hostname ASA1
!
interface Gig 0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0
 no shut
!
interface Gig 0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.1 255.255.255.0
 no shut
!
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2 1
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
!
crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
!
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key test
!
end

============================================================================

hostname R1
!
no ip routing
!
interface Gig 0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 no shut
!
ip default-gateway 192.168.1.254
!
end

============================================================================
Troubleshooting:
============================================================================

ASA1# show crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/0, remote crypto endpt.: 10.10.10.2/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 111BAC69
      current inbound spi : 1A666793

    inbound esp sas:
      spi: 0x1A666793 (442918803)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 2, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3915000/3572)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x111BAC69 (287026281)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 2, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3572)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA1#
============================================================================
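
An added example, not part of the original page: a small Python parser for `show crypto ipsec sa` output that classifies each crypto-map entry by its encaps/decaps and error counters. The sample text is constructed from the counters shown above; the function names and status labels are assumptions of this example.

```python
import re

# Constructed sample, trimmed from the "show crypto ipsec sa" output above.
SAMPLE = """\
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 10, local addr: 10.10.10.1
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Matches every "#name: value" pair on a counter line.
COUNTER = re.compile(r"#([^:,#]+): (\d+)")

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry found in the output."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Crypto map tag:"):
            cur = {"counters": {}}
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first entry
        elif line.startswith(("local ident", "remote ident")):
            net, mask = line.split("(")[-1].split("/")[:2]
            cur[line.split()[0]] = f"{net}/{mask}"
        elif line.startswith("current_peer:"):
            cur["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            for name, value in COUNTER.findall(line):
                cur["counters"][name.strip()] = int(value)
    return entries

def diagnose(entry):
    """Classify traffic direction from the encaps/decaps counters."""
    c = entry["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if c.get("send errors", 0) or c.get("recv errors", 0):
        return "errors"
    if enc and not dec:
        return "outbound-only"   # we encrypt, nothing comes back from the peer
    if dec and not enc:
        return "inbound-only"    # peer sends, our side never encrypts a reply
    return "bidirectional" if enc else "idle"

if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(e["peer"], e["local"], "->", e["remote"], diagnose(e))
```

For the counters captured above the result is `outbound-only`: the SAs are up, but no traffic from the peer has been decrypted yet, so the next checks are on the remote side (mirrored crypto ACL, return route, and whether the remote host is replying).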