IKEv2 Consolidation

krogers
Level 1

!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 15
!
crypto ikev2 policy IKEv2-POLICY
 match fvrf any
 proposal IKEv2-PROPOSAL
!
crypto ikev2 keyring IKEv2-KEYRING
 peer TO-CENT
  address 172.16.33.130
  identity fqdn cent-ops-ie-01.domain.com
  pre-shared-key cisco123
 !
 peer TO-HPNX
  address 172.16.10.130
  identity fqdn hpnx-ops-ie-01.domain.com
  pre-shared-key cisco123
 !
!
crypto ikev2 profile IKEv2-PROFILE-CENT
 match identity remote fqdn domain domain.com
 identity local fqdn cacc-ops-ie-01.domain.com
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEv2-KEYRING
!
crypto ikev2 profile IKEv2-PROFILE-HPNX
 match identity remote fqdn domain domain.com
 identity local fqdn cacc-ops-ie-01.domain.com
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEv2-KEYRING
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile TUNNEL-PROFILE-CENT
 set transform-set MYSET
 set ikev2-profile IKEv2-PROFILE-CENT
!
crypto ipsec profile TUNNEL-PROFILE-HPNX
 set transform-set MYSET
 set ikev2-profile IKEv2-PROFILE-HPNX
!
interface Tunnel108
 description <== Datacenter Connection to HPNX ==>
 ip address 10.254.1.33 255.255.255.252
 ip ospf authentication key-chain OSPF-KEY-CHAIN
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 172.16.10.130
 tunnel protection ipsec profile TUNNEL-PROFILE-HPNX
!
interface Tunnel109
 description <== Datacenter Connection to CENT ==>
 ip address 10.254.1.37 255.255.255.252
 ip ospf authentication key-chain OSPF-KEY-CHAIN
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 172.16.33.130
 tunnel protection ipsec profile TUNNEL-PROFILE-CENT
!

2 Replies

Hi, what is your query here exactly?
If you want a suggestion, you could possibly run a DVTI instead of 2 x tunnel interfaces; then you could use just 1 IPsec profile and 1 IKEv2 profile. This would reduce the configuration complexity and easily allow for additional tunnels to be terminated on the hub router.

HTH
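
A consolidated hub configuration along the lines of the reply above, as an added example that is not from the original post or from either replier: one IKEv2 profile and one IPsec profile bound to a dynamic virtual-template interface (DVTI) on Cisco IOS, reusing the proposal, policy, keyring and transform set posted above. Both posted profiles already carry the identical "match identity remote fqdn domain domain.com" statement, so a single profile covers both peers while the keyring still pins each peer's pre-shared key by address and FQDN; Loopback0 and its address are assumptions.

```cisco
! Unchanged from the original post: IKEv2-PROPOSAL, IKEv2-POLICY,
! IKEv2-KEYRING (per-peer address / identity / pre-shared key) and
! transform set MYSET.
!
! One IKEv2 profile for every peer in domain.com. Authentication is
! still per peer: the keyring selects the PSK by address and FQDN.
crypto ikev2 profile IKEv2-PROFILE
 match identity remote fqdn domain domain.com
 identity local fqdn cacc-ops-ie-01.domain.com
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEv2-KEYRING
 ! Each negotiated SA clones a Virtual-Access interface from this template
 virtual-template 1
!
! One IPsec profile replaces TUNNEL-PROFILE-CENT and TUNNEL-PROFILE-HPNX
crypto ipsec profile TUNNEL-PROFILE
 set transform-set MYSET
 set ikev2-profile IKEv2-PROFILE
!
! Assumed loopback that the cloned tunnels borrow their address from
! (address is constructed for this example)
interface Loopback0
 ip address 10.254.1.254 255.255.255.255
!
! The DVTI: the tunnel destination is taken from the peer that
! negotiates, so the hub needs no per-spoke Tunnel108 / Tunnel109
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip ospf authentication key-chain OSPF-KEY-CHAIN
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL-PROFILE
!
```

With a DVTI the hub only responds, so each spoke keeps its static tunnel interface pointed at the hub and initiates; afterwards "show crypto ikev2 sa" and "show ip interface brief" on the hub should list one Virtual-Access interface per connected peer.
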

To add to what RJI said, you need ASA version 9.8 in order to run/config the VTI to consolidate your configuration.

Please do not forget to rate.