Are Tunnel Groups per site-to-site VLAN connection?

Mark Mattix
Level 2

On my ASA that's been in production for a few years, there are IPsec site-to-site tunnels set up.

Every client's VPN interface IP is named, example:

name 192.168.1.1 My_Router

And there is an IPSEC transform set configured for the name.

What I'm wondering is, there are also tunnel groups configured for every connection. The name of some of the tunnel-groups is the IP of the client VPN device. The name of the tunnel is simply a text value, correct? Is the IP that's being used for the name just a value and not being called upon anywhere else where the IP is configured? I need to change an IP address of one of these site-to-site VPNs and I'm concerned because I don't know what role the tunnel-groups play or what is actually looking at their configuration, since it doesn't appear that anything else in the config uses the tunnel-group name.

tunnel-group 192.168.1.1 type ipsec-l2l

tunnel-group 192.168.1.1 ipsec-attributes

pre-shared-key xxxxxx

Thank you for any help in clearing this up for me!

-----------------

I did some further investigating. It seems that all of my tunnel-groups are linked to my DfltGrpPolicy (System default).

It seems like tunnel-groups aren't doing anything?

Accepted Solution

In general, the name of the tunnel-group has to be the IP address of the remote peer if you use pre-shared keys. When an IPsec connection comes in, the ASA uses the IP address to find the right PSK. So if the peer changes, you need to reconfigure the tunnel-group.

You don't need your own transform-set for each connection. I typically only have two or three of them, named ESP-AES256-SHA, ESP-AES128-SHA and ESP-3DES-SHA. The names describe what's in the transform-set. These are then applied to all the connections.

The default group policy is fine if you don't have special needs per connection, like a different VPN filter.

3 Replies


Thank you for your response Karsten! I do use Pre-shared keys. Could you help me understand this:

ASA(config)# tunnel-group ?

configure mode commands/options:

  WORD < 65 char  Enter the name of the tunnel group

It seems to me that the name of the tunnel-group is only a text string and not an IP integer value. I was thinking that if it needed to match the tunnel-group to a specific IP it would say something like:

ASA(config)# tunnel-group ?

A.B.C.D     Peer IP address

Thanks for the help!

An IP address is also a name in this context. But for other VPN types (remote-access or certificate-based, for example) it could also be a real name. But for PSK, the name has to be the IP address of the peer.

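Added example, not code from the thread or from Cisco: a small Python audit that applies the rule in Karsten's two replies (for a pre-shared-key IKEv1 L2L peer, the tunnel-group name is the peer IP the ASA matches on) to a `show run` and then produces the commands for moving one peer to a new address. It parses `name`, `crypto map ... set peer` and `tunnel-group ... type ipsec-l2l` entries in the pre-8.4 syntax used in the question, resolves `name` aliases to the address the ASA actually matches on, flags every crypto-map peer with no tunnel-group named by its IP (such a peer falls back to DefaultL2LGroup, which normally carries no PSK, so phase 1 fails) and every ipsec-l2l tunnel-group whose name is not an IP. The config excerpt is constructed; map names, aliases and addresses are invented. Two assumptions are marked in comments: that `clear configure tunnel-group <name>` removes the old group on your software train, and that the masked `*****` the ASA prints for a pre-shared key has to be replaced by the real key from `more system:running-config` before the generated block is pasted.

```python
"""Audit an ASA 'show run' for IKEv1 site-to-site tunnel groups and plan a peer re-addressing.
Added example, not from the thread. Assumes the pre-8.4 syntax used in the question; the
config below is constructed (aliases, map names and addresses are invented)."""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
names
name 192.168.1.1 My_Router
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 set peer My_Router
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map 30 set peer 198.51.100.7
crypto map outside_map 30 set transform-set ESP-AES256-SHA
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key *****
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
tunnel-group BranchC type ipsec-l2l
tunnel-group BranchC ipsec-attributes
 pre-shared-key *****
"""


@dataclass
class AsaCrypto:
    names: dict = field(default_factory=dict)          # alias -> IP string
    peers: dict = field(default_factory=dict)          # (map name, seq) -> peer IP
    tunnel_groups: dict = field(default_factory=dict)  # tg name -> {"type", "psk"}


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_config(text):
    cfg = AsaCrypto()
    current_tg = None
    for line in text.splitlines():
        if m := re.match(r"^name (\S+) (\S+)", line):
            cfg.names[m.group(2)] = m.group(1)
        elif m := re.match(r"^crypto map (\S+) (\d+) set peer (\S+)", line):
            cfg.peers[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := re.match(r"^tunnel-group (\S+) type (\S+)", line):
            cfg.tunnel_groups[m.group(1)] = {"type": m.group(2), "psk": None}
        elif m := re.match(r"^tunnel-group (\S+) ipsec-attributes", line):
            current_tg = m.group(1)
        elif current_tg and (m := re.match(r"^\s+(?:ikev1 )?pre-shared-key (\S+)", line)):
            cfg.tunnel_groups.setdefault(current_tg, {"type": None, "psk": None})["psk"] = m.group(1)
        elif not line.startswith(" "):
            current_tg = None  # left the ipsec-attributes sub-mode
    # 'set peer' may carry a 'name' alias; resolve it to the address the ASA matches on
    cfg.peers = {k: cfg.names.get(v, v) for k, v in cfg.peers.items()}
    return cfg


def audit(cfg):
    """Findings that break the rule 'PSK peer address == tunnel-group name'."""
    findings = []
    l2l_by_ip = {n for n, tg in cfg.tunnel_groups.items() if tg["type"] == "ipsec-l2l" and is_ip(n)}
    for (cmap, seq), peer in sorted(cfg.peers.items()):
        if peer not in l2l_by_ip:
            findings.append(f"crypto map {cmap} {seq}: peer {peer} has no tunnel-group named {peer}; "
                            "an IKEv1 PSK connection falls back to DefaultL2LGroup")
    peer_ips = set(cfg.peers.values())
    for name, tg in cfg.tunnel_groups.items():
        if tg["type"] != "ipsec-l2l":
            continue
        if not is_ip(name):
            findings.append(f"tunnel-group {name}: name is not an IP address, so no PSK peer can select it by address")
        elif name not in peer_ips:
            findings.append(f"tunnel-group {name}: no crypto map entry sets this peer (orphaned)")
        if tg["psk"] is None:
            findings.append(f"tunnel-group {name}: no pre-shared-key configured")
    return findings


def plan_readdress(cfg, old_ip, new_ip):
    """Commands to move the peer at old_ip to new_ip. A tunnel-group cannot be renamed,
    so it is recreated under the new address and the old one removed afterwards."""
    if old_ip not in cfg.tunnel_groups:
        raise ValueError(f"no tunnel-group named {old_ip}")
    tg = cfg.tunnel_groups[old_ip]
    cmds = []
    for alias, ip in cfg.names.items():
        if ip == old_ip:
            cmds += [f"no name {old_ip} {alias}", f"name {new_ip} {alias}"]
    for (cmap, seq), peer in sorted(cfg.peers.items()):
        if peer == old_ip:  # 'set peer' stores the address, so the alias change alone does not move it
            cmds.append(f"crypto map {cmap} {seq} set peer {new_ip}")
    cmds += [f"tunnel-group {new_ip} type {tg['type']}", f"tunnel-group {new_ip} ipsec-attributes"]
    if tg["psk"] == "*****":
        # assumption: 'show run' masks the key; the real value comes from 'more system:running-config'
        cmds.append("! replace ***** with the key from 'more system:running-config'")
    cmds.append(f" pre-shared-key {tg['psk']}")
    cmds.append(f"clear configure tunnel-group {old_ip}")  # assumption: supported on your ASA version
    return cmds


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    print("\n".join(audit(config)))
    print("\n".join(plan_readdress(config, "192.168.1.1", "192.0.2.25")))
```

Run against a real `show run`, the audit should come back empty before the change; the plan is deliberately ordered so the new group exists before the old one is cleared, and the map's `set peer` is re-issued explicitly because the `name` alias is only a display substitution.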
