
IOS VPNs Cheatsheet

This document provides a comprehensive cheatsheet for configuring IOS VPNs, including Easy VPN, IKEv1, and IKEv2 setups between two routers (R1 and R2). It outlines the necessary commands for setting up ISAKMP policies, transform sets, keyrings, and crypto maps, as well as the configuration for both client and server sides. The document serves as a quick reference for network professionals preparing for CCIE Security certification.

Uploaded by

ntrongky

CCIE Security:

IOS VPNs Cheatsheet

R1
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#int gi0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
R1(config-if)#ip route 2.2.2.2 255.255.255.255 10.1.1.2
R1(config)#

R2
R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.255
R2(config-if)#int gi0/0
R2(config-if)#ip add 10.1.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#
R2(config)#ip route 1.1.1.1 255.255.255.255 10.1.1.1
R2(config)#

R1 will always act as the "client" (Easy VPN client, FlexVPN client, DMVPN "spoke",
GETVPN "group member").

These are basic configurations. They work, but no verification commands are
shown.

www.802101.com
IKEv1

ISAKMP Policy
crypto isakmp policy 10
 encryption 3des
 authentication pre-share

Transform Set
crypto ipsec transform-set <name> esp-3des esp-sha-hmac

Keyring
crypto keyring <name>
 pre-shared-key address <IP> key <key>

ACL
ip access-list extended <name>
 permit ip host 1.1.1.1 host 2.2.2.2

ISAKMP Profile
crypto isakmp profile <name>
 match identity address <address>
 keyring <name>

Crypto Map
crypto map <name> <number> ipsec-isakmp
 set peer <IP>
 match address <ACL>
 set transform-set <name>
 set isakmp-profile <name>

Interface
int <int>
 crypto map <name>

R1
R1(config)#ip access-list extended VPN-Traffic
R1(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2
R1(config-ext-nacl)#exit
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#crypto ipsec transform 3des esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto keyring R2
R1(conf-keyring)#pre-shared-key address 10.1.1.2 key cisco
R1(conf-keyring)#exit
R1(config)#crypto isakmp profile R2
R1(conf-isa-prof)#match identity address 10.1.1.2
R1(conf-isa-prof)#keyring R2
R1(conf-isa-prof)#exit
R1(config)#crypto map R2-Map 1 ipsec-isakmp
R1(config-crypto-map)#set peer 10.1.1.2
R1(config-crypto-map)#match address VPN-Traffic
R1(config-crypto-map)#set transform-set 3des
R1(config-crypto-map)#set isakmp-profile R2
R1(config-crypto-map)#exit
R1(config)#int gi0/0
R1(config-if)#crypto map R2-Map
R1(config-if)#

R2
R2(config)#ip access-list extended VPN-Traffic
R2(config-ext-nacl)#permit ip host 2.2.2.2 host 1.1.1.1
R2(config-ext-nacl)#exit
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encr 3des
R2(config-isakmp)#auth pre-share
R2(config-isakmp)#hash sha
R2(config-isakmp)#exit
R2(config)#crypto ipsec transform-set 3des esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto keyring R1
R2(conf-keyring)#pre-shared-key address 10.1.1.1 key cisco
R2(conf-keyring)#exit
R2(config)#crypto isakmp profile R1
R2(conf-isa-prof)#match identity address 10.1.1.1
R2(conf-isa-prof)#keyring R1
R2(conf-isa-prof)#exit
R2(config)#crypto map R1-Map 1 ipsec-isakmp
R2(config-crypto-map)#set peer 10.1.1.1
R2(config-crypto-map)#match address VPN-Traffic
R2(config-crypto-map)#set transform-set 3des
R2(config-crypto-map)#set isakmp-profile R1
R2(config-crypto-map)#exit
R2(config)#int gi0/0
R2(config-if)#crypto map R1-Map
R2(config-if)#

IKEv2

ISAKMP Policy
crypto isakmp policy 10
 encryption 3des
 authentication pre-share

Keyring
crypto keyring <name>
 pre-shared-key address <IP> key <key>

ISAKMP Profile
crypto isakmp profile <name>
 match identity address <address>
 keyring <name>

Transform Set
crypto ipsec transform-set <name> esp-3des esp-sha-hmac

IKEv2 Proposal
crypto ikev2 proposal <name>
 encr 3des
 integrity sha1
 group 2

ACL
ip access-list extended <name>
 permit ip host 1.1.1.1 host 2.2.2.2

IKEv2 Policy
crypto ikev2 policy 10
 proposal <name>
 match address local <criteria>

IKEv2 Keyring
crypto ikev2 keyring <name>
 peer <name>
  address <address>
  pre-shared-key <key>

IKEv2 Profile
crypto ikev2 profile <name>
 identity local <identity>
 match address local <criteria>
 match identity remote address <IP>
 authentication local pre-share
 authentication remote pre-share
 keyring local <keyring>

Crypto Map
crypto map <name> <number> ipsec-isakmp
 set peer <IP>
 match address <ACL>
 set transform-set <name>
 set ikev2-profile <name>

Interface
int <int>
 crypto map <name>

IKEv2 Configs

R1
R1(config)#ip access-list ext VPN-Traffic
R1(config-ext-nacl)#permit icmp host 1.1.1.1 host 2.2.2.2
R1(config-ext-nacl)#exit
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#enc 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#auth pre
R1(config-isakmp)#exit
R1(config)#cry ipsec transform 3des esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto keyring R2
R1(conf-keyring)#pre-shared-key add 10.1.1.2 key cisco
R1(conf-keyring)#exit
R1(config)#crypto ikev2 keyring R2
R1(config-ikev2-keyring)#peer R2
R1(config-ikev2-keyring-peer)#add 10.1.1.2
R1(config-ikev2-keyring-peer)#pre-shared-key cisco
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit
R1(config)#crypto isakmp profile R2
R1(conf-isa-prof)#match identity address 10.1.1.2
R1(conf-isa-prof)#keyring R2
R1(conf-isa-prof)#exit
R1(config)#crypto ikev2 proposal R2
R1(config-ikev2-proposal)#encryption 3des
R1(config-ikev2-proposal)#integrity sha1
R1(config-ikev2-proposal)#group 2
R1(config-ikev2-proposal)#exit
R1(config)#crypto ikev2 policy 10
R1(config-ikev2-policy)#proposal R2
R1(config-ikev2-policy)#match address local 10.1.1.1
R1(config-ikev2-policy)#exit
R1(config)#crypto ikev2 profile R2
R1(config-ikev2-profile)#identity local address 10.1.1.1
R1(config-ikev2-profile)#match ident remote add 10.1.1.2
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#keyring local R2
R1(config-ikev2-profile)#exit
R1(config)#crypto map R2-Map 1 ipsec-isakmp
R1(config-crypto-map)#set peer 10.1.1.2
R1(config-crypto-map)#match add VPN-Traffic
R1(config-crypto-map)#set transform-set 3des
R1(config-crypto-map)#set ikev2-profile R2
R1(config-crypto-map)#exit
R1(config)#int gi0/0
R1(config-if)#crypto map R2-Map
R1(config-if)#

R2
R2(config)#ip access-list extended VPN-Traffic
R2(config-ext-nacl)#permit icmp host 2.2.2.2 host 1.1.1.1
R2(config-ext-nacl)#exit
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encr 3des
R2(config-isakmp)#has sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#exit
R2(config)#cry ipsec transform 3des esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto keyring R1
R2(conf-keyring)#pre-shared-key add 10.1.1.1 key cisco
R2(conf-keyring)#exit
R2(config)#crypto ikev2 keyring R1
R2(config-ikev2-keyring)#peer R1
R2(config-ikev2-keyring-peer)#address 10.1.1.1
R2(config-ikev2-keyring-peer)#pre-shared-key cisco
R2(config-ikev2-keyring-peer)#exit
R2(config-ikev2-keyring)#exit
R2(config)#crypto isakmp profile R1
R2(conf-isa-prof)#keyring R1
R2(conf-isa-prof)#match identity address 10.1.1.1
R2(conf-isa-prof)#exit
R2(config)#crypto ikev2 proposal R1
R2(config-ikev2-proposal)#encryption 3des
R2(config-ikev2-proposal)#integrity sha1
R2(config-ikev2-proposal)#group 2
R2(config-ikev2-proposal)#exit
R2(config)#crypto ikev2 policy 10
R2(config-ikev2-policy)#match address local 10.1.1.2
R2(config-ikev2-policy)#proposal R1
R2(config-ikev2-policy)#exit
R2(config)#crypto ikev2 profile R1
R2(config-ikev2-profile)#match ident remote add 10.1.1.1
R2(config-ikev2-profile)#identity local address 10.1.1.2
R2(config-ikev2-profile)#authentication remote pre-share
R2(config-ikev2-profile)#authentication local pre-share
R2(config-ikev2-profile)#keyring local R1
R2(config-ikev2-profile)#exit
R2(config)#crypto map R1-Map 1 ipsec-isakmp
R2(config-crypto-map)#set peer 10.1.1.1
R2(config-crypto-map)#set transform-set 3des
R2(config-crypto-map)#set ikev2-profile R1
R2(config-crypto-map)#match address VPN-Traffic
R2(config-crypto-map)#exit
R2(config)#int gi0/0
R2(config-if)#crypto map R1-Map
R2(config-if)#
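An added Python audit (written for this page, not part of the cheatsheet or of any Cisco tool) that reads the two crypto-map configurations above as running-config text and reports what a reviewer checks first: algorithm strength in the ISAKMP policy or IKEv2 proposal, lab-default pre-shared keys, and whether the two ends mirror each other (each side's set peer against the far interface address, and the crypto ACL with source and destination swapped). The config text is constructed from the IKEv1 section; the sets of weak values are this example's own choices.

```python
# Constructed sample (not a device capture): the cheatsheet's IKEv1 R1/R2 configs.
R1_CFG = """crypto isakmp policy 10
 encryption 3des
 hash sha
 pre-shared-key address 10.1.1.2 key cisco
ip access-list extended VPN-Traffic
 permit ip host 1.1.1.1 host 2.2.2.2
crypto map R2-Map 1 ipsec-isakmp
 set peer 10.1.1.2
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0"""
R2_CFG = """crypto isakmp policy 10
 encryption 3des
 hash sha
 pre-shared-key address 10.1.1.1 key cisco
ip access-list extended VPN-Traffic
 permit ip host 2.2.2.2 host 1.1.1.1
crypto map R1-Map 1 ipsec-isakmp
 set peer 10.1.1.1
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0"""
WEAK_ENCR, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5", "sha", "sha1"}, {"1", "2", "5"}
WEAK_PSK = {"cisco", "cisco123", "password"}  # lab defaults that must never reach production

def parse(cfg):
    """Collect the fields the audit needs from IOS config text (IKEv1 or IKEv2 keywords)."""
    f = {"encr": set(), "hash": set(), "dh": set(), "psk": {}, "acl": [],
         "peers": set(), "addrs": set()}
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ("encryption", "encr"):
            f["encr"].add(t[1])
        elif t[0] in ("hash", "integrity"):     # IKEv1 hash / IKEv2 integrity
            f["hash"].add(t[1])
        elif t[0] == "group":                   # DH group in a policy or proposal
            f["dh"].add(t[1])
        elif t[0] == "pre-shared-key" and "address" in t:
            f["psk"][t[t.index("address") + 1]] = t[t.index("key") + 1]
        elif t[:3] == ["permit", "ip", "host"]:
            f["acl"].append((t[3], t[5]))
        elif t[:2] == ["set", "peer"]:
            f["peers"].add(t[2])
        elif t[:2] == ["ip", "address"]:
            f["addrs"].add(t[2])
    return f

def audit_pair(cfg_a, cfg_b, names=("R1", "R2")):
    """Return findings for a two-router crypto-map VPN; an empty list means clean."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for n, s in zip(names, (a, b)):
        out += [f"{n}: weak encryption {e}" for e in sorted(s["encr"] & WEAK_ENCR)]
        out += [f"{n}: weak hash {h}" for h in sorted(s["hash"] & WEAK_HASH)]
        out += [f"{n}: weak DH group {g}" for g in sorted(s["dh"] & WEAK_DH)]
        out += [f"{n}: trivial PSK for {p}" for p, k in s["psk"].items()
                if k.lower() in WEAK_PSK]
    for n, s, o in ((names[0], a, b), (names[1], b, a)):  # "set peer" must be a far-side address
        if not s["peers"] <= o["addrs"]:
            out.append(f"{n}: set peer is not an address on the other router")
    # Crypto ACLs must be mirror images: the far end's (src, dst) is our (dst, src).
    if set(a["acl"]) != {(d, s) for s, d in b["acl"]}:
        out.append("crypto ACLs are not mirror images")
    return out
```

Run audit_pair(R1_CFG, R2_CFG) on the sample: the pair is consistent, and every finding it returns is about 3DES, SHA-1 and the "cisco" key, which is exactly what to replace before such a template leaves the lab.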

Easy VPN

Client

Outside interface
int gi0/0
 crypto ipsec client ez <group>

Client
crypto ipsec client ez EasyGroup
 connect auto
 group EasyGroup key cisco
 mode client
 peer 10.1.1.2

Inside Interface
int loop0
 crypto ipsec client ez <group> inside

Server

ISAKMP Policy
crypto isakmp policy 10
 encr 3des
 hash sha
 group 2
 auth pre-share

AAA
aaa new-model
aaa authoriz netw AuthZ-list local

Pool
ip local pool EasyPool 192.168.1.10 192.168.1.20

ISAKMP profile
crypto isakmp profile R1
 match identity group EasyGroup
 isakmp authoriz list AuthZ-list
 client config add respond
 client config group EasyGroup
 virtual-template 1

Group
crypto isakmp client config group EasyGroup
 key cisco
 pool EasyPool

Transform Set
crypto ipsec transform-set 3des esp-3des esp-sha-hmac

IPSec profile
crypto ipsec profile R1
 set transform-set 3des
 set isakmp-profile R1

Virtual-Template
int virtual-templ 1 type tunnel
 ip unnum lo0
 tun mo ipsec ipv4
 tun protection ipsec profile R1

EasyVPN Configs

R1
R1(config)#crypto ipsec client ez EasyGroup
R1(config-crypto-ezvpn)#connect auto
R1(config-crypto-ezvpn)#group EasyGroup key cisco
R1(config-crypto-ezvpn)#mode client
R1(config-crypto-ezvpn)#peer 10.1.1.2
R1(config-crypto-ezvpn)#
R1(config-crypto-ezvpn)#exit
R1(config)#int gi0/0
R1(config-if)#crypto ipsec client ez EasyGroup
R1(config-if)#int lo0
R1(config-if)#crypto ipsec client ez EasyGroup inside
R1(config-if)#

R2
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#enc 3des
R2(config-isakmp)#has sha
R2(config-isakmp)#group 2
R2(config-isakmp)#auth pre
R2(config-isakmp)#exit
R2(config)#crypto ipsec transform-set 3des esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#
R2(cfg-crypto-trans)#exit
R2(config)#crypto isakmp profile R1
R2(conf-isa-prof)#match identity group EasyGroup
R2(conf-isa-prof)#isakmp authoriz list AuthZ-list
R2(conf-isa-prof)#client config add respond
R2(conf-isa-prof)#client config group EasyGroup
R2(conf-isa-prof)#virtual-template 1
R2(conf-isa-prof)#exit
R2(config)#crypto ipsec profile R1
R2(ipsec-profile)#set transform-set 3des
R2(ipsec-profile)#set isakmp-profile R1
R2(ipsec-profile)#exit
R2(config)#aaa new
R2(config)#aaa authoriz netw AuthZ-list local
R2(config)#ip local pool EasyPool 192.168.1.10 192.168.1.20
R2(config)#crypto isakmp client config group EasyGroup
R2(config-isakmp-group)#key cisco
R2(config-isakmp-group)#pool EasyPool
R2(config-isakmp-group)#exit
R2(config)#int virtual-templ 1 type tunnel
R2(config-if)#ip unnum lo0
R2(config-if)#tun mo ipsec ipv4
R2(config-if)#tun protection ipsec profile R1
R2(config-if)#

DMVPN

Client

R1
R1(config)#int tun 0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no ip redirects
R1(config-if)#ip nhrp authentication cisco
R1(config-if)#ip nhrp map 192.168.1.2 10.1.1.2
R1(config-if)#ip nhrp map multicast 10.1.1.2
R1(config-if)#ip nhrp network-id 101
R1(config-if)#ip nhrp nhs 192.168.1.2
R1(config-if)#tun so gi0/0
R1(config-if)#tun mode gre multipoint
R1(config-if)#

Hub

R2
R2(config)#int tun 0
R2(config-if)#ip nhrp map multicast dyn
R2(config-if)#ip nhrp network-id 101
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#ip nhrp authentication cisco
R2(config-if)#tun sou gi0/0
R2(config-if)#tun mode gre multi
R2(config-if)#ip nhrp shortcut
R2(config-if)#ip nhrp redirect
R2(config-if)#
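An added Python check (written for this page, not part of the cheatsheet) that compares the spoke and hub tunnel configurations above for the NHRP settings that must agree before the spoke can register with the hub: network-id, authentication string, the NHS address, the static map from the hub's tunnel IP to its NBMA address (resolved from the hub's tunnel source interface), and the multicast mappings on both ends. The config text is constructed from the DMVPN section; nothing here is captured from a device.

```python
# Constructed sample (not a device capture): the cheatsheet's DMVPN spoke (R1) and hub (R2).
SPOKE_CFG = """interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 192.168.1.2 10.1.1.2
 ip nhrp map multicast 10.1.1.2
 ip nhrp network-id 101
 ip nhrp nhs 192.168.1.2
 tunnel source GigabitEthernet0/0"""
HUB_CFG = """interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp authentication cisco
 tunnel source GigabitEthernet0/0"""

def interfaces(cfg):  # {interface name: [token lists of its sub-commands]}
    out, cur = {}, None
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["interface"]:
            cur = out.setdefault(t[1], [])
        elif t and cur is not None:
            cur.append(t)
    return out

def tunnel_facts(cfg, tun="Tunnel0"):
    """NHRP settings of one tunnel; the NBMA address is read from the tunnel source."""
    ifs, f = interfaces(cfg), {"maps": {}, "mcast": set(), "nhs": set()}
    for t in ifs[tun]:
        key = " ".join(t[:3])
        if key.startswith("ip address"):
            f["tunnel_ip"] = t[2]
        elif key == "ip nhrp authentication":
            f["auth"] = t[3]
        elif key == "ip nhrp network-id":
            f["net_id"] = t[3]
        elif key == "ip nhrp map" and t[3] == "multicast":
            f["mcast"].add(t[4])
        elif key == "ip nhrp map":            # static map: tunnel IP -> NBMA IP
            f["maps"][t[3]] = t[4]
        elif key == "ip nhrp nhs":
            f["nhs"].add(t[3])
        elif key.startswith("tunnel source"):
            f["nbma"] = next(s[2] for s in ifs[t[2]] if s[:2] == ["ip", "address"])
    return f

def check_spoke_against_hub(spoke_cfg, hub_cfg):
    """Return mismatches that would stop the spoke registering with the hub."""
    s, h = tunnel_facts(spoke_cfg), tunnel_facts(hub_cfg)
    hub_ip, problems = h["tunnel_ip"], []
    if s.get("net_id") != h.get("net_id"):
        problems.append("network-id differs")
    if s.get("auth") != h.get("auth"):
        problems.append("nhrp authentication string differs")
    if hub_ip not in s["nhs"]:
        problems.append(f"spoke does not list hub {hub_ip} as NHS")
    if s["maps"].get(hub_ip) != h.get("nbma"):
        problems.append(f"spoke static map for {hub_ip} does not point at the hub NBMA address")
    if h.get("nbma") not in s["mcast"] or "dynamic" not in h["mcast"]:
        problems.append("multicast mapping missing, so routing-protocol hellos will not flow")
    return problems
```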

Flex VPN

Pool (server)
ip local pool FlexPool 192.168.1.10 192.168.1.20

Access-list (server)
ip access-list standard Flex-Traffic
 permit 8.8.8.8 0.0.0.0

IKEv2 Authorization Policy (client)
crypto ikev2 authorization policy default
 route set interface

IKEv2 Authorization Policy (server)
crypto ikev2 authorization policy default
 pool FlexPool
 route set access-list Flex-Traffic
 no route set interface

IKEv2 Proposal (both)
crypto ikev2 proposal IKE-Prop
 encryption 3des
 integrity sha1
 group 2

IKEv2 Policy (both)
crypto ikev2 policy IKE-Pol
 proposal IKE-Prop

AAA (both)
aaa new-model
aaa authorization network AuthZ-list local

IKEv2 Keyring (client)
crypto ikev2 keyring R2
 peer R2
  address 10.1.1.2
  pre-shared-key cisco

IKEv2 Keyring (server)
crypto ikev2 keyring R1
 peer R1
  address 10.1.1.1
  pre-shared-key cisco

IKEv2 Profile (client)
crypto ikev2 profile R2
 match identity remote address 10.1.1.2
 authentication local pre-share
 authentication remote pre-share
 keyring local R2
 aaa authorization group psk list AuthZ-list default

IKEv2 Profile (server)
crypto ikev2 profile R1
 match identity remote address 10.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local R1
 aaa authorization group psk list AuthZ-list default
 virtual-template 1

IPSec Transform-set (both)
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
 mode tunnel

IPSec Profile (client)
crypto ipsec profile R2
 set ikev2-profile R2
 set transform-set 3des

IPSec Profile (server)
crypto ipsec profile R1
 set ikev2-profile R1
 set transform-set 3des

Tunnel Interface (client)
int tunnel 0
 ip add negotiated
 tun so gi0/0
 tun mo ipsec ipv4
 tun dest 10.1.1.2
 tunnel protection ipsec profile R2

Virtual template (server)
int virtual-template 1 type tunnel
 ip unnum gi0/0
 tun so gi0/0
 tun mo ipsec ipv4
 tunn prot ipsec profile R1

IKEv2 Client (client)
crypto ikev2 client flexvpn Flex-Client
 peer 1 10.1.1.2
 client connect tunnel 0

FlexVPN Configs

R1
R1(config)#aaa new-model
R1(config)#aaa authorization network AuthZ-list local
R1(config)#crypto ikev2 authorization policy default
R1(config-ikev2-author-policy)#route set interface
R1(config-ikev2-author-policy)#exit
R1(config)#crypto ikev2 proposal R2
R1(config-ikev2-proposal)#encryption 3des
R1(config-ikev2-proposal)#integrity sha1
R1(config-ikev2-proposal)#group 2
R1(config-ikev2-proposal)#exit
R1(config)#crypto ikev2 policy R2
R1(config-ikev2-policy)#proposal R2
R1(config-ikev2-policy)#exit
R1(config)#crypto ikev2 keyring R2
R1(config-ikev2-keyring)#peer R2
R1(config-ikev2-keyring-peer)#address 10.1.1.2
R1(config-ikev2-keyring-peer)#pre-shared-key cisco
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit
R1(config)#crypto ikev2 profile R2
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#keyring local R2
R1(config-ikev2-profile)#match identity remote address 10.1.1.2
R1(config-ikev2-profile)#aaa authorization group psk list AuthZ-list default
R1(config-ikev2-profile)#exit
R1(config)#crypto ipsec transform-set 3des esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile R2
R1(ipsec-profile)#set ikev2-profile R2
R1(ipsec-profile)#set transform-set 3des
R1(ipsec-profile)#exit
R1(config)#int tunnel 0
R1(config-if)#ip add negotiated
R1(config-if)#tun so gi0/0
R1(config-if)#tun mo ipsec ipv4
R1(config-if)#tun dest 10.1.1.2
R1(config-if)#tunnel protection ipsec profile R2
R1(config-if)#exit
R1(config)#crypto ikev2 client flexvpn Flex-Client
R1(config-ikev2-flexvpn)#peer 1 10.1.1.2
R1(config-ikev2-flexvpn)#client connect tunnel 0
R1(config-ikev2-flexvpn)#exit
R1(config)#

R2
R2(config)#ip access-list standard Flex-Traffic
R2(config-ext-nacl)#permit 8.8.8.8 0.0.0.0
R2(config-ext-nacl)#exit
R2(config)#aaa new-model
R2(config)#aaa authorization network AuthZ-list local
R2(config)#crypto ikev2 authorization policy default
R2(config-ikev2-author-policy)#pool FlexPool
R2(config-ikev2-author-policy)#route set access-list Flex-Traffic
R2(config-ikev2-author-policy)#no route set interface
R2(config-ikev2-author-policy)#exit
R2(config)#crypto ikev2 proposal R1
R2(config-ikev2-proposal)#encryption 3des
R2(config-ikev2-proposal)#integ sha1
R2(config-ikev2-proposal)#group 2
R2(config-ikev2-proposal)#exit
R2(config)#crypto ikev2 policy R1
R2(config-ikev2-policy)#proposal R1
R2(config-ikev2-policy)#exit
R2(config)#crypto ikev2 keyring R1
R2(config-ikev2-keyring)#peer R1
R2(config-ikev2-keyring-peer)#address 10.1.1.1
R2(config-ikev2-keyring-peer)#pre-shared-key cisco
R2(config-ikev2-keyring-peer)#exit
R2(config-ikev2-keyring)#exit
R2(config)#crypto ikev2 profile R1
R2(config-ikev2-profile)#match identity remote address 10.1.1.1
R2(config-ikev2-profile)#keyring local R1
R2(config-ikev2-profile)#authentication local pre-share
R2(config-ikev2-profile)#authentication remote pre-share
R2(config-ikev2-profile)#aaa authorization group psk list AuthZ-list default
R2(config-ikev2-profile)#virtual-template 1
R2(config-ikev2-profile)#exit
R2(config)#crypto ipsec transform-set 3des esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exit
R2(config)#
R2(config)#crypto ipsec profile R1
R2(ipsec-profile)#set transform-set 3des
R2(ipsec-profile)#set ikev2-profile R1
R2(ipsec-profile)#exit
R2(config)#int virtual-template 1 type tunnel
R2(config-if)#ip unnum gi0/0
R2(config-if)#tun so gi0/0
R2(config-if)#tun mo ipsec ipv4
R2(config-if)#tunn prot ipsec profile R1
R2(config-if)#exit
R2(config)#ip local pool FlexPool 192.168.1.10 192.168.1.20
R2(config)#

GET VPN

ISAKMP Policy (both)
crypto isakmp policy 1
 encr 3des
 auth pre-share
 group 2

ISAKMP Key (group member)
crypto isakmp key cisco address 10.1.1.2

ISAKMP Key (key server)
crypto isakmp key cisco address 10.1.1.1

Transform Set (key server)
crypto ipsec transform-set 3des esp-3des esp-sha-hmac

IPSec profile (key server)
crypto ipsec profile R1
 set transform-set 3des

RSA key (key server)
crypto key generate rsa label GET-KEY mod 1024 exportable

ACL (key server)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

GDOI Group (group member)
crypto gdoi group GDOI-Group
 identity number 1
 server address ipv4 10.1.1.2

GDOI Group (key server)
crypto gdoi group GDOI-Group
 identity number 1
 server local
  rekey retransmit 10 number 3
  rekey authentication mypubkey rsa GET-KEY
  rekey transport unicast
  sa ipsec 1
   profile R1
   match address ipv4 101
   replay counter window-size 64
  address ipv4 10.1.1.2

Crypto Map (group member)
crypto map CRY-Map 10 gdoi
 set group GDOI-Group

Interface (group member)
int gi0/0
 crypto map CRY-Map

GET VPN Configs

R1
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr 3des
R1(config-isakmp)#auth pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#
R1(config)#crypto isakmp key cisco address 10.1.1.2
R1(config)#
R1(config)#crypto gdoi group GDOI-Group
R1(config-gkm-group)#identity number 1
R1(config-gkm-group)#server address ipv4 10.1.1.2
R1(config-gkm-group)#exit
R1(config)#
R1(config)#crypto map CRY-Map 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
R1(config-crypto-map)#set group GDOI-Group
R1(config-crypto-map)#exit
R1(config)#
R1(config)#int gi0/0
R1(config-if)#crypto map CRY-Map
R1(config-if)#
%CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R1(config-if)#
R2
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encr 3des
R2(config-isakmp)#auth pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#
R2(config)#crypto isakmp key cisco address 10.1.1.1
R2(config)#
R2(config)#crypto ipsec transform-set 3des esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exit
R2(config)#
R2(config)#crypto ipsec profile R1
R2(ipsec-profile)#set transform-set 3des
R2(ipsec-profile)#exit
R2(config)#
R2(config)#crypto key generate rsa label GET-KEY mod 1024 exportable
The name for the keys will be: GET-KEY

% The key modulus size is 1024 bits


% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 1 seconds)

R2(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
R2(config)#
R2(config)#crypto gdoi group GDOI-Group
R2(config-gkm-group)#identity number 1
R2(config-gkm-group)#server local
R2(gkm-local-server)#rekey retransmit 10 number 3
R2(gkm-local-server)#rekey authentication mypubkey rsa GET-KEY
R2(gkm-local-server)#rekey transport unicast
R2(gkm-local-server)#
R2(gkm-local-server)#sa ipsec 1
R2(gkm-sa-ipsec)#profile R1
R2(gkm-sa-ipsec)#match address ipv4 101
R2(gkm-sa-ipsec)#replay counter window-size 64
R2(gkm-sa-ipsec)#address ipv4 10.1.1.2
R2(gkm-local-server)#exit
R2(config-gkm-group)#exit
R2(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
R2(config)#
