Different IP-addresses used between group-policy and tunnel-group

Jul 16th, 2010
See this configuration:

crypto map VPN_map_1 match address VPN_1
crypto map VPN_map_1 set pfs
crypto map VPN_map_1 set connection-type originate-only
crypto map VPN_map_1 set peer
crypto map VPN_map_1 set transform-set ESP-3DES-SHA

group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 group-lock value
 pfs enable

tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy A
tunnel-group ipsec-attributes
 pre-shared-key 12345

The group-lock value doesn't match, but the VPN will work. The question is: will group-policy A be used by the ASA or not?

Very curious,


Jennifer Halim (Cisco Employee), Sat, 07/17/2010 - 15:22

Group-lock is used for VPN client remote-access VPN only, not for site-to-site VPN tunnels. Hence, in your example, group-lock will not be enforced.

Hope that answers your question.
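As an added illustration (constructed for this page, not configuration from the original poster or from Cisco), the following ASA snippet places the two cases side by side: a remote-access tunnel-group whose default group-policy locks users to that tunnel-group, where group-lock is enforced, and a site-to-site tunnel-group like the one in the question, where the same attribute is present but has no effect. All names (RA_POLICY, RA_TUNNEL, RA_POOL), the addresses 203.0.113.10 and 10.10.10.0/24, and the pre-shared keys are placeholders.

```cisco
! Constructed example; names, addresses and keys are placeholders.

! --- Remote-access side: group-lock IS enforced ---
! A user who is assigned RA_POLICY may only connect through tunnel-group
! RA_TUNNEL; a connection through any other remote-access tunnel-group
! is rejected because the tunnel-group name does not match the lock value.
ip local pool RA_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol IPSec
 group-lock value RA_TUNNEL
tunnel-group RA_TUNNEL type remote-access
tunnel-group RA_TUNNEL general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_TUNNEL ipsec-attributes
 pre-shared-key PLACEHOLDER_RA_KEY

! --- Site-to-site side: same attribute, NOT enforced ---
! An ipsec-l2l tunnel-group is selected by the peer's IP address (its name),
! not by a user login, so there is no user-to-tunnel-group pairing for
! group-lock to check. The tunnel comes up and group-policy A is still
! applied as the default-group-policy; only the lock itself is ignored.
group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 group-lock value RA_TUNNEL
 pfs enable
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy A
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER_L2L_KEY
```

To confirm which group-policy a live session actually received, rather than inferring it from the tunnel having come up, `show vpn-sessiondb l2l` (site-to-site) and `show vpn-sessiondb remote` (remote access) list the Group Policy and Tunnel Group attached to each session.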
