
IKEv2 Consolidation

!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 15
!
crypto ikev2 policy IKEv2-POLICY
 match fvrf any
 proposal IKEv2-PROPOSAL
!
crypto ikev2 keyring IKEv2-KEYRING
 peer TO-CENT
  address 172.16.33.130
  identity fqdn cent-ops-ie-01.domain.com
  pre-shared-key cisco123
 !
 peer TO-HPNX
  address 172.16.10.130
  identity fqdn hpnx-ops-ie-01.domain.com
  pre-shared-key cisco123
 !
!
crypto ikev2 profile IKEv2-PROFILE-CENT
 match identity remote fqdn domain domain.com
 identity local fqdn cacc-ops-ie-01.domain.com
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEv2-KEYRING
!
crypto ikev2 profile IKEv2-PROFILE-HPNX
 match identity remote fqdn domain domain.com
 identity local fqdn cacc-ops-ie-01.domain.com
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEv2-KEYRING
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile TUNNEL-PROFILE-CENT
 set transform-set MYSET
 set ikev2-profile IKEv2-PROFILE-CENT
!
crypto ipsec profile TUNNEL-PROFILE-HPNX
 set transform-set MYSET
 set ikev2-profile IKEv2-PROFILE-HPNX
!
interface Tunnel108
 description <== Datacenter Connection to HPNX ==>
 ip address 10.254.1.33 255.255.255.252
 ip ospf authentication key-chain OSPF-KEY-CHAIN
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 172.16.10.130
 tunnel protection ipsec profile TUNNEL-PROFILE-HPNX
!
interface Tunnel109
 description <== Datacenter Connection to CENT ==>
 ip address 10.254.1.37 255.255.255.252
 ip ospf authentication key-chain OSPF-KEY-CHAIN
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 172.16.33.130
 tunnel protection ipsec profile TUNNEL-PROFILE-CENT
!

RJI (VIP Advocate)

Re: IKEv2 Consolidation

Hi, what is your query here exactly?
If you want a suggestion, you could possibly run a DVTI instead of 2 x tunnel interfaces; then you could use just 1 IPsec profile and 1 IKEv2 profile. This would reduce the configuration complexity and easily allow for additional tunnels to be terminated on the hub router.

HTH
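A consolidated hub-side configuration along the lines RJI describes, written here as an added example; it is not from the thread or from Cisco documentation. It assumes IOS/IOS-XE syntax (the platform the posted config runs on; ASA VTI syntax differs), reuses the peer addresses, FQDNs, key chain and interface names from the original post, assumes Loopback0 is free to lend its address to the virtual-access interfaces, and uses placeholders for the pre-shared keys. The two IKEv2 profiles in the original post are identical apart from their names, so one profile already covers both peers; the only real change is replacing Tunnel108/Tunnel109 with a Virtual-Template.

```cisco
! Added example: single IKEv2 profile, single IPsec profile and one Dynamic VTI
! (Virtual-Template) in place of Tunnel108 / Tunnel109. IOS/IOS-XE syntax assumed.
! Peer addresses and FQDNs are those from the original post; keys are placeholders.
!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 15
!
crypto ikev2 policy IKEv2-POLICY
 match fvrf any
 proposal IKEv2-PROPOSAL
!
! One keyring entry per peer. A distinct key per peer (rather than one shared
! string) means a key leaked at one site cannot be used to impersonate the other.
crypto ikev2 keyring IKEv2-KEYRING
 peer TO-CENT
  address 172.16.33.130
  identity fqdn cent-ops-ie-01.domain.com
  pre-shared-key <CENT-KEY-PLACEHOLDER>
 !
 peer TO-HPNX
  address 172.16.10.130
  identity fqdn hpnx-ops-ie-01.domain.com
  pre-shared-key <HPNX-KEY-PLACEHOLDER>
 !
!
! The domain match admits any identity under domain.com, but a peer still has to
! present the key bound to its own address/FQDN in the keyring. "virtual-template 1"
! makes the hub clone a Virtual-Access interface from Virtual-Template1 for every
! peer that authenticates against this profile.
crypto ikev2 profile IKEv2-PROFILE
 match identity remote fqdn domain domain.com
 identity local fqdn cacc-ops-ie-01.domain.com
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEv2-KEYRING
 virtual-template 1
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile TUNNEL-PROFILE
 set transform-set MYSET
 set ikev2-profile IKEv2-PROFILE
!
! Loopback0 is assumed unused; the virtual-access interfaces borrow its address,
! so the per-tunnel /30s from the original post are no longer needed on the hub.
interface Loopback0
 ip address 10.254.1.33 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip ospf authentication key-chain OSPF-KEY-CHAIN
 ip ospf network point-to-point
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL-PROFILE
!
```

With a DVTI the hub only responds, so each remote router keeps its static tunnel interface pointing at the hub and initiates the IKEv2 exchange; `ip ospf network point-to-point` keeps each cloned virtual-access adjacency a simple point-to-point neighbour with no DR election. After the remote sites reconnect, `show crypto ikev2 sa` should list both peers and `show ip interface brief` should show one Virtual-Access interface per peer.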

Re: IKEv2 Consolidation

To add to what RJI said, you need ASA version 9.8 in order to run/configure the VTI to consolidate your configuration.

Please do not forget to rate.