SIMULATION
Correct Answer: See the steps below.
Explanation/Reference:
Step 1: Configure the key ring
crypto ikev2 keyring mykeys
 peer SiteB.cisco.com
  address 209.161.201.1
  pre-shared-key local $iteA
  pre-shared-key remote $iteB
Step 2: Configure the IKEv2 profile
crypto ikev2 profile default
 identity local fqdn SiteA.cisco.com
 match identity remote fqdn SiteB.cisco.com
 authentication local pre-share
 authentication remote pre-share
 keyring local mykeys
Step 3: Create the GRE tunnel and apply the profile
crypto ipsec profile default
 set ikev2-profile default
interface tunnel 0
 ip address 10.1.1.1 255.255.255.0
 tunnel source eth 0/0
 tunnel destination 209.165.201.1
 tunnel protection ipsec profile default
end
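The three steps only work together if the names and addresses in one block match what another block defines (keyring mykeys, the two profiles named default, the Site B address). The following Python check is an added example, not part of the original answer or any Cisco tool; it cross-checks those references on the Site A configuration from the answer, and the helper names `grab` and `lint` are hypothetical.

```python
import re

# Site A configuration from the answer above; values are copied from the page.
SITE_A_CONFIG = """\
crypto ikev2 keyring mykeys
 peer SiteB.cisco.com
  address 209.161.201.1
  pre-shared-key local $iteA
  pre-shared-key remote $iteB
crypto ikev2 profile default
 identity local fqdn SiteA.cisco.com
 match identity remote fqdn SiteB.cisco.com
 authentication local pre-share
 authentication remote pre-share
 keyring local mykeys
crypto ipsec profile default
 set ikev2-profile default
interface tunnel 0
 ip address 10.1.1.1 255.255.255.0
 tunnel source eth 0/0
 tunnel destination 209.165.201.1
 tunnel protection ipsec profile default
"""

def grab(pattern, config):
    """All captures of `pattern` at the start of a line; keywords match case-insensitively."""
    return re.findall(r"^[ \t]*" + pattern, config, re.I | re.M)

def lint(config):
    """Return findings where one block names something another block lacks."""
    defined = {
        "keyring local": grab(r"crypto ikev2 keyring (\S+)", config),
        "set ikev2-profile": grab(r"crypto ikev2 profile (\S+)", config),
        "tunnel protection ipsec profile": grab(r"crypto ipsec profile (\S+)", config),
        "tunnel destination": grab(r"address (\S+)", config),  # keyring peer addresses
    }
    findings = []
    for command, known in defined.items():
        for value in grab(command + r" (\S+)", config):
            if value not in known:
                findings.append(f"'{command} {value}' matches nothing defined: {known}")
    for side in ("local", "remote"):
        if not grab(rf"pre-shared-key {side} (\S+)", config):
            findings.append(f"keyring has no 'pre-shared-key {side}' line")
    return findings

if __name__ == "__main__":
    for finding in lint(SITE_A_CONFIG):
        print("CHECK:", finding)
```

On the configuration as posted, the check reports that the keyring peer address 209.161.201.1 differs from the tunnel destination 209.165.201.1. Compare both against Site B's actual address before relying on either value.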
Need to create ikev2 proposal as mentioned.
There are no assumptions for ikev2 or ipsec. You are overthinking this simple “default” setting built into the IOS software.
When you specify the word “default” at the end, you are telling the system to use the default built-in proposal. This exam also has a question that asks “what’s the default proposal for ikev2?”. The answer is below.
SiteA#show crypto ikev2 proposal default
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
SiteA#show crypto ikev2 policy default
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default
As for the keyring name, Cisco is telling you to use “mykeys” because “SiteB is preconfigured”. Just like in the other
Other assumptions: crypto ikev2 profile = default
crypto ipsec profile = default
In all cases, always look at the configuration on Site B’s router, and verify what they are, so you can match on Site A.
This is missing several aspects from the question, and is making assumptions about others.
Missing: No IkeV2 proposal
No ikev2 policy
No IPsec transform-set
Assumptions: keyring name = mykeys