To configure the IPsec security, complete the following steps:
-
Use the crypto ipsec transform-set <ts-name> esp-aes esp-sha256-hmac command. However, note that only the following options are supported:
You can optionally use set pfs <dh-group-name> to enable perfect forward secrecy in IPsec profile.
-
Use the crypto ipsec profile <profile-name>, where the IKEv2 profile is set into IPsec profile.
-
Use the tunnel protection ipsec profile tunnel interface.
To view your IPsec information, use the show crypto ipsec sa detail command:
Router# show crypto ipsec sa detail
Load for five secs: 3%/0%; one minute: 8%; five minutes: 4%
Time source is NTP, 12:40:49.195 EDT Wed Feb 26 2020
interface: Tunnel101
Crypto map tag: Tunnel101-head-0, local addr 102.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (102.0.0.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (102.0.0.1/255.255.255.255/47/0)
current_peer 102.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 102.0.0.2, remote crypto endpt.: 102.0.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet4/1/0
current outbound spi: 0xBD3A2CBF(3174706367)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC67787E8(3329722344)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags FFFFFFFF80000040, crypto map: Tunnel101-head-0
sa timing: remaining key lifetime (k/sec): (4242079/86293)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBD3A2CBF(3174706367)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags FFFFFFFF80000040, crypto map: Tunnel101-head-0
sa timing: remaining key lifetime (k/sec): (4242079/86293)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas: