I need to implement a site-to-site VPN connection. I currently use a crypto-map and IKEv1, and I would like to upgrade to the newer IKEv2 for better performance and security. Would everyone suggest the FlexVPN option for a site-to-site connection? I have been reading this document: http://www.cisco.com/en/US/products/ps12922/products_configuration_example09186a0080bed945.shtml. Something I'm curious about is that in this document they do not state the encryptions to be used, like in a crypto map and transform set. Is there now a standard encryption IKEv2 uses, or do these still have to be configured?
I did some more research and it looks like IKEv2 has default encryptions configured:
encryption aes-cbc-128 3des
integrity sha md5
group 5 2
If I wanted to change these defaults, would I have to use the command "crypto ikev2 proposal" and then change the various values there? I'm surprised Cisco's document that I listed above doesn't mention this.
For the IPSEC cryptographic algorithms, these are defined in the transform set (just like crypto maps), but this is referenced in the IPSEC profile. The default IPSEC profile uses the default transform set. If you want to change the transform set, you can; check the following example where I did;
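An added example, not part of either post and not the configuration the reply refers to: a small Python check that reads `crypto ikev2 proposal` blocks from configuration text and reports which of the algorithms in the quoted defaults (3des, md5, groups 5 and 2) RFC 8247 downgrades or deprecates. The sample configuration, the names S2S-STRONG and S2S-POLICY, and the weak-algorithm list are assumptions constructed for the illustration.

```python
import re

# Assumption of this example: algorithms treated as weak, following RFC 8247.
WEAK = {
    "encryption": {"des", "3des"},
    "integrity": {"md5"},
    "group": {"1", "2", "5"},
}

# Constructed sample: the defaults quoted in the thread, plus a hypothetical
# stronger proposal (S2S-STRONG) and the policy that selects it.
SAMPLE_CONFIG = """\
crypto ikev2 proposal default
 encryption aes-cbc-128 3des
 integrity sha md5
 group 5 2
!
crypto ikev2 proposal S2S-STRONG
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy S2S-POLICY
 proposal S2S-STRONG
"""


def audit_ikev2_proposals(config: str) -> dict[str, list[str]]:
    """Map each IKEv2 proposal name to the weak 'keyword value' pairs it offers."""
    findings: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"crypto ikev2 proposal (\S+)", line)
        if header:
            current = header.group(1)
            findings[current] = []
        elif current and line.startswith(" ") and line.split():
            # Sub-command of the current proposal: keyword followed by values.
            keyword, *values = line.split()
            weak = WEAK.get(keyword, set())
            findings[current] += [f"{keyword} {v}" for v in values if v in weak]
        else:
            current = None  # "!" or any top-level line closes the block
    return findings


if __name__ == "__main__":
    for name, weak in audit_ikev2_proposals(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(weak) if weak else 'no weak algorithms offered'}")
```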