I. Overview:
IKEv2 supports a variety of authentication methods, and the two peers may even use different methods; in this experiment both sides use certificate authentication. Reference link:
http://blog.sina.com.cn/s/blog_675bc36a010160s4.html
II. Basic ideas:
A. Before configuring certificate authentication, configure clock synchronization (certificate validity periods are checked against the local clock).
B. With certificate authentication the identity can be set to an FQDN, but an sVTI still requires a fixed tunnel destination address, so this approach is inconvenient for the side with a dynamic address.
C. When configuring the PKI trustpoint, if revocation-check none is set, the CA is not contacted at authentication time and the certificate revocation list is not checked.
---This approach is useful when the CA server is deployed centrally: typically a VPN is first built with a preshared key, the CA is contacted through it to obtain the certificate it issues, and the VPN is then rebuilt using certificate authentication.
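An R2-side configuration that puts points A, B and C into practice, added here as an example and not taken from the original post; the addresses come from the topology in this post, while the trustpoint name, the FQDNs, the CA enrollment URL port and the tunnel subnet are assumptions.

```cisco
! R2: hypothetical example config, not from the original post
! Assumes: enrollment URL http://202.100.1.10:80 on the CA, trustpoint
! name LAB-CA, FQDNs r2.example.com / r4.example.com, tunnel net 10.0.0.0/30
!
! Point A: sync the clock first; certificate validity dates are checked
clock timezone UTC 0
ntp server 202.100.1.10
!
! Point C: with revocation-check none the CA is never asked for a CRL
crypto key generate rsa label R2-KEY modulus 2048
crypto pki trustpoint LAB-CA
 enrollment url http://202.100.1.10:80
 fqdn r2.example.com
 subject-name CN=r2.example.com
 revocation-check none
 rsakeypair R2-KEY
! exec mode: fetch the CA certificate, then request the router's own
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA
!
crypto ikev2 proposal PROP-1
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-1
 proposal PROP-1
!
! Point B: FQDN identity on both sides, certificate (rsa-sig) authentication
crypto ikev2 profile IKEV2-PROF
 match identity remote fqdn r4.example.com
 identity local fqdn r2.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LAB-CA
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
! Point B: sVTI requires a fixed tunnel destination (the dynamic-address caveat)
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 202.100.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

R4 mirrors this with its own FQDN and key pair and tunnel destination 202.100.2.1 replaced by 202.100.1.1; verify the result with show crypto ikev2 sa and show crypto pki certificates.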
III. Test topology:
IV. Basic configuration:
A. R1:
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.1
B. R2:
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 202.100.1.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C. CA:
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
interface FastEthernet1/0
 ip address 202.100.2.10 255.255.255.0
 no shutdown
D. R4:
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 202.100.2.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.2.10
E. R5:
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1