Cisco Support Community

New Member

Site-to-Site FlexVPN

I need to implement a site-to-site VPN connection. I currently use a crypto-map and IKEv1; I would like to upgrade to the newer IKEv2 for better performance and security. Would everyone suggest the FlexVPN option for a site-to-site connection? I have been reading this document. Something I'm curious about is that in this document they do not state the encryptions to be used like in a crypto map and transform set. Is there now a standard encryption IKEv2 uses or do these still have to be configured?

I appreciate anyone's advice!

New Member

Re: Site-to-Site FlexVPN

I did some more research and it looks like IKEv2 has default encryptions configured,

encryption aes-cbc-128 3des
integrity sha md5
group 5 2

If I wanted to change these defaults would I have to use the command, "crypto ikev2 proposal" and then change the various values there? I'm surprised Cisco's document that I listed above doesn't mention this.

Cisco Employee

Site-to-Site FlexVPN

Hi Mark

You are correct: to change the IKEv2 defaults you can change the default proposal (or any proposal that you have configured).

This is detailed in the IOS config guide here;

For the IPSEC cryptographic algorithms these are defined in the transform set (just like crypto maps), but this is referenced in the IPSEC profile. The default IPSEC profile uses the default transform set. If you want to change the transform set you can, check the following example where I did;

I hope that this answers your Q; if not, please let me know.
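
An added example, not part of the thread and not Cisco's own configuration, showing the two places the reply above points to: a named IKEv2 proposal in place of the defaults, and a transform set referenced from the IPsec profile. All names (S2S-PROP, S2S-POL, S2S-TS, S2S-IPSEC, S2S-IKEV2-PROF) are hypothetical, the algorithm choices are illustrative, and it assumes an IKEv2 profile and a Tunnel0 interface are already configured.

```cisco
! IKEv2 (control channel) algorithms: a named proposal instead of the defaults
crypto ikev2 proposal S2S-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! A named proposal is only offered once an IKEv2 policy references it
crypto ikev2 policy S2S-POL
 proposal S2S-PROP
!
! IPsec (data channel) algorithms still live in a transform set,
! exactly as they did with crypto maps
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The IPsec profile ties the transform set to the IKEv2 profile
! (S2S-IKEV2-PROF is assumed to exist already)
crypto ipsec profile S2S-IPSEC
 set transform-set S2S-TS
 set ikev2-profile S2S-IKEV2-PROF
!
! Apply the profile to the existing tunnel interface
interface Tunnel0
 tunnel protection ipsec profile S2S-IPSEC
!
! Exec-mode checks after the tunnel comes up:
!   show crypto ikev2 proposal      (configured and default proposals)
!   show crypto ikev2 sa detailed   (algorithms actually negotiated for IKE)
!   show crypto ipsec sa            (transforms in use for the data channel)
```

Both peers need at least one matching combination in the IKEv2 proposal and in the transform set, otherwise negotiation fails.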

