10-24-2013 08:42 AM
I was looking at this example and did not get a clear explanation as to the use of the
tunnel-group DefaultL2LGroup
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml
Why is the pre-shared-key * different from the spoke pre-shared key of cisco123? Is this a wildcard to accept any
key passed from the spoke? Can this be defined, or is it set as it is? I don't see the advantage if it is "accept any".
Thanks,
Pete
10-24-2013 11:09 AM
Pete,
"*" is how the ASA displays any key; it's obfuscated when you list the running configuration.
bsns-asa5505-19# conf t
bsns-asa5505-19(config)# tunnel-group BERN ipsec-attributes
bsns-asa5505-19(config-tunnel-ipsec)# ikev1 pre-shared-key 1234556778
bsns-asa5505-19(config-tunnel-ipsec)# sh run tunnel-group BERN ipsec-attri
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
ikev1 pre-shared-key *****
There's no "accept any" in IKE since that key will be used to protect and decode IKE identities.
Also, have a look into tunnel-group mapping.
At a glance, the Default tunnel groups are used as a last-ditch effort in matching, i.e. they will accommodate most peers with dynamic IPs (or unspecified).
M.
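An added example, not taken from the post above or from the linked Cisco document, of the hub-and-spoke layout the thread is about. The hub has no static address for its spokes, so it carries no tunnel-group named after a spoke and every spoke falls through to DefaultL2LGroup; each spoke, which does know the hub's address, uses a tunnel-group named after it. Hostnames, the hub address 203.0.113.1, the 10.1.0.0/16 and 10.2.0.0/16 networks, the ACL and map names, and the key value are all assumptions, and `group 14` assumes an ASA release that offers it for IKEv1 policies. The caveat the "accept any" question hints at: in IKEv1 main mode the hub picks the pre-shared key by the peer's source address before any identity is decrypted, so every spoke that lands in DefaultL2LGroup must hold that one shared key, and a spoke whose key does not match simply fails Phase 1.

```cisco
! ---- Hub (static public address 203.0.113.1, assumed) ----
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! No "set peer" is possible: spoke addresses are unknown, so a dynamic map
! is used and placed at the highest sequence number of the interface map.
crypto dynamic-map DYN-SPOKES 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-SPOKES 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
! Any L2L peer whose address matches no named tunnel-group ends up here.
! The key is a placeholder for this example; "show run" prints it as *****.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key SpokeSharedKey-CHANGE-ME

! ---- Spoke (dynamic public address, LAN 10.2.0.0/16, hub LAN 10.1.0.0/16) ----
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
access-list HUB-TRAFFIC extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address HUB-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
! The spoke knows the hub's address, so its tunnel-group is named after it.
! This key must equal the hub's DefaultL2LGroup key.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key SpokeSharedKey-CHANGE-ME
```

To confirm what was actually typed rather than the ***** mask, `more system:running-config` on the ASA shows keys and passwords in clear text, which is also why that command and the running configuration itself deserve the same handling as the key. Because all spokes share the hub's DefaultL2LGroup key, rotating it means touching every spoke; where spokes can be told apart by certificate, certificate authentication (or a certificate map to a per-spoke tunnel-group) removes that shared secret.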
10-24-2013 11:37 AM
LOL. That makes sense. I was used to seeing more "*", as you show it.
My peers will be dynamic so we are going this route.
Thanks!