Policy-based IPsec VPN configuration using IKEv2
🔐 Phase 1 – IKE (Internet Key Exchange)
Purpose:
Establish a secure and authenticated channel between VPN peers for negotiating encryption settings.
Key Actions:
- Identify peers (IP or hostname)
- Authenticate using pre-shared key or certificates
- Negotiate:
  - 🔒 Encryption (e.g., AES, 3DES)
  - 🔐 Integrity (e.g., SHA256)
  - 🔁 DH Group (e.g., Group 14)
  - ⏳ Lifetime (e.g., 86400 sec)
  - 🔧 IKE Version (v1 or v2)
Result:
A secure IKE SA (Security Association) is established and used to protect the Phase 2 negotiation.
🛡️ Phase 2 – IPsec Tunnel Negotiation
Purpose:
Define how user traffic is encrypted and securely transmitted.
Key Actions:
- Negotiate IPsec parameters:
  - 🔒 Data encryption (e.g., AES-256)
  - 🔐 Data integrity (e.g., SHA256)
  - 🔁 Optional PFS (Perfect Forward Secrecy)
  - 🎯 Traffic selectors (LAN subnets)
- Match Phase 2 settings on both ends
Result:
Secure IPsec SAs are built to encrypt/decrypt traffic between networks.
🧠 IPsec Tunnel Phases – Summary Diagram
| Phase | Function | Key Elements |
|---|---|---|
| Phase 1 🔐 | Secure negotiation setup | IKE SA, DH Group, Encryption, Auth, Lifetime |
| Phase 2 🛡️ | Encrypt actual traffic | IPsec SA, AES/SHA, Traffic Selectors, Optional PFS |
| (Optional) Phase 3 🔄 | Dynamic routing setup | EIGRP, OSPF, BGP over Tunnel Interface |
🔄 Optional Phase 3 – Dynamic Routing
Although not officially part of IPsec, a third “phase” is often implemented using routing protocols:
- 🧭 EIGRP, OSPF, or BGP
- 🧠 Shared LAN routes over tunnel
- 🔄 Auto-failover and simplified scaling
This is typically configured over Tunnel interfaces in route-based VPNs.
Here is the complete, copy-paste-ready configuration for both Cisco routers — including:
✅ IKEv2-based IPsec tunnel
✅ Route-based VPN using Tunnel0
✅ EIGRP AS 100 over the tunnel
✅ LAN-to-LAN routing via EIGRP
🔧 Router R1 Full Configuration
```
hostname R1
!
! IKEv2 Setup
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KEY
 peer R2
  address 198.51.100.1
  ! example key only: use a long random secret in production
  pre-shared-key cisco123
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 identity local address 203.0.113.1
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEY
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
! Tunnel interface
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
 ip bandwidth-percent eigrp 100 50
!
! LAN interface (example)
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! WAN interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
! EIGRP routing
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 10.0.0.0 0.0.0.3
 no auto-summary
```
🔧 Router R2 Full Configuration
```
hostname R2
!
! IKEv2 Setup
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KEY
 peer R1
  address 203.0.113.1
  ! must match the key configured on R1
  pre-shared-key cisco123
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 198.51.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEY
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
! Tunnel interface
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
 ip bandwidth-percent eigrp 100 50
!
! LAN interface (example)
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
! WAN interface
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
! EIGRP routing
router eigrp 100
 network 192.168.2.0 0.0.0.255
 network 10.0.0.0 0.0.0.3
 no auto-summary
```
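Phase 2 only comes up if the two ends agree, and most tunnel failures in practice are a mismatched key, proposal or crossed address. As an added example (not part of the original configuration), here is a small Python check that reads the two IOS configs above and reports anything that should be identical but differs, or should mirror (R1's peer address must be R2's local identity, R1's tunnel destination must be R2's tunnel source) but does not; the embedded config text is a constructed sample trimmed to the lines the check reads.

```python
import re

# Constructed sample: the page's R1 config trimmed to the lines the check reads.
R1 = """\
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 group 14
  address 198.51.100.1
  pre-shared-key cisco123
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 identity local address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
interface Tunnel0
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
"""
# R2 is R1 with the two WAN addresses swapped (constructed the same way).
R2 = (R1.replace("198.51.100.1", "@").replace("203.0.113.1", "198.51.100.1")
        .replace("@", "203.0.113.1"))

FIELDS = {  # parameter -> IOS line pattern with one capture group
    "encryption": r"^ *encryption (\S+)",   "group": r"^ *group (\d+)",
    "psk": r"^ *pre-shared-key (\S+)",      "peer_addr": r"^ *address (\S+)",
    "match_remote": r"^ *match identity remote address (\S+)",
    "local_id": r"^ *identity local address (\S+)",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "tun_src": r"^ *tunnel source (\S+)",   "tun_dst": r"^ *tunnel destination (\S+)",
}

def extract(cfg):
    """Pull the parameters that must agree (or mirror) between the two peers."""
    found = {k: re.search(p, cfg, re.M) for k, p in FIELDS.items()}
    return {k: m.group(1) if m else None for k, m in found.items()}

def check_mirror(cfg_a, cfg_b):
    """Return mismatches between peers A and B; an empty list means they line up."""
    a, b = extract(cfg_a), extract(cfg_b)
    problems = [f"{k}: {a[k]} != {b[k]}" for k in ("encryption", "group", "psk", "transform")
                if a[k] != b[k]]                              # must be identical
    # A's view of B (peer address, identity match, tunnel destination) must equal
    # B's view of itself, and vice versa.
    for mine, theirs in (("peer_addr", "local_id"), ("match_remote", "local_id"),
                         ("tun_dst", "tun_src")):
        for x, y, tag in ((a, b, "A->B"), (b, a, "B->A")):
            if x[mine] != y[theirs]:
                problems.append(f"{tag} {mine} {x[mine]} != {theirs} {y[theirs]}")
    return problems
```

Run it against the real running-configs of both routers (for example, the output of `show running-config` saved to a file on each side) before opening a ticket on the peer.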
🧪 Test & Verify
On both routers:
```
! IKEv2 security associations (Phase 1)
show crypto ikev2 sa
! IPsec tunnel status (Phase 2)
show crypto ipsec sa
! EIGRP adjacency over Tunnel0
show ip eigrp neighbors
! Routes learned over the tunnel
show ip route eigrp
! LAN-to-LAN reachability, as typed on R1 (swap the addresses on R2)
ping 192.168.2.1 source 192.168.1.1
```