IKEv1 IPsec Site-to-Site VPN configuration on Cisco ASA 8.4(x)

IPsec site-to-site VPNs are a good alternative to point-to-point leased lines when cost matters. Our goal is to configure a site-to-site (L2L) IPsec VPN between ASA1 and ASA2, which are running IOS 8.4(2). The IP addressing scheme is shown in the network diagram.

ASA1

interface GigabitEthernet1
 nameif OUTSIDE
 security-level 0
 ip address 180.1.1.2 255.255.255.252
!
interface GigabitEthernet2
 nameif INSIDE
 security-level 100
 ip address 172.16.0.2 255.255.255.0
!
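! Crypto ACL: traffic from the local networks to the remote networks is encrypted
access-list VPN extended permit ip 172.16.0.0 255.255.252.0 192.168.0.0 255.255.252.0
!
! Phase 2: ESP with AES encryption and SHA HMAC integrity
crypto ipsec ikev1 transform-set VPNTRANS esp-aes esp-sha-hmac
! Crypto map ties the ACL, the peer and the transform set together and is applied to OUTSIDE
crypto map VPNMAP 1 match address VPN
crypto map VPNMAP 1 set peer 190.1.1.2
crypto map VPNMAP 1 set ikev1 transform-set VPNTRANS
crypto map VPNMAP interface OUTSIDE
! Phase 1: enable IKEv1 on OUTSIDE and define the policy offered to the peer
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Tunnel group is named after the peer address and holds the pre-shared key
tunnel-group 190.1.1.2 type ipsec-l2l
tunnel-group 190.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****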

ASA2

interface GigabitEthernet1
 nameif OUTSIDE
 security-level 0
 ip address 190.1.1.2 255.255.255.252
!
interface GigabitEthernet2
 nameif INSIDE
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
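! Crypto ACL: mirror image of the ACL on ASA1
access-list VPN extended permit ip 192.168.0.0 255.255.252.0 172.16.0.0 255.255.252.0
!
! Phase 2: same transform set as ASA1
crypto ipsec ikev1 transform-set VPNTRANS esp-aes esp-sha-hmac
! Crypto map points at ASA1's OUTSIDE address and is applied to OUTSIDE
crypto map VPNMAP 1 match address VPN
crypto map VPNMAP 1 set peer 180.1.1.2
crypto map VPNMAP 1 set ikev1 transform-set VPNTRANS
crypto map VPNMAP interface OUTSIDE
! Phase 1: same IKEv1 policy as ASA1
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Tunnel group is named after the peer address and holds the same pre-shared key
tunnel-group 180.1.1.2 type ipsec-l2l
tunnel-group 180.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****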
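
The two configurations only form a tunnel if they mirror each other: each crypto map peer and tunnel-group name is the other side's OUTSIDE address, the crypto ACLs are reversed copies, and the transform set and IKEv1 policy match. The Python check below is an added example, not part of the original post; the template is a constructed excerpt of the two configurations above, the function names are hypothetical, and it assumes one IKEv1 policy and one crypto map entry per device.

```python
import re

# Constructed template: only the VPN-relevant lines of this page's configs.
TEMPLATE = """\
interface GigabitEthernet1
 nameif OUTSIDE
 ip address {outside} 255.255.255.252
access-list VPN extended permit ip {local} 255.255.252.0 {remote} 255.255.252.0
crypto ipsec ikev1 transform-set VPNTRANS esp-aes esp-sha-hmac
crypto map VPNMAP 1 set peer {peer}
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group {peer} type ipsec-l2l
"""

def render(outside, local, remote, peer):
    return TEMPLATE.format(outside=outside, local=local, remote=remote, peer=peer)
ASA1 = render("180.1.1.2", "172.16.0.0", "192.168.0.0", "190.1.1.2")
ASA2 = render("190.1.1.2", "192.168.0.0", "172.16.0.0", "180.1.1.2")

def parse(cfg):
    """Pull out the values that both peers must agree on."""
    find = lambda pat: re.search(pat, cfg, re.M)
    # Indented lines under "crypto ikev1 policy N" are that policy's parameters.
    ike = find(r"^crypto ikev1 policy \d+\n((?: .*\n)+)").group(1)
    return {
        "outside": find(r"nameif OUTSIDE\n(?: .*\n)*? ip address (\S+)").group(1),
        "peer": find(r"^crypto map \S+ \d+ set peer (\S+)").group(1),
        "tunnel_group": find(r"^tunnel-group (\S+) type ipsec-l2l").group(1),
        "acl": find(r"^access-list \S+ extended permit ip (\S+ \S+) (\S+ \S+)$").groups(),
        "transform": find(r"^crypto ipsec ikev1 transform-set \S+ (.+)$").group(1),
        # Lifetime is left out: it does not have to be identical on both sides.
        "ike": dict(l.split(None, 1) for l in ike.splitlines() if "lifetime" not in l),
    }

def check_pair(cfg_a, cfg_b):
    """Return the mismatches that would keep the L2L tunnel from coming up."""
    a, b = parse(cfg_a), parse(cfg_b)
    checks = [
        (a["peer"] == b["outside"] and b["peer"] == a["outside"],
         "crypto map peer is not the remote OUTSIDE address"),
        (a["tunnel_group"] == a["peer"] and b["tunnel_group"] == b["peer"],
         "tunnel-group name differs from the crypto map peer"),
        (a["acl"] == b["acl"][::-1], "crypto ACLs are not mirror images"),
        (a["transform"] == b["transform"], "IPsec transform sets differ"),
        (a["ike"] == b["ike"], "IKEv1 policy parameters differ"),
    ]
    return [msg for ok, msg in checks if not ok]
```

`check_pair(ASA1, ASA2)` returns an empty list for the configurations on this page; changing a mask, peer address or DH group on one side returns the corresponding message.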


