Crypto Confusion

mikedeyoung
Level 1

I have beginner to intermediate level knowledge of VPN config on the ASA and am trying to clarify a couple of things...

First, I've studied the "Configuring IPSEC and ISAKMP" doc and compared it to my actual ASA config (done by another CCNP). The doc makes no mention of tunnel-groups, yet I see l2l tunnel-groups which contain a pre-shared-key. Why does the doc make no mention of tunnel-groups or pre-shared-keys?

Next, I do not see how these l2l tunnel-groups link to their group-policy. How does the ASA know which tunnel-group to select when SA negotiation takes place?

Next, remote-access tunnel-groups contain the "default-group-policy" command. There is also a "vpn-group-policy" command under username <name> password <pass>. Why? Does one take precedence over the other?

Thanks!

-Mike

3 Replies

John Blakley
VIP Alumni

Mike,

The tunnel-groups are used to be able to tell the ASA what type of remote access to allow the peer to use. You can have remote access or l2l tunnel-groups. The l2l tunnel group references the ip address of the remote peer, and under this it would have the pre-shared key that has to match on both ends.

The tunnel-group is associated with your crypto map. The l2l tunnel-group that has the pre-shared key is for phase 1 negotiations, and phase 2 is done through your transform-sets and ACLs that are applied to your crypto map:

crypto map VPN 10 set peer 5.5.5.5
crypto map VPN 10 match address VPN
crypto map VPN 10 set transform-set VPN
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
 pre-shared-key test
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

When a request comes in from 5.5.5.5 for 192.168.1.0, the crypto map that's applied to the outside interface runs through its sequence numbers to find a match. After it sees 5.5.5.5 as the requesting peer, it tries to match up the key with the tunnel-group. If that matches, then it proceeds to the next steps, making sure that the same traffic is encrypted on the other side, transform sets match, etc.

The default-group-policy is a "catch-all" that matches anything that doesn't match the "vpn-group-policy" that you have. If you have a user using "vpn-group-policy", but you have other users that aren't locked into a group, then they'd use the default group policy.

HTH,

John

HTH, John *** Please rate all useful posts ***
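An added configuration example (not from John's or Mike's posts) that ties the pieces above together: the same crypto map and peer 5.5.5.5, the l2l tunnel-group pointing at its group-policy via `default-group-policy` under `general-attributes` (the link Mike could not find), and a remote-access tunnel-group whose catch-all policy is overridden for one user by `vpn-group-policy` under `username ... attributes`. It assumes ASA 8.x-era IKEv1 syntax; the policy names, the user `alice` and the `<placeholder-...>` secrets are made up for illustration.

```cisco
! Phase 1 (ISAKMP/IKEv1): pre-shared-key authentication, enabled on outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2: interesting traffic, transform-set and the crypto map entry for peer 5.5.5.5
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set VPN esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address VPN
crypto map VPN 10 set peer 5.5.5.5
crypto map VPN 10 set transform-set VPN
crypto map VPN interface outside
!
! Group policy for the L2L peer (hypothetical name L2L-POLICY). The tunnel-group is
! named after the peer IP, which is how the ASA selects it during phase 1, and
! general-attributes / default-group-policy is what links it to the group-policy.
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-tunnel-protocol ipsec
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 general-attributes
 default-group-policy L2L-POLICY
tunnel-group 5.5.5.5 ipsec-attributes
 pre-shared-key <placeholder-psk>
!
! Remote-access tunnel-group: RA-DEFAULT is the catch-all for any user who is not
! pinned to a policy; alice is pinned to RA-ADMINS by vpn-group-policy, which wins
! over the tunnel-group's default-group-policy for her session only.
group-policy RA-DEFAULT internal
group-policy RA-DEFAULT attributes
 vpn-tunnel-protocol ipsec
 vpn-idle-timeout 30
group-policy RA-ADMINS internal
group-policy RA-ADMINS attributes
 vpn-tunnel-protocol ipsec
 vpn-idle-timeout 120
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 default-group-policy RA-DEFAULT
tunnel-group RA-IPSEC ipsec-attributes
 pre-shared-key <placeholder-psk>
username alice password <placeholder-password>
username alice attributes
 vpn-group-policy RA-ADMINS
```

After applying this, `show run tunnel-group` and `show run group-policy` show the linkage, and `show vpn-sessiondb` shows which group-policy a connected session actually received.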

Thanks John.

Helped a lot.

Mike

Additionally, it appears that the documentation you were reading was using the old 6.x code. Tunnel-groups were introduced in 7.0.
