
ASA 5520 Dynamic IPsec LAN-to-LAN VPN (IOS version 8.4(3))


Software version of the ASA 5520:

Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.0(3)

Static site (the site with a fixed public IP):

crypto isakmp policy 5
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp enable outside
tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key cisco123
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map ENCDOM-100-DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
crypto map outside interface outside

Because the static site uses a crypto dynamic-map and relies on the IPsec SA negotiated from the remote peer's proposal to encrypt traffic, it does not need to define interesting traffic (a crypto ACL) of its own;

object network LOCAL_SITE
 subnet 172.26.0.0 255.255.0.0
object network REMOTE_SITE
 subnet 172.20.12.0 255.255.255.0
nat (inside,outside) 1 source static LOCAL_SITE LOCAL_SITE destination static REMOTE_SITE REMOTE_SITE

NAT exemption (identity NAT) in 8.4(3) syntax, so that NAT does not affect the IPsec traffic;

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Dynamic site (the remote site whose public address is assigned dynamically):

crypto isakmp enable outside
tunnel-group 218.6.244.39 type ipsec-l2l
tunnel-group 218.6.244.39 ipsec-attributes
access-list ENCDOM-100 permit ip 172.20.12.0 255.255.255.0 172.26.0.0 255.255.0.0   // define interesting traffic
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 218.6.244.39
crypto map outside 100 set transform-set ESP-AES128-SHA
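The following Python script is an added example, not part of the original post or any Cisco tooling. It embeds the two fragments above as a constructed sample (trimmed to the lines the checker reads) and verifies the things that most often keep such a tunnel from coming up: that the static site's identity NAT mirrors the dynamic site's crypto ACL, that both tunnel-groups carry the same pre-shared key, that every transform-set referenced on a box is also defined there, and it flags DH group 2 and a short key. The `review()` function, its finding texts and the 16-character key threshold are my own choices; the regular expressions also accept the `ikev1` keyword that 8.4 inserts when it rewrites these commands.

```python
import ipaddress
import re

# Constructed sample: the two fragments from the post, trimmed to what is checked
STATIC_SITE = """\
crypto isakmp policy 5
  authentication pre-share
  encryption aes
  hash sha
  group 2
tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key cisco123
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map ENCDOM-100-DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
object network LOCAL_SITE
 subnet 172.26.0.0 255.255.0.0
object network REMOTE_SITE
 subnet 172.20.12.0 255.255.255.0
nat (inside,outside) 1 source static LOCAL_SITE LOCAL_SITE destination static REMOTE_SITE REMOTE_SITE
"""
DYNAMIC_SITE = """\
tunnel-group 218.6.244.39 type ipsec-l2l
tunnel-group 218.6.244.39 ipsec-attributes
access-list ENCDOM-100 permit ip 172.20.12.0 255.255.255.0 172.26.0.0 255.255.0.0
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set transform-set ESP-AES128-SHA
"""

OBJECT = re.compile(r"^object network (\S+)")
SUBNET = re.compile(r"^\s*subnet (\S+) (\S+)")
ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
NAT = re.compile(r"^nat \(\S+\) \d+ source static (\S+) (\S+) destination static (\S+) (\S+)")
TGROUP = re.compile(r"^tunnel-group (\S+) ipsec-attributes")
PSK = re.compile(r"^\s*(?:ikev1 )?pre-shared-key (\S+)")  # 8.4 rewrites to the ikev1 form
TS_DEF = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) ", re.M)
TS_USE = re.compile(r"set (?:ikev1 )?transform-set (\S+)")

def net(addr, mask):
    # ASA writes dotted masks, not wildcards; ipaddress accepts that form directly
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_objects(cfg):
    """Map each 'object network' name to its subnet."""
    objects, current = {}, None
    for line in cfg.splitlines():
        if m := OBJECT.match(line):
            current = m.group(1)
        elif (m := SUBNET.match(line)) and current:
            objects[current] = net(m.group(1), m.group(2))
    return objects

def parse_identity_nat(cfg):
    """(src, dst) pairs of twice-NAT rules that map each object to itself, i.e. NAT exemption."""
    objects = parse_objects(cfg)
    return [(objects[m.group(1)], objects[m.group(3)])
            for m in map(NAT.match, cfg.splitlines())
            if m and m.group(1) == m.group(2) and m.group(3) == m.group(4)]

def parse_crypto_acl(cfg, name):
    """(src, dst) pairs the named crypto ACL marks as interesting traffic."""
    return [(net(m.group(2), m.group(3)), net(m.group(4), m.group(5)))
            for m in map(ACL.match, cfg.splitlines()) if m and m.group(1) == name]

def parse_psks(cfg):
    """Map each tunnel-group name to the pre-shared key under its ipsec-attributes."""
    keys, group = {}, None
    for line in cfg.splitlines():
        if m := TGROUP.match(line):
            group = m.group(1)
        elif (m := PSK.match(line)) and group:
            keys[group] = m.group(1)
    return keys

def review(static_cfg, dynamic_cfg, peer, acl_name):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    # 1. Whatever the dynamic side encrypts must be NAT-exempt, mirrored, on the static side
    exempt = set(parse_identity_nat(static_cfg))
    for src, dst in parse_crypto_acl(dynamic_cfg, acl_name):
        if (dst, src) not in exempt:
            findings.append(f"static site has no identity NAT for {dst} -> {src}")
    # 2. An unknown peer lands in DefaultL2LGroup on the static side, so the keys must agree
    static_key = parse_psks(static_cfg).get("DefaultL2LGroup")
    dynamic_key = parse_psks(dynamic_cfg).get(peer)
    if dynamic_key is None:
        findings.append(f"dynamic site has no pre-shared-key under tunnel-group {peer}")
    elif static_key != dynamic_key:
        findings.append("pre-shared keys differ between the sites")
    if static_key and len(static_key) < 16:  # local policy threshold, not a Cisco rule
        findings.append("pre-shared key is shorter than 16 characters")
    # 3. A transform-set referenced by a crypto map must be defined on the same box
    for label, cfg in (("static", static_cfg), ("dynamic", dynamic_cfg)):
        for name in set(TS_USE.findall(cfg)) - set(TS_DEF.findall(cfg)):
            findings.append(f"{label} site references undefined transform-set {name}")
    # 4. DH group 2 is 1024-bit MODP
    if re.search(r"^\s*group 2\s*$", static_cfg, re.M):
        findings.append("ISAKMP policy uses DH group 2 (1024-bit); prefer group 14 or higher")
    return findings

if __name__ == "__main__":
    for finding in review(STATIC_SITE, DYNAMIC_SITE, "218.6.244.39", "ENCDOM-100"):
        print("-", finding)
```

Run against the fragments as posted, the NAT mirror check passes, but the script reports that the dynamic fragment carries no pre-shared key under its tunnel-group and no transform-set definition, both of which the remote box needs before the tunnel will negotiate; the sample key and DH group 2 are flagged as well.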

IKEv1 feature configuration:

crypto isakmp disconnect-notify

Meaning of this command:

Remote access or LAN-to-LAN sessions can drop for several reasons, such as an ASA shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.

crypto isakmp reload-wait

You can schedule an ASA reboot to occur only when all active sessions have terminated voluntarily. This feature is disabled by default.

Corrections and criticism are welcome!
