IPsec Tunnel Between vEdge Routers and Cisco ASA

Hi Team,

I need help to create an IPsec tunnel between vEdge routers and non-SD-WAN devices. Can you please help with this?

Regards

G Muthu

Accepted Solution

ekhabaro
Cisco Employee

Here is an example.

ASA:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Tunnel0
 nameif ipsec
 ip address 10.10.10.1 255.255.255.252
 tunnel source interface Outside
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile tac_ipsec_profile
!
route Outside 0.0.0.0 0.0.0.0 x.x.x.gw 1
!
crypto ipsec ikev2 ipsec-proposal myset
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec profile tac_ipsec_profile
 set ikev2 ipsec-proposal myset
 set pfs group2
 set security-association lifetime seconds 86400
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 512
crypto ipsec security-association pmtu-aging 10
crypto ca trustpool policy
 auto-import
crypto isakmp identity address
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 100
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 integrity null
 group 14 5 2
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 200
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256 sha
 group 14 5 2
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 enable Outside
group-policy IKE internal
group-policy IKE attributes
 vpn-tunnel-protocol ikev2
 pfs enable
 ipsec-udp enable
dynamic-access-policy-record DfltAccessPolicy
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y general-attributes
 default-group-policy IKE
tunnel-group y.y.y.y ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!

vEdge:

vpn 0
 interface ge0/0
  ip address y.y.y.y/24
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 interface ipsec1
  ip address 10.10.10.2/30
  tunnel-source y.y.y.y
  tunnel-destination x.x.x.x
  ike
   version 2
   rekey 86400
   cipher-suite aes256-cbc-sha2
   group 2
   authentication-type
    pre-shared-key
     pre-shared-secret *****
     local-id y.y.y.y
     remote-id x.x.x.x
    !
   !
  !
  ipsec
   rekey 86400
   replay-window 512
   cipher-suite aes256-cbc-sha1
   perfect-forward-secrecy group-2
  !
  no shutdown
 !
 ip route 0.0.0.0/0 y.y.y.gw
!

Please make sure to use a shared secret key longer than 16 characters for greater security.

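As an added example (not part of the thread, and not a tool from either vendor), the Python script below parses the crypto-relevant lines of the two configurations posted above and reports any IKE or IPsec parameter on which the ASA and the vEdge disagree, which is the first thing to verify when a tunnel like this fails to negotiate. The mapping between the vEdge cipher-suite names (aes256-cbc-sha2, aes256-cbc-sha1) and the ASA algorithm keywords is an assumption made from the names themselves; the parameter values are taken from the posted configurations, and the excerpt omits the policy 100 (GCM) block since the vEdge side does not offer GCM.

```python
"""Cross-check the IKEv2 and IPsec parameters of the ASA and vEdge configurations.

Added example, not from the original post. The excerpts below are the crypto-relevant
lines of the two configurations quoted in the thread; translating vEdge cipher-suite
names to ASA algorithm keywords is an assumption made from the names themselves.
"""
ASA_CFG = """\
crypto ipsec ikev2 ipsec-proposal myset
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec profile tac_ipsec_profile
 set pfs group2
 set security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 512
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 lifetime seconds 86400
crypto ikev2 policy 200
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256 sha
 group 14 5 2
 lifetime seconds 86400
"""
VEDGE_CFG = """\
ike
 rekey 86400
 cipher-suite aes256-cbc-sha2
 group 2
ipsec
 rekey 86400
 replay-window 512
 cipher-suite aes256-cbc-sha1
 perfect-forward-secrecy group-2
"""

# Assumed name translations: ASA spells SHA-1 "sha" in ikev2 policies and "sha-1" in
# ESP proposals; the vEdge "sha2" suffix is taken to accept any SHA-2 digest size.
ENC_NAMES = {"aes256": "aes-256", "aes192": "aes-192", "aes128": "aes"}
IKE_INTEGRITY = {"sha1": {"sha"}, "sha2": {"sha256", "sha384", "sha512"},
                 "sha256": {"sha256"}, "sha384": {"sha384"}, "sha512": {"sha512"}}
ESP_INTEGRITY = {"sha1": {"sha-1"}, "sha2": {"sha-256", "sha-384", "sha-512"},
                 "sha256": {"sha-256"}, "sha384": {"sha-384"}, "sha512": {"sha-512"}}

def parse_asa(text):
    """Collect the ikev2 policies, ESP proposal, PFS group, SA lifetime and replay window."""
    asa = {"policies": [], "esp_enc": set(), "esp_int": set()}
    section = None                      # "proposal", "profile", a policy dict, or None
    for line in text.splitlines():
        words = line.split()
        if words[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            section = "proposal"
        elif words[:3] == ["crypto", "ipsec", "profile"]:
            section = "profile"
        elif words[:3] == ["crypto", "ikev2", "policy"]:
            section = {"encryption": set(), "integrity": set(), "group": set(), "lifetime": 0}
            asa["policies"].append(section)
        elif words[:3] == ["crypto", "ipsec", "security-association"] and "replay" in words:
            asa["replay_window"] = int(words[-1])
        elif section == "proposal" and words[:2] == ["protocol", "esp"]:
            asa["esp_enc" if words[2] == "encryption" else "esp_int"].update(words[3:])
        elif section == "profile" and words[:2] == ["set", "pfs"]:
            asa["pfs"] = words[2]
        elif section == "profile" and words[:2] == ["set", "security-association"]:
            asa["sa_lifetime"] = int(words[-1])
        elif isinstance(section, dict) and words and words[0] in section:
            # algorithm lists for encryption/integrity/group, or "lifetime seconds N"
            section[words[0]] = int(words[-1]) if words[0] == "lifetime" else set(words[1:])
    return asa

def parse_vedge(text):
    """Return the settings of the ike and ipsec blocks of a vEdge ipsec interface."""
    ike, ipsec, section = {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if words in (["ike"], ["ipsec"]):
            section = ike if words == ["ike"] else ipsec
        elif section is not None and len(words) >= 2:
            section[words[0]] = words[1]
    return ike, ipsec

def check_tunnel(asa, ike, ipsec):
    """Return the parameters on which the peers disagree; an empty list means consistent."""
    problems = []
    enc, _, integ = ike["cipher-suite"].split("-")
    if not any(ENC_NAMES[enc] in p["encryption"] and p["integrity"] & IKE_INTEGRITY[integ]
               and ike["group"] in p["group"] and p["lifetime"] == int(ike["rekey"])
               for p in asa["policies"]):
        problems.append("IKE: no ASA ikev2 policy offers %s, group %s, lifetime %s"
                        % (ike["cipher-suite"], ike["group"], ike["rekey"]))
    enc, _, integ = ipsec["cipher-suite"].split("-")
    if ENC_NAMES[enc] not in asa["esp_enc"] or not asa["esp_int"] & ESP_INTEGRITY[integ]:
        problems.append("ESP: vEdge %s, ASA proposal %s / %s" % (
            ipsec["cipher-suite"], sorted(asa["esp_enc"]), sorted(asa["esp_int"])))
    pairs = (("PFS group", asa.get("pfs"), ipsec["perfect-forward-secrecy"].replace("-", "")),
             ("IPsec SA lifetime", asa.get("sa_lifetime"), int(ipsec["rekey"])),
             ("replay window", asa.get("replay_window"), int(ipsec["replay-window"])))
    problems += ["%s: ASA %s, vEdge %s" % p for p in pairs if p[1] != p[2]]
    return problems

if __name__ == "__main__":
    report = check_tunnel(parse_asa(ASA_CFG), *parse_vedge(VEDGE_CFG))
    print("\n".join(report or ["no mismatches found"]))
```

Run as-is it prints "no mismatches found", because policy 200 on the ASA covers the vEdge's aes256-cbc-sha2 / group 2 / 86400 proposal and the ESP proposal, PFS group, SA lifetime and replay window agree. Change any one value on either side (for example the vEdge ipsec cipher-suite to aes256-cbc-sha2, which the ASA proposal does not offer) and the script names the parameter, which is usually faster than reading the IKEv2 debug output on both boxes.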
