Legacy L2L on Routers IKEv1

1. crypto isakmp policy
2. crypto isakmp key or crypto keyring (if a keyring is used, call the keyring from an isakmp profile)
3. crypto ipsec transform-set
4. interesting traffic access-list
5. crypto map (you will call three parameters: interesting traffic, peer, transform-set, plus the isakmp-profile if the keyring method was used)
6. apply crypto map to interface
7. check routing (routing should be present for the peer address and for the interesting traffic)
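A worked IOS configuration for the seven steps above, added here as an illustration (it is not part of the original notes). It uses the keyring plus isakmp-profile variant of step 2; the addresses (outside 198.51.100.1/30 with ISP next hop 198.51.100.2, peer 203.0.113.2, LANs 10.1.1.0/24 and 10.2.2.0/24) and the pre-shared key are constructed placeholders, and the syntax is IOS 15.x.

```cisco
! Constructed example: all addresses and the PSK are placeholders
! Step 1: phase 1 (ISAKMP) policy
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Step 2: keyring method; the keyring is called from an isakmp profile
crypto keyring KR-L2L
 pre-shared-key address 203.0.113.2 key REPLACE-WITH-STRONG-PSK
crypto isakmp profile PROF-L2L
 keyring KR-L2L
 match identity address 203.0.113.2 255.255.255.255
! Step 3: phase 2 transform-set
crypto ipsec transform-set TS-L2L esp-aes 256 esp-sha256-hmac
 mode tunnel
! Step 4: interesting traffic, local LAN to remote LAN
ip access-list extended ACL-L2L-INTERESTING
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Step 5: crypto map calls interesting traffic, peer, transform-set and the profile
crypto map CM-L2L 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-L2L
 set isakmp-profile PROF-L2L
 match address ACL-L2L-INTERESTING
! Step 6: apply the crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map CM-L2L
! Step 7: the peer is reached through the default route, and the interesting
! traffic must also leave via the crypto-mapped interface
ip route 0.0.0.0 0.0.0.0 198.51.100.2
ip route 10.2.2.0 255.255.255.0 198.51.100.2
```

After sending traffic that matches the ACL, `show crypto isakmp sa` should list the peer in QM_IDLE and the encaps/decaps counters in `show crypto ipsec sa` should increase.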

Legacy L2L on ASA version 8.2 IKEv1

1. crypto isakmp policy and enable isakmp on the outside interface
2. tunnel-group of type l2l, and tunnel-group ipsec-attributes to define the phase 1 key
3. crypto ipsec transform-set
4. interesting traffic access-list
5. crypto map (you will call three parameters: interesting traffic, peer, transform-set)
6. apply crypto map to interface
7. check routing (routing should be present for the peer address and for the interesting traffic)
8. ensure sysopt is enabled
9. ensure NAT is not happening for the interesting traffic

Legacy L2L on ASA version 8.6/8.4 IKEv1

1. crypto ikev1 policy and enable ikev1 on the outside interface
2. tunnel-group of type l2l, and tunnel-group ipsec-attributes to define the phase 1 key using the ikev1 pre-shared-key command
3. crypto ipsec transform-set using the crypto ipsec ikev1 transform-set command
4. interesting traffic access-list
5. crypto map (you will call three parameters: interesting traffic, peer, ikev1 transform-set)
6. apply crypto map to interface
7. check routing (routing should be present for the peer address and for the interesting traffic)
8. ensure sysopt is enabled
9. ensure NAT is not happening for the interesting traffic
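A worked ASA 8.4 IKEv1 configuration covering steps 1 to 9 of this section (the 8.2 section above differs only in the command names noted in the comments). This is an added example, not part of the original notes; the peer 203.0.113.2, the ISP next hop 198.51.100.2, the LANs 10.1.1.0/24 and 10.2.2.0/24, the object and map names, and the pre-shared key are constructed placeholders.

```cisco
! Constructed example for ASA 8.4: addresses, names and the PSK are placeholders
! Step 1: IKEv1 policy and enable IKEv1 on outside
! (8.2: crypto isakmp policy / crypto isakmp enable outside)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
! Step 2: L2L tunnel-group named after the peer address; the PSK lives under ipsec-attributes
! (8.2: plain "pre-shared-key" instead of "ikev1 pre-shared-key")
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
! Step 3: IKEv1 transform-set (8.2: crypto ipsec transform-set)
crypto ipsec ikev1 transform-set TS-L2L esp-aes-256 esp-sha-hmac
! Step 4: interesting traffic; network objects are reused by the NAT exemption below
object network NET-LOCAL
 subnet 10.1.1.0 255.255.255.0
object network NET-REMOTE
 subnet 10.2.2.0 255.255.255.0
access-list ACL-L2L extended permit ip object NET-LOCAL object NET-REMOTE
! Step 5: crypto map with the three parameters (8.2: set transform-set)
crypto map CM-OUTSIDE 10 match address ACL-L2L
crypto map CM-OUTSIDE 10 set peer 203.0.113.2
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-L2L
! Step 6: apply the crypto map to the outside interface
crypto map CM-OUTSIDE interface outside
! Step 7: route for the peer (default) and for the interesting traffic
route outside 0.0.0.0 0.0.0.0 198.51.100.2 1
route outside 10.2.2.0 255.255.255.0 198.51.100.2 1
! Step 8: decrypted VPN traffic bypasses the interface ACLs
sysopt connection permit-vpn
! Step 9: identity (twice) NAT so the interesting traffic is not translated
! before encryption (8.2: nat (inside) 0 access-list <nonat-acl>)
nat (inside,outside) source static NET-LOCAL NET-LOCAL destination static NET-REMOTE NET-REMOTE no-proxy-arp route-lookup
```

`show crypto ikev1 sa` and `show crypto ipsec sa` confirm both phases; if phase 2 is up but traffic fails, `packet-tracer input inside tcp 10.1.1.10 1024 10.2.2.10 80` shows whether a NAT rule or the interface ACL is the cause.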

Legacy L2L on Routers IKEv1 with ASA version 8.2 in the middle

1. crypto isakmp policy
2. crypto isakmp key or crypto keyring (if a keyring is used, call the keyring from an isakmp profile)
3. crypto ipsec transform-set
4. interesting traffic access-list
5. crypto map (you will call three parameters: interesting traffic, peer, transform-set, plus the isakmp-profile if the keyring method was used)
6. apply crypto map to interface
7. check routing (routing should be present for the peer address and for the interesting traffic)
8. if NAT is configured or nat-control is configured, and the requirement does not require the peer to be NATed, then statically (self) translate the peer address on the ASA and permit udp port 500 and esp
9. if NAT is configured or nat-control is configured, and the requirement says the peer should be translated, then permit udp 4500 and esp

Legacy L2L on Routers IKEv1 with ASA version 8.6/8.4 in the middle

1. crypto isakmp policy
2. crypto isakmp key or crypto keyring (if a keyring is used, call the keyring from an isakmp profile)
3. crypto ipsec transform-set
4. interesting traffic access-list
5. crypto map (you will call three parameters: interesting traffic, peer, transform-set, plus the isakmp-profile if the keyring method was used)
6. apply crypto map to interface
7. check routing (routing should be present for the peer address and for the interesting traffic)
8. if NAT is configured in some earlier task and the requirement does not require the peer to be NATed, then statically (self) translate the peer address on the ASA and permit udp port 500 and esp
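The ASA-in-the-middle part (step 8 here and steps 8 and 9 of the 8.2 section above) as a worked ASA 8.4 configuration, added as an illustration rather than taken from the notes. It assumes a VPN router R1 at 10.0.0.1 behind the ASA that must keep a fixed public identity; the mapped address 198.51.100.10, the remote peer 203.0.113.2 and the object and ACL names are constructed placeholders.

```cisco
! Constructed example: R1 (10.0.0.1, inside) peers with 203.0.113.2 through this ASA
! Requirement: R1 is NOT to be NATed to a shared address, so it gets a one-to-one
! static translation and keeps a stable IKE identity (no NAT-T needed)
! (8.2 equivalent: static (inside,outside) 198.51.100.10 10.0.0.1 netmask 255.255.255.255)
object network R1-VPN-ROUTER
 host 10.0.0.1
 nat (inside,outside) static 198.51.100.10
! Only IKE (udp/500) and ESP from the remote peer are allowed in to R1.
! On 8.3+ the interface ACL matches the REAL address (10.0.0.1); on 8.2 it
! would have to reference the mapped address 198.51.100.10 instead.
access-list OUTSIDE-IN extended permit udp host 203.0.113.2 host 10.0.0.1 eq isakmp
access-list OUTSIDE-IN extended permit esp host 203.0.113.2 host 10.0.0.1
access-group OUTSIDE-IN in interface outside
! If the requirement instead allows R1 to be translated (PAT), the peers fall back
! to NAT-T and the inbound permit is udp/4500 and esp, as in step 9 of the 8.2 list
```

`show xlate` should show the static entry for 10.0.0.1, and `show conn` should show a udp/500 connection followed by an esp connection once R1 brings the tunnel up.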

Legacy L2L on Routers IKEv2 with ASA version 8.6/8.4/8.2 in the middle

1. crypto ikev2 proposal (optional, as a default exists)
2. crypto ikev2 policy which calls the proposal (optional, as a default exists)
3. crypto ikev2 keyring (compulsory)
4. crypto ikev2 profile (compulsory; it should have a match identity, authentication and keyring)
5. crypto ipsec transform-set (optional)
6. interesting traffic access-list (compulsory)
7. crypto map (compulsory; you will call three parameters: interesting traffic, peer, transform-set, and the ikev2 profile)
8. apply crypto map to interface
9. check routing (routing should be present for the peer address and for the interesting traffic)
10. if NAT is configured in some earlier task and the requirement does not require the peer to be NATed, then statically (self) translate the peer address on the ASA and permit udp port 500 and esp
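A worked IOS IKEv2 crypto-map configuration for steps 1 to 9 above, written with the optional proposal and policy made explicit. It is an added example, not part of the original notes; the peer 203.0.113.2, the outside address 198.51.100.1/30 with next hop 198.51.100.2, the LANs 10.1.1.0/24 and 10.2.2.0/24, the names and the pre-shared key are constructed placeholders.

```cisco
! Constructed example: addresses, names and the PSK are placeholders
! Steps 1-2 (optional): explicit IKEv2 proposal and the policy that calls it
crypto ikev2 proposal PROP-L2L
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-L2L
 proposal PROP-L2L
! Step 3 (compulsory): keyring holding the peer's pre-shared key
crypto ikev2 keyring KR-IKEV2
 peer ASA-SITE
  address 203.0.113.2
  pre-shared-key REPLACE-WITH-STRONG-PSK
! Step 4 (compulsory): profile with match identity, both authentication
! directions and the keyring; without all three the profile is incomplete
crypto ikev2 profile PROF-IKEV2
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-IKEV2
! Step 5 (optional): transform-set
crypto ipsec transform-set TS-L2L esp-aes 256 esp-sha256-hmac
 mode tunnel
! Step 6 (compulsory): interesting traffic
ip access-list extended ACL-L2L-INTERESTING
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Step 7 (compulsory): crypto map calls interesting traffic, peer,
! transform-set and the IKEv2 profile
crypto map CM-L2L 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-L2L
 set ikev2-profile PROF-IKEV2
 match address ACL-L2L-INTERESTING
! Step 8: apply to the outside interface
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map CM-L2L
! Step 9: route for the peer (default) and for the interesting traffic
ip route 0.0.0.0 0.0.0.0 198.51.100.2
ip route 10.2.2.0 255.255.255.0 198.51.100.2
```

`show crypto ikev2 sa` should show the peer in READY state; a mismatch in step 4 (wrong match identity or a missing authentication line) is the usual cause when it does not.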

Legacy L2L on ASA version 8.6/8.4 IKEv2

1. crypto ikev2 policy and crypto ikev2 enable outside
2. tunnel-group of type l2l, and tunnel-group ipsec-attributes to define the phase 1 key using the ikev2 local and remote pre-shared-key commands
3. crypto ipsec transform-set using the crypto ipsec ikev2 ipsec-proposal command
4. interesting traffic access-list
5. crypto map (you will call three parameters: interesting traffic, peer, ikev2 ipsec-proposal)
6. apply crypto map to interface
7. check routing (routing should be present for the peer address and for the interesting traffic)
8. ensure sysopt is enabled
9. ensure NAT is not happening for the interesting traffic

EASY VPN IKEv1 on Routers using legacy method

1. aaa new-model, aaa authentication, aaa authorization and username
2. local pool
3. interesting traffic, which will be reversed (use an extended ACL)
4. crypto isakmp policy
5. phase 1.5 (call key, pool, acl)
6. phase 2
7. dynamic map (phase 2 and reverse-route)
8. crypto map calls the dynamic map
9. crypto map authentication list
10. crypto map authorization list
11. crypto map address respond
12. apply to interface
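A worked IOS configuration for the twelve Easy VPN server steps above, added as an illustration (not part of the original notes). The user name, group name, group key, pool range 10.10.10.1-50 and protected LAN 10.1.1.0/24 are constructed placeholders; the split-tunnel ACL is "reversed" in the sense that its source is the LAN behind the server, which is what gets pushed to clients.

```cisco
! Constructed example: names, key, pool and LAN are placeholders
! Step 1: AAA for xauth (authentication) and group policy (authorization), local user
aaa new-model
aaa authentication login EZVPN-AUTHEN local
aaa authorization network EZVPN-AUTHOR local
username vpnuser secret REPLACE-WITH-USER-PASSWORD
! Step 2: address pool handed to clients
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
! Step 3: split-tunnel ACL from the server's point of view (source = protected LAN)
ip access-list extended EZVPN-SPLIT
 permit ip 10.1.1.0 0.0.0.255 any
! Step 4: phase 1 policy; group 2 is what the legacy client negotiates
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Step 5: phase 1.5 (mode config) group with key, pool and acl
crypto isakmp client configuration group EZVPN-GROUP
 key REPLACE-WITH-GROUP-KEY
 pool EZVPN-POOL
 acl EZVPN-SPLIT
! Step 6: phase 2 transform-set
crypto ipsec transform-set TS-EZVPN esp-aes esp-sha-hmac
! Step 7: dynamic map with phase 2 and reverse-route injection for the client addresses
crypto dynamic-map DYN-EZVPN 10
 set transform-set TS-EZVPN
 reverse-route
! Steps 8-11: crypto map calls the dynamic map, the AAA lists and address respond
crypto map CM-EZVPN client authentication list EZVPN-AUTHEN
crypto map CM-EZVPN isakmp authorization list EZVPN-AUTHOR
crypto map CM-EZVPN client configuration address respond
crypto map CM-EZVPN 10 ipsec-isakmp dynamic DYN-EZVPN
! Step 12: apply to the outside interface
interface GigabitEthernet0/0
 crypto map CM-EZVPN
```

`show crypto session` lists each connected client, and `show ip route` should show a /32 for each assigned pool address once reverse-route has injected it.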
