I am about to configure a setup with a VPN network for a company. I will be using an ASA 5520 as the VPN concentrator and Cisco 800 series routers at the remote locations (about 200 remote locations).
Now, if I don't want to configure a tunnel group for each of these remote locations, I can use the "DefaultL2LGroup" tunnel-group on the ASA 5520 to specify a pre-shared-key.
This also works fine, but I'm not so confident with using the same pre-shared-key for all remote locations. So now my question is whether it's possible to create a tunnel-group for a "group" of remote locations. For example, if I wanted to use the same pre-shared-key for the first 10 remote locations, and then another pre-shared-key for the next 10 locations, and so forth, WITHOUT having to specify a tunnel-group for every remote location.
There are different ways to build an IPSec tunnel from the remote location to the head end site. You can build a L2L session or you can build an EzVPN (like a Hardware server/client) session to the ASA. EzVPN comes in two flavors, Network Extension Mode and Client Mode.
You can't use pre-shared keys for 10 locations and use another pre-shared key for the next 10 locations, etc., on the same DefaultL2LGroup.
What you can do is build an EzVPN session from the remote site to the head end side. In this case, you need to build a separate tunnel-group and use the same tunnel group for every location, but use XAUTH (user authentication) through an ACS server (RADIUS authentication) or so and lock the user to a different tunnel-group using a group-policy.
Every tunnel-group needs a group-policy.
What you can do is, create multiple tunnel-groups but provide only one tunnel-group information to the remote client.
When they authenticate, you can use the user information on the ACS server and pass down a group-policy to which they need to authenticate with, and use the group-lock feature on the group-policy to lock the user to the tunnel-group which they should belong to. In this way, the remote clients don't have to connect with different tunnel-group information.
Or if you are looking for implementation of different keys to multiple remote peers for security reason, then I would recommend using certificates.
Hope this helps, if I confused you, please let me know.
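As an added illustration (not part of the original thread) of the EzVPN design described above, here is how the ASA side could look with one remote-access tunnel-group per batch of remote sites, each with its own pre-shared key, XAUTH against a RADIUS server, and group-lock tying each group-policy to its tunnel-group. It assumes ASA 8.4-or-later syntax; the server address, group names and key placeholders are constructed, not from the thread.

```cisco
! Constructed example: two EzVPN (remote-access) tunnel-groups on the ASA,
! one per batch of remote sites, each with its own pre-shared key.
! Names, addresses and <...> values are placeholders, not from the thread.

! RADIUS (ACS) server used for XAUTH user authentication
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET>

! Group-policy for sites 1-10. group-lock rejects a user whose RADIUS
! profile assigns this policy if they connect via any other tunnel-group,
! so a key leaked from one batch cannot be combined with another batch's
! group-policy.
group-policy GP-SITES-01-10 internal
group-policy GP-SITES-01-10 attributes
 vpn-tunnel-protocol ikev1
 group-lock value TG-SITES-01-10

! Group-policy for sites 11-20
group-policy GP-SITES-11-20 internal
group-policy GP-SITES-11-20 attributes
 vpn-tunnel-protocol ikev1
 group-lock value TG-SITES-11-20

! Tunnel-group for sites 1-10: the Cisco 800 EzVPN client sends this
! name as its group identity and must present this pre-shared key,
! then the router's XAUTH user is checked against ACS-RADIUS.
tunnel-group TG-SITES-01-10 type remote-access
tunnel-group TG-SITES-01-10 general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy GP-SITES-01-10
tunnel-group TG-SITES-01-10 ipsec-attributes
 ikev1 pre-shared-key <PSK-SITES-01-10>

! Tunnel-group for sites 11-20 with a different pre-shared key
tunnel-group TG-SITES-11-20 type remote-access
tunnel-group TG-SITES-11-20 general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy GP-SITES-11-20
tunnel-group TG-SITES-11-20 ipsec-attributes
 ikev1 pre-shared-key <PSK-SITES-11-20>
```

With 200 sites this yields 20 tunnel-groups instead of 200; if a key must be rotated, only the sites in that batch are affected. Releases before 8.4 use `vpn-tunnel-protocol ipsec` and `pre-shared-key` in place of the `ikev1` forms shown.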