IPsec Configuration

1. Define the interesting traffic and the NAT exemption
object network remote-net
subnet 10.10.10.0 255.255.255.0
object network local-net
subnet 192.168.10.0 255.255.255.0
access-list VPNTR extended permit ip object local-net object remote-net
nat (inside,outside) source static local-net local-net destination static remote-net remote-net

2. ISAKMP configuration
crypto ikev2 enable outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400

3. Configure the tunnel
group-policy Site-to-Site internal
group-policy Site-to-Site attributes
vpn-tunnel-protocol ikev2
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 general-attributes
default-group-policy Site-to-Site
tunnel-group 209.165.201.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco321
ikev2 local-authentication pre-shared-key cisco123

4. Configure the transform set
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1

5. Configure the crypto map
crypto map outside_map0 1 match address VPNTR
crypto map outside_map0 1 set peer 209.165.201.1
crypto map outside_map0 1 set ikev2 ipsec-proposal AES256
crypto map outside_map0 1 set reverse-route
crypto map outside_map0 interface outside
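
The policy above negotiates DH group 5 and SHA-1 and uses 8-character pre-shared keys. The following audit script is an added example, not part of the original post: it scans an ASA configuration for such settings. The weak-algorithm sets, the 20-character key threshold and the function name audit are assumptions of this example, not ASA defaults.

```python
import re

# Constructed sample: the IKEv2/IPsec lines of the configuration above.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
tunnel-group 209.165.201.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco321
 ikev2 local-authentication pre-shared-key cisco123
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
"""

# Policy choices of this example (assumptions; adjust to your own baseline).
WEAK_DH = {"1", "2", "5", "24"}
WEAK_HASH = {"md5", "sha", "sha-1"}
WEAK_CIPHER = {"des", "3des", "null"}
MIN_PSK_LEN = 20
RULES = [
    (re.compile(r"^group (.+)$"), WEAK_DH, "weak DH group"),
    (re.compile(r"^(?:integrity|prf) (.+)$"), WEAK_HASH, "weak IKEv2 hash"),
    (re.compile(r"^protocol esp integrity (.+)$"), WEAK_HASH, "weak ESP integrity"),
    (re.compile(r"^(?:protocol esp )?encryption (.+)$"), WEAK_CIPHER, "weak cipher"),
]
PSK = re.compile(r"^ikev2 (?:remote|local)-authentication pre-shared-key (\S+)$")

def audit(config):
    """Return (line_no, section, message) findings for an ASA config string."""
    findings, section = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("crypto ", "tunnel-group ")):
            section = line  # remember which block the sub-commands belong to
        for pattern, weak, label in RULES:
            m = pattern.match(line)
            # One line may list several algorithms, e.g. "group 14 5".
            bad = sorted(set(m.group(1).split()) & weak) if m else []
            if bad:
                findings.append((no, section, f"{label}: {' '.join(bad)}"))
        m = PSK.match(line)  # keys masked as ***** cannot be measured; skip them
        if m and set(m.group(1)) != {"*"} and len(m.group(1)) < MIN_PSK_LEN:
            findings.append((no, section, f"short pre-shared key ({len(m.group(1))} chars)"))
    return findings
```

Findings report only the key length, never the key itself, so the output can be pasted into a ticket.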

Reposted from www.cnblogs.com/cker/p/9445187.html