Cisco ASA 5512-X Adaptive Security Appliance Troubleshooting Guide

Conditions / Environment
Resolution
This can be accomplished in these two ways:
Certificates
The tunnel-group lookup process on the ASA lands each connection on a tunnel group based on a certificate field
presented by the spoke.
no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup
PSKs and Aggressive Mode
Not all users will have a PKI. However, the same can still be accomplished with pre-shared keys by using an
aggressive mode parameter, as described here:
HUB
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map mydyn 10 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic mydyn
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group SPOKE1 type ipsec-l2l
tunnel-group SPOKE1 ipsec-attributes
 pre-shared-key cisco123
tunnel-group SPOKE2 type ipsec-l2l
tunnel-group SPOKE2 ipsec-attributes
 pre-shared-key cisco456
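The lookup that both the certificate and the PSK approach rely on, as an added Python sketch (not Cisco's code and not part of the original guide): a simplified model of the order ou, ike-id, peer-ip, then default group, with certificate map rules left out because the page disables them. The peer addresses and identities are constructed, and treating a main-mode PSK peer as having no usable identity is a modeling assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Order in which the enabled methods are tried. Certificate-map "rules" are
# disabled on this page ("no tunnel-group-map enable rules") and not modeled.
LOOKUP_ORDER = ("ou", "ike-id", "peer-ip")

@dataclass
class Peer:
    peer_ip: str
    cert_ou: Optional[str] = None  # OU of the certificate subject DN, if any
    ike_id: Optional[str] = None   # phase 1 identity usable for the lookup

def select_tunnel_group(peer, tunnel_groups, enabled, default_group):
    """Return (tunnel_group, method) for an incoming L2L peer."""
    keys = {"ou": peer.cert_ou, "ike-id": peer.ike_id, "peer-ip": peer.peer_ip}
    for method in LOOKUP_ORDER:
        key = keys[method]
        if method in enabled and key is not None and key in tunnel_groups:
            return key, method
    return default_group, "default-group"

# Hub settings taken from the page.
TUNNEL_GROUPS = {"SPOKE1", "SPOKE2"}
ENABLED = {"ou", "ike-id", "peer-ip"}
DEFAULT_GROUP = "DefaultRAGroup"

# Constructed peers (documentation addresses, hypothetical identities).
PEERS = {
    "certificate spoke": Peer("198.51.100.10", cert_ou="SPOKE1"),
    "PSK spoke, aggressive mode": Peer("203.0.113.7", ike_id="SPOKE2"),
    # In main mode with a PSK the identity arrives encrypted under a key that
    # depends on the PSK, so it cannot be used to pick the group.
    "PSK spoke, main mode": Peer("203.0.113.8", ike_id=None),
    "unknown peer": Peer("192.0.2.99", ike_id="BRANCH9"),
}

def resolve_all():
    """Resolve every constructed peer against the hub settings."""
    return {name: select_tunnel_group(p, TUNNEL_GROUPS, ENABLED, DEFAULT_GROUP)
            for name, p in PEERS.items()}

if __name__ == "__main__":
    for name, (group, method) in resolve_all().items():
        print(f"{name:28} -> {group} (matched by {method})")
```

The main-mode PSK spoke falls through to DefaultRAGroup because a dynamic address never matches a tunnel-group name, which is why the PSK approach depends on aggressive mode.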