
Configure ASA

  1. Configure the IKEv2 policy. Define the settings according to the supported IPsec parameters, and choose a policy number that does not collide with the IKEv2 policies already present on your ASA.
    • Replace the interface name outside with the nameif of the public-facing interface on your device, the interface the VPN connects through.
    crypto ikev2 policy 10
      encryption aes-gcm-256
      integrity null
      group 19
      lifetime seconds 86400
    crypto ikev2 enable outside
    
  2. Configure the Group Policy and Tunnel Group parameters.
    • Replace <sse_dc_ip> with the IP address of a Secure Access data center.
    • Replace [Portal_Tunnel_Passphrase] with the passphrase you configured in the previous section, Add Network Tunnel Group.
    group-policy sse-policy internal
    group-policy sse-policy attributes 
       vpn-tunnel-protocol ikev2
     
    tunnel-group <sse_dc_ip> type ipsec-l2l
    tunnel-group <sse_dc_ip> general-attributes 
      default-group-policy sse-policy
    tunnel-group <sse_dc_ip> ipsec-attributes 
      ikev2 remote-authentication pre-shared-key 0 [Portal_Tunnel_Passphrase]
      ikev2 local-authentication pre-shared-key 0 [Portal_Tunnel_Passphrase]
    
    • Confirm that crypto isakmp identity is left at its default value, auto, so the ASA selects the correct identity type for the IKE peer.
  3. Configure IPsec proposal and profile parameters.
    • Define the settings according to the Supported IPsec parameters.
      crypto ipsec ikev2 ipsec-proposal Secure-Access-Ipsec-Proposal
        protocol esp encryption aes-gcm-256
        protocol esp integrity sha-1
      
      crypto ipsec profile Secure_Access
        set ikev2 ipsec-proposal Secure-Access-Ipsec-Proposal
        !
        ! Note: the following command applies to ASA 9.17 and later only
        set ikev2 local-identity email-id asav917a@6484741-576683214-sse.com
      
  4. Create a virtual tunnel interface (VTI).
    • Replace <sse_dc_ip> with the IP address of a Secure Access data center.
    • Replace the sample address x.x.x.1 with an address from an unused subnet, one that is not assigned to any VLAN, subnet, or existing connection in your network. The PBR next-hop in step 5 is taken from this same subnet.
    interface Tunnel1
       nameif vti
       ip address x.x.x.1 255.255.255.0
       tunnel source interface outside
       tunnel destination <sse_dc_ip>
       tunnel mode ipsec ipv4
       tunnel protection ipsec profile Secure_Access
    
  5. Configure policy-based routing. In the following examples, the LAN subnet is 192.168.20.0/24 and the LAN interface is GigabitEthernet1/2.
    • Configure PBR to send internal traffic through the tunnel interface to the Secure Access data center.
    • Set the next-hop to an address in the subnet assigned to the VTI (x.x.x.2 when the VTI itself is x.x.x.1).
    access-list ACL-sse line 1 extended permit ip 192.168.20.0 255.255.255.0 any4
     
    route-map sse-PBR permit 10
      match ip address ACL-sse
      set ip next-hop x.x.x.2
     
    interface GigabitEthernet1/2
      policy-route route-map sse-PBR
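Steps 1 through 5 above are a single procedure with a handful of values that must agree with each other: the proposal name referenced by the profile, the data center IP used in both the tunnel-group and the tunnel destination, and a VTI subnet that does not overlap the LAN and that supplies the PBR next-hop. The following Python script, an added example and not part of the Secure Access documentation or any Cisco tool, renders the complete ASA configuration from those parameters and refuses values the ASA would accept syntactically but that would break the tunnel (overlapping VTI subnet, non-IPv4 data center address, whitespace in names or passphrase). The data center IP, passphrase and VTI subnet in the sample are constructed placeholders; the email-id is the one shown on the page.

```python
"""Render and sanity-check the Secure Access ASA tunnel configuration (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

PROPOSAL = "Secure-Access-Ipsec-Proposal"   # single token: a space here breaks the profile reference
PROFILE = "Secure_Access"
GROUP_POLICY = "sse-policy"
ACL = "ACL-sse"
ROUTE_MAP = "sse-PBR"


@dataclass
class TunnelParams:
    outside_if: str                 # nameif of the public-facing interface
    sse_dc_ip: str                  # Secure Access data center IP (taken from the portal)
    passphrase: str                 # Portal_Tunnel_Passphrase from the network tunnel group
    local_identity: str             # email-id shown in the portal (ASA 9.17+)
    vti_network: str                # unused /24 for the VTI, e.g. "172.31.255.0/24"
    lan_if: str                     # LAN interface that carries the PBR route-map
    lan_networks: list = field(default_factory=list)
    ikev2_policy_number: int = 10


def validate(p: TunnelParams) -> ipaddress.IPv4Network:
    """Reject parameter combinations that would produce a non-working tunnel."""
    if ipaddress.ip_address(p.sse_dc_ip).version != 4:
        raise ValueError("tunnel mode ipsec ipv4 requires an IPv4 data center address")
    vti = ipaddress.ip_network(p.vti_network, strict=True)
    if vti.prefixlen != 24:
        raise ValueError("VTI network must be a /24 (mask 255.255.255.0)")
    for lan in p.lan_networks:                       # step 4: the VTI range must be unused
        if vti.overlaps(ipaddress.ip_network(lan, strict=True)):
            raise ValueError(f"VTI network {vti} overlaps LAN subnet {lan}")
    if not re.fullmatch(r"[^\s@]+@[^\s@]+\.[^\s@]+", p.local_identity):
        raise ValueError("local identity must be an email-id such as name@domain")
    for value in (p.outside_if, p.lan_if, p.passphrase):
        if not value or re.search(r"\s", value):     # ASA reads each of these as one token
            raise ValueError(f"{value!r} must be a single token without whitespace")
    return vti


def is_valid(p: TunnelParams) -> bool:
    try:
        validate(p)
        return True
    except ValueError:
        return False


def render(p: TunnelParams) -> str:
    """Return the ASA configuration for steps 1 to 5 as one pasteable block."""
    vti = validate(p)
    vti_ip, next_hop = list(vti.hosts())[:2]         # x.x.x.1 on the VTI, x.x.x.2 as PBR next-hop
    lines = [
        f"crypto ikev2 policy {p.ikev2_policy_number}",
        " encryption aes-gcm-256", " integrity null", " group 19", " lifetime seconds 86400",
        f"crypto ikev2 enable {p.outside_if}", "!",
        f"group-policy {GROUP_POLICY} internal",
        f"group-policy {GROUP_POLICY} attributes", " vpn-tunnel-protocol ikev2", "!",
        f"tunnel-group {p.sse_dc_ip} type ipsec-l2l",
        f"tunnel-group {p.sse_dc_ip} general-attributes", f" default-group-policy {GROUP_POLICY}",
        f"tunnel-group {p.sse_dc_ip} ipsec-attributes",
        f" ikev2 remote-authentication pre-shared-key 0 {p.passphrase}",
        f" ikev2 local-authentication pre-shared-key 0 {p.passphrase}", "!",
        f"crypto ipsec ikev2 ipsec-proposal {PROPOSAL}",
        " protocol esp encryption aes-gcm-256", " protocol esp integrity sha-1",
        f"crypto ipsec profile {PROFILE}",
        f" set ikev2 ipsec-proposal {PROPOSAL}",                 # same token as the proposal above
        f" set ikev2 local-identity email-id {p.local_identity}", "!",
        "interface Tunnel1", " nameif vti",
        f" ip address {vti_ip} {vti.netmask}",
        f" tunnel source interface {p.outside_if}",
        f" tunnel destination {p.sse_dc_ip}",                    # same IP as the tunnel-group
        " tunnel mode ipsec ipv4",
        f" tunnel protection ipsec profile {PROFILE}", "!",
    ]
    for n, lan in enumerate(p.lan_networks, start=1):
        net = ipaddress.ip_network(lan, strict=True)
        lines.append(f"access-list {ACL} line {n} extended permit ip "
                     f"{net.network_address} {net.netmask} any4")
    lines += [
        f"route-map {ROUTE_MAP} permit 10", f" match ip address {ACL}",
        f" set ip next-hop {next_hop}",                          # inside the VTI subnet (step 5)
        f"interface {p.lan_if}", f" policy-route route-map {ROUTE_MAP}",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample values; the data center IP, passphrase and VTI range are placeholders.
SAMPLE = TunnelParams(
    outside_if="outside",
    sse_dc_ip="203.0.113.10",
    passphrase="Example-Passphrase-Change-Me",
    local_identity="asav917a@6484741-576683214-sse.com",
    vti_network="172.31.255.0/24",
    lan_if="GigabitEthernet1/2",
    lan_networks=["192.168.20.0/24"],
)

if __name__ == "__main__":
    print(render(SAMPLE))
```

Paste the output into configuration mode, then run show run crypto isakmp to confirm identity is still auto, and show crypto ikev2 sa and show crypto ipsec sa to confirm the tunnel is up before sending LAN traffic through it. Because the passphrase is rendered with the 0 (cleartext) keyword, treat the rendered text as a secret and do not leave it in shell history or a ticket.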