08-04-2010 09:57 AM - edited 03-11-2019 11:21 AM
This client needs to create a VPN (IPsec) tunnel using two ASAs. I had a Cisco documentation link posted by one of the learned posters here.
This link shows the configuration with a tunnel group. I came across another general site, which shows one without a tunnel group using ASAs.
Please help me decide which one is better; I would appreciate it if I could understand why.
Thank you.
08-04-2010 10:32 AM
Hello,
The tunnel-group is needed for at least some of the basic tunnel attributes. This document will explain the minimum tunnel-group settings needed for a site-to-site tunnel:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/site2sit.html#wp1042423
Hope that helps.
-Mike
08-04-2010 11:49 AM
On the ASA you will need a tunnel group to enter at least the pre-shared key,
so if there is no tunnel group for a particular peer, it falls back on the default tunnel group.
08-04-2010 05:07 PM
To create a pre-shared key, would "crypto isakmp 'KEY' test address X.X.X.X" be sufficient if I don't use the tunnel group?
Will this cause any issues by not using a tunnel group?
Thanks!
08-04-2010 11:14 PM
That's a deprecated command.
However, I tried it out in my lab just to see what would happen. It took the command, but this is what it made by default:
ASA-1(config)# crypto isakmp key cisco address x.x.x.x
ASA-1(config)# sh run tunn
ASA-1(config)# sh run tunnel-group
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2
So you can clearly see it took the command, but it did not like it.
When you try to enter the command, it does say that it is deprecated.
So to summarize: always use tunnel-group :)
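An added example, not part of the thread or any poster's code: a small Python check that reads `sh run tunnel-group` output in the format shown above and lists ipsec-l2l tunnel groups that have neither a pre-shared key nor a trust-point, which is the state the lab output ended up in. The function names are hypothetical, and the second tunnel group in the sample, including its masked `pre-shared-key *` line, is constructed for contrast.

```python
import re

# Constructed sample in the format of the "sh run tunnel-group" output in the
# post above; the 2.2.2.2 group and its masked key line are made up for contrast.
SAMPLE = """\
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 no pre-shared-key
 no trust-point
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
"""

HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+(?:type\s+(\S+)|(\S+-attributes))$")

def parse_tunnel_groups(text):
    """Return {name: {"type": ..., "psk": bool, "trustpoint": bool}}."""
    groups, name, section = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            name, gtype, section = m.group(1), m.group(2), m.group(3)
            g = groups.setdefault(name, {"type": None, "psk": False, "trustpoint": False})
            if gtype:
                g["type"] = gtype
        elif name and section == "ipsec-attributes":
            # "no pre-shared-key" / "no trust-point" start with "no", so they
            # do not match here and the attribute stays unset.
            if line.startswith("pre-shared-key "):
                groups[name]["psk"] = True
            elif line.startswith("trust-point "):
                groups[name]["trustpoint"] = True
    return groups

def l2l_without_auth(text):
    """ipsec-l2l groups with neither a pre-shared key nor a trust-point."""
    return sorted(n for n, g in parse_tunnel_groups(text).items()
                  if g["type"] == "ipsec-l2l" and not (g["psk"] or g["trustpoint"]))

if __name__ == "__main__":
    for peer in l2l_without_auth(SAMPLE):
        print(f"{peer}: L2L tunnel-group has no pre-shared-key or trust-point")
```

Lines are stripped before matching, so the check also works on output whose indentation was lost when it was pasted.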