Troubleshooting Guide for Cisco ASA 5505 Adaptive Security Appliance

 match certificate certmap
 identity local dn
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint ec_ca
 virtual-template 1
Configure IPSec transform set to use Galois Counter Mode (GCM).
crypto ipsec transform-set ESP_GCM esp-gcm
 mode transport
Configure the IPSec profile with the parameters previously configured.
crypto ipsec profile default
 set transform-set ESP_GCM
 set pfs group19
 set ikev2-profile default
Configure the tunnel interface:
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
Here is the interface configuration:
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 172.16.10.1 255.255.255.0
ASA
Use this interface configuration:
interface GigabitEthernet3/0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet3/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
Enter this access list command in order to define the traffic to be encrypted:
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
Enter this IPSec proposal command with NGE:
crypto ipsec ikev2 ipsec-proposal prop1
 protocol esp encryption aes-gcm
 protocol esp integrity null
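The following check is an added example, not part of the original Cisco document: it audits the ASA lines above for a crypto ACL that matches the inside network and the router LAN, and for an AES-GCM proposal paired with integrity null. The names `audit`, `network`, `ASA_CONFIG` and `ROUTER_LAN` are hypothetical, and the sample configuration is constructed from the values on this page with ASCII hyphens.

```python
import ipaddress
import re

# Constructed sample: the ASA lines from this page, typed with ASCII hyphens.
ASA_CONFIG = """\
interface GigabitEthernet3/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal prop1
 protocol esp encryption aes-gcm
 protocol esp integrity null
"""
ROUTER_LAN = "172.16.10.1 255.255.255.0"  # router GigabitEthernet0/1 on this page


def network(addr, mask):
    """Network containing addr, given a dotted-decimal mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit(config, router_lan=ROUTER_LAN):
    """Hypothetical helper: return findings; an empty list means all checks passed."""
    findings = []
    # Text copied from rendered documents can carry U+2212 in place of '-'.
    if "\u2212" in config:
        findings.append("U+2212 minus sign found where a hyphen is expected")
        config = config.replace("\u2212", "-")
    inside = re.search(r"nameif inside\n(?:.*\n)*?\s*ip address (\S+) (\S+)", config)
    acl = re.search(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", config)
    if not (inside and acl):
        findings.append("inside interface or crypto ACL not found")
    else:
        # The crypto ACL must name the local LAN first and the peer LAN second.
        if network(acl[1], acl[2]) != network(*inside.groups()):
            findings.append("ACL source is not the inside network")
        if network(acl[3], acl[4]) != network(*router_lan.split()):
            findings.append("ACL destination is not the router LAN")
    enc = re.search(r"protocol esp encryption (.+)", config)
    integ = re.search(r"protocol esp integrity (.+)", config)
    if not enc or "aes-gcm" not in enc[1]:
        findings.append("IPsec proposal does not use AES-GCM")
    elif not integ or integ[1].strip() != "null":
        # GCM authenticates the packet itself, so no separate ESP integrity is set.
        findings.append("AES-GCM proposal must use integrity null")
    return findings
```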
Crypto map commands:
crypto map mymap 10 match address 100