IKEv2 Site to Site VPN Tunnel on ASA

Network Diagram

Site-A ASA Configuration

object-group network Site-A-Subnets 

object-group network Site-B-Subnets

access-list S2S-VPN-ACL extended permit ip object-group Site-A-Subnets object-group Site-B-Subnets

nat (inside,outside) source static Site-A-Subnets Site-A-Subnets destination static Site-B-Subnets Site-B-Subnets no-proxy-arp route-lookup description VPN NAT EXEMPTION

group-policy GroupPolicy_ikev2 internal
group-policy GroupPolicy_ikev2 attributes
   vpn-tunnel-protocol ikev2

tunnel-group type ipsec-l2l
tunnel-group general-attributes
   default-group-policy GroupPolicy_ikev2
tunnel-group ipsec-attributes
   pre-shared-key 123456
   ikev2 remote-authentication pre-shared-key abcd
   ikev2 local-authentication pre-shared-key efgh

crypto ikev2 policy 50
   encryption aes-256
   integrity sha256
   group 14
   prf sha256
   lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal S2S-VPN-TRANSFORM
   protocol esp encryption aes-256
   protocol esp integrity sha-256

crypto map OUTSIDE_CMAP 80 match address S2S-VPN-ACL
crypto map OUTSIDE_CMAP 80 set peer
crypto map OUTSIDE_CMAP 80 set ikev2 ipsec-proposal S2S-VPN-TRANSFORM
crypto map OUTSIDE_CMAP interface outside
crypto isakmp identity address

crypto ikev2 enable outside


  • If this firewall already has VPN tunnels, don’t create a new crypto map name such as “OUTSIDE_CMAP”. Only one crypto map can be bound to the outside interface, so applying a new one replaces the existing crypto map and all existing VPN tunnels go down. Reuse the name of the crypto map that is already applied to the interface and just add a new sequence number for this tunnel (like I used 80 here).
  • Configure routes on the firewall for the internal subnets (if not already done).
  • Configure routes for the Site-B subnets on the Site-A internal network (all the way up to the firewall).
  • Replicate the configuration on Site-B (S2S, routes on the firewall and on the internal network). The above configuration is for the Site-A firewall. On the Site-B firewall, the source and destination subnets are inverted in the ACL and the NAT exemption, the ikev2 local and remote pre-shared keys are swapped (Site-A’s local key is Site-B’s remote key and vice versa), and the crypto ikev2 policy and ipsec-proposal must match Site-A. For the tunnel-group name and the crypto map peer, use the Site-A outside IP address.
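To make the “replicate and invert” step less error-prone, here is an added example (not from the original post) that derives the Site-B mirror from the Site-A parameters, renders the ASA commands in the same form as above, and reports anything the two firewalls would disagree on. The outside addresses, subnets and object names are constructed placeholders; the only IKEv2 keys emitted are the local/remote ones, which is what IKEv2 peers actually compare.

```python
# Added example, not part of the original post: mirror a Site-A IKEv2 L2L
# configuration for Site-B and check the parameters that must agree.
# Addresses, subnets and object names below are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, List

IKEV2_POLICY = {"encryption": "aes-256", "integrity": "sha256",
                "group": "14", "prf": "sha256", "lifetime seconds": "86400"}
IPSEC_PROPOSAL = {"encryption": "aes-256", "integrity": "sha-256"}


@dataclass
class Site:
    name: str                  # prefix for object-group names, e.g. "Site-A"
    outside_ip: str            # address the peer dials (placeholder)
    subnets: List[str]         # "network mask" entries behind this firewall
    local_psk: str             # key this side presents (ikev2 local-authentication)
    remote_psk: str            # key expected from the peer (ikev2 remote-authentication)
    ikev2_policy: Dict[str, str] = field(default_factory=lambda: dict(IKEV2_POLICY))
    ipsec_proposal: Dict[str, str] = field(default_factory=lambda: dict(IPSEC_PROPOSAL))


def mirror_site(a: Site, name: str, outside_ip: str, subnets: List[str]) -> Site:
    """Derive the far side from Site-A: same crypto parameters, keys swapped."""
    return Site(name, outside_ip, subnets,
                local_psk=a.remote_psk, remote_psk=a.local_psk,
                ikev2_policy=dict(a.ikev2_policy),
                ipsec_proposal=dict(a.ipsec_proposal))


def render_config(local: Site, remote: Site,
                  cmap: str = "OUTSIDE_CMAP", seq: int = 80) -> str:
    """ASA commands to paste on `local`, pointing the tunnel at `remote`."""
    lines = []
    for s in (local, remote):
        lines.append(f"object-group network {s.name}-Subnets")
        lines += [f" network-object {n}" for n in s.subnets]
    src, dst = f"{local.name}-Subnets", f"{remote.name}-Subnets"
    lines.append(f"access-list S2S-VPN-ACL extended permit ip "
                 f"object-group {src} object-group {dst}")
    lines.append(f"nat (inside,outside) source static {src} {src} "
                 f"destination static {dst} {dst} no-proxy-arp route-lookup "
                 "description VPN NAT EXEMPTION")
    lines += ["group-policy GroupPolicy_ikev2 internal",
              "group-policy GroupPolicy_ikev2 attributes",
              " vpn-tunnel-protocol ikev2",
              f"tunnel-group {remote.outside_ip} type ipsec-l2l",
              f"tunnel-group {remote.outside_ip} general-attributes",
              " default-group-policy GroupPolicy_ikev2",
              f"tunnel-group {remote.outside_ip} ipsec-attributes",
              f" ikev2 remote-authentication pre-shared-key {local.remote_psk}",
              f" ikev2 local-authentication pre-shared-key {local.local_psk}",
              "crypto ikev2 policy 50"]
    lines += [f" {k} {v}" for k, v in local.ikev2_policy.items()]
    lines.append("crypto ipsec ikev2 ipsec-proposal S2S-VPN-TRANSFORM")
    lines += [f" protocol esp {k} {v}" for k, v in local.ipsec_proposal.items()]
    lines += [f"crypto map {cmap} {seq} match address S2S-VPN-ACL",
              f"crypto map {cmap} {seq} set peer {remote.outside_ip}",
              f"crypto map {cmap} {seq} set ikev2 ipsec-proposal S2S-VPN-TRANSFORM",
              f"crypto map {cmap} interface outside",
              "crypto ikev2 enable outside"]
    return "\n".join(lines)


def check_mirror(a: Site, b: Site) -> List[str]:
    """Reasons the IKE_SA or CHILD_SA negotiation would fail between a and b."""
    problems = []
    if a.local_psk != b.remote_psk:
        problems.append("Site-A local PSK != Site-B remote PSK")
    if a.remote_psk != b.local_psk:
        problems.append("Site-A remote PSK != Site-B local PSK")
    # IKEv2 does not negotiate lifetimes (each side rekeys on its own timer),
    # so only the algorithm parameters have to agree.
    for k in ("encryption", "integrity", "group", "prf"):
        if a.ikev2_policy.get(k) != b.ikev2_policy.get(k):
            problems.append(f"ikev2 policy {k} mismatch")
    if a.ipsec_proposal != b.ipsec_proposal:
        problems.append("ipsec proposal mismatch")
    if set(a.subnets) & set(b.subnets):
        problems.append("same subnet listed on both sides")
    return problems


# Constructed sample: keys are the placeholder values used in the post.
SITE_A = Site("Site-A", "198.51.100.1", ["10.1.0.0 255.255.0.0"],
              local_psk="efgh", remote_psk="abcd")
SITE_B = mirror_site(SITE_A, "Site-B", "203.0.113.1", ["10.2.0.0 255.255.0.0"])

if __name__ == "__main__":
    print(render_config(SITE_B, SITE_A))   # what goes on the Site-B firewall
    print("mismatches:", check_mirror(SITE_A, SITE_B))
```

Run it to print the Site-B side; `check_mirror` is the pre-deployment sanity check, and a non-empty list is the usual reason a tunnel sits in `MM_WAIT`/`IN_NEG` after both sides have been pasted in.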
