No specific order is required for configuring the IKE map that is applied to the default SA. Any required parameter or algorithm that is not properly configured is displayed as an incomplete configuration, but this does not prevent you from configuring other IKE map parameters. A suggested order of IPsec configuration is:
The following configuration example will follow the IPsec configuration order suggested above.
As indicated in IKE Proposal, there are two IKE modes to which an IKE proposal is assigned:
Each IKE mode can be assigned a unique IKE proposal or the same proposal may be assigned to both modes, depending upon your configuration requirements. For this example we will configure a single IKE proposal named winRadiusPro, to be used in both IKE modes, with the following values:
System(su)->configure
System(su-config)->crypto ike-proposal winRadiusPro
System(su-crypto-proposal)->dh_group 14
System(su-crypto-proposal)->encryption aes128cbc
System(su-crypto-proposal)->hash sha1
System(su-crypto-proposal)->integrity sha1
System(su-crypto-proposal)->exit
System(su-config)->
The IKE policy for this example is named winRadiusPol. The initial contact and passive mode features will not be enabled for this configuration. The winRadiusPol IKE policy is configured with the following values:
System(su-config)->crypto ike-policy winRadiusPol
System(su-crypto-policy)->authentication psk testkey
System(su-crypto-policy)->lifetime time 360
System(su-crypto-policy)->peer 1.1.191.22
System(su-crypto-policy)->proposal winRadiusPro
System(su-crypto-policy)->version 1
System(su-crypto-policy)->exit
System(su-config)->
The IKE map for this example is named winRadius. IKE map parameters are configured with the following values:
System(su-config)->crypto ike-map winRadius
System(su-crypto-map)->proposal winRadiusPro
System(su-crypto-map)->policy winRadiusPol
System(su-crypto-map)->src 192.1.1.0/24
System(su-crypto-map)->src-port 500
System(su-crypto-map)->dst 192.2.2.0/24
System(su-crypto-map)->dst-port 500
System(su-crypto-map)->encapsulation transport
System(su-crypto-map)->lifetime time 5
System(su-crypto-map)->lifetime bandwidth 100000
System(su-crypto-map)->protocol udp
System(su-crypto-map)->request
System(su-crypto-map)->exit
System(su-config)->
In this release, an IPsec default instance is configurable. You assign the IKE map winRadius to the IPsec default instance in IPsec default instance configuration mode, and you enable IPsec on the router in global VRF router configuration mode. For this IPsec configuration example we also enable IPsec traps.
System(su-config)->crypto ipsec default
System(su-crypto-ipsec-defaul)->ike map winRadius
System(su-crypto-ipsec-defaul)->exit
System(su-config)->crypto ipsec trap-enable
System(su-config)->crypto ipsec enable
System(su-config)->