The IKEv2 Smart Defaults feature minimizes the FlexVPN configuration by covering most of the use cases. IKEv2 smart defaults can be customized for specific use cases, though this is not recommended. The following rules apply to the IKEv2 Smart Defaults feature:

  • A default configuration is displayed in the corresponding show command with default as a keyword and with no argument. For example, the show crypto ikev2 proposal default command displays the default IKEv2 proposal and the show crypto ikev2 proposal command displays the default IKEv2 proposal, along with any user-configured proposals.
  •  A default configuration is displayed in the show running-config all command; it is not displayed in the show running-config command.
  •  You can modify the default configuration, which is displayed in the show running-config all command.
  •  A default configuration can be disabled using the no form of the command; for example, no crypto ikev2 proposal default. A disabled default configuration is not used in negotiation but the configuration is displayed in the show running-config command. A disabled default configuration loses any user modification and restores system-configured values.
  •  A default configuration can be reenabled using the default form of the command, which restores system-configured values; for example, default crypto ikev2 proposal.
  • The default mode for the default transform set is transport; the default mode for all other transform sets is tunnel.
FlexVPN Lab Guide/Handbook

Here is the list of commands that are enabled with the IKEv2 Smart Defaults feature, along with the default values.

 IKEv2 default Authorization Policy

LAB#show crypto ikev2 authorization policy default

IKEv2 Authorization Policy : default
route set interface
route accept any tag : 1 distance : 1

IKEv2 default Proposal

LAB#show crypto ikev2 proposal default
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
PRF        : SHA512 SHA384 SHA256 SHA1 MD5
DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
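
Because the default proposal above is offered in negotiation unless it is disabled or modified, it helps to review exactly which transforms it carries. The following is an added example (not from the original post or from Cisco) that parses `show crypto ikev2 proposal` output and reports transforms on an assumed audit list; the `STRONG` proposal, the function names and the `LEGACY` policy are assumptions made for illustration.

```python
import re

# Constructed sample: the default proposal as shown on this page, plus one
# hypothetical user-configured proposal named "STRONG".
SAMPLE = """\
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
PRF        : SHA512 SHA384 SHA256 SHA1 MD5
DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
IKEv2 proposal: STRONG
Encryption : AES-CBC-256
Integrity  : SHA512
PRF        : SHA512
DH Group   : DH_GROUP_2048_MODP/Group 14
"""

# Assumed audit policy (not from the page): MD5-based transforms and
# MODP groups 1, 2 and 5, which RFC 8247 rates MUST NOT / SHOULD NOT.
LEGACY = {"Integrity": {"MD596"}, "PRF": {"MD5"}, "DH Group": {"1", "2", "5"}}

def parse_proposals(text):
    """Return {proposal name: {field: [values]}} from show-command output."""
    proposals, current = {}, None
    for line in text.splitlines():
        m = re.match(r"IKEv2 proposal:\s*(\S+)", line.strip())
        if m:
            current = proposals.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue  # prompt lines, blanks, text before the first proposal
        field, _, values = (p.strip() for p in line.partition(":"))
        # "DH_GROUP_1536_MODP/Group 5" is reduced to the group number "5"
        is_dh = field == "DH Group"
        current[field] = re.findall(r"/Group (\d+)", values) if is_dh else values.split()
    return proposals

def audit(text):
    """Return sorted (proposal, field, value) tuples that match LEGACY."""
    return sorted(
        (name, field, value)
        for name, fields in parse_proposals(text).items()
        for field, legacy in LEGACY.items()
        for value in fields.get(field, [])
        if value in legacy
    )

if __name__ == "__main__":
    for name, field, value in audit(SAMPLE):
        print(f"proposal {name}: {field} offers {value}")
```

Feed it the captured output of `show crypto ikev2 proposal` to cover the default and any user-configured proposals in one pass.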

IKEv2 default Policy

LAB#show crypto ikev2 policy default
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal    : default

IPSEC default Transform Set

LAB#show crypto ipsec transform-set default
{ esp-aes esp-sha-hmac  }
will negotiate = { Transport,  },

IPSEC default Profile

LAB#show crypto ipsec profile default
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default:  { esp-aes esp-sha-hmac  } ,

We will soon explore more detailed scenarios and how we can use FlexVPN IKEv2 Smart Defaults to set up Site-to-Site IKEv2 VPN as well as Remote Access IKEv2 VPN (AnyConnect).

