cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
482
Views
0
Helpful
4
Replies

vpn tunnel

suthomas1
Level 6
Level 6

This client needs to create a vpn ( ipsec )tunnel using two asa'a. I had a cisco documentation link being posted by one of the learned posters here.

This link shows the configuration with a tunnel group. I came across another general site, which shows one without a tunnel group using asa's.

Please help which one is better and appreciate if i could understand why.

Thank You.

1 Accepted Solution

Accepted Solutions

thsts a deprecated command

however i tried it out in my lab just to see what would happen, it took the commadn but this is what it made by default

ASA-1(config)# crypto isakmp key cisco address x.x.x.x
ASA-1(config)# sh run tunn
ASA-1(config)# sh run tunnel-group

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
no pre-shared-key
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2

so you can clearly see it took the command but it did not like it

while you try to put the command it does say that it is deprecated

So to summarize -----------------------  always use tunnel-group : )

View solution in original post

4 Replies 4

mirober2
Cisco Employee
Cisco Employee

Hello,

The tunnel-group is needed for at least some of the basic tunnel attributes. This document will explain the minimum tunnel-group settings needed for a site-to-site tunnel:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/site2sit.html#wp1042423

Hope that helps.

-Mike

on asa you will need tunnel group to enter atleast the pre-shared key

so if there is no tunnel group for a particular peer it falls on the default tunnel group

to create a preshared key, would "crypto isakmp 'KEY' test address X.X.X.X" be sufficient if i dont use the tunnel group.

will this cause any issues by not using tunnel group.

Thanks!

thsts a deprecated command

however i tried it out in my lab just to see what would happen, it took the commadn but this is what it made by default

ASA-1(config)# crypto isakmp key cisco address x.x.x.x
ASA-1(config)# sh run tunn
ASA-1(config)# sh run tunnel-group

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
no pre-shared-key
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2

so you can clearly see it took the command but it did not like it

while you try to put the command it does say that it is deprecated

So to summarize -----------------------  always use tunnel-group : )

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: