How to do IKEv2+Suite-B support for Master-Local/Master Redundancy on controller?

This article describes how to configure IKEv2 and Suite B to establish the IPsec tunnel between controllers in the supported topologies: master-local, master-master (master redundancy), and cluster root to cluster member.

IKEv2 on the controller can authenticate with three different kinds of certificates:

Factory certificates: certificates that are present on the controller by default.

RSA custom certificates.

ECDSA custom certificates (Suite B crypto).

This article covers both the configuration commands and the commands used to verify the resulting tunnel.



When using factory certificates, no upload is required; confirm that the certificates are present on the controller with show tpm cert-info. When using custom certificates, the server certificate and the trusted CA certificate must first be uploaded to the controller using the WebUI.



Master-Local Configuration using Factory certificates 

On Local controller

(London) (config) #masterip <master ip> ipsec-factory-cert master-mac-1 <mac addr of active master> master-mac-2 <mac addr of standby master>

On Master controller

(USA) (config) #local-factory-cert local-mac <local controller mac>


Master-Local Configuration using custom certificates

On Local Controller

RSA Certificates

(London) (config) #masterip <masterip> ipsec-custom-cert master-mac-1 <mastercertCN> ca-cert <trusted certname> server-cert <servercertname>

ECDSA Certificates

(London) (config) #masterip <masterip> ipsec-custom-cert master-mac-1 <mastercertCN> ca-cert <trusted certname> server-cert <servercertname> suite-b gcm128/256

On Master Controller

RSA Certificates

(USA) (config) #local-custom-cert local-mac <localcertCN> ca-cert <trustcertname> server-cert <servercertname>

ECDSA Certificates

(USA) (config) #local-custom-cert local-mac <localcertCN> ca-cert <trustcertname> server-cert <servercertname> suite-b gcm128/256


Configuration - Master Redundancy Using Factory and Custom Certificates

(USA) (config-master-redundancy) #peer-ip-address <peerip> ipsec-factory-cert peer-mac <mac address of peer>

(USA) (config-master-redundancy) #peer-ip-address <peerip> ipsec-custom-cert peer-mac <peercertificateCN> ca-cert <trusted certificate name> server-cert <servercert name>

(USA) (config-master-redundancy) #peer-ip-address <peerip> ipsec-custom-cert peer-mac <peercertificateCN> ca-cert <trusted certificate name> server-cert <servercert name> suite-b gcm128/256


Configuration - Cluster Using Factory Certificates

On Cluster Member

(USA) (config) #cluster-root-ip <clusterrootip> ipsec-factory-cert root-mac-1 <macaddress of clusterroot>

On Cluster Root

(USA) (config) #cluster-member-factory-cert member-mac <member mac>

Configuration - Cluster Using Custom Certificates

On Cluster Root

RSA Certificates

(USA) (config) #cluster-member-custom-cert member-mac <membercertificateCN> ca-cert <trustedcertname> server-cert <servercertname>

ECDSA Certificates

(USA) (config) #cluster-member-custom-cert member-mac <membercertificateCN> ca-cert <trustedcertname> server-cert <servercertname> suite-b gcm128


On Cluster Member

RSA Certificates

(USA) (config) #cluster-root-ip <rootip> ipsec-custom-cert root-mac-1 <rootcertCN> ca-cert <trustedcertname> server-cert <servercertname>

ECDSA Certificates

(USA) (config) #cluster-root-ip <rootip> ipsec-custom-cert root-mac-1 <rootcertCN> ca-cert <trustedcertname> server-cert <servercertname> suite-b gcm128/256


Verification

(USA) (config) #show crypto ipsec sa 

IPSEC SA Active Session Information


Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP

------------     ------------     -----------         -----------         -----  ---------------   --------
                                                                          T      Dec  9 01:01:58     -


IPSEC SA (V2) Active Session Information


Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP

------------     ------------     ----------------   ----- ---------------   --------
                                  1c986200/67a58c00  UT2   Dec  9 02:24:03     -


Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap

       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2


Total IPSEC SAs: 2


(USA) (config) #show crypto isakmp sa

ISAKMP SA Active Session Information


Initiator IP     Responder IP   Flags       Start Time      Private IP

------------     ------------   -----     ---------------   ----------
                                r-a-p     Dec  9 01:01:58          -
                                r-v2-c    Dec  9 02:23:55     -


Flags: i = Initiator; r = Responder

       m = Main Mode; a = Agressive Mode v2 = IKEv2

       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature

       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled

       3 = 3rd party AP; C = Campus AP; R = RAP

       V = VIA; S = VIA over TCP


Total ISAKMP SAs: 2
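As an added check (example code written for this article, not Aruba's own tooling), the following Python parses the Flags column of show crypto isakmp sa using the legend printed above and reports any SA that is still IKEv1, is authenticated with a pre-shared key, or lacks the ECDSA flag when a Suite B tunnel is expected. The sample output and its IP addresses are constructed.

```python
import re

# Flag legend exactly as the controller prints it in the show output above.
ISAKMP_FLAGS = {
    "i": "Initiator", "r": "Responder", "m": "Main Mode", "a": "Aggressive Mode",
    "v2": "IKEv2", "p": "Pre-shared key", "c": "Certificate/RSA Signature",
    "e": "ECDSA Signature", "x": "XAuth Enabled", "y": "Mode-Config Enabled",
    "E": "EAP Enabled", "3": "3rd party AP", "C": "Campus AP", "R": "RAP",
    "V": "VIA", "S": "VIA over TCP",
}

# One SA row: initiator IP, responder IP, flags, "Mon dd hh:mm:ss", private IP.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)$")

def decode_isakmp_flags(flags):
    """Expand a hyphen-separated flag string such as 'r-v2-c' into legend text."""
    return [ISAKMP_FLAGS.get(tok, "unknown(%s)" % tok) for tok in flags.split("-")]

def audit_isakmp_sa(flags, expect_suite_b):
    """Return the findings for one SA that do not match an IKEv2 certificate setup."""
    toks = flags.split("-")
    findings = []
    if "v2" not in toks:
        findings.append("IKEv1 SA (no v2 flag); IKEv2 expected")
    if "p" in toks:
        findings.append("pre-shared-key authentication (p); certificate expected")
    if expect_suite_b and "e" not in toks:
        findings.append("no ECDSA signature flag (e); Suite B expected")
    return findings

def audit_isakmp_output(output, expect_suite_b):
    """Parse 'show crypto isakmp sa' text into (initiator, responder, flags, findings)."""
    results = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            initiator, responder, flags, _start, _private_ip = m.groups()
            results.append((initiator, responder, flags, audit_isakmp_sa(flags, expect_suite_b)))
    return results

# Constructed sample output; the IP addresses are placeholders, not from the article.
SAMPLE = """\
 ISAKMP SA Active Session Information

Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
10.1.1.20        10.1.1.10      r-a-p     Dec  9 01:01:58          -
10.1.1.30        10.1.1.10      r-v2-e    Dec  9 02:23:55     -

Total ISAKMP SAs: 2
"""

if __name__ == "__main__":
    for initiator, responder, flags, findings in audit_isakmp_output(SAMPLE, True):
        print(initiator, "->", responder, ", ".join(decode_isakmp_flags(flags)), findings or "OK")
```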


Troubleshooting commands

show crypto ipsec sa

show crypto isakmp sa

show datapath session table

show log security all

Version history: Revision 2 of 2, last update 05-18-2016 01:38 PM