IKEv2 VPNs to AWS on Cisco IOS devices

I hadn’t worked with AWS VPNs since January and missed their announcement of supporting IKEv2.  The configuration is similar to GCP with the one exception of SA lifetime.  AWS appears to still use 8 hours (28800 seconds) as opposed to GCP’s 10 hours and the Cisco IOS default of 24 hours (86400 seconds)

Configuring an IKEv2 VPN to AWS

Create IKEv2 Proposal  and Policy, if not done already:

crypto ikev2 proposal IKEV2_PROPOSAL 
  encryption aes-cbc-256 aes-cbc-128    
  integrity sha512 sha384 sha256 sha1   
  group 16 14 2                       ! 16 = 4096, 14 = 2048, 2 = 1024 bit
crypto ikev2 policy IKEV2_POLICY 
  match fvrf any
  proposal IKEV2_PROPOSAL

Add entries to an existing keyring, or create a separate one

crypto ikev2 keyring AWS_IKEV2_KEYRING
 peer vpn-0d4fe4b8d9406518f

Create IKEv2 Profile that links to said Keyring.  If behind NAT, specify public IP:

crypto ikev2 profile AWS_IKEV2_PROFILE
 match identity remote address 
 identity local address    ! Public IP, if behind NAT
 authentication local pre-share
 authentication remote pre-share
 keyring local AWS_IKEV2_KEYRING
 lifetime 28800

The IPSec parameters are same as IKEv1, except IKEv2 profile is added:

crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac 
 mode tunnel
crypto ipsec profile AWS_IPSEC_PROFILE
 set security-association lifetime kilobytes disable
 set transform-set ESP_AES128_SHA 
 set pfs group2
 set ikev2-profile AWS_IKEV2_PROFILE

Finally, apply IPsec profile to the VTI with the internet-facing interface as source:

interface Tunnel1
 ip address
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec profile AWS_IPSEC_PROFILE

It was good to see them negotiate a nice strong AES-256 / SHA256 / Group16 (4096-bit) SA:

Router#show crypto ikev2 sa
Tunnel-id Local Remote fvrf/ivrf Status 
5 none/none READY 
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:16, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1053 sec

A note about Cisco IOS software versions…

I’ve tested this configuration on a 1921 ISR G2 running IOS 15.5(3)M10

It seems Cisco introduced a slew of bugs relating to IKEv2 for both IOS and IOS-XE in mid-2019:

  • CSCvh66033 – IKEv2 – Crash with segmentation fault when debugs crypto ikev2 are enabled
  • CSCve08418IPsec/IKEv2 Installation Sometimes Fails With Simultaneous Negotiations
  • CSCvd69373 – IKEv2: Unable to initiate IKE session to a specific peer due to ‘in-neg’ SA Leak
  • CSCvg15158 – DMVPN session get stuck in NHRP and UP-NO-IKE state without active IKEv2 session until rekey
So, upgrading the latest software version is highly recommended.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s