ASA crypto map and tunnel group preshared keys

When configuring a Cisco ASA Site-to-Site IKEv2 IPsec VPN, pre-shared keys can optionally be configured for the crypto map as well as for the tunnel group. For the crypto map, this can be done like so:

ASA1(config)# crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2 ASA1(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2 ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 pre-shared-key Cisco123 ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

The second to last command above sets a pre-shared key of Cisco123 which must be applied on the other end as well.

Similarly, in the tunnel group, a pre-shared key can be applied as well. This can be done like so:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO123 ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO456

In this particular case, this is an asymmetric pre-shared key arrangement, where each end of the tunnel uses a different pre-shared key. The local-authentication pre-shared key must match the remote-authentication pre-shared key of the device on the other end of the tunnel, and visa versa.

https://networklessons.com/cisco/asa-firewall/cisco-asa-site-site-ikev2-ipsec-vpn/

Links to this page: