I would like to share with you very useful commands which can helpful
you during your troubleshooting. Instead of checking (sometimes very
long) configuration, you can check/compare the same block of
configuration between your peers.
1) ikev2 proposal
From above output you can learn about all available ikev2 proposals. As you see there is one proposal default. You can use it in your config but you can also disable it:
you have to first disable the default policy.
to enable it again, issue following command:
2) ikev2 policy
As with the proposal, you can enable/disable it:
3) ikev2 profile
4) transform-set
To enable/disable the default transform-set issue the command:
5) IPsec profile
1) ikev2 proposal
r5#sh crypto ikev2 proposal
IKEv2 proposal: IKEV2-PROPOSAL
Encryption : AES-CBC-128
Integrity : SHA512
PRF : SHA512
DH Group : DH_GROUP_1536_MODP/Group 5
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
r5#
From above output you can learn about all available ikev2 proposals. As you see there is one proposal default. You can use it in your config but you can also disable it:
r5(config)#no crypto ikev2 proposal default
you have to first disable the default policy.
r5#sh crypto ikev2 proposal
IKEv2 proposal: IKEV2-PROPOSAL
Encryption : AES-CBC-128
Integrity : SHA512
PRF : SHA512
DH Group : DH_GROUP_1536_MODP/Group 5
IKEv2 proposal: default Disabled
r5#
to enable it again, issue following command:
r5(config)#default crypto ikev2 proposal
2) ikev2 policy
r5#sh crypto ikev2 policy
IKEv2 policy : IKEV2-POLICY
Match fvrf : global
Match address local : any
Proposal : IKEV2-PROPOSAL
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default
r5#
As with the proposal, you can enable/disable it:
r5(config)#no crypto ikev2 policy default
r5(config)#default crypto ikev2 policy
3) ikev2 profile
r5#sh crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
Ref Count: 3
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 0.0.0.0
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: KEYRING123
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: interval 10, retry-interval 2, periodic
NAT-keepalive: disabled
Ivrf: none
Virtual-template: 1
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
r5#
4) transform-set
r5#sh crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set TS: { esp-256-aes esp-sha512-hmac }
will negotiate = { Tunnel, },
r5#
To enable/disable the default transform-set issue the command:
r5(config)#no crypto ipsec transform-set default
r5(config)#default crypto ipsec transform-set
5) IPsec profile
r5#sh crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEV2 profile IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TS: { esp-256-aes esp-sha512-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
r5#
r5(config)#default crypto ipsec profile
r5(config)#no crypto ipsec profile default
Comments
Post a Comment