cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
790
Views
0
Helpful
2
Replies

IKEv2 Consolidation

krogers
Level 1
Level 1

!
crypto ikev2 proposal IKEv2-PROPOSAL
encryption aes-cbc-256
integrity sha512
group 15
!
crypto ikev2 policy IKEv2-POLICY
match fvrf any
proposal IKEv2-PROPOSAL
!
crypto ikev2 keyring IKEv2-KEYRING
peer TO-CENT
address 172.16.33.130
identity fqdn cent-ops-ie-01.domain.com
pre-shared-key cisco123
!
peer TO-HPNX
address 172.16.10.130
identity fqdn hpnx-ops-ie-01.domain.com
pre-shared-key cisco123
!
!
crypto ikev2 profile IKEv2-PROFILE-CENT
match identity remote fqdn domain domain.com
identity local fqdn cacc-ops-ie-01.domain.com
authentication local pre-share
authentication remote pre-share
keyring local IKEv2-KEYRING
!
crypto ikev2 profile IKEv2-PROFILE-HPNX
match identity remote fqdn domain domain.com
identity local fqdn cacc-ops-ie-01.domain.com
authentication local pre-share
authentication remote pre-share
keyring local IKEv2-KEYRING
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile TUNNEL-PROFILE-CENT
set transform-set MYSET
set ikev2-profile IKEv2-PROFILE-CENT
!
crypto ipsec profile TUNNEL-PROFILE-HPNX
set transform-set MYSET
set ikev2-profile IKEv2-PROFILE-HPNX
!
interface Tunnel108
description <== Datacenter Connection to HPNX ==>
ip address 10.254.1.33 255.255.255.252
ip ospf authentication key-chain OSPF-KEY-CHAIN
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 172.16.10.130
tunnel protection ipsec profile TUNNEL-PROFILE-HPNX
!
interface Tunnel109
description <== Datacenter Connection to CENT ==>
ip address 10.254.1.37 255.255.255.252
ip ospf authentication key-chain OSPF-KEY-CHAIN
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 172.16.33.130
tunnel protection ipsec profile TUNNEL-PROFILE-CENT
!

2 Replies 2

Hi, what is your query here exactly?
If you want a suggestion, you could possibly run a DVTI instead of 2 x tunnel interfaces, then you could use just 1 ipsec profile and 1 ikev2 profile, this would reduce the configuration complexity and easily allow for additional tunnels to be terminated on the hub router.

HTH

to add what RJI said you need ASA version 9.8 in order to run/config the VTI to consolidate your configuration. 

please do not forget to rate.