Cisco Support Community

Different IP-addresses used between group-policy and tunnel-group

Hi,

See this configuration:

crypto map VPN_map_1 match address VPN_1
crypto map VPN_map_1 set pfs
crypto map VPN_map_1 set connection-type originate-only
crypto map VPN_map_1 set peer 172.16.1.1
crypto map VPN_map_1 set transform-set ESP-3DES-SHA

group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 group-lock value 10.0.0.1
 pfs enable

tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy A
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key 12345

The group-lock value doesn't match, but VPN will work. The question is: will group-policy A be used by the ASA or not?

Very curious,

Galied

1 REPLY

Re: Different IP-addresses used between group-policy and tunnel-

Group-lock is used for VPN client remote-access VPN only, not for site-to-site VPN tunnels. Hence, in your example, group-lock will not be enforced.

Hope that answers your question.
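
A configuration-review check built on the reply above, as an added example that is not part of the original thread or Cisco tooling: it lists every group-lock value that sits on a group-policy attached to an ipsec-l2l tunnel-group, where the reply says it is not enforced, so a reviewer does not count it as an access control. The function name, the output fields and the remote-access group RA_USERS with policy B are assumptions made for the illustration; the parser accepts the configuration with or without indentation.

```python
import re

# Constructed sample: the question's configuration (flattened, as posted) plus a
# hypothetical remote-access group "RA_USERS" with policy "B" for contrast.
SAMPLE_CONFIG = """\
group-policy A internal
group-policy A
vpn-tunnel-protocol IPSec
group-lock value 10.0.0.1
pfs enable
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
default-group-policy A
tunnel-group 172.16.1.1 ipsec-attributes
pre-shared-key 12345
group-policy B internal
group-policy B attributes
group-lock value RA_USERS
tunnel-group RA_USERS type remote-access
tunnel-group RA_USERS general-attributes
default-group-policy B
"""

def audit_group_lock(config):
    """List group-lock settings on policies attached to ipsec-l2l tunnel-groups."""
    locks, tg_type, tg_policy = {}, {}, {}
    section = None  # ("gp" | "tg", name) of the block being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"group-policy (\S+)(?: attributes)?", line):
            section = ("gp", m.group(1))
        elif m := re.fullmatch(r"tunnel-group (\S+) type (\S+)", line):
            tg_type[m.group(1)], section = m.group(2), None
        elif m := re.fullmatch(r"tunnel-group (\S+) general-attributes", line):
            section = ("tg", m.group(1))
        elif line.startswith(("group-policy ", "tunnel-group ")):
            section = None  # some other block starts (internal, ipsec-attributes, ...)
        elif section and (m := re.fullmatch(r"group-lock value (\S+)", line)):
            if section[0] == "gp":
                locks[section[1]] = m.group(1)
        elif section and (m := re.fullmatch(r"default-group-policy (\S+)", line)):
            if section[0] == "tg":
                tg_policy[section[1]] = m.group(1)
    return [
        {"tunnel_group": tg, "group_policy": gp, "group_lock": locks[gp],
         "lock_matches_tunnel_group": locks[gp] == tg}
        for tg, gp in sorted(tg_policy.items())
        if tg_type.get(tg) == "ipsec-l2l" and gp in locks
    ]

if __name__ == "__main__":
    for finding in audit_group_lock(SAMPLE_CONFIG):
        print("group-lock on site-to-site policy (not enforced per the reply):", finding)
```

On the sample it reports only tunnel-group 172.16.1.1 with policy A and the mismatched lock value 10.0.0.1; the remote-access group is left out because group-lock applies there.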
