Cisco Support Community


site 2 site vpn connectivity using asa


I would like to understand the reason why the below commands are given.

1. crypto ipsec transform-set Name esp-aes esp-sha-hmac

   Here we see that this particular transform set is followed by multiple options of encryption/authentication protocols.

   First, what is the purpose of the transform-set command?

   Second, are the protocols mentioned here for encryption / authentication / hashing?

   Third, I happened to find a document which stated that this is used to identify "interesting traffic"; if so, then how does it work?

2. tunnel-group type ipsec-l2l
   tunnel-group ipsec-attributes

   What do these two commands do?


Re: site 2 site vpn connectivity using asa


For your first question, go over this link; all are answered here - it will help you understand the overall concept of IPsec standards.

As for your question on transform set, this defines the security protocols, or better said the encryption type, to be used in the tunnel policy.

The interesting traffic is defined by the access-list permitting the traffic.

2.tunnel-group type ipsec-l2l
   tunnel-group ipsec-attributes

As for your second question, the tunnel-group command alone is used when you want to configure a VPN tunnel, SSL VPN, or RA VPN, followed by a name you choose to reference it by; in your case the tunnel-group is named followed by the type of VPN, which in your case is an L2L VPN.

Under tunnel-group you have other options, which are general attributes and IPsec attributes, and in each option there are other configuration categories for the tunnel. Under tunnel-group ipsec-attributes you have options for defining configurations such as pre-shared keys and/or other settings for the tunnel. You can always issue a question mark after you type the command to show what configuration parameters are available under that category.
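For anyone reading this later, here is an added example (not from the original poster or the reply above) that puts the commands from the question into one minimal site-to-site configuration, using the pre-8.3 ASA syntax the question itself uses. Interface names, LAN subnets, object/ACL names and the peer address 203.0.113.2 are constructed for illustration, and the pre-shared key is a placeholder. The comments mark which command answers which part of the question: the transform-set chooses the ESP algorithms, the access-list chooses the interesting traffic, and the tunnel-group identifies the peer and holds its pre-shared key.

```cisco
! --- Phase 1 (ISAKMP / IKEv1): how the two ASAs authenticate each other and
! --- protect the negotiation itself. Nothing here is about user traffic.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! --- Phase 2 (IPsec): the transform-set names the ESP algorithms that will
! --- protect the tunnel traffic. esp-aes = encryption (confidentiality),
! --- esp-sha-hmac = HMAC-SHA1 integrity/authentication of each packet.
! --- It says nothing about WHICH traffic is protected.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! --- "Interesting traffic": the access-list decides which packets enter the
! --- tunnel. Constructed example: local LAN 192.168.1.0/24 to remote
! --- LAN 10.10.10.0/24. The peer needs the mirror image of this ACL.
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

! --- NAT exemption (pre-8.3 syntax) so tunnel traffic keeps its real addresses.
nat (inside) 0 access-list VPN-TRAFFIC

! --- The crypto map ties the pieces together: which traffic (the ACL), to
! --- which peer, with which transform-set, applied on which interface.
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! --- tunnel-group: for an L2L (site-to-site) tunnel the group name is the
! --- peer IP address; "type ipsec-l2l" declares a LAN-to-LAN tunnel rather
! --- than a remote-access group.
tunnel-group 203.0.113.2 type ipsec-l2l
! --- ipsec-attributes: per-peer IPsec settings. With pre-shared-key
! --- authentication the key lives here and must match the peer's copy.
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-KEY>

! --- Verification, after sending traffic that matches VPN-TRAFFIC:
!   show crypto isakmp sa    (Phase 1: State should read MM_ACTIVE)
!   show crypto ipsec sa     (Phase 2: #pkts encaps/decaps should increase)
```

Two points worth checking when adapting this: the transform-set and the isakmp policy are the only places where the tunnel's cryptographic strength is decided, so this is where weaker choices such as DES or MD5 would be avoided, and on ASA 8.4 and later the same commands are spelled `crypto ipsec ikev1 transform-set`, `crypto ikev1 policy`, `crypto ikev1 enable outside` and `ikev1 pre-shared-key`, with NAT exemption written as a twice-NAT `nat (inside,outside) source static ...` rule instead of `nat (inside) 0`.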