ASA Dynamic Crypto map

xayavongp
Level 1

I was looking at this example and did not get a clear explanation as to the use of the tunnel-group DefaultL2LGroup:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

Why is the pre-shared-key * different from the spoke pre-shared key of cisco123? Is this a wildcard to accept any key passed from the spoke? Can this be defined, or is it set as it is? I don't see the advantage if it is "accept any".

Thanks,

Pete

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Pete,

"*" is how the ASA will display any key; it's obfuscated when you list the running configuration.

bsns-asa5505-19# conf t
bsns-asa5505-19(config)# tunnel-group BERN ipsec-attributes
bsns-asa5505-19(config-tunnel-ipsec)# ikev1 pre-shared-key 1234556778
bsns-asa5505-19(config-tunnel-ipsec)# sh run tunnel-group BERN ipsec-attri
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
ikev1 pre-shared-key *****

There's no "accept any" in IKE since that key will be used to protect and decode IKE identities.

Also, have a look into tunnel-group mapping.

At a glance, the Default tunnel groups are used as a last-ditch effort in matching, i.e. they will accommodate most peers with dynamic IPs (or unspecified).

M.
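To make the two points above concrete, here is an added Python audit script (not code from the thread or from Cisco) that reads pasted ASA "show run" tunnel-group output, tells a masked key (a run of "*", as the ASA prints it) from one shown in clear text, and flags the Default* groups that act as the last-resort match for dynamic peers. The sample config embedded at the bottom is constructed; 192.0.2.1 is a placeholder peer address.

```python
"""Audit tunnel-group pre-shared keys in an ASA 'show run' dump. Added example,
not the thread's code; the sample config below is constructed. A run of '*'
is how the ASA masks a configured key in output, not a wildcard, and the
Default* groups are the catch-all the ASA matches last for dynamic peers."""
import re

DEFAULT_GROUPS = {"DefaultL2LGroup", "DefaultRAGroup"}

def parse_psks(config: str) -> dict[str, str]:
    """Map tunnel-group name -> pre-shared key exactly as printed."""
    psks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate indentation lost when output is pasted
        if m := re.match(r"^tunnel-group (\S+) ipsec-attributes$", line):
            current = m[1]
        elif (m := re.match(r"^(?:ikev1 )?pre-shared-key (\S+)$", line)) and current:
            psks[current] = m[1]
        elif line.startswith("tunnel-group "):
            current = None  # some other tunnel-group sub-mode (type, general-attributes)
    return psks

def is_masked(psk: str) -> bool:
    """True for '*' or '*****': the ASA's display obfuscation of a real key."""
    return bool(psk) and set(psk) == {"*"}

def audit(config: str) -> list[str]:
    findings = []
    for name, psk in parse_psks(config).items():
        if is_masked(psk):
            findings.append(f"{name}: {psk!r} is masked output, not a wildcard key")
        else:
            findings.append(f"{name}: key is in clear text; treat this dump as a secret")
        if name in DEFAULT_GROUPS:
            findings.append(f"{name}: default group is the last-resort match for dynamic peers")
    return findings

SAMPLE_CONFIG = """\
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key cisco123
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```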


2 Replies

LOL. That makes sense. I was used to seeing more "*", as you show it.

My peers will be dynamic so we are going this route.

Thanks!