Cisco ASA Site To Site VPN IKEv2 “Using CLI”

KB ID 0001429


You want a secure IPSEC VPN between two sites using IKEv2.

Note: If the device you are connecting to does not support IKEv2 (i.e. its not a Cisco ASA, or it’s running code older than 8.4) then you need to go to the older version of this article;

Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI)

Site to Site VPN


Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP IKEv2 on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto ” command and check the results, if you do NOT see  “crypto ikev2 enable outside” then you need to issue that command.

PetesASA# show run crypto
crypto ikev2 enable outside << Mines already enabled and its IKE version 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

1. I’m going to create access control lists next, one to tell the ASA what is “Interesting traffic”, that’s traffic that it needs to encrypt.

So below I’m saying “Don’t NAT Traffic from the network behind the ASA ( that’s going to network behind the VPN device at the other end of the tunnel (

PetesASA(config)#object network Site-A-SN
PetesASA(config)#object network Site-B-SN
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit 
ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN 
destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

PetesASA(config)# tunnel-group type ipsec-l2l
PetesASA(config)# tunnel-group ipsec-attributes
PetesASA(config-tunnel-ipsec)# pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# local-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

3. Now we need to create a policy that will setup how “Phase 1” of the VPN tunnel will be established. It sets the encryption type (AES-256), the hashing/integrity algorithm (SHA-256), The Diffie Hellman group exchange version, and the Level of PRF (Pseudo Random Function). Finally it sets the timeout before phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (That’s 1440 Minutes – or 24 hours if your still confused 🙂 ).

PetesASA(config)# crypto ikev2 policy 10
PetesASA(config-ikev1-policy)# encryption aes-256
PetesASA(config-ikev1-policy)# integrity sha256
PetesASA(config-ikev1-policy)# group 19
PetesASA(config-ikev1-policy)# prf sha256
PetesASA(config-ikev1-policy)# lifetime 86400

4. We stated above that we are going to use AES-256 and SHA-256, for Phase 1, so let’s use the same for the IPSEC proposal (Phase 2), ‘Transform Set’.

PetesASA(config)# crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config-ipsec-proposal)# protocol esp encryption aes-256
PetesASA(config-ipsec-proposal)# protocol esp integrity sha-1

5. Finally we need to create a “Cryptomap”, this is the ‘thing’ that fires up the tunnel, when the ACL INTERESTING TRAFFIC is used, it also defines the transform set for “Phase 2” of the VPN Tunnel, that will also use 3DES and SHA and PFS. And last of all we apply that Cryptomap to the outside interface.

PetesASA(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map CRYPTO-MAP 1 set peer
PetesASA(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config)# crypto map CRYPTO-MAP interface outside

5. Don’t forget to save your hard work with a “write mem” command.

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)

6. Simply configure the other end as a “Mirror Image” of this one.

ASA 5500 Site to Site IKEv2 VPN Copy and Paste Config

Note: This uses AES-256 and SHA-256. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
object network OBJ-SITE-A
object network OBJ-SITE-B

access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside

Simply change the values in red where;

  • is the network behind the ASA you are working on.
  • is the destination network behind the device you are connecting to.
  • is the peer IP address of the device you are attempting to connect to.
  • 1234567 Is the shared secret you will use at both ends.

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. Fantastic article Pete. I love coming here because my name is Pete as well 😉

    note: on step 2, you need to add ‘ikev2’ before the ‘remote-authentication’ and ‘local-authentication’

    a small stumbling block when i used yours as a template, otherwise flawless!

    Thanks for the aticle!

    Post a Reply
  2. Excellent. You are showing routing

    Post a Reply
  3. Hi Pete, great article. Do you know if this configuration can be applied to an ASA that is already serving remote access client VPNs via Cisco AnyConnect? Im worried as some of the configs are already in place and i dont want to add them again causing an outage.

    Post a Reply
    • Yes of course, that will be fine, the only time an ASA has a problem running multiple VPN types is is its at a branch site and running EZVPN.

      Post a Reply
      • Hmm, unfortunately not.

        When you apply the following from your config:

        crypto map CRYPTO-MAP interface outside

        It wipes out the existing crypto map for Anyconnect on the outside interface.

        Post a Reply
        • Anyconenct does not use crypto maps, they are for ISAKMP VPNs? It will replace an existing crpyto map is one exists.

          Post a Reply
          • Hi Pete. You’re correct I’ve solved that issue now, many thanks.

            One last thing I’m having a problem with is pinging. My client devices on the remote end seem to pass most traffic fine with the domain (DNS, HTTPS etc etc) but for some reason I can’t ping over the vpn from LAN to LAN. I’m guessing it’s an issue with ICMP, but I’ve added ICMP within the interesting traffic acl.

            Any ideas?

          • Is ‘inspect icmp’ on the default inspection map?

  4. Hi Pete
    If I dont create a new Group policy when configuring IKEv2 will it drop the exsisting IKEv1 Tunnels,

    also can I just edit IKEv1 crypto maps etc when I want to migrate from IKEv1 to IKEv2.???

    or is it better to start from scratch when migrating to IKEv2 ???


    Post a Reply
  5. Hey Pete, Do you have an example of the config when you have multiple sub nets on both sides? Can we just use object-group for all the lines instead? Would that run into an issue with the Nat statement or ACL?

    Post a Reply
    • That’s a great question! yes you can use object groups and group them together for use in Nat statements, I didn’t like to do this because I originally assumed that either it would be a problem, or hard to troubleshoot, but it works fine 🙂 I’ve done another post on adding a subnet to a VPN somewhere!

      Post a Reply
  6. Hi Pete,

    This is a great article, I’ve just set up a new IKEv2 tunnel and I wanted to query the following line.

    protocol esp integrity sha-1

    In your article you said lets assume for Phase2 we use AES-256 and SHA-256 which was precisely what I was looking to do but only having the “sha-1” option caught me out.

    Will this use SHA-256 or Sha-1 ?

    Post a Reply
    • For Phase it is 🙂 this is for IPSEC (the two tunnels that get created inside the ISAKMP Tunnel) look see…..

      Petes-ASA(config-ipsec-proposal)# protocol esp integrity ?

      ipsec-proposal mode commands/options:
      md5 set hash md5
      null set hash null
      sha-1 set hash sha-1

      are your only options 🙂


      Post a Reply
  7. Hi Pete!

    I created several ikev2 Site2Site tunnels in one of my routers which is supposed to be the central router for a service provider. One of the tunnel survives while the other 2 dont stay up for long. Do you know why this happens?

    Post a Reply
  8. Why use this instead of route based with the tunnel interfaces?

    Post a Reply
    • Because not all versions of ASA support VTI interfaces m8.


      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *