On my ASA, which has been in production for a few years, there are IPsec site-to-site tunnels set up.
Every client's VPN interface IP is named, example:
name 192.168.1.1 My_Router
And there is an IPsec transform set configured for the name.
What I'm wondering is: there are also tunnel-groups configured for every connection. The name of some of the tunnel-groups is the IP of the client VPN device. The name of the tunnel-group is simply a text value, correct? Is the IP that's being used for the name just a value, and not referenced anywhere else where the IP is configured? I need to change the IP address of one of these site-to-site VPNs, and I'm concerned because I don't know what role the tunnel-groups play or what actually looks at their configuration, since it doesn't appear that anything else in the config uses the tunnel-group name.
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
Thank you for any help in clearing this up for me!
I did some further investigating. It seems that all of my tunnel-groups are linked to my DfltGrpPolicy (system default).
It seems like tunnel-groups aren't doing anything?
In general, the name of the tunnel-group has to be the IP address of the remote peer if you use pre-shared keys. When an IPsec connection comes in, the ASA uses the peer's IP address to find the right PSK. So if the peer changes, you need to reconfigure the tunnel-group.
You don't need a separate transform-set for each connection. I typically only have two or three of them, named ESP-AES256-SHA, ESP-AES128-SHA and ESP-3DES-SHA. The names describe what's in the transform-set. These are then applied to all the connections.
The default group policy is fine if you don't have special needs per connection, like a different VPN filter.
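As an added example (not part of the original thread, and not a Cisco tool): the practical worry in the question is "where else is this peer address used?" The script below answers that against a constructed ASA running-config fragment. It resolves `name` aliases for the peer, lists every line that refers to the peer either literally or through the alias, and rewrites the literal address. The sample config, the alias `My_Router`, the peer addresses and the transform-set name are all made up for the example; the point it demonstrates is that the `crypto map ... set peer` line follows the alias and needs no edit, while the tunnel-group lines change because their name is the peer address itself.

```python
"""Locate and rewrite every reference to a site-to-site peer in an ASA config.

Added example with a constructed config; not from the original post.
"""
from __future__ import annotations

import re

# Constructed sample running-config (example data, not a real device export).
# The peer 192.168.1.1 is referenced three ways: bound to an alias by a
# "name" statement, via that alias in the crypto map, and literally as the
# tunnel-group name. 192.168.1.10 is a second peer that must NOT be touched.
SAMPLE_CONFIG = """\
names
name 192.168.1.1 My_Router
name 192.168.1.10 Other_Router
access-list L2L_My_Router extended permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2L_My_Router
crypto map outside_map 10 set peer My_Router
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 20 set peer Other_Router
crypto map outside_map interface outside
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.168.1.10 type ipsec-l2l
"""


def _token(literal: str) -> re.Pattern[str]:
    """Match literal only as a whole token.

    The lookarounds stop 192.168.1.1 from matching inside 192.168.1.10 and
    My_Router from matching inside the ACL name L2L_My_Router.
    """
    return re.compile(r"(?<![\w.])" + re.escape(literal) + r"(?![\w.])")


def aliases_for(config: str, ip: str) -> set[str]:
    """Return every alias that a 'name <ip> <alias>' statement binds to ip."""
    aliases: set[str] = set()
    for line in config.splitlines():
        m = re.match(r"name\s+(\S+)\s+(\S+)", line.strip())
        if m and m.group(1) == ip:
            aliases.add(m.group(2))
    return aliases


def find_references(config: str, ip: str) -> list[tuple[int, str]]:
    """Every (line number, line) that names the peer literally or by alias."""
    patterns = [_token(ip)] + [_token(a) for a in aliases_for(config, ip)]
    return [
        (n, line)
        for n, line in enumerate(config.splitlines(), start=1)
        if any(p.search(line) for p in patterns)
    ]


def rewrite_peer(config: str, old_ip: str, new_ip: str) -> str:
    """Replace the literal old_ip wherever it appears as a whole token.

    Alias users (the crypto map 'set peer My_Router') are left alone: once the
    'name' statement points at new_ip they follow it. The tunnel-group lines
    do change, because the tunnel-group name is the literal peer address.
    """
    return _token(old_ip).sub(new_ip, config)


def changed_lines(before: str, after: str) -> list[tuple[int, str, str]]:
    """Line-by-line diff of two configs with the same line count."""
    pairs = zip(before.splitlines(), after.splitlines())
    return [(n, b, a) for n, (b, a) in enumerate(pairs, start=1) if b != a]


if __name__ == "__main__":
    old, new = "192.168.1.1", "203.0.113.5"
    print(f"Lines referring to peer {old}:")
    for n, line in find_references(SAMPLE_CONFIG, old):
        print(f"  {n:3d}: {line}")
    updated = rewrite_peer(SAMPLE_CONFIG, old, new)
    print("\nLines that actually change:")
    for n, before, after in changed_lines(SAMPLE_CONFIG, updated):
        print(f"  {n:3d}: {before}\n    -> {after}")
```

Running it lists four referencing lines (the `name` statement, the crypto map `set peer`, and the two `tunnel-group` lines) but only three that change, which is the answer to the question: the crypto map follows the alias, the tunnel-group does not. On the device itself the tunnel-group cannot be renamed in place; remove it with `no tunnel-group 192.168.1.1` and re-create it under the new address, re-entering the pre-shared key, because `show running-config` masks the key as `*****` (use `more system:running-config` to read the configured value before you start).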