IPsec VPN – Missing Crypto Keyring Issue

Tags: cisco, cisco-asa, ipsec, vpn

We have a VPN tunnel with our customer and they sent their side's VPN config. I am trying to put that config in my Cisco ASA 5585 (9.x) version, and it has a missing crypto keyring command.

Customer config (remote)

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
!
!
crypto keyring 1
 pre-shared-key address x.x.x.x key xusbqVUWBKQbbksbGFVVWUHBkiiy829jkh
!
crypto isakmp profile 1
 keyring 1
 self-identity address X.X.X.X
 match identity address X.X.X.X
 no initiate mode
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
!
crypto map 1 1 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TSET
 set isakmp-profile 1
 match address 101
 set pfs l

We have many other tunnels and they all have ikev1. We also have tunnel-group, so I wonder why the above config doesn't have tunnel-group.

Best Answer

The configuration from your customer is a Cisco IOS crypto configuration from a Cisco router; it is not interchangeable with Cisco ASA software.

You will need to take the relevant portions of that configuration (PSK, peer IP, crypto ACL) and put them into a Cisco ASA configuration like your existing tunnels.

It would presumably be similar to the below:

! Substitute in the crypto map entry number as needed for <###>
! Substitute your peer's IP for <##.##.##.##>

object-group network VPN-LOCAL-<###>
  network-object <LOCAL Network>
  network-object <LOCAL Network>

object-group network VPN-REMOTE-<###>
  network-object <REMOTE Network>
  network-object <REMOTE Network>

access-list <###> permit ip object-group VPN-LOCAL-<###> object-group VPN-REMOTE-<###>
nat (any,OUTSIDE) source static VPN-LOCAL-<###> VPN-LOCAL-<###> destination static VPN-REMOTE-<###> VPN-REMOTE-<###>

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map <your crypto map name> <###> match address <###>
crypto map <your crypto map name> <###> set peer <##.##.##.##>
crypto map <your crypto map name> <###> set transform-set ESP-3DES-MD5
crypto map <your crypto map name> <###> set pfs group1

crypto map <your crypto map name> interface OUTSIDE
crypto isakmp identity address
crypto ikev1 enable OUTSIDE

! This policy may already be in place on your ASA; it's very common.
crypto ikev1 policy ###
  encryption 3des
  hash md5
  group 1

tunnel-group <##.##.##.##> type ipsec-l2l
tunnel-group <##.##.##.##> ipsec-attributes
  ikev1 pre-shared-key <your PSK from the customer config>
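
The carry-over the answer describes, as an added example that is not part of the original answer: a Python script that pulls the peer, PSK, transform set and PFS group out of an IOS config and renders them in the ASA command form used above, rejecting a malformed `set pfs` line or a keyring address that does not match the peer. The sample config, the map name OUTSIDE_MAP, the sequence number 10 and the TSET-<seq> name are constructed for illustration; the crypto ACL, NAT exemption and IKEv1 policy are still written by hand.

```python
import re

# Constructed sample in the shape of the customer's IOS config (documentation IP, dummy key).
IOS_SAMPLE = """\
crypto keyring 1
 pre-shared-key address 192.0.2.10 key EXAMPLE-PSK-NOT-REAL
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto map 1 1 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TSET
 set pfs group1
"""

PATTERNS = {  # one capture group per IOS value that is carried over to the ASA
    "peer": r"^[ \t]+set peer (\S+)",
    "pfs": r"^[ \t]+set pfs (group\d+)[ \t]*$",
    "psk_peer": r"^[ \t]+pre-shared-key address (\S+) key \S+",
    "psk": r"^[ \t]+pre-shared-key address \S+ key (\S+)",
    "transforms": r"^crypto ipsec transform-set \S+ (.+)$",
}

# ASA commands in the form the answer uses; the name TSET-<seq> is chosen here.
ASA_TEMPLATE = """\
crypto ipsec transform-set TSET-{seq} {transforms}
crypto map {map_name} {seq} match address {seq}
crypto map {map_name} {seq} set peer {peer}
crypto map {map_name} {seq} set transform-set TSET-{seq}
crypto map {map_name} {seq} set pfs {pfs}
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
  ikev1 pre-shared-key {psk}
"""

def parse_ios(text):
    """Extract the IOS values; fail loudly on a missing or malformed line."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError(f"missing or malformed IOS setting: {name}")
        found[name] = m.group(1).strip()
    if found["psk_peer"] != found["peer"]:
        raise ValueError("keyring address does not match the crypto map peer")
    return found

def to_asa(values, map_name, seq):
    return ASA_TEMPLATE.format(map_name=map_name, seq=seq, **values)

print(to_asa(parse_ios(IOS_SAMPLE), "OUTSIDE_MAP", 10))
```

As in the answer, the crypto map entry number doubles as the access-list name in the `match address` line.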