06-06-2011 01:25 AM
2.4 ASA Tunnel Group Names
• Change the ASA firewall L2L VPN configuration to match the hostname
presented by R3.
Please, I can't understand that task; I hope that anyone can explain it.
Another question: what is the IKE ID?
06-09-2011 08:00 AM
It would be useful to have the link. However, the tunnel-group name needs to match either the hostname or the IP address (depending on config, see below) as presented by the remote IPsec peer. I'm guessing that R3 refers to the name of the router that is the remote IPsec peer for a LAN-to-LAN tunnel.
The router would have something like
hostname router3 <<<<
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 30.1.1.1
crypto isakmp identity hostname <<<<
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
In which case the ASA would have something like
access-list l2lvpn extended permit ip .......
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto map v468_map 1 match address l2lvpn
crypto map v468_map 1 set peer 40.1.1.1
crypto map v468_map 1 set transform-set ESP-3DES-SHA
crypto isakmp identity address
crypto isakmp enable vpn
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
!
tunnel-group router3 type ipsec-l2l <<<<
tunnel-group router3 ipsec-attributes <<<<
pre-shared-key *
I have identified the relevant lines with "<<<<"
Matthew
06-09-2011 09:58 PM
Sherif,
When negotiating a L2L each peer sends its ISAKMP identity to the remote peer. It sends either its IP address or host name dependent upon how each has its ISAKMP identity set. By default, the ISAKMP identity of the ASA is set to the IP address. As per the RFC, when using pre-shared key authentication with Main Mode the key can only be identified by the IP address of the peers since HASH_I must be computed before the initiator has processed IDir. Aggressive Mode allows for a wider range of identifiers of the pre-shared secret to be used. In addition, Aggressive Mode allows two parties to maintain multiple, different pre-shared keys and identify the correct one for a particular exchange.
The ASA will do a tunnel-group lookup as follows:
- ike-id checked first and could be either hostname (fqdn) or IP address
- if ike-id lookup fails ASA tries Peer IP address
- DefaultRAGroup/DefaultL2LGroup is used as a last resort
I had a discussion earlier if you want to check it out:
https://supportforums.cisco.com/message/3313553#3313553
--Tavo
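The lookup order Tavo describes (IKE ID first, then peer IP, then the default group) and the Main Mode restriction from the RFC paragraph, modelled in Python as an added example. This is a hypothetical simulation written for this page, not ASA code or anything from the thread; the tunnel-group names, the pre-shared keys, the peer address 40.1.1.1 and the function names are all assumptions chosen to mirror Matthew's sample config.

```python
"""Model of the ASA tunnel-group selection order described in the thread.

Added, hypothetical simulation (not ASA code). Given the tunnel-groups
configured on the ASA and what the remote peer presents (its ISAKMP
identity and its source IP), it returns the group the ASA would land on:
  1. IKE ID, which may be a hostname/FQDN or an IP address
  2. peer IP address
  3. DefaultL2LGroup as a last resort
It also models why the phase-1 mode matters for pre-shared keys: in Main
Mode the initiator's ID arrives in message 5, already encrypted with keys
derived from the PSK, so the responder can only pick the PSK by peer IP;
in Aggressive Mode the ID is in message 1, so the IKE ID can select it.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelGroup:
    name: str   # tunnel-group <name> type ipsec-l2l
    psk: str    # pre-shared-key under ipsec-attributes (constructed sample)


DEFAULT_L2L = "DefaultL2LGroup"


def is_ip_address(value):
    """True if the presented IKE ID is an address rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def select_tunnel_group(groups, ike_id, peer_ip):
    """Return (tunnel_group_name, how_it_was_matched) following the order
    ike-id -> peer IP -> default group."""
    by_name = {g.name: g for g in groups}
    if ike_id in by_name:
        kind = "ike-id (address)" if is_ip_address(ike_id) else "ike-id (hostname)"
        return ike_id, kind
    if peer_ip in by_name:
        return peer_ip, "peer-ip"
    return DEFAULT_L2L, "default"


def select_psk(groups, mode, ike_id, peer_ip):
    """Return (psk, tunnel_group_name) the responder can use for this peer.

    mode is "main" or "aggressive". In Main Mode only the peer IP (or the
    default group) can select the key; in Aggressive Mode the IKE ID is
    available early enough to be tried first."""
    by_name = {g.name: g for g in groups}
    if mode == "main":
        candidates = [peer_ip, DEFAULT_L2L]
    elif mode == "aggressive":
        candidates = [ike_id, peer_ip, DEFAULT_L2L]
    else:
        raise ValueError("mode must be 'main' or 'aggressive'")
    for name in candidates:
        if name in by_name:
            return by_name[name].psk, name
    return None, None  # no key can be located: phase 1 fails


# Constructed sample config mirroring the thread: the router is at 40.1.1.1,
# has "hostname router3" and "crypto isakmp identity hostname"; the ASA has
# "tunnel-group router3 type ipsec-l2l" plus a key on the default L2L group.
SAMPLE_GROUPS = [
    TunnelGroup("router3", "cisco"),
    TunnelGroup(DEFAULT_L2L, "fallback-key"),
]

if __name__ == "__main__":
    print(select_tunnel_group(SAMPLE_GROUPS, "router3", "40.1.1.1"))
    print(select_tunnel_group(SAMPLE_GROUPS, "40.1.1.1", "40.1.1.1"))
    print(select_psk(SAMPLE_GROUPS, "main", "router3", "40.1.1.1"))
    print(select_psk(SAMPLE_GROUPS, "aggressive", "router3", "40.1.1.1"))
```

The second and third calls are the interesting ones: when the router presents its address instead of its hostname, nothing matches "router3" and the ASA falls through to DefaultL2LGroup; and in Main Mode the key under "router3" is never reachable because the hostname is not known at the point the PSK is needed, so only a group named after the peer IP or the default group can supply it.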