Cisco ASA 5510 Configuration for Remote Access IPsec VPNs

The following CLI example shows how to configure a remote access IPsec/IKEv1 VPN:


msa(config)# crypto ikev1 policy 10 
msa(config-ikev1-policy)# authentication pre-share
msa(config-ikev1-policy)# encryption aes-256
msa(config-ikev1-policy)# hash sha
msa(config-ikev1-policy)# group 2
msa(config)# crypto ikev1 enable outside
msa(config)# ip local pool ANYPOOLNAME 192.168.0.10-192.168.0.15
msa(config)# username testuser1 password 87654321
msa(config)# crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
msa(config)# tunnel-group ANYGROUPNAME type remote-access
msa(config)# tunnel-group ANYGROUPNAME general-attributes
msa(config-general)# address-pool ANYPOOLNAME
msa(config)# tunnel-group ANYGROUPNAME ipsec-attributes
msa(config-tunnel-ipsec)# ikev1 pre-shared-key ravpnkey
msa(config)# crypto dynamic-map DYNMAP 1 set ikev1 transform-set AES256-SHA
msa(config)# crypto dynamic-map DYNMAP 1 set reverse-route
msa(config)# crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
msa(config)# crypto map CMAP interface outside

The following CLI example shows how to configure a remote access IPsec/IKEv2 VPN:


msa(config)# crypto ikev2 policy 1 
msa(config-ikev2-policy)# group 2
msa(config-ikev2-policy)# integrity sha512
msa(config-ikev2-policy)# prf sha512
msa(config)# crypto ikev2 enable outside
msa(config)# ip local pool ANYPOOLNAME 192.168.0.10-192.168.0.15
msa(config)# username testuser1 password 87654321
msa(config)# crypto ipsec ikev2 ipsec-proposal AES256-SHA512
msa(config-ipsec-proposal)# protocol esp encryption aes-256
msa(config-ipsec-proposal)# protocol esp integrity sha-512
msa(config)# tunnel-group GROUPNAME type remote-access
msa(config)# tunnel-group GROUPNAME general-attributes
msa(config-general)# address-pool ANYPOOLNAME
msa(config)# tunnel-group GROUPNAME ipsec-attributes
msa(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key localravpnkey
msa(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key remoteravpnkey
msa(config)# crypto dynamic-map DYNMAP 1 set ikev2 ipsec-proposal AES256-SHA512
msa(config)# crypto dynamic-map DYNMAP 1 set reverse-route
msa(config)# crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
msa(config)# crypto map CMAP interface outside
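
A consistency and parameter check for configurations like the two above, as an added Python example that is not part of the original page: it reports names that an address-pool, dynamic map or crypto map references but nothing defines, and IKE policies that select DH group 1, 2 or 5 or SHA-1. The function name, the sample text and the choice of which groups to flag are assumptions of this example.

```python
import re

# Constructed sample (not from a real device): one pool name is mistyped on purpose.
SAMPLE = """\
crypto ikev1 policy 10
 hash sha
 group 2
ip local pool ANYPOOLNAME 192.168.0.10-192.168.0.15
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
tunnel-group ANYGROUPNAME general-attributes
 address-pool WRONGPOOL
crypto dynamic-map DYNMAP 1 set ikev1 transform-set AES256-SHA
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
"""

WEAK_DH = {"1", "2", "5"}  # assumption: flag MODP groups of 1536 bits or fewer
DEFINES = [  # (kind, regex capturing the name being defined)
    ("pool", r"ip local pool (\S+)"),
    ("transform-set", r"crypto ipsec ikev1 transform-set (\S+)"),
    ("ipsec-proposal", r"crypto ipsec ikev2 ipsec-proposal (\S+)"),
    ("dynamic-map", r"crypto dynamic-map (\S+) \d+ set "),
]
USES = [  # (kind, regex capturing the name being referenced)
    ("pool", r"address-pool (\S+)"),
    ("transform-set", r"crypto dynamic-map \S+ \d+ set ikev1 transform-set (\S+)"),
    ("ipsec-proposal", r"crypto dynamic-map \S+ \d+ set ikev2 ipsec-proposal (\S+)"),
    ("dynamic-map", r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
]

def audit(config):
    """Return sorted (line_no, message) findings; 'host(config...)# ' prompts are stripped."""
    defined, used, findings = set(), [], []
    for n, raw in enumerate(config.splitlines(), 1):
        line = re.sub(r"^\S+\(config[^)]*\)#\s*", "", raw.strip())
        for kind, rx in DEFINES:
            if m := re.match(rx, line):
                defined.add((kind, m.group(1)))
        for kind, rx in USES:
            if m := re.match(rx, line):
                used.append((n, kind, m.group(1)))
        if (m := re.fullmatch(r"group (\d+)", line)) and m.group(1) in WEAK_DH:
            findings.append((n, f"DH group {m.group(1)} is a small MODP group"))
        if re.fullmatch(r"(hash|integrity) sha", line):
            findings.append((n, "SHA-1 selected for the IKE policy"))
    # Resolve names after the whole text is read, so definition order does not matter.
    for n, kind, name in used:
        if (kind, name) not in defined:
            findings.append((n, f"{kind} '{name}' is referenced but never defined"))
    return sorted(findings)
```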
