Understanding Group Policy's in CLient VPN's

Hello,

Can someone explain to me what exactly the tunnel-group and group-policy do in a VPN client configuration? Can someone explain it in simple language, not referring to any document, as I'm a non-techie guy.

Below is the configuration. I would be very thankful if you could explain to me what exactly each line of config does in helping to connect to the client VPN from a remote location. I know this is part of the configuration, but I'm concerned with these lines.

tunnel-group CiscoVPN_TG type remote-access
tunnel-group CiscoVPN_TG general-attributes
 address-pool Pool_Users
 authentication-server-group TACACS_Servers
 default-group-policy CiscoVPN_GP
tunnel-group CiscoVPN_TG ipsec-attributes
 ikev1 pre-shared-key (15 Alphanumeric with Special Characters)

group-policy CiscoVPN_GP internal
group-policy CiscoVPN_GP attribute
 dns-server value 8.8.4.4
 vpn-tunnel-protocol ikev1 ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Restrict_ACL

1 REPLY


Hi Srikanth,

Explaining VPN completely is a bit difficult, but let me try to explain it as simply as possible.

 

tunnel-group CiscoVPN_TG type remote-access

<< With the above command you are selecting the type of VPN configuration, whether RA or L2L etc. Here client-to-site VPN (Remote Access) is chosen >>
tunnel-group CiscoVPN_TG general-attributes

<< The above command specifies the generic configuration parameters to be defined for the VPN >>
 address-pool Pool_Users

<< The VPN client user will get the IP address assigned from the specific pool name (Pool_Users). Somewhere a DHCP pool would have been created with this name >>
 authentication-server-group TACACS_Servers

<< Users from the VPN client will get authenticated through the TACACS/RADIUS server pointed to there. There should be some AAA configuration related to the group (TACACS_Servers) >>
default-group-policy CiscoVPN_GP

<< It defines the default group policy >>
tunnel-group CiscoVPN_TG ipsec-attributes

<< Earlier it was generic attributes for the RA VPN. Now we are getting into IPsec-specific attributes >>
ikev1 pre-shared-key (15 Alphanumeric with Special Characters)

<< For VPN client to VPN server, authentication is done with a pre-shared key. This key should match on the VPN client configuration (the user's PC VPN application) and the VPN server (the firewall configuration here) >>
group-policy CiscoVPN_GP internal

<< Group policy can be either internal or external. It defines the user-specific attributes. >>
group-policy CiscoVPN_GP attribute << User Specific Attributes >>
 dns-server value 8.8.4.4

<< DNS value for the tunnel >>
 vpn-tunnel-protocol ikev1 ikev2 

<< Internet Key Exchange protocol version specifications, IKEv1/2 >>
 split-tunnel-policy tunnelspecified

<< Here they want to route only the specific traffic over the VPN tunnel. All the rest will take the default path of the end user's connection. >>
 split-tunnel-network-list value Restrict_ACL

<< Only the subnets/hosts allowed in the ACL lines will be allowed through the VPN tunnel. All the rest will go through the local gateway >>

 

I hope I have explained it for a better understanding.

 

Hope this helps.

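The reply points out that the pool, the AAA server group and the ACL must be defined elsewhere under the names the tunnel-group and group-policy refer to. As an added example, not from the original thread, here is what those three supporting objects look like on an ASA, followed by the lines from the question that reference them; the IP addresses and internal subnets are constructed, and the TACACS+ key, the pre-shared key and the "inside" interface name are placeholders.

```cisco
! Address pool: "address-pool Pool_Users" hands one of these to each client
! (constructed addresses)
ip local pool Pool_Users 192.168.100.10-192.168.100.100 mask 255.255.255.0

! AAA server group: "authentication-server-group TACACS_Servers" sends each
! user's login here (server address constructed, key is a placeholder)
aaa-server TACACS_Servers protocol tacacs+
aaa-server TACACS_Servers (inside) host 192.168.1.5
 key TACACS_SHARED_SECRET_PLACEHOLDER

! Split-tunnel list: with "split-tunnel-policy tunnelspecified", only traffic
! to these destinations enters the tunnel; everything else stays on the
! user's local gateway (constructed internal subnets)
access-list Restrict_ACL standard permit 10.10.0.0 255.255.0.0
access-list Restrict_ACL standard permit 10.20.0.0 255.255.0.0

! The group policy from the question, applied to every user of the tunnel-group
group-policy CiscoVPN_GP internal
group-policy CiscoVPN_GP attributes
 dns-server value 8.8.4.4
 vpn-tunnel-protocol ikev1 ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Restrict_ACL

! The tunnel-group from the question, tying the three objects together
tunnel-group CiscoVPN_TG type remote-access
tunnel-group CiscoVPN_TG general-attributes
 address-pool Pool_Users
 authentication-server-group TACACS_Servers
 default-group-policy CiscoVPN_GP
tunnel-group CiscoVPN_TG ipsec-attributes
 ikev1 pre-shared-key PRE_SHARED_KEY_PLACEHOLDER
```

Once a client connects, `show vpn-sessiondb ra-ikev1-ipsec` on the ASA lists the session with its assigned pool address and the group-policy that was applied, which is the quickest way to confirm the three references resolved as intended.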