uberhost.blogg.se

Palo alto networks vpn to asa multiple tunnels











This document describes how to configure a Site-to-Site (LAN-to-LAN) IPSec Internet Key Exchange Version 1 (IKEv1) tunnel via the CLI, between a Cisco Adaptive Security Appliance (ASA) and a strongSwan server.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

The information in this document is based on the following versions:

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

This section describes how to complete the ASA and strongSwan configurations.

In this setup, PC1 in LAN-A wants to communicate with PC2 in LAN-B. This traffic needs to be encrypted and sent over an IKEv1 tunnel between the ASA and the strongSwan server. Both peers are going to authenticate each other using a pre-shared key (PSK).

Note: Ensure that there is connectivity to both the internal and external networks, and especially to the remote peer that is used in order to establish a site-to-site VPN tunnel. You can use a ping in order to verify basic connectivity.

ASA Configuration

!Configure the ASA interfaces

!Configure the ACL for the VPN traffic of interest
access-list asa-strongswan-vpn extended permit ip object-group local-network object-group remote-network

!Configure how ASA identifies itself to the peer

crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac

!Configure a crypto map and apply it to outside interface
crypto map outside_map 10 match address asa-strongswan-vpn
crypto map outside_map 10 set peer 12.12.12.12
crypto map outside_map 10 set ikev1 transform-set tset
crypto map outside_map 10 set security-association lifetime seconds 28800

!Configure the Tunnel group (LAN-to-LAN connection profile)
tunnel-group 12.12.12.12 ipsec-attributes

Note: An IKEv1 policy match exists when both of the policies from the two peers contain the same authentication, encryption, hash, and Diffie-Hellman parameter values. For IKEv1, the remote peer policy must also specify a lifetime less than or equal to the lifetime in the policy that the initiator sends. If the lifetimes are not identical, then the ASA uses the shorter lifetime.
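The IKEv1 policy match and lifetime rules from the notes above, modeled as an added Python example that is not part of the original document or of any Cisco or strongSwan code. The class, function and sample policies are constructed for illustration, and the responder walking its own policies in priority order is an assumption.

```python
# Added example: models the IKEv1 policy-match and lifetime rules from the notes.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ikev1Policy:
    priority: int        # assumption: lower number is checked first
    authentication: str  # e.g. "pre-share"
    encryption: str      # e.g. "aes-256"
    hash_alg: str        # e.g. "sha"
    dh_group: int
    lifetime: int        # seconds

    def params(self) -> Tuple[str, str, str, int]:
        # The four values that must be identical on both peers.
        return (self.authentication, self.encryption, self.hash_alg, self.dh_group)


def negotiate(offered: List[Ikev1Policy],
              responder: List[Ikev1Policy]) -> Optional[Tuple[int, int, int]]:
    """Return (offered priority, responder priority, lifetime) or None."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in offered:
            if local.params() != remote.params():
                continue  # authentication, encryption, hash or DH group differs
            if local.lifetime > remote.lifetime:
                continue  # responder lifetime must be <= the initiator's
            # Lifetimes may differ; the shorter one is used.
            return remote.priority, local.priority, min(local.lifetime, remote.lifetime)
    return None  # no policy match: phase 1 cannot complete


# Constructed sample policies (not taken from the page).
OFFER = [Ikev1Policy(10, "pre-share", "aes-256", "sha", 14, 86400)]
PEER_OK = [Ikev1Policy(5, "pre-share", "aes-256", "sha", 5, 86400),    # DH group differs
           Ikev1Policy(10, "pre-share", "aes-256", "sha", 14, 28800)]  # matches
PEER_LONG = [Ikev1Policy(10, "pre-share", "aes-256", "sha", 14, 172800)]  # lifetime too long

if __name__ == "__main__":
    print(negotiate(OFFER, PEER_OK))    # match on responder policy 10
    print(negotiate(OFFER, PEER_LONG))  # None
```

A None result corresponds to the case where the two peers share no acceptable policy, which is the first thing to compare on both sides when phase 1 does not come up.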











