*********************************************************
 Lab 1 - Configuring IPSec LAN-To-LAN using IKEv2
*********************************************************

-----
 R1
-----

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-R2
 peer R2
  address 192.1.20.2
  pre-shared-key local Cisco111
  pre-shared-key remote Cisco222

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 192.1.20.2
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R2

-----------------------------------
! 2. Phase II
-----------------------------------
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

-----------------------------------
! 3. ACL
-----------------------------------
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

-----------------------------------
! 4. Crypto Map
-----------------------------------
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.20.2
 set transform-set ABC
 set ikev2-profile I2-PROF

----------------------------------------
! 5. Apply Crypto Map to the interface
----------------------------------------
interface E0/0
 crypto map CMAP

-----
 R2
-----

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-R1
 peer R1
  address 192.1.10.1
  pre-shared-key remote Cisco111
  pre-shared-key local Cisco222

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 192.1.10.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R1

-----------------------------------
! 2. Phase II
-----------------------------------
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

-----------------------------------
! 3. ACL
-----------------------------------
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

-----------------------------------
! 4. Crypto Map
-----------------------------------
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.10.1
 set transform-set ABC
 set ikev2-profile I2-PROF

----------------------------------------
! 5. Apply Crypto Map to the interface
----------------------------------------
interface E0/0
 crypto map CMAP

*********************************************************
 Lab 2 - Configuring S-VTI using IKEv2
*********************************************************

-----
 R3
-----

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-R4
 peer R4
  address 192.1.40.4
  pre-shared-key Cisco111

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 192.1.40.4
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R4

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel interface
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E0/0
 tunnel destination 192.1.40.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----
 R4
-----

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-R3
 peer R3
  address 192.1.30.3
  pre-shared-key Cisco111

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 192.1.30.3
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R3

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel interface
interface Tunnel1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E0/0
 tunnel destination 192.1.30.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

*********************************************************
 Lab 3 - Configuring DMVPN-Phase III using IKEv2
*********************************************************

--------------------
 R1-Routing Hub-NHS
--------------------

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-ALL
 peer ALL
  address 0.0.0.0
  pre-shared-key Cisco123

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-ALL

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac
 mode transport

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel interface
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 123
 ip nhrp redirect
 tunnel protection ipsec profile IPROF

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

--------------------
 R2-Client/Spoke
--------------------

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-ALL
 peer ALL
  address 0.0.0.0
  pre-shared-key Cisco123

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-ALL

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac
 mode transport

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel interface
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

--------------------
 R3-Client/Spoke
--------------------

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-ALL
 peer ALL
  address 0.0.0.0
  pre-shared-key Cisco123

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-ALL

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac
 mode transport

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel interface
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

--------------------
 R4-Client/Spoke
--------------------

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-ALL
 peer ALL
  address 0.0.0.0
  pre-shared-key Cisco123

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-ALL

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac
 mode transport

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel interface
interface Tunnel1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

--------------------
 R4-Client/Spoke
--------------------

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-ALL
 peer ALL
  address 0.0.0.0
  pre-shared-key Cisco123

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-ALL

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac
 mode transport

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel interface
interface Tunnel1
 ip address 192.168.1.5 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

*********************************************************
 Lab 4 - Flex VPN - P2P using DVTI/SVTI
*********************************************************

-----
 R1
-----

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-R2
 peer R2
  address 0.0.0.0
  pre-shared-key Cisco111

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R2

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel Template interface
interface Loopback99
 ip address 192.168.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback99
 tunnel source E0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF
!
crypto ikev2 profile I2-PROF
 virtual-template 1

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----
 R2
-----

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-R1
 peer R1
  address 192.1.10.1
  pre-shared-key Cisco111

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 192.1.10.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-R1

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel interface
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E0/0
 tunnel destination 192.1.10.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

*********************************************************
 Lab 5 - Flex VPN - P2MP - Direct Spoke-to-Spoke - NHRP
*********************************************************

------------
 R5 - Hub
------------

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-ALL
 peer ALL
  address 0.0.0.0
  pre-shared-key Cisco111

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-ALL

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel Template interface
interface Loopback99
 ip address 192.168.1.5 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback99
 tunnel source E0/0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile IPROF
!
crypto ikev2 profile I2-PROF
 virtual-template 1

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

! 6. Configure an IKEv2 Authorization Policy to push Tunnel IPs and NHRP Mappings

! 6A. Configure an IP Pool for the Tunnel IPs
ip local pool FLEX 192.168.1.11 192.168.1.200

! 6B. Configure an IKEv2 Authorization Policy to push the Tunnel IPs and NHRP Mappings
aaa new-model
aaa authorization network default local
!
crypto ikev2 authorization policy default
 pool FLEX
 route set interface

! 6C. Link the Authorization policy to the IKEv2 Profile
crypto ikev2 profile I2-PROF
 aaa authorization group override psk list default default

----------------
 R3/R4 - Spokes
----------------

-----------------------------------
! 1. Phase I
-----------------------------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-ALL
 peer ALL
  address 0.0.0.0
  pre-shared-key Cisco111

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-ALL

! 2. Phase II
crypto ipsec transform-set ABC esp-aes esp-sha-hmac

! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile I2-PROF

! 4. Tunnel Template interface
interface Tunnel1
 ip address negotiated
 tunnel source E0/0
 tunnel destination 192.1.50.5
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile IPROF
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel1
 tunnel source E0/0
 ip nhrp network-id 1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF
!
crypto ikev2 profile I2-PROF
 virtual-template 1

! 5. Routing
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

! 6. Configure an IKEv2 Authorization Policy for NHRP Mappings

! 6A. Configure an IKEv2 Authorization Policy to push the Tunnel IPs and NHRP Mappings
aaa new-model
aaa authorization network default local
!
crypto ikev2 authorization policy default
 route set interface

! 6B. Link the Authorization policy to the IKEv2 Profile
crypto ikev2 profile I2-PROF
 aaa authorization group override psk list default default

**************************************************************
 Lab 6 - LAN-To-LAN - R4-R6 Thru the ASA Firewall - No NAT-T
**************************************************************

------------
 R4
------------

! 1. Phase I
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key Cisco123 address 192.1.60.6

! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. ACL
access-list 101 permit ip 10.4.4.0 0.0.0.255 10.6.6.0 0.0.0.255

! 4. Crypto Map
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.60.6
 set transform-set ABC

! 5. Apply
interface E0/0
 crypto map CMAP

------------
 R6
------------

! 1. Phase I
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key Cisco123 address 192.1.24.4

! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. ACL
access-list 101 permit ip 10.6.6.0 0.0.0.255 10.4.4.0 0.0.0.255

! 4. Crypto Map
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.24.4
 set transform-set ABC

! 5. Apply
interface E0/0
 crypto map CMAP

------
 ASA
------

access-list OUTSIDE permit udp host 192.1.24.4 host 192.1.60.6 eq 500
access-list OUTSIDE permit esp host 192.1.24.4 host 192.1.60.6
!
access-group OUTSIDE in interface Outside

**************************************************************
 Lab 7 - LAN-To-LAN - R3-R7 Thru the ASA Firewall - with NAT-T
**************************************************************

------------
 ASA
------------

object network R7
 host 192.168.70.7
 nat (DMZ-7,Outside) static 192.1.20.7

------------
 R3
------------

! 1. Phase I
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key Cisco123 address 192.1.20.7

! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. ACL
access-list 101 permit ip 10.3.3.0 0.0.0.255 10.7.7.0 0.0.0.255

! 4. Crypto Map
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.20.7
 set transform-set ABC

! 5. Apply
interface E0/0
 crypto map CMAP

------------
 R7
------------

! 1. Phase I
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key Cisco123 address 192.1.23.3

! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. ACL
access-list 101 permit ip 10.7.7.0 0.0.0.255 10.3.3.0 0.0.0.255

! 4. Crypto Map
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.23.3
 set transform-set ABC

! 5. Apply
interface E0/0
 crypto map CMAP

------
 ASA
------

access-list OUTSIDE permit udp host 192.1.23.3 host 192.168.70.7 eq 500
access-list OUTSIDE permit udp host 192.1.23.3 host 192.168.70.7 eq 4500

*********************************************************
 Lab 8 - LAN-To-LAN - R5-To-ASA (IKEv1) - To the Firewall
*********************************************************

------------
 R5
------------

! 1. Phase I
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key Cisco123 address 192.1.20.10

! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. ACL
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.1.1.0 0.0.0.255

! 4. Crypto Map
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.20.10
 set transform-set ABC

! 5. Apply
interface E0/0
 crypto map CMAP

------------
 ASA
------------

! 0. Enable the IKEv1 Service on the Interface
crypto ikev1 enable outside

! 1. Phase I
crypto ikev1 policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
!
tunnel-group 192.1.25.5 type ipsec-l2l
tunnel-group 192.1.25.5 ipsec-attributes
 ikev1 pre-shared-key Cisco123

! 2. Phase II
crypto ipsec ikev1 transform-set ABC esp-3des esp-sha-hmac

! 3. ACL
access-list R5 permit ip 10.1.1.0 255.255.255.0 10.5.5.0 255.255.255.0

! 4. Crypto Map
crypto map CMAP 10 match address R5
crypto map CMAP 10 set peer 192.1.25.5
crypto map CMAP 10 set ikev1 transform-set ABC

! 5. Apply
crypto map CMAP interface Outside

*********************************************************
 Lab 9 - LAN-To-LAN - R4-To-ASA (IKEv2) - To the Firewall
*********************************************************

------------
 R4
------------

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR1
 peer ASA
  address 192.1.20.10
  pre-shared-key remote Cisco111
  pre-shared-key local Cisco222

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile I2-PROF
 match identity remote address 192.1.20.10
 authentication local pre-share
 authentication remote pre-share
 keyring local KR1

! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. ACL
access-list 101 permit ip 10.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255

! 4. Crypto Map
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.20.10
 set transform-set ABC
 set ikev2-profile I2-PROF

! 5. Apply Crypto Map to the interface
interface E0/0
 crypto map CMAP

------------
 ASA
------------

! 0. Enable the IKEv2 Service on the Interface
crypto ikev2 enable outside

! 1. Phase I
crypto ikev2 policy 10
 prf md5
 integrity md5
 encryption 3des
 group 2
!
tunnel-group 192.1.24.4 type ipsec-l2l
tunnel-group 192.1.24.4 ipsec-attributes
 ikev2 local-authentication pre-shared-key Cisco111
 ikev2 remote-authentication pre-shared-key Cisco222

! 2. Phase II
crypto ipsec ikev2 ipsec-proposal I2-PROP
 protocol esp encryption 3des
 protocol esp integrity sha-1

! 3. ACL
access-list R4 permit ip 10.1.1.0 255.255.255.0 10.4.4.0 255.255.255.0

! 4. Crypto Map
crypto map CMAP 10 match address R4
crypto map CMAP 10 set peer 192.1.24.4
crypto map CMAP 10 set ikev2 ipsec-proposal I2-PROP

! 5. Apply
crypto map CMAP interface Outside
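A LAN-to-LAN pair such as R1/R2 in Lab 1 only comes up when the two sides agree exactly: the keyring peer address, the IKEv2 identity match and the crypto map peer must be the same address on each router, the asymmetric pre-shared keys must cross over (R1's local key is R2's remote key and vice versa), and the crypto ACLs must be mirror images. The Python script below is an added example and not part of the lab sheet; it embeds the crypto-relevant lines of R1 and R2 from Lab 1 (the `R1`/`R2` strings are copied from the sheet), checks those three conditions, and also lists which of the selected algorithms are legacy (3DES, MD5 and DH groups 2/5 as written in the labs). The two faulty variants, the `LEGACY_*` sets and the function names are constructed for this demonstration; HMAC-SHA-1 is deliberately not flagged.

```python
import re

# Crypto-relevant lines of R1 and R2 from Lab 1 (copied from the lab sheet).
R1 = """
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5
crypto ikev2 keyring KR-R2
 peer R2
  address 192.1.20.2
  pre-shared-key local Cisco111
  pre-shared-key remote Cisco222
crypto ikev2 profile I2-PROF
 match identity remote address 192.1.20.2
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.20.2
"""
R2 = """
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha1
 group 2 5
crypto ikev2 keyring KR-R1
 peer R1
  address 192.1.10.1
  pre-shared-key remote Cisco111
  pre-shared-key local Cisco222
crypto ikev2 profile I2-PROF
 match identity remote address 192.1.10.1
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.10.1
"""

# Constructed faulty variants (not from the lab) to show what the checks catch.
R2_BAD_ACL = R2.replace("10.1.1.0 0.0.0.255", "10.1.0.0 0.0.255.255")
R2_BAD_PSK = R2.replace("pre-shared-key local Cisco222", "pre-shared-key local Cisco333")

# Algorithms commonly treated as legacy in current IPsec guidance (constructed list;
# HMAC-SHA-1 for integrity is left out on purpose).
LEGACY_ALGOS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_DH_GROUPS = {"1", "2", "5"}


def legacy_algorithms(cfg):
    """List legacy choices made by IKEv2 proposals, ISAKMP/IKEv2 policies and transform-sets."""
    found = set()
    for m in re.finditer(r"^[ \t]*(?:encryption|integrity|hash|prf)[ \t]+(.+)$", cfg, re.M):
        found.update(t for t in m.group(1).split() if t in LEGACY_ALGOS)
    for m in re.finditer(r"^[ \t]*group[ \t]+(.+)$", cfg, re.M):
        found.update("group " + g for g in m.group(1).split() if g in LEGACY_DH_GROUPS)
    for m in re.finditer(r"^crypto ipsec transform-set \S+[ \t]+(.+)$", cfg, re.M):
        found.update(t for t in m.group(1).split() if t in LEGACY_ALGOS)
    return sorted(found)


def parse_peer(cfg):
    """Pull the fields that must agree within one side and mirror across the two sides."""
    def first(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    acl = re.search(r"^access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return {
        "keyring_addr": first(r"^[ \t]+address (\S+)[ \t]*$"),  # keyring 'address', not 'match address'
        "identity": first(r"^[ \t]+match identity remote address (\S+)"),
        "map_peer": first(r"^[ \t]+set peer (\S+)"),
        "psk_local": first(r"^[ \t]+pre-shared-key local (\S+)"),
        "psk_remote": first(r"^[ \t]+pre-shared-key remote (\S+)"),
        "acl": ((acl.group(1), acl.group(2)), (acl.group(3), acl.group(4))) if acl else None,
    }


def check_pair(a, b):
    """Return findings for a LAN-to-LAN pair; an empty list means the two sides agree."""
    pa, pb = parse_peer(a), parse_peer(b)
    findings = []
    for name, p in (("A", pa), ("B", pb)):
        if not (p["keyring_addr"] == p["identity"] == p["map_peer"]):
            findings.append(f"{name}: keyring address, IKEv2 identity and crypto map peer differ")
    if pa["psk_local"] != pb["psk_remote"]:
        findings.append("A local PSK != B remote PSK")
    if pa["psk_remote"] != pb["psk_local"]:
        findings.append("A remote PSK != B local PSK")
    # Mirror image: A's (src, dst) must equal B's (dst, src), wildcard masks included.
    if pa["acl"] is None or pb["acl"] is None or pa["acl"] != (pb["acl"][1], pb["acl"][0]):
        findings.append("crypto ACLs are not mirror images")
    return findings


if __name__ == "__main__":
    print("legacy algorithms on R1:", legacy_algorithms(R1))
    for label, other in (("R2", R2), ("R2 with bad ACL", R2_BAD_ACL), ("R2 with bad PSK", R2_BAD_PSK)):
        print(f"R1 vs {label}:", check_pair(R1, other) or "OK")
```

The same `check_pair` applies to Lab 9 if the ASA side is parsed with its own syntax (`ikev2 local-authentication` / `remote-authentication` under the tunnel-group), since the cross-over rule for the two keys is identical there.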
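Labs 6 and 7 differ only in what the ASA in the middle must let through: without NAT-T, IKE on UDP/500 plus ESP itself; with NAT-T, UDP/500 plus UDP/4500, because ESP is then carried inside UDP/4500 (the ACL in Lab 7 names R7's real address, as the sheet does). The Python script below is an added example and not part of the lab sheet; it parses the two ASA access-lists from the sheet and reports which required flow is missing for either kind of peer. `parse_acl`, `required_flows` and `missing_flows` are names chosen here.

```python
import re

# ASA access-lists from Lab 6 (no NAT-T) and Lab 7 (NAT-T), copied from the lab sheet.
LAB6_ACL = """
access-list OUTSIDE permit udp host 192.1.24.4 host 192.1.60.6 eq 500
access-list OUTSIDE permit esp host 192.1.24.4 host 192.1.60.6
"""
LAB7_ACL = """
access-list OUTSIDE permit udp host 192.1.23.3 host 192.168.70.7 eq 500
access-list OUTSIDE permit udp host 192.1.23.3 host 192.168.70.7 eq 4500
"""

# Host-to-host ACEs only; 'extended' is optional and 'eq <port>' is absent for esp.
ACE = re.compile(r"^access-list \S+ (?:extended )?permit (\S+) host (\S+) host (\S+)(?: eq (\d+))?$")


def parse_acl(text):
    """Return the set of permitted (proto, src, dst, port) flows; port is None for esp."""
    entries = set()
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if m:
            proto, src, dst, port = m.groups()
            entries.add((proto, src, dst, int(port) if port else None))
    return entries


def required_flows(initiator, responder, nat_t):
    """Flows the firewall must permit inbound for a tunnel initiated by `initiator`.

    IKE always needs UDP/500. With NAT-T the ESP traffic is UDP-encapsulated on
    UDP/4500; without it, the ESP protocol itself has to pass.
    """
    flows = {("udp", initiator, responder, 500)}
    if nat_t:
        flows.add(("udp", initiator, responder, 4500))
    else:
        flows.add(("esp", initiator, responder, None))
    return flows


def missing_flows(acl_text, initiator, responder, nat_t):
    """Required flows the ACL does not permit; an empty set means the tunnel can come up."""
    return required_flows(initiator, responder, nat_t) - parse_acl(acl_text)


if __name__ == "__main__":
    print("Lab 6, no NAT-T:", missing_flows(LAB6_ACL, "192.1.24.4", "192.1.60.6", nat_t=False) or "OK")
    print("Lab 7, NAT-T:   ", missing_flows(LAB7_ACL, "192.1.23.3", "192.168.70.7", nat_t=True) or "OK")
    # Swapping the two lists shows what breaks when the NAT situation is misjudged.
    print("Lab 6 ACL with a NAT-T peer:", missing_flows(LAB6_ACL, "192.1.24.4", "192.1.60.6", nat_t=True))
    print("Lab 7 ACL without NAT-T:    ", missing_flows(LAB7_ACL, "192.1.23.3", "192.168.70.7", nat_t=False))
```

Return traffic is not modelled because the ASA tracks the UDP/500 and UDP/4500 sessions statefully; only the initiating direction needs an explicit permit, which is why the sheet lists one direction only.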