Different IP-addresses used between group-policy and tunnel-group

Hi,

See this configuration:

! Crypto map entry; the sequence number 1 is assumed here (the post omitted it,
! and the ASA requires one on every crypto map command)
crypto map VPN_map_1 1 match address VPN_1
crypto map VPN_map_1 1 set pfs
crypto map VPN_map_1 1 set connection-type originate-only
crypto map VPN_map_1 1 set peer 172.16.1.1
crypto map VPN_map_1 1 set transform-set ESP-3DES-SHA

! Locally defined group policy; "attributes" is required to enter the sub-mode
group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 group-lock value 10.0.0.1
 pfs enable

! Site-to-site tunnel-group, named after the peer address, with A as its default policy
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy A
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key 12345

The group-lock value doesn't match, but the VPN will work. The question is: will group-policy A be used by the ASA or not?

Very curious,

Galied


Jennifer Halim
Cisco Employee

Group-lock is used for VPN client remote-access VPNs only, not for site-to-site VPN tunnels. Hence, in your example, group-lock will not be enforced.

Hope that answers your question.
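As an added illustration, not part of the original thread, here is the remote-access configuration in which group-lock actually does something, placed beside the site-to-site configuration from the question. The names RA_policy, RA_users and RA_pool, the address range, and the PSK placeholder are assumed for the example and do not come from the original post.

```text
! --- Remote-access case: group-lock is enforced here ---
! Assumed names: RA_policy, RA_users, RA_pool (not from the original post)
ip local pool RA_pool 10.10.10.1-10.10.10.50

group-policy RA_policy internal
group-policy RA_policy attributes
 vpn-tunnel-protocol IPSec
 ! The value is a tunnel-group (connection profile) name, not an IP address.
 ! A remote-access user who receives RA_policy while connecting through any
 ! other tunnel-group is disconnected.
 group-lock value RA_users

tunnel-group RA_users type remote-access
tunnel-group RA_users general-attributes
 address-pool RA_pool
 default-group-policy RA_policy
tunnel-group RA_users ipsec-attributes
 pre-shared-key <group-psk>

! --- Site-to-site case (the question): group-lock is ignored ---
! Policy A is still applied to the tunnel through default-group-policy, so its
! other attributes (vpn-tunnel-protocol, pfs) take effect; only group-lock does not.
group-policy A internal
group-policy A attributes
 vpn-tunnel-protocol IPSec
 ! No effect on an ipsec-l2l tunnel-group
 group-lock value 10.0.0.1
 pfs enable

tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy A
```

To confirm which policy an established site-to-site session is using, `show vpn-sessiondb l2l` lists the Group Policy and Tunnel Group for each active L2L session (exact output layout varies by ASA version).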
