Hi all,
I'm trying to make sure a specific IKEv2 policy is used for a tunnel on an ISR 4000 series. After reading the documentation and lots of examples online, I'm still having trouble working out whether this statement can match the tunnel's "ip address" or whether it will try to match on the external local address.
For example:
Let's say on my "interface tunnelX" I have "tunnel protection ipsec profile XXX_NAME".
Then on my IPsec profile I have "set ikev2-profile XXX_NAME".
My understanding is that I can't really define my IKEv2 policy (which defines my proposal) anywhere in here; it just gets selected based on best match. I have a lot of similar tunnels, but I want to make sure it selects the exact one. I think I can do this with the "match address local" command when modifying the IKEv2 policy:
#crypto ikev2 policy XXX_MYNAMEGOESHERE
#match address local XXXX (I would put the IP address defined under "interface tunnelX > ip address XXX.XXX.XXX.XXX" here)
Now obviously, the IP I want to put in here is the IP address I defined under "interface tunnelX > ip address X", because all of my tunnels use the same "tunnel source" IP address, which is my public IP.
Will this work, or will the "match address local" statement use the "tunnel source XXXXX" IP address of the tunnel interface?
Sorry if my language is circular, let me know if you need any clarification and thank you very much for your help.
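As an added example, not from the original post: IKEv2 policy selection keys on the local address (and FVRF) of the IKE SA, and with tunnel protection that local address is the "tunnel source", not the tunnel's own "ip address". The configuration below pins one policy to one tunnel by giving that tunnel its own loopback as tunnel source; all interface names, object names and addresses are placeholders.

```cisco
! Added example, not the poster's configuration. Names and addresses are placeholders.
! Dedicated outer address for this tunnel, so its IKE SA has a unique local address.
interface Loopback10
 description IKEv2 endpoint for Tunnel10
 ip address 198.51.100.10 255.255.255.255
!
interface Tunnel10
 ! Overlay address: IKEv2 never sees this, so it cannot be used in "match address local".
 ip address 10.0.10.1 255.255.255.252
 ! Outer address: this is what "match address local" is compared against.
 tunnel source Loopback10
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_10
!
crypto ikev2 proposal PROP_10
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy POLICY_10
 ! Must be the tunnel source address (198.51.100.10), not the overlay address (10.0.10.1).
 match address local 198.51.100.10
 proposal PROP_10
!
crypto ikev2 keyring KEYRING_10
 peer TUNNEL10_PEER
  address 203.0.113.20
  pre-shared-key REPLACE_WITH_REAL_PSK
!
crypto ikev2 profile IKEV2_PROF_10
 match identity remote address 203.0.113.20 255.255.255.255
 identity local address 198.51.100.10
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING_10
!
crypto ipsec profile IPSEC_PROF_10
 set ikev2-profile IKEV2_PROF_10
!
! Verification: confirm the policy is listed and that the SA's local address is the tunnel source.
! show crypto ikev2 policy
! show crypto ikev2 sa detailed
```

Tunnels that share one "tunnel source" (and one FVRF) will all select the same IKEv2 policy, since the policy is not bound through the IPsec or IKEv2 profile; a distinct tunnel source address or FVRF is what separates them.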