11-09-2018 12:42 PM - edited 11-09-2018 12:59 PM
One of my remote peers is changing equipment in their data center & gave me a list of new requirements in order to establish an IPsec tunnel with them (requirements included in pic). I am running an ASA version 9.6(4)3 & notice that the pre-shared key does not get configured within the ikev2 policy like it is in ikev1. I also notice that my peer has multiple esp encryption options showing the integrity "sha1-hmac" linked with the "aes-256" in the same line. When I configure the ikev2 proposal I do not even see a sha-1 "hmac" option, only seeing "gmac". I would really appreciate some advice. This is the config I plan to use for the requirements given. Am I missing something?
# crypto ikev2 enable outside
# crypto ikev2 policy 10
encryption aes-gcm-256
integrity null
group 24 14
prf sha
lifetime seconds 86400
# crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA1
protocol esp encryption aes-256
protocol esp integrity sha-1
# crypto map ikev2_outside_map 65 match address ACL-1
# crypto map ikev2_outside_map 65 set pfs group24
# crypto map ikev2_outside_map 65 set peer 1.2.3.4
# crypto map ikev2_outside_map 65 set ikev2 ipsec-proposal ESP-AES-256-SHA1
# crypto map ikev2_outside_map 65 set security-association lifetime seconds 86400
# crypto map ikev2_outside_map interface outside
# group-policy POLICY_L2L internal
group-policy POLICY_L2L attributes
vpn-filter value ACL-2
vpn-tunnel-protocol ikev2
# tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy POLICY_L2L
tunnel-group 1.2.3.4 ipsec-attributes
ikev2 local-authentication pre-shared-key abc123
ikev2 remote-authentication pre-shared-key abc123
# leaving out the ACLs & NAT exemption configurations