ASA 5506-X IPsec configuration - IKE phase 1

Waterbird
Level 1

My configuration:

crypto ikev1 enable outside

crypto ikev1 policy 2
hash sha
authentication pre-share
group 24
lifetime 3600
encryption aes 256
exit

access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

My problem arises when I try to configure the pre-share key, which I assume is necessary since I've chosen pre-share for authentication. My understanding is the config should be as follows, but the keyword "key" is not recognized by the ASA:

crypto ikev1 key cisco12345 address 172.30.2.1

Questions:

1. Since the ASA CLI does not recognize the "key" keyword, how do you configure a pre-shared key? Is it necessary for the rest of the config above to work and form the tunnel?

2. The IP address of this configuration is supposed to be the peer ASA IP address, but I need clarity on whether it is the outside interface address, or some internal address for the LAN on the other side of the tunnel, that should be used.

1 Accepted Solution

sachin.tyagi
Level 1

You will need to use the "tunnel-group" command instead of what you are using for the pre-shared key:

tunnel-group 172.30.2.1 type ipsec-l2l
tunnel-group 172.30.2.1 ipsec-attributes
ikev1 pre-shared-key cisco12345

172.30.2.1 is the peer IP address
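
A small check for the point made in the accepted answer, as an added example that is not part of the original thread and not Cisco tooling: it scans ASA configuration text for the IOS-style "crypto ikev1 key ... address ..." line that the ASA rejects and for ipsec-l2l tunnel-groups that lack an "ikev1 pre-shared-key". The function name audit_ikev1_psk, the sample config and the second peer 198.51.100.7 are constructed for illustration.

```python
import re

# Constructed sample: the poster's policy, the rejected IOS-style key line,
# the accepted answer's tunnel-group, and a second (made-up) peer with no key.
# "*****" is how the ASA masks the key in "show running-config".
SAMPLE = """\
crypto ikev1 enable outside
crypto ikev1 policy 2
 authentication pre-share
 encryption aes 256
crypto ikev1 key cisco12345 address 172.30.2.1
tunnel-group 172.30.2.1 type ipsec-l2l
tunnel-group 172.30.2.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.7 type ipsec-l2l
"""

def audit_ikev1_psk(config: str) -> list:
    """Return findings about IKEv1 pre-shared-key setup in ASA config text."""
    findings, l2l_peers, keyed_peers = [], [], set()
    uses_psk = False   # does any IKEv1 policy authenticate with a pre-shared key?
    current = None     # tunnel-group whose ipsec-attributes sub-mode we are in
    for raw in config.splitlines():
        line = raw.strip()  # accept both typed (flat) and show-run (indented) text
        if line == "authentication pre-share":
            uses_psk = True
        elif m := re.fullmatch(r"crypto ikev1 key \S+ address (\S+)", line):
            # Never echo the key itself into findings.
            findings.append(f"IOS-style key line for {m[1]} is not ASA syntax; "
                            f"use tunnel-group {m[1]} ipsec-attributes")
        elif m := re.fullmatch(r"tunnel-group (\S+) type ipsec-l2l", line):
            l2l_peers.append(m[1])
            current = None
        elif m := re.fullmatch(r"tunnel-group (\S+) ipsec-attributes", line):
            current = m[1]
        elif current and re.fullmatch(r"ikev1 pre-shared-key \S+", line):
            keyed_peers.add(current)
    if uses_psk:
        findings += [f"tunnel-group {p} has no ikev1 pre-shared-key"
                     for p in l2l_peers if p not in keyed_peers]
    return findings

if __name__ == "__main__":
    for finding in audit_ikev1_psk(SAMPLE):
        print(finding)
```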

Thank you.
