IPsec Client - Sample Configuration

Below is a sample configuration in which we have set up one of our WTI boxes linked to a Cisco ISR4331/K9 in the lab with a simple IKEv2 implementation. Our IPsec implementation comes from a Linux feature set (the Linux strongSwan fork, to be exact).

The WTI device's IPsec defaults are IKEv2 with both the ike and esp settings set to aes128-sha256-modp4096 (Diffie-Hellman group 16). These defaults can be changed per connection via the "Tunnel Options" menu option.

IKEv2 Site to Site (Cisco ISR4331/K9 to WTI Unit)

  • Phase One: The key exchange
  • Phase Two: Encrypting the tunnel
  • Applying the crypto map to the outside interface
  • Creating an access list to identify the traffic flow (inside LAN to peer's inside LAN)

Cisco Router Setup

Configuring Keyring

  1. R1>enable
  2. Password:
  3. R1# configure terminal
  4. R1(config)# crypto ikev2 keyring KR-1
  5. R1(config-ikev2-keyring)# peer SITE-2
  6. R1(config-ikev2-keyring-peer)# address (Address of the WTI Unit)
  7. R1(config-ikev2-keyring-peer)# pre-shared-key WTI949!
  8. R1(config-ikev2-keyring-peer)# exit
  9. R1(config-ikev2-keyring)# exit
  10. R1(config)# exit

Define IKEv2 Proposal

  1. R1# configure terminal
  2. R1(config)# crypto ikev2 proposal PROP-SITE2
  3. R1(config-ikev2-proposal)# encryption aes-cbc-256
  4. R1(config-ikev2-proposal)# integrity sha256
  5. R1(config-ikev2-proposal)# group 14
  6. R1(config-ikev2-proposal)# exit
  7. R1(config)# exit

Define IKEv2 Policies

  1. R1# configure terminal
  2. R1(config)# crypto ikev2 policy POL-SITE2
  3. R1(config-ikev2-policy)# proposal PROP-SITE2
  4. R1(config-ikev2-policy)# exit
  5. R1(config)# exit

Create Access-list to use for VPN

  1. R1# configure terminal
  2. R1(config)# ip access-list extended SITE1-SITE2-CACL
  3. R1(config-ext-nacl)# permit ip (inside LAN) (peer's inside LAN)
  4. R1(config-ext-nacl)# exit

Create Transform Set (IPsec)

  1. R1(config)# crypto ipsec transform-set SITE2-TS esp-aes esp-sha256-hmac
  2. R1(config-crypto-trans)# exit

Set IKEv2 Profile

  1. R1(config)# crypto ikev2 profile SITE2-PROFILE
  2. R1(config-ikev2-profile)# match identity remote address (WTI)
  3. R1(config-ikev2-profile)# authentication local pre-share
  4. R1(config-ikev2-profile)# authentication remote pre-share
  5. R1(config-ikev2-profile)# keyring local KR-1
  6. R1(config-ikev2-profile)# exit
  7. R1(config)# exit

Define Crypto-Maps

  1. R1# configure terminal
  2. R1(config)# crypto map CMAP-SITE2 10 ipsec-isakmp
  3. R1(config-crypto-map)# set peer (Address of the WTI Unit)
  4. R1(config-crypto-map)# set pfs group14
  5. R1(config-crypto-map)# set security-association lifetime seconds 86400
  6. R1(config-crypto-map)# set transform-set SITE2-TS
  7. R1(config-crypto-map)# set ikev2-profile SITE2-PROFILE
  8. R1(config-crypto-map)# match address SITE1-SITE2-CACL
  9. R1(config-crypto-map)# exit
  10. R1(config)# exit

Apply the configurations to an interface

  1. R1# configure terminal
  2. R1(config)# interface GigabitEthernet0/0/0
  3. R1(config-if)# crypto map CMAP-SITE2
  4. R1(config-if)# exit
  5. R1(config)# exit
  6. R1# wr

WTI Unit Setup


1. Enable: On

2. Tunnel Name: CISCO_TEST_IKEv2

3. Security: Pre-shared Secret (Static Key File)

4. Authentication Type: ESP

5. Left Address: %any

6. Left ID: (WTI Unit)

7. Left Subnet: (undefined)

8. Right Address: (Cisco Unit)

9. Right ID:

10. Right Subnet:

11. Pre-Shared Key: (defined)

12. Tunnel Options: (defined)

13. Associated Menu: (default)

Enter: #<CR> to change, <ESC> to exit and save configuration ...

(Select option 12 to set these tunnel options)


1. Parameter: ike

2. Value: aes128-sha256-modp2048


1. Parameter: esp

2. Value: aes128-sha1

Diffie-Hellman MODP Group listing

Diffie-Hellman group 1 - 768-bit modulus
Diffie-Hellman group 2 - 1024-bit modulus
Diffie-Hellman group 5 - 1536-bit modulus
Diffie-Hellman group 14 - 2048-bit modulus
Diffie-Hellman group 15 - 3072-bit modulus
Diffie-Hellman group 16 - 4096-bit modulus
Diffie-Hellman group 17 - 6144-bit modulus
Diffie-Hellman group 18 - 8192-bit modulus
Diffie-Hellman group 19 - 256-bit elliptic curve
Diffie-Hellman group 20 - 384-bit elliptic curve
Diffie-Hellman group 21 - 521-bit elliptic curve
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup
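Before bringing the tunnel up, a practitioner wants to confirm that both ends agree on every proposal attribute, since IKEv2 simply fails the negotiation when the cipher key length, integrity algorithm or Diffie-Hellman group differ. The Python script below is an added example, not WTI or Cisco code: it parses strongSwan-style proposal strings (the form used in the WTI ike/esp tunnel options) and the Cisco IOS ikev2 proposal, transform-set and crypto-map PFS settings into one common form, using the Diffie-Hellman group table above, and reports each attribute on which the two ends differ. It assumes IOS's documented default of 128-bit AES for a bare `esp-aes` keyword and treats a strongSwan esp string with no DH keyword as "no PFS"; the `Proposal` type and function names are this example's own. Run over the values exactly as written in this document, it reports the IKE key length (aes-cbc-256 versus aes128) and, for ESP, the integrity algorithm and PFS group; once whichever end you edit matches the other, the report is empty.

```python
"""Proposal-agreement check for a Cisco IOS <-> strongSwan (WTI) IKEv2 pairing.

Added example, not WTI or Cisco code. Values in check_page_values() are the
ones printed on this page; all other inputs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Diffie-Hellman groups as listed on this page: strongSwan keyword -> IOS group number.
DH_GROUPS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21, "modp2048s256": 24,
}


@dataclass(frozen=True)
class Proposal:
    """Vendor-neutral view of one IKE or ESP proposal (hypothetical type for this example)."""
    encryption: str          # cipher family, e.g. "aes"
    key_bits: int            # cipher key length, e.g. 128
    integrity: str           # integrity algorithm keyword, e.g. "sha256"
    dh_group: Optional[int]  # IOS DH group number; None = no DH (no PFS for ESP)


def parse_strongswan(spec: str) -> Proposal:
    """Parse a strongSwan proposal such as 'aes128-sha256-modp2048' or 'aes128-sha1'."""
    parts = spec.strip().lower().split("-")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected cipher-integrity[-dhgroup], got {spec!r}")
    cipher = parts[0]
    if not (cipher.startswith("aes") and cipher[3:].isdigit()):
        raise ValueError(f"only aesNNN ciphers handled in this example: {cipher!r}")
    dh = None
    if len(parts) == 3:
        if parts[2] not in DH_GROUPS:
            raise ValueError(f"unknown DH group keyword {parts[2]!r}")
        dh = DH_GROUPS[parts[2]]
    return Proposal("aes", int(cipher[3:]), parts[1], dh)


def parse_ios_ikev2(encryption: str, integrity: str, group: int) -> Proposal:
    """Parse the three 'crypto ikev2 proposal' lines: encryption aes-cbc-256, integrity sha256, group 14."""
    family, mode, bits = encryption.strip().lower().split("-")
    if family != "aes" or mode != "cbc" or not bits.isdigit():
        raise ValueError(f"only aes-cbc-NNN handled in this example: {encryption!r}")
    if group not in DH_GROUPS.values():
        raise ValueError(f"DH group {group} is not in the page's group table")
    return Proposal("aes", int(bits), integrity.strip().lower(), group)


def parse_ios_transform_set(transform: str, pfs_group: Optional[int]) -> Proposal:
    """Parse 'esp-aes [bits] esp-<hash>-hmac' plus the crypto-map 'set pfs' group (the ESP DH group)."""
    tokens = transform.strip().lower().split()
    bits, integrity, i = 128, None, 0   # bare 'esp-aes' is 128-bit in IOS (assumed from IOS docs)
    while i < len(tokens):
        tok = tokens[i]
        if tok == "esp-aes":
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                bits = int(tokens[i + 1])
                i += 1
        elif tok.startswith("esp-") and tok.endswith("-hmac"):
            integrity = tok[len("esp-"):-len("-hmac")]
        else:
            raise ValueError(f"unhandled transform keyword {tok!r}")
        i += 1
    if integrity is None:
        raise ValueError("transform set has no esp-*-hmac integrity keyword")
    return Proposal("aes", bits, integrity, pfs_group)


def mismatches(a: Proposal, b: Proposal) -> List[str]:
    """Return one 'field: a vs b' line per attribute on which the two proposals differ."""
    return [
        f"{field}: {getattr(a, field)} vs {getattr(b, field)}"
        for field in ("encryption", "key_bits", "integrity", "dh_group")
        if getattr(a, field) != getattr(b, field)
    ]


def check_page_values() -> Dict[str, List[str]]:
    """Compare the Cisco and WTI ends exactly as written on this page."""
    cisco_ike = parse_ios_ikev2("aes-cbc-256", "sha256", 14)          # Define IKEv2 Proposal
    wti_ike = parse_strongswan("aes128-sha256-modp2048")              # Tunnel option: ike
    cisco_esp = parse_ios_transform_set("esp-aes esp-sha256-hmac", 14)  # transform set + set pfs group14
    wti_esp = parse_strongswan("aes128-sha1")                         # Tunnel option: esp
    return {"ike": mismatches(cisco_ike, wti_ike), "esp": mismatches(cisco_esp, wti_esp)}


if __name__ == "__main__":
    for phase, diffs in check_page_values().items():
        print(f"{phase}: {'OK' if not diffs else '; '.join(diffs)}")
```

The comparison is deliberately attribute-by-attribute rather than a single yes/no, because the IOS `debug crypto ikev2` output on a failed negotiation only says that no proposal was chosen; seeing which attribute differs tells you which line to edit on which end.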

Rev. 1.2 (4/4/2020)