tunnel group xauth

lcaruso
Level 6

My question is that I cannot tell from the ASA's response whether it actually took my no-xauth command.

I started with this:

tunnel-group 69.X.X.170 type ipsec-l2l
tunnel-group 69.X.X.170 ipsec-attributes
pre-shared-key *****

issued these commands:

tunnel-group 69.X.X.170 ipsec-attributes
isakmp peer ip 69.X.X.170 no-xauth

and got this:

tunnel-group 69.X.X.170 type ipsec-l2l
tunnel-group 69.X.X.170 general-attributes
tunnel-group 69.X.X.170 ipsec-attributes
pre-shared-key *****

Does the addition of the general-attributes line mean the no-xauth is effective?


4 Replies

andamani
Cisco Employee

Hi,

The no-xauth is not effective.

By default the tunnel group has some general attributes, hence it will always appear in the output of sh tunnel-group.

You need to configure the following to disable the xauth:

ASA(config)#tunnel-group example-group ipsec-attributes
ASA(config-tunnel-ipsec)#isakmp ikev1-user-authentication none

The following link will explain the same.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution21

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved.

Thank you!

Is it possible to have it show this is enabled somehow?

Hi,

If you read the link in a bit more detail, you will notice the following line:

If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails with "CONF_XAUTH " in the output of the show crypto isakmp sa command.

So by default it will ask for xauth if the above condition is met.

We can check the hidden configuration with the command "sh run all", or if you want to check the same for a tunnel group, you can enter "sh run all tunnel-group ".

Regards,

Anisha

P.S.: please rate helpful posts
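As an added verification helper that is not from this thread or from Cisco: this Python script parses "show running-config all tunnel-group" output and reports which ipsec-l2l tunnel-groups still have IKEv1 user authentication set to xauth, i.e. the ones whose LAN-to-LAN peer would be prompted. The sample output is constructed (peer addresses and attribute lines are illustrative, not captured from a real ASA), and the regex also accepting the newer "ikev1 user-authentication" spelling is an assumption; it checks the tunnel-group attribute only, not the crypto-map condition quoted above.

```python
import re

# Constructed sample of "show running-config all tunnel-group" output.
# Peer addresses and the exact attribute lines are illustrative only.
SAMPLE = """\
tunnel-group 69.X.X.170 type ipsec-l2l
tunnel-group 69.X.X.170 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 69.X.X.170 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
 isakmp ikev1-user-authentication xauth
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *****
 isakmp ikev1-user-authentication none
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS ipsec-attributes
 isakmp ikev1-user-authentication xauth
"""

# Section headers: "tunnel-group <name> type <type>", "... general-attributes",
# "... ipsec-attributes".
HEADER = re.compile(r"^tunnel-group (\S+) (type|general-attributes|ipsec-attributes)(?: (\S+))?$")
# Older "isakmp ikev1-user-authentication <mode>" form used in the thread;
# the newer "ikev1 user-authentication <mode>" spelling is an assumption.
XAUTH_LINE = re.compile(r"^\s+(?:isakmp ikev1-user-authentication|ikev1 user-authentication) (\S+)$")


def parse_tunnel_groups(text):
    """Return {name: {"type": ..., "xauth": ...}} from show-run-all output."""
    groups, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, section, value = m.groups()
            entry = groups.setdefault(name, {"type": None, "xauth": None})
            if section == "type":
                entry["type"] = value
            # Only ipsec-attributes sub-mode lines carry the xauth setting.
            current = entry if section == "ipsec-attributes" else None
            continue
        if current is not None and (m := XAUTH_LINE.match(line)):
            current["xauth"] = m.group(1)
    return groups


def l2l_groups_prompting_xauth(groups):
    """Site-to-site groups not explicitly set to 'none' (a missing line means the default, xauth)."""
    return sorted(n for n, g in groups.items() if g["type"] == "ipsec-l2l" and g["xauth"] != "none")


if __name__ == "__main__":
    for name in l2l_groups_prompting_xauth(parse_tunnel_groups(SAMPLE)):
        print(f"{name}: L2L peer would be prompted for XAUTH; set 'isakmp ikev1-user-authentication none'")
```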
