
site 2 site vpn connectivity using asa

Sir,

    I would like to understand the reason why the below commands are given.

1. crypto ipsec transform-set Name esp-aes esp-sha-hmac

     Here we see that this particular transform set is followed by multiple options of encryption/authentication protocols.

               First, what is the purpose of the transform-set command?

               Second, are the protocols mentioned here for encryption / authentication / hashing?

               Third, I happened to find a document which stated that this is used to identify "interesting traffic". If so, then how does it work?

2.tunnel-group 11.11.11.11 type ipsec-l2l
   tunnel-group 11.11.11.11 ipsec-attributes

             What do these two commands do?


JORGE RODRIGUEZ
Level 10

Hi,

For your first question, go over this link; all are answered there. It will help you understand the overall concept of the IPsec standards:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

As for your question on the transform set, this defines the security protocols, or better said the encryption type, to be used in the tunnel policy.

The interesting traffic is defined by the access-list permitting the traffic.

2.tunnel-group 11.11.11.11 type ipsec-l2l
   tunnel-group 11.11.11.11 ipsec-attributes

As for your second question, the tunnel-group command alone is used when you want to configure a VPN tunnel, SSL VPN, or RA VPN, followed by a name you choose to reference it by; in your case the tunnel-group is named 11.11.11.11, followed by the type of VPN, in your case an L2L VPN.

Under tunnel-group you have other options, which are general attributes and IPsec attributes, and in each option there are other configuration categories for the tunnel. Under tunnel-group ipsec-attributes you have options for defining configurations such as pre-shared keys and/or other settings for the tunnel. You can always issue a question mark after you type the command to show what configuration parameters are available under that category.

Regards

Jorge Rodriguez
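To show how the pieces in the question fit together, here is a complete site-to-site (L2L) configuration for one side of the tunnel, added as an illustration rather than taken from the original post. It uses the pre-8.3 ASA syntax the question uses (crypto ipsec transform-set, crypto isakmp policy, nat 0 exemption). The peer 11.11.11.11 comes from the question; the ACL, transform-set and crypto-map names, the local LAN 192.168.1.0/24 and the remote LAN 192.168.2.0/24 are assumed for the example, and the pre-shared key is a placeholder.

```cisco
! Local ASA peering with 11.11.11.11 (from the question). Local LAN 192.168.1.0/24,
! remote LAN 192.168.2.0/24 and all object names are assumptions for this example.

! 1. Interesting traffic: the crypto ACL, not the transform set, selects what is encrypted.
!    Source is the local LAN, destination is the remote LAN; the peer mirrors this ACL.
access-list VPN-TO-SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Exempt the same traffic from NAT so the crypto ACL sees the real source addresses
! (pre-8.3 NAT exemption syntax, matching the question's command syntax).
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

! 2. Phase 1 (ISAKMP / IKEv1) policy: how the two ASAs authenticate each other and
!    protect the negotiation itself. "authentication pre-share" is what makes the
!    pre-shared-key under tunnel-group ipsec-attributes mandatory.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! 3. Phase 2 transform set: esp-aes = ESP with AES encryption of the data,
!    esp-sha-hmac = ESP integrity/authentication with HMAC-SHA1. It says HOW to
!    protect packets, not WHICH packets (that is the crypto ACL above).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! 4. The crypto map ties interesting traffic, peer and transform set together,
!    then is bound to the interface facing the peer.
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 11.11.11.11
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! 5. Tunnel group named after the peer IP. For an L2L tunnel with a pre-shared key
!    the ASA looks up the group by the peer's address, so the name must be 11.11.11.11.
!    "type ipsec-l2l" declares the kind of tunnel; "ipsec-attributes" holds the key.
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET

! Verification after sending traffic that matches VPN-TO-SITEB:
!   show crypto isakmp sa    -> peer 11.11.11.11 in state MM_ACTIVE (phase 1 up)
!   show crypto ipsec sa     -> #pkts encaps / #pkts decaps increasing (phase 2 up)
```

Two practical caveats. First, esp-sha-hmac is HMAC-SHA1 and DH group 2 is 1024-bit; on a release that supports them, prefer a SHA-256 transform (esp-sha256-hmac) and DH group 14 or higher, and use a long random pre-shared key since it is the only thing authenticating the peer. Second, from ASA 8.4 the same design is expressed with renamed commands (crypto ikev1 policy, crypto ipsec ikev1 transform-set, set ikev1 transform-set, and ikev1 pre-shared-key under ipsec-attributes) and the NAT exemption becomes a twice NAT rule rather than nat 0, so copy the structure, not the exact lines, onto a newer box.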