Branch-E(config-router)#network 192.168.70.1
Branch-E(config-router)#network 192.168.177.1
Branch-E(config-router)#no auto-summary
Branch-E(config-router)#exit
*Apr 10 15:03:38.223: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:03:38.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Head-office#traceroute 192.168.70.1
Type escape sequence to abort.
Tracing the route to 192.168.70.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.177.1 120 msec 68 msec 68 msec
Head-office#traceroute 192.168.60.1
Type escape sequence to abort.
Tracing the route to 192.168.60.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.166.1 64 msec 72 msec 64 msec
Type escape sequence to abort.
Tracing the route to 192.168.40.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.144.1 56 msec 68 msec 56 msec
Type escape sequence to abort.
Tracing the route to 192.168.30.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.133.1 80 msec 64 msec 56 msec
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 192.168.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)
current_peer 192.168.23.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 981, #pkts encrypt: 981, #pkts digest: 981
#pkts decaps: 979, #pkts decrypt: 979, #pkts verify: 979
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
current outbound spi: 0xC7D9A838(3352930360)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x91CBD49D(2446054557)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 12, flow_id: 12, sibling_flags 80000000, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4224607/2559)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC7D9A838(3352930360)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 11, flow_id: 11, sibling_flags 80000000, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4224608/2559)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 192.168.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.24.1/255.255.255.255/47/0)
current_peer 192.168.24.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 957, #pkts encrypt: 957, #pkts digest: 957
#pkts decaps: 953, #pkts decrypt: 953, #pkts verify: 953
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.24.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
current outbound spi: 0x2D7CE225(763159077)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x90E4AB46(2430905158)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 14, flow_id: 14, sibling_flags 80000000, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4328889/2658)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2D7CE225(763159077)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 13, flow_id: 13, sibling_flags 80000000, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4328889/2658)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access3
Crypto map tag: Virtual-Access3-head-0, local addr 192.168.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.26.1/255.255.255.255/47/0)
current_peer 192.168.26.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 910, #pkts encrypt: 910, #pkts digest: 910
#pkts decaps: 912, #pkts decrypt: 912, #pkts verify: 912
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.26.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
current outbound spi: 0xC59185C3(3314648515)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6584E4BE(1703208126)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 15, flow_id: 15, sibling_flags 80000000, crypto map: Virtual-Access3-head-0
sa timing: remaining key lifetime (k/sec): (4330964/2932)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC59185C3(3314648515)
--------------------------------------------------------------------------------
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego: 40
Total IKEv2 SA Count: 5 active: 5 negotiating: 0
Incoming IKEv2 Requests: 5 accepted: 5 rejected: 0
Outgoing IKEv2 Requests: 0 accepted: 0 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
Interface IP-Address OK? Method Status Protocol
Loopback0 192.168.111.1 YES NVRAM up up
Virtual-Access1 192.168.111.1 YES unset up up
Virtual-Access2 192.168.111.1 YES unset up up
Virtual-Access3 192.168.111.1 YES unset up up
Virtual-Access4 192.168.111.1 YES unset up up
Virtual-Access5 192.168.111.1 YES unset up up
Virtual-Template1 192.168.111.1 YES unset up down
Head-office#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
4 192.168.12.1/500 192.168.27.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4043 sec
Tunnel-id Local Remote fvrf/ivrf Status
2 192.168.12.1/500 192.168.24.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4327 sec
Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.12.1/500 192.168.23.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4421 sec
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.12.1/500 192.168.26.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4115 sec
Tunnel-id Local Remote fvrf/ivrf Status
5 192.168.12.1/500 192.168.25.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3908 sec
IPv6 Crypto IKEv2 SA
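As a verification step to run after the `show crypto ikev2 sa` output above, here is an added Python example (not from the original page or from Cisco) that parses that output and flags negotiated parameters that fall below a policy. The sample input is copied from the Head-office capture above; the policy thresholds (minimum DH group 14, MD5/SHA1 as weak hashes, certificate authentication expected) are assumptions chosen for this example.

```python
import re

# Constructed sample: two of the five SAs from the Head-office capture on this page.
SAMPLE = """\
Tunnel-id Local Remote fvrf/ivrf Status
4 192.168.12.1/500 192.168.27.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4043 sec
Tunnel-id Local Remote fvrf/ivrf Status
2 192.168.12.1/500 192.168.24.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4327 sec
"""

# "<tunnel-id> <local>/<port> <remote>/<port> <fvrf>/<ivrf> <status>"
SA_LINE = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\w+)$")
PARAM_LINE = re.compile(
    r"Encr: (?P<encr>[\w-]+), keysize: (?P<keysize>\d+), Hash: (?P<hash>\w+), "
    r"DH Grp:(?P<dh>\d+), Auth sign: (?P<sign>\w+), Auth verify: (?P<verify>\w+)"
)

def parse_ikev2_sa(text):
    """Return one dict per IKEv2 SA: tunnel id, peers, status and negotiated parameters."""
    sas, current = [], None
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:  # header row of the next SA
            current = {"tunnel": int(m[1]), "local": m[2], "remote": m[3], "status": m[4]}
            sas.append(current)
            continue
        m = PARAM_LINE.search(line)
        if m and current is not None:  # parameter row belongs to the SA above it
            current.update({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
    return sas

def audit(sas, min_dh=14, weak_hashes=("MD5", "SHA1"), allowed_auth=("RSA", "ECDSA")):
    """Flag SAs below the policy thresholds (the defaults here are assumed, not Cisco's)."""
    findings = []
    for sa in sas:
        peer = sa["remote"]
        if sa["status"] != "READY":
            findings.append((peer, f"status {sa['status']}"))
        if sa["dh"] < min_dh:
            findings.append((peer, f"DH group {sa['dh']} below policy minimum {min_dh}"))
        if sa["hash"] in weak_hashes:
            findings.append((peer, f"weak integrity algorithm {sa['hash']}"))
        if sa["sign"] not in allowed_auth or sa["verify"] not in allowed_auth:
            findings.append((peer, f"{sa['sign']} authentication; policy expects {allowed_auth}"))
    return findings
```

Run against the full capture above, `audit(parse_ikev2_sa(...))` reports DH group 5 and PSK authentication for every spoke, which is what the smart-default proposal negotiated here; live output from `show crypto ikev2 sa` is parsed the same way.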