
Difference between Tunnel Groups and Crypto Maps on ASA?

jkeeffe
Level 2

I'm confused about when to use a Tunnel Group - if ever - when creating a LAN-to-LAN IPsec VPN tunnel between two ASA-5540s. For a standard configuration, does one work mainly with Crypto Maps? When does one work with Tunnel Groups?

1 Reply

husycisco
Level 7

Hi Jim

One cannot exist without the other. For an L2L tunnel, the crypto map specifies:

1) Peer IP
2) Transform set
3) Match ACL (the traffic that will flow through the tunnel; in other words, the traffic that triggers this crypto map to establish the tunnel)

Now the devices know who the endpoints of the VPN tunnel are, the transform sets both ends have to use, and the traffic that should flow through the tunnel.

This is where the tunnel-group comes in. It includes the pre-shared key that is used to authenticate both ends (or a certificate, if you prefer), idle timeouts, etc. It also determines whether this tunnel is a remote-access tunnel or a LAN-to-LAN tunnel; if it is a remote-access tunnel, you specify the address pool definitions here, and so on.

Here is example code for establishing a site-to-site tunnel (x.x.x.x is the remote peer IP, xxx is the name of the match ACL):

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key xxxxxxxx
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 match address xxx

Keep in mind that the tunnel-group name must match the remote peer IP address (if this is a LAN-to-LAN tunnel).

Regards
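The dependency described in the answer above (a crypto map entry names the peer, the transform set and the match ACL, while the tunnel-group named after that same peer IP carries the pre-shared key) is easy to break when configs are edited by hand: a crypto map whose peer has no tunnel-group of the same name, or a tunnel-group that was created but never given a key, will simply never bring the tunnel up. The following Python script is an added example, not code from the thread or from Cisco. It parses an ASA running-config and reports those mismatches. The config text inside it is constructed for illustration (documentation-range peer addresses, the pre-shared key masked as `*****` the way `show running-config` prints it); it also accepts the `ikev1 pre-shared-key` form used on newer ASA releases. Regex parsing of CLI text is an assumption of this example, not an ASA API.

```python
"""Cross-check ASA crypto map entries against their tunnel-groups.

Added example (not from the original thread). For every L2L crypto map entry
it verifies that 'set peer', 'set transform-set' and 'match address' are all
present, that the match ACL is defined, and that each peer has a tunnel-group
of the same name, of type ipsec-l2l, with a pre-shared key configured.
"""
import re

# Constructed sample running-config fragment (not a real device).
# Entry 10 is complete; entry 20's tunnel-group lacks a key; entry 30 has no
# match ACL and no tunnel-group at all.
SAMPLE_CONFIG = """
access-list L2L_TO_BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list L2L_TO_DC extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2L_TO_BRANCH
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set myset
crypto map outside_map 20 match address L2L_TO_DC
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set myset
crypto map outside_map 30 set peer 192.0.2.30
crypto map outside_map 30 set transform-set myset
crypto map outside_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
"""

CRYPTO_MAP_RE = re.compile(
    r"^crypto map (?P<map>\S+) (?P<seq>\d+) "
    r"(?P<attr>set peer|set transform-set|match address) (?P<value>.+)$"
)
TG_TYPE_RE = re.compile(r"^tunnel-group (?P<name>\S+) type (?P<type>\S+)$")
TG_MODE_RE = re.compile(
    r"^tunnel-group (?P<name>\S+) (?P<mode>ipsec-attributes|general-attributes)$"
)
ACL_RE = re.compile(r"^access-list (?P<name>\S+) ")


def parse_asa_config(text):
    """Return (crypto_maps, tunnel_groups, acls) extracted from config text."""
    crypto_maps = {}    # (map name, seq) -> {"peers", "transform-set", "match"}
    tunnel_groups = {}  # tunnel-group name -> {"type", "psk"}
    acls = set()
    current_tg = None   # tunnel-group whose attribute sub-mode we are inside
    for raw in text.splitlines():
        if not raw.strip():
            continue
        stripped = raw.strip()
        if raw.startswith(" ") and current_tg is not None:
            # Indented line inside 'tunnel-group X ipsec-attributes'.
            if stripped.startswith(("pre-shared-key", "ikev1 pre-shared-key")):
                tunnel_groups[current_tg]["psk"] = True
            continue
        current_tg = None  # any top-level line ends the sub-mode
        m = CRYPTO_MAP_RE.match(stripped)
        if m:
            entry = crypto_maps.setdefault(
                (m["map"], m["seq"]), {"peers": [], "transform-set": None, "match": None}
            )
            if m["attr"] == "set peer":
                entry["peers"].extend(m["value"].split())  # backup peers allowed
            elif m["attr"] == "set transform-set":
                entry["transform-set"] = m["value"]
            else:
                entry["match"] = m["value"]
            continue
        m = TG_TYPE_RE.match(stripped)
        if m:
            tunnel_groups.setdefault(m["name"], {"type": None, "psk": False})["type"] = m["type"]
            continue
        m = TG_MODE_RE.match(stripped)
        if m:
            current_tg = m["name"]
            tunnel_groups.setdefault(current_tg, {"type": None, "psk": False})
            continue
        m = ACL_RE.match(stripped)
        if m:
            acls.add(m["name"])
    return crypto_maps, tunnel_groups, acls


def audit(text):
    """Return a list of human-readable findings; empty means consistent."""
    crypto_maps, tunnel_groups, acls = parse_asa_config(text)
    findings = []
    for (name, seq), entry in sorted(crypto_maps.items()):
        label = f"crypto map {name} {seq}"
        if not entry["peers"]:
            findings.append(f"{label}: no 'set peer'")
        if entry["transform-set"] is None:
            findings.append(f"{label}: no 'set transform-set'")
        if entry["match"] is None:
            findings.append(f"{label}: no 'match address' ACL")
        elif entry["match"] not in acls:
            findings.append(f"{label}: match ACL {entry['match']} is not defined")
        for peer in entry["peers"]:
            tg = tunnel_groups.get(peer)
            if tg is None:
                findings.append(f"{label}: peer {peer} has no tunnel-group named {peer}")
                continue
            if tg["type"] != "ipsec-l2l":
                findings.append(f"tunnel-group {peer}: type is {tg['type']}, expected ipsec-l2l")
            if not tg["psk"]:
                findings.append(f"tunnel-group {peer}: no pre-shared-key configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of `show running-config` saved to a file by replacing `SAMPLE_CONFIG` with the file contents; a clean L2L configuration produces no findings, while each of the three constructed defects above is reported on its own line.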
