Cisco ASA 5555-X Adaptive Security Appliance Troubleshooting Guide
match certificate certmap
identity local dn
authentication remote ecdsa-sig
authentication local ecdsa-sig
pki trustpoint ec_ca
virtual-template 1
Configure the IPSec transform set to use Galois/Counter Mode (GCM):
crypto ipsec transform-set ESP_GCM esp-gcm
mode transport
Configure the IPSec profile with the parameters previously configured.
crypto ipsec profile default
set transform-set ESP_GCM
set pfs group19
set ikev2-profile default
Configure the tunnel interface:
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
Here is the interface configuration:
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1
ip address 172.16.10.1 255.255.255.0
ASA
Use this interface configuration:
interface GigabitEthernet3/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet3/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
Enter this access list command in order to define the traffic to be encrypted:
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
Enter this IPSec proposal command with NGE:
crypto ipsec ikev2 ipsec-proposal prop1
protocol esp encryption aes-gcm
protocol esp integrity null
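As an added check that is not part of the Cisco guide, this Python script parses IOS and ASA IPsec fragments like the ones above and flags settings that fall short of NGE: a non-GCM ESP transform set, an ASA proposal that pairs GCM with a separate integrity algorithm, a PFS group that is not ECDH, and IKEv2 authentication other than ecdsa-sig. The sample configs and the set of PFS groups accepted as NGE-grade are assumptions constructed for this example.

```python
# Constructed samples mirroring the IOS and ASA fragments above; not device captures.
IOS_CONFIG = """\
crypto ikev2 profile default
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
crypto ipsec transform-set ESP_GCM esp-gcm
crypto ipsec profile default
 set transform-set ESP_GCM
 set pfs group19
"""
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal prop1
 protocol esp encryption aes-gcm
 protocol esp integrity null
"""
NGE_PFS_GROUPS = {"group19", "group20", "group21"}  # assumption: ECDH groups count as NGE PFS

def parse_blocks(config):
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_nge(config):
    findings = []
    for parent, children in parse_blocks(config).items():
        if parent.startswith("crypto ipsec transform-set"):
            # IOS puts the transforms on the parent line: "... ESP_GCM esp-gcm"
            if not any(t.startswith("esp-gcm") for t in parent.split()[4:]):
                findings.append(f"{parent}: encryption is not AES-GCM")
        elif parent.startswith("crypto ipsec ikev2 ipsec-proposal"):
            # ASA splits encryption and integrity into child lines; GCM needs no HMAC
            gcm = any("encryption" in c and "aes-gcm" in c for c in children)
            hmac = any("integrity" in c and not c.endswith(" null") for c in children)
            if not gcm or hmac:
                findings.append(f"{parent}: expected aes-gcm with integrity null")
        elif parent.startswith("crypto ipsec profile"):
            pfs = [c.split()[-1] for c in children if c.startswith("set pfs")]
            if not pfs or pfs[0] not in NGE_PFS_GROUPS:
                findings.append(f"{parent}: PFS missing or not an ECDH group")
        elif parent.startswith("crypto ikev2 profile"):
            for c in children:
                if c.startswith("authentication") and not c.endswith("ecdsa-sig"):
                    findings.append(f"{parent}: {c} (expected ecdsa-sig)")
    return findings
```

Running audit_nge over a saved running-config fragment returns an empty list when every block matches the NGE settings shown on this page.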
Crypto map commands:
crypto map mymap 10 match address 100