----------------IKEv1---------------------------
NAT configuration omitted
//Define networks
object-group network LOCAL_CMB_***
 network-object 172.29.41.0 255.255.255.0
 network-object 172.29.46.0 255.255.255.0
object-group network REMOTE_CMB_***
 network-object 172.16.20.0 255.255.255.0
//Permit *** traffic
access-list ingate extended permit ip object-group LOCAL_CMB_*** object-group REMOTE_CMB_***
//Define interesting traffic
access-list 111 extended permit ip object-group LOCAL_CMB_*** object-group REMOTE_CMB_***
//Exempt *** traffic from NAT
nat (inside,outside) source static LOCAL_CMB_*** LOCAL_CMB_*** destination static REMOTE_CMB_*** REMOTE_CMB_***
//*** configuration
----IPsec phase 1 configuration
crypto ikev1 policy 100
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 120.133.238.152 type ipsec-l2l
tunnel-group 120.133.238.152 ipsec-attributes
 //sample key as posted; use a long random pre-shared key on a real tunnel
 ikev1 pre-shared-key 123456
----IPsec phase 2 configuration
crypto ipsec ikev1 transform-set CMB-*** esp-3des esp-md5-hmac
----Configure the crypto map
//match the interesting-traffic ACL defined above (111)
crypto map CMB-*** 100 match address 111
crypto map CMB-*** 100 set pfs
crypto map CMB-*** 100 set peer 120.133.238.152
crypto map CMB-*** 100 set ikev1 transform-set CMB-***
crypto map CMB-*** interface outside
crypto ikev1 enable outside
Original: https://blog.51cto.com/13251917/2541559
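
A crypto map only brings the tunnel up when the ACL and transform-set it names are actually defined, so a quick consistency check over the configuration text is worth running before applying it. The following is an added example, not part of the original post: the `lint` function, the `SAMPLE` text and its names (`SITE-A`, `LOCAL_NET`, `REMOTE_NET`) are hypothetical, and the sample carries deliberate mistakes for the check to find.

```python
import re

# Constructed sample in the same layout as the configuration above.
# Names are placeholders; the mismatched references are deliberate.
SAMPLE = """\
access-list 111 extended permit ip object-group LOCAL_NET object-group REMOTE_NET
crypto ikev1 policy 100
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec ikev1 transform-set SITE-A esp-3des esp-md5-hmac
crypto map SITE-A 100 match address 100
crypto map SITE-A 100 set peer 203.0.113.10
crypto map SITE-A 100 set ikev1 transform-set SITE_A
crypto map SITE-A interface outside
crypto ikev1 enable outside
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}  # legacy ESP algorithms


def lint(config):
    """Return findings for dangling crypto-map references and weak settings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    tsets = {}  # transform-set name -> list of ESP algorithms
    for l in lines:
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", l):
            tsets[m.group(1)] = m.group(2).split()
    findings = []
    for l in lines:
        if m := re.match(r"crypto map \S+ \d+ match address (\S+)", l):
            if m.group(1) not in acls:
                findings.append(f"undefined ACL '{m.group(1)}'")
        elif m := re.match(r"crypto map \S+ \d+ set ikev1 transform-set (.+)", l):
            findings += [f"undefined transform-set '{n}'"
                         for n in m.group(1).split() if n not in tsets]
    for name, algos in tsets.items():
        findings += [f"transform-set '{name}' uses {a}" for a in algos if a in WEAK_ESP]
    if any(re.fullmatch(r"group (1|2|5)", l) for l in lines):
        findings.append("IKE policy uses a DH group below 14")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```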