Good day!
Part of the hub config at the head office:
Code:
group-policy TunnelGP internal
group-policy TunnelGP attributes
vpn-session-timeout none
vpn-idle-timeout none
vpn-tunnel-protocol ikev2
crypto ipsec profile VTI-Profile
set ikev2 ipsec-proposal AES-256
responder-only
tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
ikev2 remote-auth pre-shared-key Secret
ikev2 local-auth pre-shared-key Secret
tunnel-group aaa.aaa.aaa.aaa general-attributes
default-group-policy TunnelGP
tunnel-group bbb.bbb.bbb.bbb type ipsec-l2l
tunnel-group bbb.bbb.bbb.bbb ipsec-attributes
ikev2 remote-auth pre-shared-key Secret
ikev2 local-auth pre-shared-key Secret
tunnel-group bbb.bbb.bbb.bbb general-attributes
default-group-policy TunnelGP
crypto ipsec ikev2 ipsec-proposal AES-256 esp-aes-256 esp-sha-hmac
########VTI Configuration for both WAN circuits
int Tunnel1
nameif VTI_1
ip address 172.16.250.102 255.255.255.0
tunnel source interface outside
tunnel destination aaa.aaa.aaa.aaa
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI-Profile
int Tunnel2
nameif VTI_2
ip address 172.17.250.102 255.255.255.0
tunnel source interface outside_backup
tunnel destination bbb.bbb.bbb.bbb
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI-Profile
crypto ikev2 policy 2018
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev2 enable outside_backup
I need a lot of tunnels like this. I understand that the int TunnelXX configs can't be shortened, but maybe the tunnel-group aaa.aaa.aaa.aaa parts can somehow be combined into a single entry? The settings of each such group are identical, and the hub is responder-only. I'd like something like a Dynamic crypto map.
Thanks in advance.