We have a VPN tunnel with a customer. They sent us their side's VPN configuration, and I am trying to put this configuration into my Cisco 5585 (version 9.x), but it lacks the crypto keyring command.
Customer configuration (remote side):
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 1
!
!
crypto keyring 1
pre-shared-key address x.x.x.x key xusbqVUWBKQbbksbGFVVWUHBkiiy829jkh
!
crypto isakmp profile 1
keyring 1
self-identity address X.X.X.X
match identity address X.X.X.X
no initiate mode
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
!
crypto map 1 1 ipsec-isakmp
set peer X.X.X.X
set transform-set TSET
set isakmp-profile 1
match address 101
set pfs l
We have many other tunnels, all of which use IKEv1, and we also have tunnel-groups; I also want to know why the configuration above has no tunnel-group.
Posted on 2017-12-22 18:09:46
The configuration from the customer is a Cisco IOS crypto configuration for a Cisco router; it is not interchangeable with Cisco ASA software.
You will need to take the relevant parts of that configuration (PSK, peer IP, crypto ACL) and put them into the Cisco ASA's configuration, just like your existing tunnels.
It may look something like the following:
! Substitute in the crypto map entry number as needed for <###>
! Substitute your peer's IP for <##.##.##.##>
object-group network VPN-LOCAL-<###>
network-object <LOCAL Network>
network-object <LOCAL Network>
object-group network VPN-REMOTE-<###>
network-object <REMOTE Network>
network-object <REMOTE Network>
access-list <###> permit ip object-group VPN-LOCAL-<###> object-group VPN-REMOTE-<###>
nat (any,OUTSIDE) source static VPN-LOCAL-<###> VPN-LOCAL-<###> destination static VPN-REMOTE-<###> VPN-REMOTE-<###>
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map <your crypto map name> <###> match address <###>
crypto map <your crypto map name> <###> set peer <##.##.##.##>
crypto map <your crypto map name> <###> set transform-set ESP-3DES-MD5
crypto map <your crypto map name> <###> set pfs group1
crypto map <your crypto map name> interface OUTSIDE
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
! This policy may already be in place on your ASA; it's very common.
crypto ikev1 policy ###
encryption 3des
hash md5
group 1
tunnel-group <##.##.##.##> type ipsec-l2l
tunnel-group <##.##.##.##> ipsec-attributes
ikev1 pre-shared-key <your PSK from the customer config>
https://networkengineering.stackexchange.com/questions/46557
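The answer's manual mapping from the IOS-style configuration to ASA 9.x commands can be mechanised. The following script is an added example, not code from the question, the answer, or Cisco: it parses an IOS crypto configuration of the shape shown in the question (constructed here with RFC 5737 documentation addresses and a placeholder PSK) and renders the ASA equivalent. The crypto map name `OUTSIDE_map`, the interface name `OUTSIDE` and the two networks are assumptions passed as parameters; the existing `crypto map ... interface` and `crypto ikev1 enable` lines are assumed to be present already, as they would be on an ASA that already has IKEv1 tunnels. Because ASA 9.x still accepts 3DES, MD5 and DH group 1 but they are deprecated, the renderer prefixes a warning comment when the customer proposes them, which is the check a practitioner would want before copying the PSK into a tunnel-group.

```python
import re
from dataclasses import dataclass

# Constructed sample input, same shape as the customer's config in the question.
# 198.51.100.20 = customer router, 203.0.113.10 = our ASA; PSK is a placeholder.
CUSTOMER_IOS_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
!
crypto keyring 1
  pre-shared-key address 203.0.113.10 key EXAMPLE-PSK-PLACEHOLDER
!
crypto isakmp profile 1
   keyring 1
   self-identity address 198.51.100.20
   match identity address 203.0.113.10
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto map 1 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TSET
 match address 101
 set pfs group1
"""

# Still accepted by ASA 9.x, but deprecated; flagged in the rendered output.
DEPRECATED = {"des", "3des", "md5", "group1", "group2"}


@dataclass
class IosVpnParams:
    encryption: str = ""     # phase 1 cipher in ASA spelling (e.g. "aes-256")
    hash: str = ""           # phase 1 hash
    group: str = ""          # phase 1 DH group number
    psk: str = ""            # pre-shared key taken from the keyring
    peer_ip: str = ""        # customer's self-identity = the ASA's peer
    transform_set: str = ""  # phase 2 transforms, e.g. "esp-3des esp-md5-hmac"
    pfs: str = ""            # phase 2 PFS group, e.g. "group1"


def parse_ios_crypto(text: str) -> IosVpnParams:
    """Extract the tunnel parameters from an IOS crypto configuration."""
    p = IosVpnParams()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("crypto "):          # start of a new config block
            section = line
            m = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
            if m:
                p.transform_set = m.group(1)
            continue
        words = line.split()
        if section.startswith("crypto isakmp policy"):
            if words[0] == "encryption":
                p.encryption = "-".join(words[1:])   # IOS "aes 256" -> ASA "aes-256"
            elif words[0] == "hash":
                p.hash = words[1]
            elif words[0] == "group":
                p.group = words[1]
        elif section.startswith("crypto keyring"):
            m = re.match(r"pre-shared-key address \S+ key (\S+)", line)
            if m:
                p.psk = m.group(1)
        elif section.startswith("crypto isakmp profile"):
            if words[:2] == ["self-identity", "address"]:
                p.peer_ip = words[2]
        elif section.startswith("crypto map"):
            if words[:2] == ["set", "pfs"]:
                p.pfs = words[2]
    missing = [name for name, value in vars(p).items() if not value]
    if missing:   # refuse to emit a half-built tunnel definition
        raise ValueError("customer config is missing: " + ", ".join(missing))
    return p


def render_asa_config(p: IosVpnParams, seq: int, crypto_map="OUTSIDE_map",
                      interface="OUTSIDE", local_net="10.0.0.0 255.255.255.0",
                      remote_net="10.1.0.0 255.255.255.0") -> str:
    """Render ASA 9.x commands; map/interface/network names are assumptions."""
    weak = sorted({a for a in (p.encryption, p.hash, "group" + p.group, p.pfs)
                   if a in DEPRECATED})
    lines = ["! WARNING: peer proposes deprecated algorithms: " + ", ".join(weak)] if weak else []
    lines += [
        f"object-group network VPN-LOCAL-{seq}", f" network-object {local_net}",
        f"object-group network VPN-REMOTE-{seq}", f" network-object {remote_net}",
        f"access-list VPN-{seq} extended permit ip object-group VPN-LOCAL-{seq} object-group VPN-REMOTE-{seq}",
        f"nat (any,{interface}) source static VPN-LOCAL-{seq} VPN-LOCAL-{seq} "
        f"destination static VPN-REMOTE-{seq} VPN-REMOTE-{seq}",
        f"crypto ipsec ikev1 transform-set TS-{seq} {p.transform_set}",
        f"crypto map {crypto_map} {seq} match address VPN-{seq}",
        f"crypto map {crypto_map} {seq} set peer {p.peer_ip}",
        f"crypto map {crypto_map} {seq} set ikev1 transform-set TS-{seq}",
        f"crypto map {crypto_map} {seq} set pfs {p.pfs}",
        f"crypto ikev1 policy {seq}", " authentication pre-share",
        f" encryption {p.encryption}", f" hash {p.hash}", f" group {p.group}",
        f"tunnel-group {p.peer_ip} type ipsec-l2l",
        f"tunnel-group {p.peer_ip} ipsec-attributes",
        f" ikev1 pre-shared-key {p.psk}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_asa_config(parse_ios_crypto(CUSTOMER_IOS_CONFIG), seq=10))
```

The peer address comes from the customer's `self-identity address`, not from their `set peer` line (which is the ASA's own address), and the IOS `crypto isakmp profile` and `keyring` collapse into the ASA `tunnel-group`, which is why the customer's configuration shows no tunnel-group at all.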