Different IP-addresses used between group-policy and tunnel-group

Hi,

See this configuration:

crypto map VPN_map_1 match address VPN_1
crypto map VPN_map_1 set pfs
crypto map VPN_map_1 set connection-type originate-only
crypto map VPN_map_1 set peer 172.16.1.1
crypto map VPN_map_1 set transform-set ESP-3DES-SHA

group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 group-lock value 10.0.0.1
 pfs enable

tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy A
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key 12345

The group-lock value doesn't match, but the VPN will work. The question is: will group-policy A be used by the ASA or not?

Very curious,

Galied

1 Reply

Jennifer Halim
Cisco Employee

Group-lock is used for VPN Client remote-access VPN only, not for site-to-site VPN tunnels. Hence, in your example, group-lock will not be enforced.

Hope that answers your question.
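As an added audit example (not Cisco's code and not part of this thread), the script below parses an ASA-style configuration excerpt and reports group-lock settings that the ASA will ignore because the group-policy is the default policy of an ipsec-l2l tunnel-group, which is exactly the situation in the question. It also covers the remote-access case, where group-lock is enforced, so a reviewer can see both outcomes side by side. The first sample is the poster's excerpt (with the `attributes` keyword and sub-command indentation as the ASA prints them); the remote-access sample and its tunnel-group names (`RA_POL`, `SALES`, `ENGINEERING`) are constructed, and the parser handles only the handful of commands used here.

```python
"""Audit ASA-style config for group-lock settings and whether they are enforced.

Added illustration, not Cisco code. Parsing is a simplification of ASA syntax:
top-level commands start in column 1, sub-commands are indented by one space.
"""
import re

# Constructed sample: the poster's excerpt, with 'attributes' and indentation.
L2L_CONFIG = """\
crypto map VPN_map_1 match address VPN_1
crypto map VPN_map_1 set pfs
crypto map VPN_map_1 set connection-type originate-only
crypto map VPN_map_1 set peer 172.16.1.1
crypto map VPN_map_1 set transform-set ESP-3DES-SHA

group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 group-lock value 10.0.0.1
 pfs enable

tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy A
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key 12345
"""

# Constructed remote-access variant (hypothetical names) showing the enforced case.
RA_CONFIG = """\
group-policy RA_POL internal
group-policy RA_POL attributes
 vpn-tunnel-protocol IPSec
 group-lock value SALES

tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 default-group-policy RA_POL

tunnel-group ENGINEERING type remote-access
tunnel-group ENGINEERING general-attributes
 default-group-policy RA_POL
"""

# Tunnel-group types on which the ASA applies group-lock (remote-access only).
REMOTE_ACCESS_TYPES = {"remote-access", "ipsec-ra", "webvpn"}


def parse_config(text):
    """Return (group_policies, tunnel_groups) extracted from ASA-style text."""
    policies = {}   # name -> {"group_lock": value or None}
    tunnels = {}    # name -> {"type": ..., "default_group_policy": ...}
    section = None  # ("policy", name) or ("tunnel", name) inside an attributes block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[:1] != " ":                      # top-level command: new section
            section = None
            m = re.match(r"group-policy (\S+) (internal|external|attributes)$", line)
            if m:
                name, keyword = m.groups()
                policies.setdefault(name, {"group_lock": None})
                if keyword == "attributes":
                    section = ("policy", name)
                continue
            m = re.match(r"tunnel-group (\S+) type (\S+)$", line)
            if m:
                name, tg_type = m.groups()
                tunnels.setdefault(name, {"type": None, "default_group_policy": None})
                tunnels[name]["type"] = tg_type
                continue
            m = re.match(r"tunnel-group (\S+) (general|ipsec|webvpn)-attributes$", line)
            if m:
                name = m.group(1)
                tunnels.setdefault(name, {"type": None, "default_group_policy": None})
                section = ("tunnel", name)
            continue
        if section is None:                     # indented line outside a known block
            continue
        kind, name = section
        if kind == "policy":
            m = re.match(r"group-lock value (\S+)$", line)
            if m:
                policies[name]["group_lock"] = m.group(1)
        elif kind == "tunnel":
            m = re.match(r"default-group-policy (\S+)$", line)
            if m:
                tunnels[name]["default_group_policy"] = m.group(1)
    return policies, tunnels


def audit_group_lock(text):
    """One finding per tunnel-group whose default group-policy sets group-lock.

    status is "not-enforced" for site-to-site tunnel-groups (the ASA ignores the
    lock there), "enforced-match" when a remote-access tunnel-group is the one
    named by the lock, and "enforced-mismatch" when remote-access sessions that
    land on this tunnel-group would be rejected because the lock names another.
    """
    policies, tunnels = parse_config(text)
    findings = []
    for tg_name, tg in tunnels.items():
        policy = policies.get(tg["default_group_policy"])
        if policy is None or policy["group_lock"] is None:
            continue                            # no lock configured: nothing to report
        if tg["type"] in REMOTE_ACCESS_TYPES:
            status = "enforced-match" if policy["group_lock"] == tg_name else "enforced-mismatch"
        else:
            status = "not-enforced"
        findings.append({"tunnel_group": tg_name, "tunnel_type": tg["type"],
                         "group_policy": tg["default_group_policy"],
                         "group_lock": policy["group_lock"], "status": status})
    return findings


if __name__ == "__main__":
    for sample in (L2L_CONFIG, RA_CONFIG):
        for f in audit_group_lock(sample):
            print(f"{f['tunnel_group']} ({f['tunnel_type']}) policy {f['group_policy']} "
                  f"group-lock {f['group_lock']}: {f['status']}")
```

Run against the poster's excerpt the audit reports the 172.16.1.1 tunnel-group as `not-enforced`: group-policy A is still the policy attached to the tunnel, but its group-lock has no effect on a site-to-site peer, so anyone reading the lock as a restriction on that tunnel is relying on a control that is not there. The constructed remote-access sample shows the contrast: the lock is honoured, and a tunnel-group other than the one it names gets `enforced-mismatch`.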