
Are Tunnel Groups per site-to-site VLAN connection?

Answered Question
Nov 22nd, 2013

On my ASA that's been in production for a few years, there are IPsec site-to-site tunnels set up.


Every client's VPN interface IP is named, example:

name 192.168.1.1 My_Router


And there is an IPSEC transform set configured for the name.


What I'm wondering is, there are also tunnel groups configured for every connection. The name of some of the tunnel-groups is the IP of the client VPN device. The name of the tunnel is simply a text value, correct? Is the IP that's being used for the name just a value and not being called upon anywhere else where the IP is configured? I need to change an IP address of one of these site-to-site VPNs and I'm concerned because I don't know what role the tunnel-groups play or what is actually looking at their configuration, since it doesn't appear that anything else in the config uses the tunnel-group name.


tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key xxxxxx


Thank you for any help in clearing this up for me!


-----------------

I did some further investigating. It seems that all of my tunnel-groups are linked to my DfltGrpPolicy (System default).


It seems like tunnel-groups aren't doing anything?

Correct Answer by Karsten Iwen about 3 years 8 months ago

In general, the name of the tunnel-group has to be the IP address of the remote peer if you use pre-shared-keys. When an IPSec connection comes in, the ASA uses the IP address to find the right PSK. So if the peer changes, you need to reconfigure the tunnel-group.

You don't need a separate transform-set for each connection. I typically only have two or three of them, named ESP-AES256-SHA, ESP-AES128-SHA and ESP-3DES-SHA. The names describe what's in the transform-set. These are then applied to all the connections.

The default group policy is fine if you don't have special needs per connection, like a different VPN-filter.


Sent from Cisco Technical Support iPad App


Mark Mattix Fri, 11/22/2013 - 12:05

Thank you for your response, Karsten! I do use pre-shared keys. Could you help me understand this:


ASA(config)# tunnel-group ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group


It seems to me that the name of the tunnel-group is only a text string and not an IP integer value. I was thinking that if it needed to match the tunnel-group to a specific IP it would say something like:


ASA(config)# tunnel-group ?

  A.B.C.D     Peer IP address


Thanks for the help!

Karsten Iwen Fri, 11/22/2013 - 12:46
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP, 2017 Firewalling, VPN

An IP address is also a name in this context. But for other VPN types (remote-access or certificate-based, for example) it could also be a real name. But for PSK, the name has to be the IP address of the peer.


Sent from Cisco Technical Support iPad App
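As an added illustration of the point made in the accepted answer and in the follow-up above (this is a constructed example, not configuration from the thread or from Cisco): the tunnel-group name is the key the ASA uses to look up the pre-shared key for an incoming IKE negotiation, so re-addressing a site-to-site peer means touching three places that carry the old address, not just the crypto map. The snippet uses the pre-8.4 syntax shown in the question; on ASA 8.4 and later the same commands take an `ikev1` keyword (`crypto ipsec ikev1 transform-set`, `set ikev1 transform-set`, `ikev1 pre-shared-key`). The interface name `outside`, the crypto map `OUTSIDE_MAP`, the ACL `VPN_TO_BRANCH` and the new peer address 203.0.113.10 are assumptions; 192.168.1.1 and `My_Router` are the values from the question.

```cisco
! Constructed example: the existing site-to-site entry, pre-8.4 syntax.
! Assumed names: interface "outside", crypto map OUTSIDE_MAP, ACL VPN_TO_BRANCH.
! 192.168.1.1 is the old peer from the thread; 203.0.113.10 is a placeholder new peer.
name 192.168.1.1 My_Router
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 192.168.1.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key <PSK>
!
! Re-homing the peer: every line above that carries the old address has to move.
! The tunnel-group is the piece that is easy to miss. The ASA selects the
! tunnel-group by the peer's source address, so an IKE proposal from 203.0.113.10
! would land in DefaultL2LGroup, which has no key, and Phase 1 would fail while
! the group is still named 192.168.1.1.
clear configure tunnel-group 192.168.1.1
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PSK>
no crypto map OUTSIDE_MAP 10 set peer 192.168.1.1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
no name 192.168.1.1 My_Router
name 203.0.113.10 My_Router
!
! Drop any security associations still bound to the old address, then confirm
! the new tunnel-group exists and the new peer negotiates Phase 1 and Phase 2.
clear crypto ipsec sa peer 192.168.1.1
show running-config tunnel-group 203.0.113.10
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

A quick check before making the change is `show running-config | include 192.168.1.1`, which lists every line (name, crypto map peer, tunnel-group) that still references the old address; after the change the same command should return nothing.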
