Cisco ASA VTI VPN Tunnel Example using IKEv2 (9.6 or higher)
!------------------------------------------------------------------------ ! Cisco ASA VTI VPN Tunnel Example using IKEv2 (9.6 or higher) !------------------------------------------------------------------------ ! !----------------------------------------------------------------------- ! ASA1 !----------------------------------------------------------------------- !# Specify an IKEv2 Policy; define the encryption/integrity/PRF algorithms, DH group and SA lifetime ! crypto ikev2 policy [[ikev2-policy-number]] encryption aes-256 integrity sha512 sha384 group 19 14 prf sha512 sha384 lifetime seconds 86400 ! !# Enable IKEv2 on the outside/wan interface ! crypto ikev2 enable [[outside-interface-name]] ! !# Create an IPSec Transform Set, define the encryption and integrity (hashing) algorithms ! crypto ipsec ikev2 ipsec-proposal [[transform-set-name]] protocol esp encryption aes-256 aes-192 protocol esp integrity sha-512 sha-384 sha-256 ! !# Create an IPSec Profile, reference the previously created IPSec Transform Set ! crypto ipsec profile [[ipsec-profile-name]] set ikev2 ipsec-proposal [[transform-set-name]] ! !# Create a Group Policy and ensure IKEv2 is selected an allowed protocol (IKEv2) ! group-policy [[asa-2-ipaddress]] internal group-policy [[asa-2-ipaddress]] attributes vpn-tunnel-protocol ikev2 ! !# Create a Tunnel Group ! tunnel-group [[asa-2-ipaddress]] type ipsec-l2l tunnel-group [[asa-2-ipaddress]] general-attributes default-group-policy [[asa-2-ipaddress]] ! tunnel-group [[asa-2-ipaddress]] ipsec-attributes ikev2 local-authentication pre-shared-key [[psk-asa1-to-asa2]] ikev2 remote-authentication pre-shared-key [[psk-asa2-to-asa1]] ! !# Create a Tunnel Interface ! interface Tunnel[[asa1-tunnel-id]] nameif [[asa1-tunnel-name]] ip address [[tunnel-asa1-ipaddress]] [[tunnel-subnetmask]] tunnel source interface [[outside-interface-name]] tunnel destination [[asa-2-ipaddress]] tunnel mode ipsec ipv4 tunnel protection ipsec profile [[ipsec-profile-name]] ! !# Create static routes to the destination LAN !# You can use dynamic routing protocols if you prefer ! route [[asa1-tunnel-name]] [[asa2-network-ip]] [[asa2-subnet-mask]] [[tunnel-asa2-ipaddress]] ! !----------------------------------------------------------------------- ! ASA2 !----------------------------------------------------------------------- !# Specify an IKEv2 Policy; define the encryption/integrity/PRF algorithms, DH group and SA lifetime ! crypto ikev2 policy [[ikev2-policy-number]] encryption aes-256 integrity sha512 sha384 group 19 14 prf sha512 sha384 lifetime seconds 86400 ! !# Enable IKEv2 on the outside/wan interface ! crypto ikev2 enable [[outside-interface-name]] ! !# Create an IPSec Transform Set, define the encryption and integrity (hashing) algorithms ! crypto ipsec ikev2 ipsec-proposal [[transform-set-name]] protocol esp encryption aes-256 aes-192 protocol esp integrity sha-512 sha-384 sha-256 ! !# Create an IPSec Profile, reference the previously created IPSec Transform Set ! crypto ipsec profile [[ipsec-profile-name]] set ikev2 ipsec-proposal [[transform-set-name]] ! !# Create a Group Policy and ensure IKEv2 is selected an allowed protocol (IKEv2) ! group-policy [[asa-1-ipaddress]] internal group-policy [[asa-1-ipaddress]] attributes vpn-tunnel-protocol ikev2 ! !# Create a Tunnel Group ! tunnel-group [[asa-1-ipaddress]] type ipsec-l2l tunnel-group [[asa-1-ipaddress]] general-attributes default-group-policy [[asa-1-ipaddress]] ! tunnel-group [[asa-1-ipaddress]] ipsec-attributes ikev2 local-authentication pre-shared-key [[psk-asa2-to-asa1]] ikev2 remote-authentication pre-shared-key [[psk-asa1-to-asa2]] ! !# Create a Tunnel Interface ! interface Tunnel[[asa2-tunnel-id]] nameif [[asa2-tunnel-name]] ip address [[tunnel-asa2-ipaddress]] [[tunnel-subnetmask]] tunnel source interface [[outside-interface-name]] tunnel destination [[asa-1-ipaddress]] tunnel mode ipsec ipv4 tunnel protection ipsec profile [[ipsec-profile-name]] ! !# Create static routes to the destination LAN !# You can use dynamic routing protocols if you prefer ! route [[asa2-tunnel-name]] [[asa1-network-ip]] [[asa1-subnet-mask]] [[tunnel-asa1-ipaddress]] !



ikev2-policy-number:
outside-interface-name:
transform-set-name:
ipsec-profile-name:
asa-2-ipaddress:
psk-asa1-to-asa2:
psk-asa2-to-asa1:
asa1-tunnel-id:
asa1-tunnel-name:
tunnel-asa1-ipaddress:
tunnel-subnetmask:
asa2-network-ip:
asa2-subnet-mask:
tunnel-asa2-ipaddress:
asa-1-ipaddress:
asa2-tunnel-id:
asa2-tunnel-name:
asa1-network-ip:
asa1-subnet-mask:


Use this code to post the full script to your own page:



Use this code to post only the variables to your own page: