Configure IKEv2 proposal

Configure the IKEv2 proposal for the Forcepoint ONE SSE service.

Steps

  1. Configure an IKEv2 proposal with a supported encryption algorithm, integrity algorithm, and DH group:
    crypto ikev2 proposal <proposal_name>
    encryption <supported_IPsec_cipher>
    integrity <supported_integrity_algorithm>
    group <supported_dh_group>
  2. Configure the IKEv2 policy:
    crypto ikev2 policy <policy name>
  3. Associate the proposal that you configured:
    proposal <proposal_name>
  4. Configure a keyring and define the peer address (or cloud FQDN) and pre-shared key for each tunnel:
    1. Enter an IKEv2 key ring name for the primary IPsec tunnel:
      crypto ikev2 keyring <key ring name>
    2. Enter a peer name for the primary IPsec tunnel:
      peer <Peer 1 Name>
    3. Enter the cloud FQDN for the primary IPsec tunnel:
      hostname <primary_Cloud_FQDN>

      If you want to use the IP address of the primary IPsec tunnel peer instead of the cloud FQDN, use this line instead:

      address <primary_destination_address>
    4. Enter the PSK for the peer:
      pre-shared-key <pre-shared_key>
    5. Enter a peer name for the secondary IPsec tunnel:
      peer <Peer 2 Name>
    6. Enter the cloud FQDN for the secondary IPsec tunnel:
      hostname <secondary_Cloud_FQDN>

      If you want to use the IP address of the secondary IPsec tunnel peer instead of the cloud FQDN, use this line instead:

      address <secondary_destination_address>
    7. Enter the PSK for the peer:
      pre-shared-key <pre-shared_key>
  5. Configure an IKEv2 profile and associate the following:
    • The keyring that you created.
    • The IKE ID sent by the service (of type FQDN).
    • The IKE ID sent by the edge device (of type FQDN or of type IP address).
    • Local and remote authentication using pre-share.
    1. Enter an IKEv2 profile name:
      crypto ikev2 profile <IKEv2 Profile Name>
    2. Define the match statement for the IKE ID of the primary tunnel peer:
      match identity remote fqdn <primary_cloud_ike_id>
    3. Define the match statement for the IKE ID of the secondary tunnel peer:
      match identity remote fqdn <secondary_cloud_ike_id>
    4. If you want to use a local IKE ID of type FQDN, enter the local IKEv2 identity:
      identity local fqdn <local_fqdn_id>

      If you want to use a local IKE ID of type IP address, replace the line above with the following:

      identity local address <public_egress_IP>
    5. Define the local authentication method:
      authentication local pre-share
    6. Define the remote authentication method:
      authentication remote pre-share
    7. Enter the IKEv2 key ring name you configured:
      keyring local <Key Ring Name>
  6. Configure a transform set and define the encryption algorithm:
    crypto ipsec transform-set <Transform Set Name> <supported_IPsec_cipher>
  7. Configure an access list that permits port 80 and 443 traffic from specific subnets (or other traffic types) to the tunnel:
    access-list <access_list_number> permit tcp <internal_subnet> <subnet_mask> any eq www
    access-list <access_list_number> permit tcp <internal_subnet> <subnet_mask> any eq 443
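
As an added example that is not part of the Forcepoint documentation, the following Python assembles steps 1 to 5 into one constructed IOS configuration (every name, algorithm, FQDN and key is a placeholder assumption) and checks the cross-references that a mistyped name breaks without any CLI error: the policy's proposal, the profile's keyring, the remote identity match and both pre-share authentication statements.

```python
# Constructed sample assembling steps 1 to 5 into one IOS IKEv2 config; all names, algorithms, FQDNs and keys are placeholders.
SAMPLE_CONFIG = """\
crypto ikev2 proposal FP1-PROPOSAL
 encryption aes-gcm-256
 integrity sha256
 group 19
crypto ikev2 policy FP1-POLICY
 proposal FP1-PROPOSAL
crypto ikev2 keyring FP1-KEYRING
 peer FP1-PRIMARY
  hostname primary.example.invalid
  pre-shared-key PLACEHOLDER_PSK_1
 peer FP1-SECONDARY
  hostname secondary.example.invalid
  pre-shared-key PLACEHOLDER_PSK_2
crypto ikev2 profile FP1-PROFILE
 match identity remote fqdn primary-ikeid.example.invalid
 match identity remote fqdn secondary-ikeid.example.invalid
 identity local fqdn edge.example.invalid
 authentication local pre-share
 authentication remote pre-share
 keyring local FP1-KEYRING
"""

def parse_blocks(config):
    """Map each top-level 'crypto ikev2 ...' command to its indented sub-commands."""
    blocks = {}
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            header, blocks[header] = line.strip(), []  # new top-level block
        else:
            blocks[header].append(line.strip())  # sub-command (any nesting depth)
    return blocks

def check_ikev2_config(config):
    """Return dangling references and missing statements; an empty list means consistent."""
    blocks = parse_blocks(config)
    defined = lambda kind: {h.split()[-1] for h in blocks if h.startswith(f"crypto ikev2 {kind} ")}
    problems = []
    for header, body in blocks.items():
        if header.startswith("crypto ikev2 policy "):  # step 3: the associated proposal must exist
            problems += [f"{header}: proposal {l.split()[1]} is not defined" for l in body
                         if l.startswith("proposal ") and l.split()[1] not in defined("proposal")]
        if header.startswith("crypto ikev2 profile "):  # step 5: keyring, remote ID match, pre-share
            problems += [f"{header}: keyring {l.split()[2]} is not defined" for l in body
                         if l.startswith("keyring local ") and l.split()[2] not in defined("keyring")]
            problems += [f"{header}: missing '{stmt.strip()}'" for stmt in ("match identity remote ",
                         "authentication local pre-share", "authentication remote pre-share")
                         if not any(l.startswith(stmt) for l in body)]
    return problems
```

Run it against the running configuration exported from the router before bringing the tunnel up; an empty result means every referenced object is defined and the profile carries the statements the steps require.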

Next steps

On Cisco ISR devices, you can establish the IPsec tunnel using either crypto maps with multiple peers or Virtual Tunnel Interfaces (VTI). Select the appropriate type based on your network requirements.