Summary: Step-by-step configuration of a point-to-point IPsec VPN between two IOS-XE routers using IKEv2 and a Static Virtual Tunnel Interface (SVTI). SVTI is preferred over crypto maps: it is route-based (the routing table, not an ACL, decides what gets encrypted), simpler to manage, and carries dynamic routing protocols over the tunnel without a separate GRE layer.
| Aspect | SVTI (route-based) | Crypto Map (policy-based) |
|---|---|---|
| Traffic selection | Routing table | ACL match |
| Dynamic routing | Supported natively | Requires GRE over IPsec |
| Scalability | Better | More complex at scale |
| NAT handling | Cleaner | Requires careful NAT exemption |
| Recommended | Yes | Legacy; avoid for new deployments |
```
Router A (Site A)                                 Router B (Site B)
192.168.1.0/24                                    192.168.2.0/24
      |                                                 |
  Gi0/0 (LAN)                                       Gi0/0 (LAN)
  Gi0/1 (WAN) ──────────── Internet ──────────── Gi0/1 (WAN)
  203.0.113.1                                       203.0.113.2
  Tunnel0: 10.10.10.1                               Tunnel0: 10.10.10.2
```
Defines the encryption, integrity and Diffie-Hellman group that IKEv2 offers when negotiating the IKE SA. IOS-XE ships a default proposal; an explicit one pins the negotiation to exactly these algorithms. If you choose `aes-gcm-256` instead, drop the `integrity` line and add `prf sha256`: an AEAD cipher carries its own integrity and IOS-XE then requires an explicit PRF.

```
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
```
Binds the proposal to a policy; the policy is what IKEv2 evaluates against the peer's offer.

```
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
```
The keyring holds the pre-shared key for the peer, selected by the peer's address. Replace `<strong-psk>` with a long random secret generated by a CSPRNG, unique to this peer and identical in both routers' keyrings.

```
crypto ikev2 keyring IKEV2-KEYRING
 peer ROUTER-B
  address 203.0.113.2
  pre-shared-key <strong-psk>
```
The IKEv2 profile ties together which remote identity is accepted, how each side authenticates and which keyring supplies the key; the IPsec profile below references it. Matching the remote identity on an exact /32 means a peer presenting any other identity matches no profile and the negotiation fails before a key is ever used. Consider adding `dpd 10 2 on-demand` here so a dead peer tears down the SA instead of blackholing traffic routed into Tunnel0.

```
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
```
Defines the ESP cipher and integrity algorithm for the data plane. Tunnel mode is the default and is stated here explicitly.

```
crypto ipsec transform-set IPSEC-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
```
Binds the transform set and the IKEv2 profile so the tunnel interface can reference both. The recommendations at the end of this page call for PFS; to meet them, add `set pfs group14` to this profile on both routers so every IPsec rekey performs a fresh Diffie-Hellman exchange rather than deriving keys from the existing IKE SA.

```
crypto ipsec profile IPSEC-PROFILE
 set transform-set IPSEC-TS
 set ikev2-profile IKEV2-PROFILE
```
The tunnel interface. With `tunnel mode ipsec ipv4` and `tunnel protection`, whatever the routing table sends into Tunnel0 is encrypted; no crypto ACL is involved. The reduced MTU and clamped MSS leave room for the ESP and outer IP headers the tunnel adds, which avoids fragmentation of TCP traffic.

```
interface Tunnel0
 description P2P IPsec VPN to Site B
 ip address 10.10.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
```
Add a static route or run a dynamic routing protocol over the tunnel. If you use EIGRP/OSPF/BGP, do not let the peer's WAN address be learned through the tunnel itself (recursive routing): the tunnel destination would then resolve via Tunnel0 and the tunnel would flap.

```
! Static route to Site B LAN via tunnel
ip route 192.168.2.0 255.255.255.0 Tunnel0
! Or use EIGRP/OSPF/BGP over the tunnel: configure the protocol on Tunnel0 as normal
```
Router B mirrors Router A: the same proposal, policy, transform set and IPsec profile, with every peer-specific value (keyring peer, identity match, tunnel destination, tunnel address, static route) pointing back at Site A.

```
! IKEv2 proposal and policy: identical to Router A
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
! Keyring: peer address is Router A's WAN IP; the key is the same one Router A holds
crypto ikev2 keyring IKEV2-KEYRING
 peer ROUTER-A
  address 203.0.113.1
  pre-shared-key <strong-psk>
! Profile: match against Router A's WAN IP
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
! Transform set and IPsec profile: identical to Router A (if you enable PFS, enable it on both sides)
crypto ipsec transform-set IPSEC-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROFILE
 set transform-set IPSEC-TS
 set ikev2-profile IKEV2-PROFILE
! Tunnel interface: source and destination swapped, other address of the same /30
interface Tunnel0
 description P2P IPsec VPN to Site A
 ip address 10.10.10.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
! Static route to Site A LAN
ip route 192.168.1.0 255.255.255.0 Tunnel0
```
Any firewall or ACL between the two WAN addresses must permit the following in both directions:
| Port / Protocol | Purpose |
|---|---|
| UDP 500 | IKEv2 negotiation |
| UDP 4500 | NAT traversal: IKE and ESP encapsulated in UDP once a NAT is detected |
| ESP (IP protocol 50) | IPsec encrypted data when no NAT is in the path |

Do not rely on protocol 50 alone. If a NAT device sits between the peers, IKEv2 detects it during negotiation and moves both IKE and ESP to UDP 4500; a rule set that blocks 4500 then leaves the IKE SA up but passes no data.
⚠️ NAT Exemption
If a router also performs NAT overload on its WAN interface for LAN internet access, make sure inter-site traffic is never translated: add a deny entry for the two site subnets at the top of the NAT ACL (a "no-NAT" entry), ahead of the permit used by the overload rule. If instead a router's WAN interface sits behind an upstream NAT device, NAT-T takes care of transport, but the IKEv2 identity that router presents defaults to its private WAN address, so the peer's `match identity remote address` must match what is actually sent (or use `identity local fqdn` on that router and `match identity remote fqdn` on its peer).
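The Router B section above and the NAT exemption note both come down to one rule: every peer-specific value on one router is a fixed function of the other router's parameters, and nothing else may differ. The following is an added example (not Cisco code and not part of the original page) that renders both routers' configuration from one parameter set and then checks two configs, rendered or pasted from `show running-config`, for the values that must agree. `Site`, `render_site`, `consistency_check`, the ACL name `NAT-ACL` and the PSK passed in are hypothetical; the addresses and interface names are the page's topology, and `ip nat inside` / `ip nat outside` on Gi0/0 and Gi0/1 are assumed to be configured already.

```python
"""Render mirrored IKEv2/SVTI configs for two sites and check their agreement.

Added example, not Cisco code and not from the original page. Site, render_site,
consistency_check and NAT-ACL are hypothetical names; addresses follow the
page's topology; the PSK is supplied by the caller as a placeholder.
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Site:
    name: str       # "A" or "B", used in peer and description names
    wan_ip: str     # public address on the WAN interface
    wan_if: str     # interface used as the tunnel source
    tunnel_ip: str  # this side's address on the shared Tunnel0 /30
    lan: str        # LAN prefix behind this router


# Constructed to match the page's topology.
SITE_A = Site("A", "203.0.113.1", "GigabitEthernet0/1", "10.10.10.1", "192.168.1.0/24")
SITE_B = Site("B", "203.0.113.2", "GigabitEthernet0/1", "10.10.10.2", "192.168.2.0/24")


def render_site(local: Site, remote: Site, psk: str, nat_overload: bool = False) -> str:
    """IOS-XE config for `local` peering with `remote`; all peer values derive from `remote`.

    nat_overload=True means this router also does PAT for LAN internet access,
    so the deny for inter-site traffic is emitted ahead of the overload permit.
    """
    lnet, rnet = ipaddress.ip_network(local.lan), ipaddress.ip_network(remote.lan)
    lines = [
        "crypto ikev2 proposal IKEV2-PROPOSAL",
        " encryption aes-cbc-256",
        " integrity sha256",
        " group 14",
        "crypto ikev2 policy IKEV2-POLICY",
        " proposal IKEV2-PROPOSAL",
        "crypto ikev2 keyring IKEV2-KEYRING",
        f" peer ROUTER-{remote.name}",
        f"  address {remote.wan_ip}",
        f"  pre-shared-key {psk}",
        "crypto ikev2 profile IKEV2-PROFILE",
        f" match identity remote address {remote.wan_ip} 255.255.255.255",
        " authentication remote pre-share",
        " authentication local pre-share",
        " keyring local IKEV2-KEYRING",
        "crypto ipsec transform-set IPSEC-TS esp-aes 256 esp-sha256-hmac",
        " mode tunnel",
        "crypto ipsec profile IPSEC-PROFILE",
        " set transform-set IPSEC-TS",
        " set pfs group14",                     # PFS as the page's table recommends
        " set ikev2-profile IKEV2-PROFILE",
        "interface Tunnel0",
        f" description P2P IPsec VPN to Site {remote.name}",
        f" ip address {local.tunnel_ip} 255.255.255.252",
        " ip mtu 1400",
        " ip tcp adjust-mss 1360",
        f" tunnel source {local.wan_if}",
        f" tunnel destination {remote.wan_ip}",
        " tunnel mode ipsec ipv4",
        " tunnel protection ipsec profile IPSEC-PROFILE",
        f"ip route {rnet.network_address} {rnet.netmask} Tunnel0",
    ]
    if nat_overload:
        lines += [
            "ip access-list extended NAT-ACL",
            f" deny ip {lnet.network_address} {lnet.hostmask} {rnet.network_address} {rnet.hostmask}",
            f" permit ip {lnet.network_address} {lnet.hostmask} any",
            f"ip nat inside source list NAT-ACL interface {local.wan_if} overload",
        ]
    return "\n".join(lines) + "\n"


# Lines that must be byte-identical on both routers (order preserved).
MUST_MATCH = (" encryption ", " integrity ", " group ", "crypto ipsec transform-set ",
              " set pfs ", "  pre-shared-key ", " ip mtu ", " ip tcp adjust-mss ")


def consistency_check(cfg_a: str, cfg_b: str) -> list[str]:
    """Return the points on which two configs disagree; [] means they mirror."""
    problems = []
    for prefix in MUST_MATCH:
        a = [ln for ln in cfg_a.splitlines() if ln.startswith(prefix)]
        b = [ln for ln in cfg_b.splitlines() if ln.startswith(prefix)]
        if a != b:
            problems.append(f"{prefix.strip()}: {a} vs {b}")
    nets = []  # the two Tunnel0 addresses must fall in the same /30
    for cfg in (cfg_a, cfg_b):
        m = re.search(r"^ ip address (\S+) 255\.255\.255\.252$", cfg, re.M)
        nets.append(ipaddress.ip_interface(f"{m.group(1)}/30").network if m else None)
    if None in nets or nets[0] != nets[1]:
        problems.append(f"Tunnel0 addresses not in one /30: {nets}")
    return problems


if __name__ == "__main__":
    a = render_site(SITE_A, SITE_B, "replace-with-a-long-random-psk", nat_overload=True)
    b = render_site(SITE_B, SITE_A, "replace-with-a-long-random-psk")
    print(a, b, sep="!\n")
    print("consistency:", consistency_check(a, b) or "OK")
```

The check is deliberately line-based: a practitioner pasting the crypto and Tunnel0 sections from both routers' `show running-config` gets the same answer as for the rendered output, and the first thing it catches in practice is a PSK or PFS setting changed on one side only.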
Run these on Router A (swap the addresses on Router B):

```
! IKEv2 SA to the peer should show Status READY with the negotiated algorithms
show crypto ikev2 sa
! IPsec SAs exist for the peer and #pkts encaps/decaps increase while traffic flows
show crypto ipsec sa peer 203.0.113.2
! An SVTI's line protocol follows the IPsec SA: up/up means the SA is established
show interface Tunnel0
! End-to-end test, sourced from the LAN address so the packet is routed into the tunnel
ping 192.168.2.1 source 192.168.1.1
! Confirm the remote LAN is reached via Tunnel0 and not the default route
show ip route 192.168.2.0
```
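A READY SA is not the same as an SA that negotiated what you intended: with several proposals or policies on a box, the peers may agree on a weaker set than the one shown above. The following is an added example (not Cisco tooling and not part of the original page) that parses `show crypto ikev2 sa` output and confirms the SA to the expected peer is READY, negotiated the intended algorithms, and whether NAT-T is in use. The output is a constructed sample in the shape IOS-XE prints; column widths vary between releases, so the parser keys on labels and whitespace rather than fixed offsets. `parse_ikev2_sas`, `verify_peer` and `EXPECTED` are hypothetical names.

```python
"""Check `show crypto ikev2 sa` output for the expected peer and parameters.

Added example, not Cisco tooling and not from the original page. SAMPLE_OUTPUT
is constructed in the shape IOS-XE prints; function names are hypothetical.
"""
import re

SAMPLE_OUTPUT = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.1/500       203.0.113.2/500       none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3600 sec

 IPv6 Crypto IKEv2  SA
"""

# What the proposal on this page should negotiate.
EXPECTED = {"Encr": "AES-CBC", "keysize": "256", "Hash": "SHA256", "DH Grp": "14"}

# "1  203.0.113.1/500  203.0.113.2/500  none/none  READY"
SA_LINE = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+\S+\s+(\S+)\s*$")
# "Encr: AES-CBC, keysize: 256, ... DH Grp:14"
FIELD = re.compile(r"([A-Za-z ]+):\s*(\S+)")


def parse_ikev2_sas(text: str) -> list[dict]:
    """One dict per SA: addresses, ports, status, and the label/value pairs
    from the indented detail lines that follow the SA line."""
    sas: list[dict] = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sas.append({"local": m.group(2), "local_port": int(m.group(3)),
                        "remote": m.group(4), "remote_port": int(m.group(5)),
                        "status": m.group(6)})
        elif sas and line.startswith(" ") and ":" in line:
            for key, value in FIELD.findall(line):
                sas[-1][key.strip()] = value.rstrip(",")
    return sas


def verify_peer(text: str, peer: str, expected: dict = EXPECTED) -> list[str]:
    """Findings for the SA to `peer`; [] means READY with exactly the expected
    parameters and no NAT device detected between the peers."""
    matches = [sa for sa in parse_ikev2_sas(text) if sa["remote"] == peer]
    if not matches:
        return [f"no IKEv2 SA to {peer}"]
    sa, findings = matches[0], []
    if sa["status"] != "READY":
        findings.append(f"SA status is {sa['status']}, not READY")
    for key, want in expected.items():
        if sa.get(key) != want:
            findings.append(f"{key}: negotiated {sa.get(key)}, expected {want}")
    # Port 4500 on either side means NAT-T was negotiated: a NAT is in the path.
    if 4500 in (sa["local_port"], sa["remote_port"]):
        findings.append("NAT-T in use (UDP 4500): a NAT device sits between the peers")
    return findings


if __name__ == "__main__":
    print(verify_peer(SAMPLE_OUTPUT, "203.0.113.2") or "tunnel to 203.0.113.2 OK")
```

Feed it the real output captured from the router (for example over SSH) and adjust `EXPECTED` to whatever your proposal specifies; an empty result is the only acceptable one before declaring the tunnel healthy.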
| Parameter | Recommended | Avoid |
|---|---|---|
| IKE encryption | AES-256-CBC or AES-256-GCM | DES, 3DES, AES-128 |
| IKE integrity | SHA-256 or SHA-384 | MD5, SHA-1 |
| DH group | Group 14 (2048-bit) or higher | Groups 1, 2, 5 |
| IPsec encryption | AES-256-CBC or AES-256-GCM | DES, 3DES |
| IPsec integrity | SHA-256 or SHA-384 | MD5, SHA-1 |
| PFS | Group 14 or higher | Disabled |

PFS is configured per IPsec profile with `set pfs <group>` and must be present on both peers. Without it, each IPsec rekey derives new keys from the existing IKE SA instead of a fresh Diffie-Hellman exchange, so a compromised IKE SA exposes every later child SA as well.
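The table is easy to apply to a config you are writing and easy to miss in a config someone else wrote three years ago. The following is an added example (not Cisco tooling and not part of the original page) that splits an IOS-XE running-config excerpt into its crypto objects and reports every parameter that falls outside the table, including a missing `set pfs` and an AES-GCM proposal without the `prf` line IOS-XE requires. The sample config is constructed; its `LEGACY-*` objects deliberately use 3DES, SHA-1, DH group 2 and no PFS so the audit has something to flag. `ACCEPTED`, `parse_sections` and `audit` are hypothetical names.

```python
"""Audit IOS-XE crypto parameters against the recommendations table.

Added example, not Cisco tooling and not from the original page. SAMPLE_CONFIG
is constructed with deliberate weak objects; names are hypothetical.
"""
import re

# Keywords exactly as IOS-XE spells them; anything else in these positions is reported.
ACCEPTED = {
    "encryption": {"aes-cbc-256", "aes-gcm-256"},
    "integrity": {"sha256", "sha384", "sha512"},
    "group": {"14", "15", "16", "19", "20", "21"},
    "esp": {"esp-aes 256", "esp-gcm 256",
            "esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"},
    "pfs": {"group14", "group15", "group16", "group19", "group20", "group21"},
}

SAMPLE_CONFIG = """\
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 proposal LEGACY-PROPOSAL
 encryption 3des
 integrity sha1
 group 2
crypto ipsec transform-set IPSEC-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set LEGACY-TS esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROFILE
 set transform-set IPSEC-TS
 set pfs group14
 set ikev2-profile IKEV2-PROFILE
crypto ipsec profile LEGACY-PROFILE
 set transform-set LEGACY-TS
 set ikev2-profile IKEV2-PROFILE
"""


def parse_sections(config: str) -> list[tuple[str, list[str]]]:
    """Split a config into (top-level line, [its indented sub-commands])."""
    sections: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config: str) -> list[str]:
    """One finding per weak or missing parameter; an empty list is compliant."""
    findings = []
    for header, body in parse_sections(config):
        words = header.split()
        if header.startswith("crypto ikev2 proposal "):
            name, seen = words[-1], {}
            for line in body:
                kw, _, rest = line.partition(" ")
                seen[kw] = rest.split()          # IOS allows several values, e.g. "group 14 2"
                for value in seen[kw]:
                    if kw in ACCEPTED and value not in ACCEPTED[kw]:
                        findings.append(f"ikev2 proposal {name}: {kw} {value}")
            # AES-GCM is AEAD: no integrity line, but IOS-XE needs an explicit prf
            if any(v.startswith("aes-gcm") for v in seen.get("encryption", [])) and "prf" not in seen:
                findings.append(f"ikev2 proposal {name}: aes-gcm needs an explicit prf")
        elif header.startswith("crypto ipsec transform-set "):
            name = words[3]
            # ESP transforms are one token, or two for keyed ciphers ("esp-aes 256")
            for transform in re.findall(r"esp-\S+(?: \d+)?", " ".join(words[4:])):
                if transform not in ACCEPTED["esp"]:
                    findings.append(f"transform-set {name}: {transform}")
        elif header.startswith("crypto ipsec profile "):
            name = words[-1]
            pfs = [line.split()[-1] for line in body if line.startswith("set pfs ")]
            if not pfs:
                findings.append(f"ipsec profile {name}: PFS disabled")
            elif pfs[0] not in ACCEPTED["pfs"]:
                findings.append(f"ipsec profile {name}: weak PFS {pfs[0]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it over `show running-config | section crypto` from each router; an unreferenced legacy transform set is still worth removing, since nothing stops a later change from binding it to a profile.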