IPsec Client - Sample Configuration

Below is a sample configuration in which we have set up one of our WTI boxes to link to a Cisco ISR4331/K9 in the lab using a simple IKEv2 implementation. Our IPsec implementation comes from a Linux feature set (the Linux strongSwan fork, to be exact).


The WTI device IPsec defaults are IKEv2 with both the ike and esp settings set to aes128-sha256-modp4096 (DH group 16). These defaults can be changed per connection via the "Tunnel Options" menu option.


IKEv2 Site to Site (Cisco ISR4331/K9 to WTI Unit)


  • Phase One: The key exchange
  • Phase Two: Encrypting the tunnel
  • Applying the crypto map to the outside interface
  • Creating an access list to identify the traffic flow (inside LAN to peer's inside LAN)

Cisco Router Setup


Configuring Keyring


  1. R1>enable
  2. Password:
  3. R1# configure terminal
  4. R1(config)# crypto ikev2 keyring KR-1
  5. R1(config-ikev2-keyring)# peer SITE-2
  6. R1(config-ikev2-keyring-peer)# address 192.10.10.136 (Address of the WTI Unit)
  7. R1(config-ikev2-keyring-peer)# pre-shared-key WTI949!
  8. R1(config-ikev2-keyring-peer)# exit
  9. R1(config-ikev2-keyring)# exit
  10. R1(config)# exit

Define IKEv2 Proposal


  1. R1# configure terminal
  2. R1(config)# crypto ikev2 proposal PROP-SITE2
  3. R1(config-ikev2-proposal)# encryption aes-cbc-256
  4. R1(config-ikev2-proposal)# integrity sha256
  5. R1(config-ikev2-proposal)# group 14
  6. R1(config-ikev2-proposal)# exit
  7. R1(config)# exit

Define IKEv2 Policies


  1. R1# configure terminal
  2. R1(config)# crypto ikev2 policy POL-SITE2
  3. R1(config-ikev2-policy)# proposal PROP-SITE2
  4. R1(config-ikev2-policy)# exit
  5. R1(config)# exit

Create Access-list to use for VPN


  1. R1# configure terminal
  2. R1(config)# ip access-list extended SITE1-SITE2-CACL
  3. R1(config-ext-nacl)# permit ip 192.10.10.0 0.0.0.255 192.168.0.0 0.0.0.255
  4. R1(config-ext-nacl)# exit

Create Transform Set (IPSEC)


  1. R1(config)# crypto ipsec transform-set SITE2-TS esp-aes esp-sha256-hmac
  2. R1(config-crypto-trans)# exit

Set IKEv2 Profile


  1. R1(config)# crypto ikev2 profile SITE2-PROFILE
  2. R1(config-ikev2-profile)# match identity remote address 192.10.10.136 255.255.255.255 (WTI)
  3. R1(config-ikev2-profile)# authentication local pre-share
  4. R1(config-ikev2-profile)# authentication remote pre-share
  5. R1(config-ikev2-profile)# keyring local KR-1
  6. R1(config-ikev2-profile)# exit
  7. R1(config)# exit

Define Crypto-Maps


  1. R1# configure terminal
  2. R1(config)# crypto map CMAP-SITE2 10 ipsec-isakmp
  3. R1(config-crypto-map)# set peer 192.10.10.136
  4. R1(config-crypto-map)# set pfs group14
  5. R1(config-crypto-map)# set security-association lifetime seconds 86400
  6. R1(config-crypto-map)# set transform-set SITE2-TS
  7. R1(config-crypto-map)# set ikev2-profile SITE2-PROFILE
  8. R1(config-crypto-map)# match address SITE1-SITE2-CACL
  9. R1(config-crypto-map)# exit
  10. R1(config)# exit

Apply the configurations to an interface


  1. R1# configure terminal
  2. R1(config)# interface GigabitEthernet0/0/0
  3. R1(config-if)# crypto map CMAP-SITE2
  4. R1(config-if)# exit
  5. R1(config)# exit
  6. R1# wr

WTI Unit Setup


IPSEC VPN DETAILS: [CISCO_TEST_IKEv2] IPv4/IPv6

1. Enable: On
2. Tunnel Name: CISCO_TEST_IKEv2
3. Security: Pre-shared Secret (Static Key File)
4. Authentication Type: ESP
5. Left Address: %any
6. Left ID: 192.10.10.136 (WTI Unit)
7. Left Subnet: (undefined)
8. Right Address: 192.10.10.132 (Cisco Unit)
9. Right ID: 192.10.10.132
10. Right Subnet: 192.10.10.0/24
11. Pre-Shared Key: (defined)
12. Tunnel Options: (defined)
13. Associated Menu: (default)

Enter: #<CR> to change,
<ESC> to exit and save configuration ...

(Select option 12 to set these tunnel options.)


IPSEC VPN CUSTOM OPTIONS DETAILS: [CISCO_TEST_IKEv2] IPv4/IPv6

1. Parameter: ike
2. Value: aes128-sha256-modp2048

IPSEC VPN CUSTOM OPTIONS DETAILS: [CISCO_TEST_IKEv2] IPv4/IPv6

1. Parameter: esp
2. Value: aes128-sha1


Diffie-Hellman MODP Group listing

Diffie-Hellman group 1 - 768-bit modulus
Diffie-Hellman group 2 - 1024-bit modulus
Diffie-Hellman group 5 - 1536-bit modulus
Diffie-Hellman group 14 - 2048-bit modulus
Diffie-Hellman group 15 - 3072-bit modulus
Diffie-Hellman group 16 - 4096-bit modulus
Diffie-Hellman group 17 - 6144-bit modulus
Diffie-Hellman group 18 - 8192-bit modulus
Diffie-Hellman group 19 - 256-bit elliptic curve
Diffie-Hellman group 20 - 384-bit elliptic curve
Diffie-Hellman group 21 - 521-bit elliptic curve
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup
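The IKE_SA and CHILD_SA only come up if the Cisco proposal/transform set and the strongSwan-style ike/esp strings entered under Tunnel Options describe at least one proposal in common, with the DH group keyword (modp2048 = group 14, and so on per the listing above) translated between the two spellings. The Python script below is an added example, not part of this page and not WTI or Cisco code: it normalizes both sides to (encryption, integrity, DH group) tuples and reports the intersection. It assumes the enc-integ[-dh] strongSwan syntax used on this page (no AEAD or PRF keywords) and only the Cisco keywords that appear here (aes-cbc-N, 3des, esp-aes [N], esp-*-hmac). The sample values at the bottom are constructed for the demonstration, with a second AES key size on the Cisco side and an ESP string both with and without a PFS group, and are not the page's exact configuration.

```python
"""Check that a Cisco IOS IKEv2 proposal / IPsec transform set and a strongSwan
ike= / esp= cipher string (WTI "Tunnel Options") share at least one proposal."""
import re

# strongSwan DH keyword -> IKE group number, matching the MODP group listing.
DH_GROUPS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21, "modp2048s256": 24,
}
PROMPT = re.compile(r"^\S*#\s*")  # strips an IOS prompt such as 'R1(config)# '


def parse_strongswan(cipher_string):
    """'aes128-sha256-modp2048,aes256-sha1' -> {('aes128','sha256',14), ('aes256','sha1',None)}.
    Only the enc-integ[-dh] form is handled; None means no DH group (no PFS) was given."""
    proposals = set()
    for prop in cipher_string.rstrip("!").split(","):
        parts = prop.strip().split("-")
        if len(parts) not in (2, 3):
            raise ValueError("unsupported proposal: " + prop)
        dh = DH_GROUPS[parts[2]] if len(parts) == 3 else None
        proposals.add((parts[0], parts[1], dh))
    return proposals


def _cisco_enc(token):
    """'aes-cbc-256' -> 'aes256' (the strongSwan spelling); '3des' stays '3des'."""
    m = re.fullmatch(r"aes-cbc-(128|192|256)", token)
    if m:
        return "aes" + m.group(1)
    if token == "3des":
        return "3des"
    raise ValueError("unsupported encryption keyword: " + token)


def parse_cisco_ikev2_proposal(text):
    """Parse the lines of one 'crypto ikev2 proposal' block (prompts allowed).
    IOS accepts several values per keyword; every combination is offered."""
    encs, integs, groups = [], [], []
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "encryption":
            encs += [_cisco_enc(w) for w in words[1:]]
        elif words[0] == "integrity":
            integs += [w.lower() for w in words[1:]]
        elif words[0] == "group":
            groups += [int(w) for w in words[1:]]
    return {(e, i, g) for e in encs for i in integs for g in groups}


def parse_cisco_transform_set(line, pfs_group=None):
    """'crypto ipsec transform-set NAME esp-aes esp-sha256-hmac' -> {('aes128','sha256',pfs_group)}.
    'esp-aes' with no key size is AES-128; pfs_group is the crypto map's 'set pfs' value."""
    words = PROMPT.sub("", line.strip()).split()
    tokens = words[words.index("transform-set") + 2:]  # skip the set name
    enc = integ = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "esp-aes":
            size = "128"
            if i + 1 < len(tokens) and tokens[i + 1] in ("128", "192", "256"):
                size = tokens[i + 1]
                i += 1
            enc = "aes" + size
        elif tok == "esp-3des":
            enc = "3des"
        else:
            m = re.fullmatch(r"esp-(sha|sha256|sha384|sha512|md5)-hmac", tok)
            if m:
                integ = "sha1" if m.group(1) == "sha" else m.group(1)
        i += 1
    if enc is None or integ is None:
        raise ValueError("transform set lacks cipher or integrity: " + line)
    return {(enc, integ, pfs_group)}


def common_proposals(side_a, side_b):
    """Proposals both peers accept: cipher, integrity and DH group (or its
    absence) are compared together, so this is a plain set intersection."""
    return side_a & side_b


# Constructed sample values (assumed, not the page's exact configuration).
CISCO_IKE = """
R1(config-ikev2-proposal)# encryption aes-cbc-256 aes-cbc-128
R1(config-ikev2-proposal)# integrity sha256
R1(config-ikev2-proposal)# group 14
"""
CISCO_TS = "R1(config)# crypto ipsec transform-set SITE2-TS esp-aes esp-sha256-hmac"
WTI_IKE = "aes128-sha256-modp2048"
WTI_ESP_PFS = "aes128-sha256-modp2048"   # ESP string that also names a PFS group
WTI_ESP_NO_PFS = "aes128-sha1"           # ESP string without a PFS group


def check(cisco_ike=CISCO_IKE, cisco_ts=CISCO_TS, pfs=14, wti_ike=WTI_IKE, wti_esp=WTI_ESP_PFS):
    """Return (common IKE_SA proposals, common CHILD_SA proposals)."""
    ike = common_proposals(parse_cisco_ikev2_proposal(cisco_ike), parse_strongswan(wti_ike))
    esp = common_proposals(parse_cisco_transform_set(cisco_ts, pfs), parse_strongswan(wti_esp))
    return ike, esp


if __name__ == "__main__":
    for esp_string in (WTI_ESP_PFS, WTI_ESP_NO_PFS):
        ike, esp = check(wti_esp=esp_string)
        print("IKE_SA common:", ike or "NONE")
        print("CHILD_SA common (esp=%s):" % esp_string, esp or "NONE")
```

Run the script with the two sides' actual values substituted for the constructed ones; an empty set for either SA is the thing to fix before looking at keys or identities, since a proposal mismatch fails negotiation before authentication is attempted.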


Rev. 1.2 (4/4/2020)