Link to home
Create AccountLog in
Avatar of travisryan
travisryanFlag for United States of America

asked on

Dynamic site to site Cisco VPN configuration issues

I'm attempting to set a up a site to site VPN between to Cisco ASAs. One side will have a static IP, the other side will be dynamic. I'd like to use IKEv2 because I've read it uses less bandwidth. I also would like use a named tunnel group and not the default tunnel group. I've found these two guides:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html#anc9

The IKEv2 guide gives me the named tunnel option, but doesn't really break down what the commands in the configuration do. The IKEv1 guide breaks down what all of the commands do, but it's in IKEv1 and it doesn't go over named tunnels. Is there a better guide out there someone has found for creating a Dynamic site to site VPN?
Avatar of Ajay Thorat
Ajay Thorat
Flag of India image

Have a Look ...

what r u trying to achieve with named tunnel group ??

Perfect IKEv2 S2S VPN (Simple)
ASA1
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev2 local-authentication pre-shared-key xyz
ikev2 remote-authentication pre-shared-key xyz
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev2 enable outside


ASA2
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev2 local-authentication pre-shared-key xyz
ikev2 remote-authentication pre-shared-key xyz
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto ikev2 enable outside
ASKER CERTIFIED SOLUTION
Avatar of travisryan
travisryan
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of travisryan

ASKER

I had a partner outside of EE help me out.