Different IP-addresses used between group-policy and tunnel-group

Jul 16th, 2010

Hi,


See this configuration:


crypto map VPN_map_1 match address VPN_1
crypto map VPN_map_1 set pfs
crypto map VPN_map_1 set connection-type originate-only
crypto map VPN_map_1 set peer 172.16.1.1
crypto map VPN_map_1 set transform-set ESP-3DES-SHA


group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 group-lock value 10.0.0.1
 pfs enable


tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy A
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key 12345


The group-lock value doesn't match, but the VPN will work. The question is: will group-policy A be used by the ASA or not?


Very curious,


Galied

Jennifer Halim (Cisco Employee), Sat, 07/17/2010 - 15:22

Group-lock is used for VPN client remote-access VPN only, not for site-to-site VPN tunnels. Hence, in your example, group-lock will not be enforced.


Hope that answers your question.
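
As an added example (not part of this thread and not Cisco code), the Python check below parses the group-policy and tunnel-group blocks of an ASA running-config and reports, for each tunnel-group, whether the group-lock in its default group-policy is enforced, would lock remote-access users out because the value names a different tunnel-group, or is silently ignored because the tunnel-group is ipsec-l2l, which is the case in the question. The sample config is constructed: it is the poster's configuration with the missing `attributes` keyword restored, plus two remote-access tunnel-groups (SalesVPN, EngVPN) and policies (SalesPolicy, StalePolicy) that are assumptions for illustration. It only models the `default-group-policy` assignment (falling back to DfltGrpPolicy when none is set), not group-policies pushed per user from AAA.

```python
"""Audit an ASA running-config for group-lock settings that are ignored or lock users out.
Added example; not from the original thread or from Cisco."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class GroupPolicy:
    name: str
    group_lock: Optional[str] = None          # tunnel-group name named by "group-lock value"


@dataclass
class TunnelGroup:
    name: str
    kind: Optional[str] = None                # "ipsec-l2l", "remote-access", ...
    default_group_policy: str = "DfltGrpPolicy"   # ASA default when none is configured


def parse_asa_config(text: str):
    """Minimal parser for the group-policy / tunnel-group parts of an ASA config.
    Sub-commands are the indented lines that follow an 'attributes' header."""
    policies = {}
    tunnels = {}
    current = None  # the block currently receiving indented sub-commands
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw[0].isspace():
            current = None
            m = re.match(r"group-policy (\S+) (internal|attributes)$", line)
            if m:
                gp = policies.setdefault(m.group(1), GroupPolicy(m.group(1)))
                if m.group(2) == "attributes":
                    current = gp
                continue
            m = re.match(r"tunnel-group (\S+) type (\S+)$", line)
            if m:
                tunnels.setdefault(m.group(1), TunnelGroup(m.group(1))).kind = m.group(2)
                continue
            m = re.match(r"tunnel-group (\S+) (general-attributes|ipsec-attributes|webvpn-attributes)$", line)
            if m:
                tg = tunnels.setdefault(m.group(1), TunnelGroup(m.group(1)))
                current = tg if m.group(2) == "general-attributes" else None
            continue
        # indented sub-command inside the current block
        if isinstance(current, GroupPolicy):
            m = re.match(r"group-lock value (\S+)$", line)
            if m:
                current.group_lock = m.group(1)
        elif isinstance(current, TunnelGroup):
            m = re.match(r"default-group-policy (\S+)$", line)
            if m:
                current.default_group_policy = m.group(1)
    return policies, tunnels


def audit_group_lock(text: str):
    """One finding per tunnel-group whose default group-policy sets group-lock:
    (tunnel-group, type, policy, group-lock value, status)."""
    policies, tunnels = parse_asa_config(text)
    findings = []
    for tg in tunnels.values():
        gp = policies.get(tg.default_group_policy)
        if gp is None or gp.group_lock is None:
            continue
        if tg.kind == "ipsec-l2l":
            status = "ignored"        # group-lock is only enforced for remote-access users
        elif gp.group_lock == tg.name:
            status = "enforced"       # users of this tunnel-group pass the group-lock check
        else:
            status = "lockout"        # remote-access users of this tunnel-group are rejected
        findings.append((tg.name, tg.kind, gp.name, gp.group_lock, status))
    return findings


# Constructed sample: the poster's config (with "attributes" restored) plus two
# assumed remote-access tunnel-groups, one matching its group-lock and one not.
SAMPLE_CONFIG = """\
group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 group-lock value 10.0.0.1
 pfs enable
group-policy SalesPolicy internal
group-policy SalesPolicy attributes
 group-lock value SalesVPN
group-policy StalePolicy internal
group-policy StalePolicy attributes
 group-lock value OldVPN
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy A
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key 12345
tunnel-group SalesVPN type remote-access
tunnel-group SalesVPN general-attributes
 default-group-policy SalesPolicy
tunnel-group EngVPN type remote-access
tunnel-group EngVPN general-attributes
 default-group-policy StalePolicy
"""

if __name__ == "__main__":
    for name, kind, gp, lock, status in audit_group_lock(SAMPLE_CONFIG):
        print(f"{name:12} {kind:14} policy={gp:12} group-lock={lock:12} {status}")
```

Run against a real `show running-config`, the "ignored" rows are the harmless ones like the poster's L2L tunnel-group; the "lockout" rows are the ones to fix before users report connection failures.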
