2028 Views, 5 Helpful, 2 Replies

Tunnel-groups on ASA

CiscoBrownBelt
Level 6

Can you use the same tunnel-group for each IPsec tunnel you have built on the ASA? Basically, I don't see how, or what command, associates the tunnel-group with a particular IPsec tunnel. See configs below:

ASA1:
! IKEv2 Phase 1 (IKE SA) policy; it is global, not tied to one peer
crypto ikev2 policy 3
encryption aes
integrity sha
group 3
lifetime seconds 86400
exit
! IKEv2 Phase 2 (child SA) proposal, referenced by name from the crypto map entry
crypto ipsec ikev2 ipsec-proposal PH-4
protocol esp encryption aes-256
protocol esp integrity sha-1
exit
! Tunnel-group for the site-to-site peer; for an ipsec-l2l group the name is the peer's IP address
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
ikev2 local-authentication pre-shared-key ccdp*123
ikev2 remote-authentication pre-shared-key ccdp*123
exit

! Crypto ACL: the traffic selectors (proxy IDs) for this tunnel
access-list VPN_SiteB_ACL extended permit ip object-group Internal_LAN object SiteB_Internal_Lan log info
! Crypto map entry; "set peer" carries the same address as the tunnel-group name above
crypto map ASA1-MAP_SiteB 1 match address VPN_SiteB_ACL
crypto map ASA1-MAP_SiteB 1 set peer 20.20.20.20
crypto map ASA1-MAP_SiteB 1 set ikev2 ipsec-proposal PH-4
! Only one crypto map can be applied per interface; further tunnels are further sequence numbers in this map
crypto map ASA1-MAP_SiteB interface Outside
crypto ikev2 enable Outside

! Let decrypted VPN traffic bypass the interface ACLs
sysopt connection permit-vpn

Accepted Solution

Marvin Rhoads
Hall of Fame

The tunnel-group definition has the remote peer IP address in it. So does the crypto map section.

It's that common element that associates it with a given IPsec site-site VPN.

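The binding described in the accepted answer is implicit: nothing in the crypto map names the tunnel-group, the ASA simply looks up an ipsec-l2l tunnel-group whose name equals the address in "set peer", and if none exists it falls back to the built-in DefaultL2LGroup. The script below is an added example (not from the original post or from Cisco) that applies exactly that rule to a constructed ASA config: the original SiteB entries plus a second peer with its own tunnel-group, a third entry with a primary and backup peer that have no tunnel-group at all, and a tunnel-group that no crypto map entry references. The map name, ACL names and the 30.x/40.x/50.x addresses are invented for the example; the regexes only cover the "type", "set peer" and "match address" lines, which is all the lookup needs.

```python
import re

# Constructed sample ASA configuration (only the SiteB lines come from the post):
# one crypto map on Outside with three entries, two tunnel-groups named after
# peers, and one tunnel-group (50.50.50.50) that no crypto map entry references.
SAMPLE_CONFIG = """\
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
 ikev2 local-authentication pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
tunnel-group 30.30.30.30 type ipsec-l2l
tunnel-group 50.50.50.50 type ipsec-l2l
crypto map ASA1-MAP_SiteB 1 match address VPN_SiteB_ACL
crypto map ASA1-MAP_SiteB 1 set peer 20.20.20.20
crypto map ASA1-MAP_SiteB 1 set ikev2 ipsec-proposal PH-4
crypto map ASA1-MAP_SiteB 2 match address VPN_SiteC_ACL
crypto map ASA1-MAP_SiteB 2 set peer 30.30.30.30
crypto map ASA1-MAP_SiteB 3 match address VPN_SiteD_ACL
crypto map ASA1-MAP_SiteB 3 set peer 40.40.40.40 40.40.40.41
crypto map ASA1-MAP_SiteB interface Outside
"""

# Built-in group the ASA uses for an L2L peer that has no tunnel-group of its own.
DEFAULT_L2L_GROUP = "DefaultL2LGroup"

_TG_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")  # may list backup peers
_ACL_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Return (tunnel_groups, entries): tunnel-group name -> type, and
    (map name, seq) -> {"peers": [...], "acl": name or None}."""
    tunnel_groups = {}
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _TG_RE.match(line)
        if m:
            tunnel_groups[m.group(1)] = m.group(2)
            continue
        m = _PEER_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, {"peers": [], "acl": None})
            entries[key]["peers"].extend(m.group(3).split())
            continue
        m = _ACL_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, {"peers": [], "acl": None})
            entries[key]["acl"] = m.group(3)
    return tunnel_groups, entries


def resolve_bindings(text):
    """For every peer of every crypto map entry, name the tunnel-group the ASA
    selects: the ipsec-l2l group named after the peer address if one exists,
    otherwise DefaultL2LGroup. Sorted by map name, sequence, peer order."""
    tunnel_groups, entries = parse_config(text)
    bindings = []
    for (map_name, seq), entry in sorted(entries.items()):
        for peer in entry["peers"]:
            named = tunnel_groups.get(peer) == "ipsec-l2l"
            bindings.append({
                "map": map_name,
                "seq": seq,
                "peer": peer,
                "acl": entry["acl"],
                "tunnel_group": peer if named else DEFAULT_L2L_GROUP,
                "explicit": named,
            })
    return bindings


def unreferenced_l2l_groups(text):
    """ipsec-l2l tunnel-groups whose name matches no crypto map peer: either
    stale config or a name that is not the peer IP and so is never selected."""
    tunnel_groups, entries = parse_config(text)
    referenced = {p for e in entries.values() for p in e["peers"]}
    return sorted(name for name, kind in tunnel_groups.items()
                  if kind == "ipsec-l2l" and name not in referenced)


if __name__ == "__main__":
    for b in resolve_bindings(SAMPLE_CONFIG):
        flag = "" if b["explicit"] else "  <-- no tunnel-group named for this peer"
        print(f"{b['map']} seq {b['seq']} peer {b['peer']:<14} -> {b['tunnel_group']}{flag}")
    print("unreferenced ipsec-l2l tunnel-groups:", unreferenced_l2l_groups(SAMPLE_CONFIG))
```

Entries that resolve to DefaultL2LGroup are the ones to look at: the tunnel will only come up if that default group carries a pre-shared key the peer also has, which is rarely what was intended. On the box itself the same association can be confirmed after the tunnel is established with show vpn-sessiondb l2l (the Connection field is the tunnel-group name) and show crypto ikev2 sa. The one case this lookup does not model is IKEv2 with certificate authentication, where a tunnel-group-map can select the group from certificate fields instead of the peer address.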


Great thanks!