Configure the Transform Set (TS), which must involve the keyword IKEv1.Create two objects that have the local and remote subnets and use them for both the crypto Access Control List (ACL) and the NAT statements.Īccess-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24 In Versions 8.4 and later, objects or object groups can be created that serve as containers for the networks, subnets, host IP addresses, or multiple objects.
It can contain multiple entries if there are multiple subnets involved between the sites. In this example, the traffic of interest is the traffic from the tunnel that is sourced from the 10.2.2.0 subnet to the 10.1.1.0. Create an access list that defines the traffic to be encrypted and tunneled.! Note the IKEv1 keyword at the beginning of the pre-shared-key command.Ĭomplete these steps for the Phase 2 configuration: Tunnel-group 192.168.1.1 ipsec-attributes Create a tunnel group under the IPsec attributes and configure the peer IP address and the tunnel pre-shared key:.!The 1 in the above command refers to the Policy suite priority Create an IKEv1 policy that defines the algorithms/methods to be used for hashing, authentication, Diffie-Hellman group, lifetime, and encryption:.Enter this command into the CLI in order to enable IKEv1 on the outside interface:.Tip: For an IKEv2 configuration example with the ASA, refer to the Site-to-Site IKEv2 Tunnel between ASA and Router Configuration Examples Cisco document.Ĭomplete these steps for the Phase 1 configuration:
Tip: For more information about the differences between the two versions, refer to the Why migrate to IKEv2? section of the Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code Cisco document. In ASA Versions 8.4 and later, support for both IKEv1 and Internet Key Exchange version 2 (IKEv2) was introduced. Configure Site B for ASA Versions 8.4 and Later
This section describes how to configure the IKEv1 IPsec site-to-site tunnel via the CLI. Review and verify the configuration settings, and then click Finish.
If you configure the peer IP address on Site A, it must be changed to 172.16.1.1. In this example, the peer IP address is set to 192.168.1.1 on Site B. Note: The most recent ASDM versions provide a link to a video that explains this configuration.
Cisco 5510 Series ASA that runs software Version 8.2.The information in this document is based on these software and hardware versions: Encapsulating Security Payload (ESP) IP Protocol 50 for the IPsec data plane.User Datagram Protocol (UDP) 5 for the IPsec control plane.The end-to-end IP connectivity must be established.Prerequisites RequirementsĬisco recommends that these requirements be met before you attempt the configuration that is described in this document: This document describes how to configure an Internet Key Exchange version 1 (IKEv1) IPsec site-to-site tunnel between a Cisco 5515-X Series Adaptive Security Appliance (ASA) that runs software Version 9.2.x and a Cisco 5510 Series ASA that runs software Version 8.2.x.