Policy-based IPsec VPN configuration using IKEv2 


🔐 Phase 1 – IKE (Internet Key Exchange)

Purpose:

Establish a secure and authenticated channel between VPN peers for negotiating encryption settings.

Key Actions:

  • Identify peers (IP or hostname)
  • Authenticate using pre-shared key or certificates
  • Negotiate:
    • 🔒 Encryption (e.g., AES, 3DES)
    • 🔐 Integrity (e.g., SHA256)
    • 🔁 DH Group (e.g., Group 14)
    • ⏳ Lifetime (e.g., 86400 sec)
    • 🔧 IKE Version (v1 or v2)

Result:

A secure IKE SA (Security Association) is established, and Phase 2 is negotiated over it.


🛡️ Phase 2 – IPsec Tunnel Negotiation

Purpose:

Define how user traffic is encrypted and securely transmitted.

Key Actions:

  • Negotiate IPsec parameters:
    • 🔒 Data encryption (e.g., AES-256)
    • 🔐 Data integrity (e.g., SHA256)
    • 🔁 Optional PFS (Perfect Forward Secrecy)
    • 🎯 Traffic selectors (LAN subnets)
  • Match Phase 2 settings on both ends

Result:

Secure IPsec SAs are built to encrypt/decrypt traffic between networks.


🧠 IPsec Tunnel Phases – Summary Diagram

Phase                 | Function                 | Key Elements
Phase 1 🔐            | Secure negotiation setup | IKE SA, DH Group, Encryption, Auth, Lifetime
Phase 2 🛡️            | Encrypt actual traffic   | IPsec SA, AES/SHA, Traffic Selectors, Optional PFS
(Optional) Phase 3 🔄 | Dynamic routing setup    | EIGRP, OSPF, BGP over Tunnel Interface

🔄 Optional Phase 3 – Dynamic Routing

Although not officially part of IPsec, a third “phase” is often implemented using routing protocols:

  • 🧭 EIGRP, OSPF, or BGP
  • 🧠 Shared LAN routes over tunnel
  • 🔄 Auto-failover and simplified scaling

This is typically configured over Tunnel interfaces in route-based VPNs.



Below is the complete, copy-paste-ready configuration for both Cisco routers, including:

✅ IKEv2-based IPsec tunnel

✅ Route-based VPN using Tunnel0

✅ EIGRP AS 100 over the tunnel

✅ LAN-to-LAN routing via EIGRP


🔧 Router R1 Full Configuration

hostname R1
!
! IKEv2 Setup
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KEY
 peer R2
  address 198.51.100.1
  pre-shared-key cisco123
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 identity local address 203.0.113.1
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEY
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
! Tunnel interface
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
 ip bandwidth-percent eigrp 100 50
!
! LAN interface (example)
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! WAN interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
! EIGRP routing
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 10.0.0.0 0.0.0.3
 no auto-summary

🔧 Router R2 Full Configuration

hostname R2
!
! IKEv2 Setup
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KEY
 peer R1
  address 203.0.113.1
  pre-shared-key cisco123
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 198.51.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEY
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
! Tunnel interface
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
 ip bandwidth-percent eigrp 100 50
!
! LAN interface (example)
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
! WAN interface
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
! EIGRP routing
router eigrp 100
 network 192.168.2.0 0.0.0.255
 network 10.0.0.0 0.0.0.3
 no auto-summary
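
The checks this post relies on (Phase 1 parameters agreeing on both peers, "Match Phase 2 settings on both ends", and the R1/R2 configs mirroring each other) can be automated before the tunnel is brought up. The Python script below is an added example, not code from the original post or from Cisco. It assumes the configs are available as plain text in the form shown above; the embedded R1/R2 snippets are trimmed copies of those configs (constructed input), and the weak-algorithm thresholds (DES/3DES, DH groups below 14) are the script's own policy.

```python
"""Cross-check the R1/R2 configs above. Added example, not code from the post or
from Cisco: parses IOS config text and flags settings that must be identical on
both peers (IKEv2 proposal, IPsec transforms, PSK), settings that must mirror
each other (keyring peer, tunnel source/destination, Tunnel0 subnet) and weak
Phase 1 choices. Configs below are trimmed copies of the post's (constructed)."""
from ipaddress import ip_interface

R1_CONFIG = """\
hostname R1
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 keyring IKEV2-KEY
 peer R2
  address 198.51.100.1
  pre-shared-key cisco123
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
"""
R2_CONFIG = """\
hostname R2
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 keyring IKEV2-KEY
 peer R1
  address 203.0.113.1
  pre-shared-key cisco123
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
"""
WEAK_ENCRYPTION = {"des", "3des"}  # IKEv2 'encryption' keywords that should be refused
MIN_DH_GROUP = 14                  # groups 1, 2 and 5 are too small for new deployments

def parse_ios_config(text):
    """Minimal IOS parser: a top-level line opens a section, indented lines belong to it."""
    cfg = {"hostname": "", "proposal": {}, "transforms": (), "psk": "", "peer": "",
           "tunnel_ip": "", "tunnel_mask": "", "tunnel_source": "", "tunnel_destination": ""}
    section = ""
    for raw in text.splitlines():
        words = raw.split()
        if not words or raw.startswith("!"):
            continue
        if not raw.startswith(" "):                    # new top-level section
            section = raw
            if words[0] == "hostname":
                cfg["hostname"] = words[1]
            elif words[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transforms"] = tuple(words[4:])   # skip the transform-set name
        elif section.startswith("crypto ikev2 proposal"):
            cfg["proposal"][words[0]] = tuple(sorted(words[1:]))
        elif section.startswith("crypto ikev2 keyring"):
            if words[0] == "address":
                cfg["peer"] = words[1]
            elif words[0] == "pre-shared-key":
                cfg["psk"] = " ".join(words[1:])
        elif section.startswith("interface Tunnel"):
            if words[:2] == ["ip", "address"]:
                cfg["tunnel_ip"], cfg["tunnel_mask"] = words[2], words[3]
            elif words[0] == "tunnel" and words[1] in ("source", "destination"):
                cfg["tunnel_" + words[1]] = words[2]
    return cfg

def weak_settings(cfg):
    """Phase 1 choices to reject even when both ends agree on them."""
    issues = [f"{cfg['hostname']}: weak IKEv2 encryption {alg}"
              for alg in cfg["proposal"].get("encryption", ()) if alg in WEAK_ENCRYPTION]
    issues += [f"{cfg['hostname']}: DH group {g} is below group {MIN_DH_GROUP}"
               for g in cfg["proposal"].get("group", ()) if g.isdigit() and int(g) < MIN_DH_GROUP]
    return issues

def cross_check(a, b):
    """Return findings for a peer pair; an empty list means the two ends are consistent."""
    findings = weak_settings(a) + weak_settings(b)
    for key, label in (("proposal", "IKEv2 proposal"), ("transforms", "IPsec transform set")):
        if a[key] != b[key]:
            findings.append(f"{label} differs: {a[key]} vs {b[key]}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    for x, y in ((a, b), (b, a)):                      # each direction must mirror the other
        if x["peer"] != y["tunnel_source"]:
            findings.append(f"{x['hostname']} keyring peer {x['peer']} is not {y['hostname']}'s tunnel source")
        if x["tunnel_destination"] != y["tunnel_source"]:
            findings.append(f"{x['hostname']} tunnel destination {x['tunnel_destination']} "
                            f"is not {y['hostname']}'s tunnel source")
    net_a = ip_interface(f"{a['tunnel_ip']}/{a['tunnel_mask']}").network
    net_b = ip_interface(f"{b['tunnel_ip']}/{b['tunnel_mask']}").network
    if net_a != net_b:
        findings.append(f"Tunnel0 subnets differ: {net_a} vs {net_b}")
    return findings
```

Run cross_check on the parsed configs of both ends: an empty list means they agree. A differing proposal or transform set is the usual reason show crypto ikev2 sa stays empty, while the weak-algorithm check catches a proposal both routers would accept but that should not be deployed.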

🧪 Test & Verify

On both routers (the ping below is written from R1's side):

show crypto ikev2 sa         ! IKEv2 security associations
show crypto ipsec sa         ! IPsec tunnel status
show ip eigrp neighbors      ! EIGRP adjacency
show ip route eigrp          ! Learned routes
ping 192.168.2.1 source 192.168.1.1
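
Seeing a READY entry in show crypto ikev2 sa confirms that Phase 1 completed, but not that it negotiated what the configuration intended. As an added example (not from the post or from Cisco), the Python script below parses output in the shape of that command and compares the negotiated parameters with the values R1's proposal and keyring above are meant to produce. The sample output is constructed to resemble the command's output for this tunnel, not captured from a real router, and the EXPECTED values are assumptions taken from the R1 config.

```python
"""Check what IKEv2 actually negotiated against what the config intended.
Added example, not from the post or from Cisco. It parses text in the shape
of 'show crypto ikev2 sa' output; the sample is constructed to resemble that
output for the R1 side of the tunnel above and is not captured from a device."""
import re

SAMPLE_SHOW_IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.1/500       198.51.100.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/312 sec

 IPv6 Crypto IKEv2  SA
"""
# What R1's proposal and keyring above are meant to produce (constructed expectation).
EXPECTED = {"remote": "198.51.100.1", "encr": "AES-CBC", "keysize": 256,
            "hash": "SHA256", "dh_group": 14, "auth": "PSK"}

SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\S+)\s*$")
PARAM_LINE = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*PRF:\s*(\S+),\s*Hash:\s*(\S+),"
                        r"\s*DH Grp:\s*(\d+),\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")

def parse_ikev2_sa(text):
    """Return one dict per SA: id/local/remote/status plus the negotiated parameters."""
    sas, current = [], None
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            current = {"id": int(m.group(1)), "local": m.group(2),
                       "remote": m.group(3), "status": m.group(4)}
            sas.append(current)
            continue
        m = PARAM_LINE.search(line)
        if m and current is not None:          # parameter line belongs to the SA above it
            current.update(encr=m.group(1), keysize=int(m.group(2)), prf=m.group(3),
                           hash=m.group(4), dh_group=int(m.group(5)),
                           auth_sign=m.group(6), auth_verify=m.group(7))
    return sas

def verify_sa(sas, expected):
    """Return problems with the SA to expected['remote']; an empty list means it is as intended."""
    matching = [sa for sa in sas if sa["remote"] == expected["remote"]]
    if not matching:
        return [f"no IKEv2 SA to {expected['remote']} (Phase 1 not established)"]
    sa, problems = matching[0], []
    if sa["status"] != "READY":
        problems.append(f"SA status is {sa['status']}, not READY")
    for key in ("encr", "keysize", "hash", "dh_group"):
        if sa.get(key) != expected[key]:
            problems.append(f"{key}: negotiated {sa.get(key)}, expected {expected[key]}")
    if (sa.get("auth_sign"), sa.get("auth_verify")) != (expected["auth"], expected["auth"]):
        problems.append("authentication method differs from expected")
    return problems
```

Feed the real command output into parse_ikev2_sa and call verify_sa with the expectation for each peer; anything other than an empty list means the SA either is not up or was negotiated with different parameters than the proposal was written for.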


Bill

Bill is a passionate network engineer who loves to share his knowledge and experience with others. He writes engaging blog posts for itacute.com, where he covers topics such as home and small business networking, electronic gadgets, and tips and tricks to optimize performance and productivity. Bill enjoys learning new things and keeping up with the latest trends and innovations in the field of technology.
