https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303718#M858384 <HTML><HEAD></HEAD><BODY><P>Mike,</P><P></P><P>The tunnel-groups are used to be able to tell the ASA what type of remote access to allow the peer to use. You can have remote access or l2l tunnel-groups. The l2l tunnel group references the ip address of the remote peer, and under this it would have the pre-shared key that has to match on both ends.</P><P></P><P>The tunnel-group is associated to your crypto map. The l2l tunnel group that has the pre-shared key is for phase 1 negotiations, and phase 2 is done through your transform-sets and ACLs that are applied to your crypto map:</P><P></P><P>crypto map VPN 10 set peer 5.5.5.5</P><P>crypto map VPN 10 match address VPN</P><P>crypto map VPN 10 set transform-set VPN</P><P></P><P>tunnel-group 5.5.5.5 ipsec-l2l</P><P>tunnel-group 5.5.5.5 ipsec-attributes</P><P>pre-shared-key test</P><P></P><P>access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0</P><P></P><P>When a request comes in from 5.5.5.5 for 192.168.1.0, then the crypto map that's applied to the outside interface runs through it's sequence numbers to find a match. After it sees 5.5.5.5 as the requesting peer, it tries to match up the key with the tunnel-group. If that matches, then it proceeds to the next steps making sure that the same traffic is encrypted on the other side, transform sets match, etc.</P><P></P><P>The default-group-policy is a "catch-all" that matches anything that doesn't match the "vpn-group-policy" that you have. If you have a user using "vpn-group-policy", but you have other users that aren't locked into a group, then they'd use the default group policy.</P><P></P><P>HTH,</P><P>John</P></BODY></HTML> Mon, 27 Jul 2009 12:55:30 GMT John Blakley 2009-07-27T12:55:30Z https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303717#M858382 <P>Have a beginner - intermediate level knowledge of VPN config on ASA and trying to clarify couple things...</P><P></P><P>First, I've studied "Configuring IPSEC and ISAKMP" doc and compared to my actual ASA config (done by other CCNP). The doc makes no mention of tunnel-groups yet I see l2l tunnel-groups which contain pre-shared-key. Why does doc make no mention of tunnel-groups or pre-shared-keys? </P><P></P><P>Next, I do not see how these l2l tunne-groups link to their group-policy. How does ASA know which tunnel-group to select when sa negotiation takes place?</P><P></P><P>Next, remote-access tunnel-groups contain "default-group-policy" command. Also there is "vpn-group-policy" command under username &lt;name&gt; password &lt;pass&gt;. Why? Is one take precedence over other?</P><P></P><P>Thanks!</P><P></P><P>-Mike</P> Mon, 11 Mar 2019 15:59:17 GMT https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303717#M858382 mikedeyoung 2019-03-11T15:59:17Z https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303718#M858384 <HTML><HEAD></HEAD><BODY><P>Mike,</P><P></P><P>The tunnel-groups are used to be able to tell the ASA what type of remote access to allow the peer to use. You can have remote access or l2l tunnel-groups. The l2l tunnel group references the ip address of the remote peer, and under this it would have the pre-shared key that has to match on both ends.</P><P></P><P>The tunnel-group is associated to your crypto map. The l2l tunnel group that has the pre-shared key is for phase 1 negotiations, and phase 2 is done through your transform-sets and ACLs that are applied to your crypto map:</P><P></P><P>crypto map VPN 10 set peer 5.5.5.5</P><P>crypto map VPN 10 match address VPN</P><P>crypto map VPN 10 set transform-set VPN</P><P></P><P>tunnel-group 5.5.5.5 ipsec-l2l</P><P>tunnel-group 5.5.5.5 ipsec-attributes</P><P>pre-shared-key test</P><P></P><P>access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0</P><P></P><P>When a request comes in from 5.5.5.5 for 192.168.1.0, then the crypto map that's applied to the outside interface runs through it's sequence numbers to find a match. After it sees 5.5.5.5 as the requesting peer, it tries to match up the key with the tunnel-group. If that matches, then it proceeds to the next steps making sure that the same traffic is encrypted on the other side, transform sets match, etc.</P><P></P><P>The default-group-policy is a "catch-all" that matches anything that doesn't match the "vpn-group-policy" that you have. If you have a user using "vpn-group-policy", but you have other users that aren't locked into a group, then they'd use the default group policy.</P><P></P><P>HTH,</P><P>John</P></BODY></HTML> Mon, 27 Jul 2009 12:55:30 GMT https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303718#M858384 John Blakley 2009-07-27T12:55:30Z https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303719#M858386 <HTML><HEAD></HEAD><BODY><P>Thanks John.</P><P></P><P>Helped a lot.</P><P></P><P>Mike</P></BODY></HTML> Mon, 27 Jul 2009 14:33:18 GMT https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303719#M858386 mikedeyoung 2009-07-27T14:33:18Z https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303720#M858388 <HTML><HEAD></HEAD><BODY><P>Additionally, it appears that the documentation you were reading was using the old 6.x code. Tunnel groups were introduced in 7.0</P></BODY></HTML> Mon, 27 Jul 2009 18:41:51 GMT https://community.cisco.com/t5/network-security/crypto-confusion/m-p/1303720#M858388 jeromecandiff 2009-07-27T18:41:51Z