ipsec vpn tunnel…

[image: asa_vpn_topo]

before traffic, no security association…

[image: asa_vpn_tun_before_traffic]

host1 pings host2, notice the delay

[image: host1_ping_success]

asa1 is the initiator…

[image: asa1_sa_good]

asa2 is the responder…

[image: asa2_sa_good]

the capture…

[image: asa_vpn_isakmp]

the config… reverse as needed on the other end…

!asa1 vpn commands

!enable isakmp

crypto isakmp enable outside

!acl

access-list outside-crypto permit ip object inside-net object remote-net

!tunnel group

tunnel-group 22.1.1.1 type ipsec-l2l
tunnel-group 22.1.1.1 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 10 retry 2

!phase 1 (key exchange)

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 3600

!phase 2 (tunnel setup)

crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map CMAP 1 match address outside-crypto
crypto map CMAP 1 set pfs group1
crypto map CMAP 1 set peer 22.1.1.1
crypto map CMAP 1 set transform-set TS

crypto map CMAP interface outside

!NAT (no nat)

nat (inside,outside) 1 source static inside-net inside-net destination static remote-net remote-net
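
the lab config above uses 3des, dh group 2, pfs group1 and the key "cisco". the script below is an added example (not part of the original config or any cisco tool) that audits those crypto lines before they get reused outside a lab. the weak-value lists, the common-key list and the 16-character minimum key length are assumptions of this example.

```python
import re

# Constructed input: the crypto-relevant asa1 lines from the config above.
ASA1_CONFIG = """\
tunnel-group 22.1.1.1 ipsec-attributes
 pre-shared-key cisco
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map CMAP 1 set pfs group1
"""

# Assumed audit policy (this example's choice, not from the page).
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_DH = {"1", "2", "5"}
COMMON_KEYS = {"cisco", "password", "test", "vpn"}
MIN_PSK_LEN = 16

# (check name, pattern capturing the value, set of weak values)
CHECKS = [
    ("phase1-cipher", r"crypto isakmp policy \d+ encr\w* (\S+)", WEAK_CIPHERS),
    ("phase1-hash", r"crypto isakmp policy \d+ hash (\S+)", WEAK_HASHES),
    ("phase1-dh", r"crypto isakmp policy \d+ group (\d+)", WEAK_DH),
    ("phase2-pfs", r"crypto map \S+ \d+ set pfs group(\d+)", WEAK_DH),
]

def audit(config):
    """Return (line_no, check, detail) for every weak setting found."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for name, pattern, weak in CHECKS:
            m = re.fullmatch(pattern, line, re.I)
            if m and m.group(1).lower() in weak:
                findings.append((no, name, m.group(1).lower()))
        m = re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line, re.I)
        for token in (m.group(1).lower().split() if m else []):
            algo = re.sub(r"^esp-|-hmac$", "", token)  # esp-sha-hmac -> sha
            if algo in WEAK_CIPHERS | WEAK_HASHES:
                findings.append((no, "phase2-transform", algo))
        m = re.fullmatch(r"pre-shared-key (\S+)", line, re.I)
        # A displayed config may mask the key as asterisks: it cannot be judged.
        if m and set(m.group(1)) != {"*"}:
            if m.group(1).lower() in COMMON_KEYS or len(m.group(1)) < MIN_PSK_LEN:
                findings.append((no, "psk", "short or common key"))
    return findings
```
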