ciscoasa# sh running-config
! Site-to-site IPsec VPN configuration: one crypto map (mymap) bound to the
! OUTSIDE interface, with entry 1 using IKEv2 towards 9.9.9.9 and entry 2
! using IKEv1 towards 1.1.1.1.
!
! Internet-facing interface; security-level 0 is the least-trusted level.
interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
! NOTE(review): this interface is named DMZ but carries security-level 100,
! the most-trusted level. Confirm that is intended; a DMZ segment is normally
! given a level below the inside network.
interface GigabitEthernet1
 nameif DMZ
 security-level 100
 ip address 10.4.0.2 255.255.255.0
!
! Crypto ACLs: they select which traffic each tunnel protects.
! 10.4.0.0 255.254.0.0 is a /15 (10.4.0.0-10.5.255.255), wider than the /24
! configured on the DMZ interface.
! NOTE(review): confirm the wider range really sits behind this ASA and that
! the remote peer has the mirror-image ACL; keep the selectors as narrow as
! the two sides agreed.
access-list VPN-ACL extended permit ip 10.4.0.0 255.254.0.0 172.16.10.0 255.255.255.0
access-list other-VPN-ACL extended permit ip 10.4.0.0 255.254.0.0 192.168.0.0 255.255.0.0
! NOTE(review): the source 192.168.31.0/24 lies inside the destination
! 192.168.0.0/16, and no interface or route for it appears in this output.
! Verify the overlap is deliberate.
access-list other-VPN-ACL extended permit ip 192.168.31.0 255.255.255.0 192.168.0.0 255.255.0.0
! Default route via the OUTSIDE next hop.
route OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.1 1
! IKEv1 Phase 2 transform: AES-256 with HMAC-SHA-1.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! IKEv2 Phase 2 proposal used by crypto map entry 1: "aes" is AES-128, with
! SHA-1 integrity.
! NOTE(review): consider a SHA-2 integrity algorithm if both peers support it.
crypto ipsec ikev2 ipsec-proposal my-proposal
 protocol esp encryption aes
 protocol esp integrity sha-1
! NOTE(review): this proposal is not referenced by any crypto map entry in
! this output; remove it or attach it so the intent is clear.
crypto ipsec ikev2 ipsec-proposal ikev2proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1
! Entry 1: IKEv2 tunnel to 9.9.9.9 for traffic matching other-VPN-ACL.
! NOTE(review): no "crypto ikev2 enable OUTSIDE", no "crypto ikev2 policy" and
! no tunnel-group for 9.9.9.9 appear in this output, all of which this entry
! would normally need. Confirm whether the listing is abridged.
crypto map mymap 1 match address other-VPN-ACL
crypto map mymap 1 set peer 9.9.9.9
crypto map mymap 1 set ikev2 ipsec-proposal my-proposal
! Entry 2: IKEv1 tunnel to 1.1.1.1 for traffic matching VPN-ACL, with IPsec
! SAs rekeyed every 3600 seconds.
! NOTE(review): neither entry has a "set pfs" line, so Phase 2 keys are
! derived without a fresh Diffie-Hellman exchange.
crypto map mymap 2 match address VPN-ACL
crypto map mymap 2 set peer 1.1.1.1
crypto map mymap 2 set ikev1 transform-set ESP-AES256-SHA
crypto map mymap 2 set security-association lifetime seconds 3600
! Apply the crypto map to the OUTSIDE interface and enable IKEv1 on it.
crypto map mymap interface OUTSIDE
crypto ikev1 enable OUTSIDE
! IKEv1 Phase 1 policies; the lower number is the higher priority, so policy
! 25 is offered before policy 30.
! NOTE(review): group 2 (1024-bit MODP) and group 5 (1536-bit MODP) are weak
! by current standards, and the preferred policy uses the weaker of the two.
! Move to group 14 or higher and a SHA-2 hash where the peer allows, and
! prefer IKEv2 over IKEv1 for new tunnels.
crypto ikev1 policy 25
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! Disables the VPN idle timeout in the default group policy, so idle sessions
! are not torn down by this setting.
! NOTE(review): other group policies inherit from DfltGrpPolicy unless they
! override it; confirm the change is meant to apply that broadly.
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
! LAN-to-LAN tunnel group for peer 1.1.1.1, authenticated with a pre-shared
! key. The device shows the key masked (*****) in this output.
! NOTE(review): use a long, random key unique to this peer, since the tunnel
! authentication is only as strong as the key.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ! Dead-peer detection: start keepalives after 10 seconds idle and retry
 ! every 3 seconds.
 isakmp keepalive threshold 10 retry 3
ciscoasa#