Cisco Support Community
New Member

ASA Dynamic Crypto map

I was looking at this example and did not get a clear explanation as to the use of the tunnel-group DefaultL2LGroup

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

Why is the pre-shared-key * different from the spoke pre-shared key of cisco123? Is this a wildcard to accept any key passed from the spoke? Can this be defined, or is it set as it is? I don't see the advantage if it is "accept any".

Thanks,

Pete

Accepted Solutions
Cisco Employee

ASA Dynamic Crypto map

Pete,

"*" is how ASA will display any key, it's obfuscated when you list running configuration.

bsns-asa5505-19#  conf t
bsns-asa5505-19(config)# tunnel-group BERN ipsec-attributes
bsns-asa5505-19(config-tunnel-ipsec)# ikev1 pre-shared-key 1234556778
bsns-asa5505-19(config-tunnel-ipsec)# sh run tunnel-group BERN ipsec-attri
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
ikev1 pre-shared-key *****

There's no "accept any" in IKE since that key will be used to protect and decode IKE identities.

Also, have a look into tunnel-group mapping.

At a glance, the Default tunnel groups are used as a last-ditch effort in matching. I.e. they will accommodate most peers with dynamic IPs (or unspecified).

M.
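An added hub-side configuration fragment, not from the original post or the linked Cisco example, illustrating the point above: DefaultL2LGroup is the catch-all that dynamic-IP spokes fall into, and its pre-shared key must be the same string the spoke is configured with, because the "*" in the running configuration is only display masking. The interface, map and transform-set names are assumed, and the key cisco123 is taken from Pete's description of the spoke side.

```cisco
! IKEv1 phase 1 proposal; the spoke must offer matching parameters
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2 proposal referenced by the dynamic map
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic map: no "set peer", so spokes with unknown or changing IPs can initiate
crypto dynamic-map DYN-SPOKES 10 set ikev1 transform-set ESP-AES256-SHA

! Static map entries (lower sequence numbers) are tried first;
! the dynamic entry is the last resort
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside

! Catch-all tunnel group for LAN-to-LAN peers that match no named tunnel-group.
! The key is entered in clear text here; "show run" masks it as *****.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key cisco123
```

Because every dynamic spoke authenticates against this single key, the key is only as protected as the least-protected spoke, so rotate it and restrict the pool of spokes accordingly. To verify the configured value against a spoke without the masking, `more system:running-config` displays the key unobfuscated.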

2 REPLIES
New Member

ASA Dynamic Crypto map

LOL. That makes sense. I was used to seeing more "*" as you show it.

My peers will be dynamic so we are going this route.

Thanks!
