IKEv1 IPsec Site-to-Site VPN configuration on Cisco ASA 8.4(x)
IPsec Site-to-Site VPN are good alternative to a point-to-point lease lines when cost matters. Our goal is to configure site-to-site or l2l IPsec VPN between ASA1 and ASA2 which are running IOS 8.4(2). IP addressing scheme is mentioned in the network diagram.
ASA1
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address 180.1.1.2 255.255.255.252
!
interface GigabitEthernet2
nameif INSIDE
security-level 100
ip address 172.16.0.2 255.255.255.0
!
access-list VPN extended permit ip 172.16.0.0 255.255.252.0 192.168.0.0 255.255.252.0
!
crypto ipsec ikev1 transform-set VPNTRANS esp-aes esp-sha-hmac
crypto map VPNMAP 1 match address VPN
crypto map VPNMAP 1 set peer 190.1.1.2
crypto map VPNMAP 1 set ikev1 transform-set VPNTRANS
crypto map VPNMAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
tunnel-group 190.1.1.2 type ipsec-l2l
tunnel-group 190.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
ASA2
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address 190.1.1.2 255.255.255.252
!
interface GigabitEthernet2
nameif INSIDE
security-level 100
ip address 192.168.0.2 255.255.255.0
!
access-list VPN extended permit ip 192.168.0.0 255.255.252.0 172.16.0.0 255.255.252.0
!
crypto ipsec ikev1 transform-set VPNTRANS esp-aes esp-sha-hmac
crypto map VPNMAP 1 match address VPN
crypto map VPNMAP 1 set peer 180.1.1.2
crypto map VPNMAP 1 set ikev1 transform-set VPNTRANS
crypto map VPNMAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
tunnel-group 180.1.1.2 type ipsec-l2l
tunnel-group 180.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
Comments
Post a Comment