01-30-2011 07:45 AM - edited 03-11-2019 12:42 PM
My question is: I cannot tell from the ASA's response whether it actually took my no-xauth command.
I started with this:
tunnel-group 69.X.X.170 type ipsec-l2l
tunnel-group 69.X.X.170 ipsec-attributes
pre-shared-key *****
I issued these commands:
tunnel-group 69.X.X.170 ipsec-attributes
isakmp peer ip 69.X.X.170 no-xauth
and got this:
tunnel-group 69.X.X.170 type ipsec-l2l
tunnel-group 69.X.X.170 general-attributes
tunnel-group 69.X.X.170 ipsec-attributes
pre-shared-key *****
Does the addition of the general-attributes line mean the no-xauth is effective?
01-30-2011 09:33 AM
Hi,
The no-xauth is not effective.
By default the tunnel group has some general attributes, hence it will always appear in the output of sh tunnel-group.
You need to configure the following to disable XAUTH:
ASA(config)#tunnel-group example-group ipsec-attributes
ASA(config-tunnel-ipsec)#isakmp ikev1-user-authentication none
The following link will explain the same.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution21
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved.
01-30-2011 04:43 PM
Thank you!
02-01-2011 05:18 PM
Is it possible to have it show this is enabled somehow?
02-02-2011 08:42 AM
Hi,
If you read the link in a bit more detail, you will notice the following line:
If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails with "CONF_XAUTH" in the output of the show crypto isakmp sa command.
So by default it will ask for XAUTH if the above condition is met.
We can check the hidden configuration with the command "sh run all", or, if you want to check the same for the tunnel group, you can enter "sh run all tunnel-group".
Regards,
Anisha
P.S.: please rate helpful posts
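The two answers above give the fix (isakmp ikev1-user-authentication none under the tunnel group's ipsec-attributes) and the way to see it (sh run all tunnel-group, which prints the defaults that sh run hides). The script below is an added example, not part of the original thread or of Cisco's own tooling: it parses a constructed sample of sh run all tunnel-group output and lists every ipsec-l2l tunnel group whose IKEv1 user authentication is not explicitly "none", then emits the CLI lines from the accepted answer to fix each one. The sample output, the peer addresses (69.X.X.170 from the question plus 203.0.113.5 and 198.51.100.9 as placeholders) and the exact set of default lines are assumptions; real output varies by ASA version, so adjust the regexes if your box prints the attribute differently.

```python
import re

# Constructed sample of `show run all tunnel-group` output (not captured from a real ASA).
# Default lines differ between versions; only the tunnel-group headers and the
# `isakmp ikev1-user-authentication` line matter to the checks below.
SAMPLE_SHOW_RUN_ALL = """\
tunnel-group 69.X.X.170 type ipsec-l2l
tunnel-group 69.X.X.170 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 69.X.X.170 ipsec-attributes
 pre-shared-key *****
 peer-id-validate req
 isakmp keepalive threshold 10 retry 2
 isakmp ikev1-user-authentication xauth
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key *****
 isakmp ikev1-user-authentication none
tunnel-group 198.51.100.9 type ipsec-l2l
tunnel-group 198.51.100.9 ipsec-attributes
 pre-shared-key *****
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
tunnel-group RA-USERS ipsec-attributes
 pre-shared-key *****
 isakmp ikev1-user-authentication xauth
"""

TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)\s*$")
SECTION_RE = re.compile(
    r"^tunnel-group (\S+) (general-attributes|ipsec-attributes|webvpn-attributes|ppp-attributes)\s*$"
)
USER_AUTH_RE = re.compile(r"^\s+isakmp ikev1-user-authentication (\S+)\s*$")


def parse_tunnel_groups(text):
    """Map tunnel-group name -> {"type": ..., "ikev1_user_auth": ...}.

    ikev1_user_auth stays None when the group has no explicit
    `isakmp ikev1-user-authentication` line in its ipsec-attributes section.
    """
    groups = {}
    current, section = None, None
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"type": None, "ikev1_user_auth": None})
            groups[m.group(1)]["type"] = m.group(2)
            current, section = m.group(1), None
            continue
        m = SECTION_RE.match(line)
        if m:
            current, section = m.group(1), m.group(2)
            groups.setdefault(current, {"type": None, "ikev1_user_auth": None})
            continue
        m = USER_AUTH_RE.match(line)
        if m and current and section == "ipsec-attributes":
            groups[current]["ikev1_user_auth"] = m.group(1)
    return groups


def l2l_groups_with_xauth(groups):
    """LAN-to-LAN groups that have not explicitly disabled IKEv1 user authentication.

    A missing line is reported too: the point of `sh run all` is that the
    default is hidden, so anything not positively set to `none` is suspect.
    """
    return sorted(
        name for name, g in groups.items()
        if g["type"] == "ipsec-l2l" and g["ikev1_user_auth"] != "none"
    )


def fix_commands(names):
    """CLI lines (the form given in the accepted answer) to disable XAUTH per group."""
    cmds = []
    for name in names:
        cmds.append(f"tunnel-group {name} ipsec-attributes")
        cmds.append(" isakmp ikev1-user-authentication none")
    return cmds


if __name__ == "__main__":
    parsed = parse_tunnel_groups(SAMPLE_SHOW_RUN_ALL)
    flagged = l2l_groups_with_xauth(parsed)
    for name in flagged:
        print(f"{name}: ikev1-user-authentication = {parsed[name]['ikev1_user_auth']} (XAUTH not disabled)")
    print("\n".join(fix_commands(flagged)))
```

Paste real sh run all tunnel-group output in place of the constructed sample. The remote-access group is deliberately left alone: XAUTH is expected there, and the failure mode the thread describes only bites LAN-to-LAN peers that share a crypto map with it.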