Cisco ASA Series Cli Configuration Manual page 1805
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 1
Configuring LAN-to-LAN IPsec VPNs
Step 1
To set the connection type to IPsec LAN-to-LAN, enter the tunnel-group command. The syntax is
tunnel-group name type type, where name is the name you assign to the tunnel group, and type is the
type of tunnel. The tunnel types as you enter them in the CLI are:
•
•
In the following example the name of the tunnel group is the IP address of the LAN-to-LAN peer,
10.10.4.108.
hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l
hostname(config)#
Note
Step 2
To set the authentication method to preshared key, enter the ipsec-attributes mode and then enter the
ikev1 pre-shared-key command to create the preshared key. You need to use the same preshared key on
both ASAs for this LAN-to-LAN connection.
The key is an alphanumeric string of 1-128 characters.
In the following example the IKEv1 preshared key is 44kkaol59636jnfx:
hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
hostname(config-tunnel-ipsec)# pre-shared-key 44kkaol59636jnfx
In the next example, the IKEv2 preshared key is configured also as 44kkaol59636jnfx:
hostname(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 44kkaol59636jnfx
Note
You must configure ikev2 remote-authentication pre-shared-key or a certificate to complete the
authentication.
Step 3
Save your changes.
hostname(config)# write memory
hostname(config)#
To verify that the tunnel is up and running, use the show vpn-sessiondb summary, show vpn-sessiondb
detail l2l, or show cry ipsec sa command.
Creating a Crypto Map and Applying It To an Interface
Crypto map entries pull together the various elements of IPsec security associations, including the
following:
•
•
•
•
remote-access (IPsec, SSL, and clientless SSL remote access)
ipsec-l2l (IPsec LAN to LAN)
LAN-to-LAN tunnel groups that have names that are not an IP address can be used only if the
tunnel authentication method is Digital Certificates and/or the peer is configured to use
Aggressive Mode.
Which traffic IPsec should protect, which you define in an access list.
Where to send IPsec-protected traffic, by identifying the peer.
What IPsec security applies to this traffic, which a transform set specifies.
The local address for IPsec traffic, which you identify by applying the crypto map to an interface.
Creating a Crypto Map and Applying It To an Interface
Cisco ASA Series CLI Configuration Guide
1-9
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
