11-16-2017 08:56 AM - edited 03-12-2019 04:44 AM
I am going to configure a site-to-site VPN in my lab.
I am using two ASAs.
What are the parameters that must match between the peers?
Phase 1 configuration:
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
Should this match on the other peer?
The key should match; this is one I have confirmed.
Should the tunnel-group name or IP match, or can it differ between the peers?
Should the parameters below match between the peers?
- access-list name?
- transform-set name?
- crypto map name?
Can someone give the answer?
Thanks
11-16-2017 09:12 AM
Hello @vinoth13.c,
You need to match the Phase 1 and Phase 2 parameters in order to be able to build the VPN tunnel; you can check this link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html
Now, your configuration on Phase 1 should match the other end, and it doesn't if the numbers are different.
Also, the ACL, transform-set and crypto map names don't have to match; you can have different names on both sides and this should work, but if you want to, for documentation purposes or template configuration, you can use the same names on each device.
HTH
Gio
11-16-2017 09:29 AM
Thanks for the quick reply.
I have verified the document; in it, are the tunnel-groups configured with the same IP on both peers?
Can you clarify that?
Thanks
11-16-2017 09:35 AM
Hello @vinoth13.c,
Yes, the same IP you used on the crypto map will serve as the name in the tunnel-group configuration. If you want to use names, you need to change the command "crypto isakmp identity auto" (the default) to "crypto isakmp identity hostname/ike-id", but as this is a global command it will affect the rest of the VPN tunnels.
I would suggest using the IP address instead of names.
HTH
Gio
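To make the two answers above concrete (what must match between the peers, what may differ, and the tunnel-group name being the peer IP from "set peer"), here is an added example that is not part of the thread or of any Cisco tool: a small Python checker that parses the relevant lines from two ASA running-configs and reports each requirement. The two configs and the IP addresses (203.0.113.1/.2) are constructed sample data. It treats the IKEv1 proposal as matching by content, not by policy priority number, treats the lifetime as negotiated down to the shorter value rather than as a mismatch, compares transform sets by their transforms rather than by name, checks that the crypto ACLs are mirror images, and also warns that "hash md5" and DH group 2 are weak choices. The default values filled in for unconfigured policy attributes are an assumption based on Cisco documentation; verify them on your own box with "show run all crypto ikev1".

```python
import re

# Constructed sample configs for two ASA peers (example data, not from the thread).
ASA_A = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-A esp-aes esp-sha-hmac
access-list VPN-A extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map CM-A 10 match address VPN-A
crypto map CM-A 10 set peer 203.0.113.2
crypto map CM-A 10 set ikev1 transform-set TS-A
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
"""

ASA_B = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 28800
crypto ipsec ikev1 transform-set TS-B esp-sha-hmac esp-aes
access-list VPN-B extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map CM-B 5 match address VPN-B
crypto map CM-B 5 set peer 203.0.113.1
crypto map CM-B 5 set ikev1 transform-set TS-B
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
"""

# ASA defaults for IKEv1 policy attributes that are not explicitly configured
# (assumption based on Cisco documentation; verify with "show run all crypto ikev1").
IKEV1_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
                  "hash": "sha", "group": "2", "lifetime": "86400"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}   # 768/1024/1536-bit MODP


def parse_ikev1_policies(cfg):
    """Return {priority: {attribute: value}} with ASA defaults filled in."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IKEV1_DEFAULTS))
        elif current is not None and line.startswith(" "):
            attr, _, value = line.strip().partition(" ")
            current[attr] = value
        else:
            current = None          # any other top-level line ends the policy block
    return policies


def parse_transform_sets(cfg):
    """Return {name: frozenset(transforms)}; transform order is irrelevant."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"crypto ipsec ikev1 transform-set (\S+) (.+)", cfg)}


def parse_crypto_map(cfg):
    """Return {(map name, seq): {"acl": ..., "peer": ..., "ts": ...}}."""
    keys = {"match address": "acl", "set peer": "peer", "set ikev1 transform-set": "ts"}
    entries = {}
    pat = r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)"
    for m in re.finditer(pat, cfg):
        entries.setdefault((m.group(1), int(m.group(2))), {})[keys[m.group(3)]] = m.group(4)
    return entries


def parse_acl(cfg, name):
    """Return the set of (src, dst) network pairs from 'permit ip' lines of one ACL."""
    pat = rf"access-list {re.escape(name)} extended permit ip (\S+ \S+) (\S+ \S+)"
    return {(m.group(1), m.group(2)) for m in re.finditer(pat, cfg)}


def parse_psks(cfg):
    """Return {tunnel-group name: ikev1 pre-shared key}."""
    return dict(re.findall(r"tunnel-group (\S+) ipsec-attributes\n ikev1 pre-shared-key (\S+)", cfg))


def compare_peers(cfg_a, cfg_b):
    """Return {check: (ok, detail)} for what must agree between two L2L peers."""
    r = {}
    # Phase 1: the ASA matches proposals by content, so priority numbers may differ.
    # Lifetime is negotiated down to the shorter value, so it is reported, not failed.
    def sig(p):
        return (p["authentication"], p["encryption"], p["hash"], p["group"])
    pa, pb = parse_ikev1_policies(cfg_a), parse_ikev1_policies(cfg_b)
    common = {sig(p) for p in pa.values()} & {sig(p) for p in pb.values()}
    r["phase1_policy"] = (bool(common), f"common proposals: {sorted(common)}")
    weak = [s for s in common if s[2] in WEAK_HASHES or s[3] in WEAK_DH_GROUPS]
    r["phase1_strength"] = (not weak, f"weak proposals (MD5 or DH group <= 1536-bit): {weak}")
    lifetimes = {int(p["lifetime"]) for p in list(pa.values()) + list(pb.values())}
    r["phase1_lifetime"] = (True, f"negotiated SA lifetime will be {min(lifetimes)}s")

    # Crypto map name/sequence may differ, but the 'set peer' address must be the
    # other side's tunnel-group name (default 'crypto isakmp identity auto' = address).
    ea = next(iter(parse_crypto_map(cfg_a).values()))
    eb = next(iter(parse_crypto_map(cfg_b).values()))
    psk_a, psk_b = parse_psks(cfg_a), parse_psks(cfg_b)
    r["tunnel_group"] = (ea["peer"] in psk_a and eb["peer"] in psk_b,
                         "tunnel-group must be named after the peer IP used in 'set peer'")
    r["pre_shared_key"] = (psk_a.get(ea["peer"]) is not None and
                           psk_a.get(ea["peer"]) == psk_b.get(eb["peer"]),
                           "ikev1 pre-shared-key must be identical on both peers")

    # Phase 2: transform-set names may differ, the transforms must not.
    ts_a = parse_transform_sets(cfg_a)[ea["ts"]]
    ts_b = parse_transform_sets(cfg_b)[eb["ts"]]
    r["transform_set"] = (ts_a == ts_b, f"{sorted(ts_a)} vs {sorted(ts_b)}")

    # Crypto ACL names may differ, but B's entries must mirror A's (src/dst swapped).
    acl_a, acl_b = parse_acl(cfg_a, ea["acl"]), parse_acl(cfg_b, eb["acl"])
    r["crypto_acl"] = ({(d, s) for s, d in acl_a} == acl_b, "crypto ACLs must be mirror images")
    return r


if __name__ == "__main__":
    for check, (ok, detail) in compare_peers(ASA_A, ASA_B).items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}: {detail}")
```

Feed it the output of "more system:running-config" rather than "show running-config", because the latter masks the pre-shared key with asterisks and the key comparison would then be meaningless. In the sample data every requirement passes except the strength warning, which is the point of the caveat: a tunnel with "hash md5" and "group 2" will come up fine between two ASAs, but SHA and DH group 14 or higher are what you want outside a lab.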