ASA Tunnel Group Names ?!!

sherif_sec (Level 1)

2.4  ASA Tunnel Group Names
   • Change the ASA firewall L2L VPN configuration to match the hostname
     presented by R3.

Please, I can't understand that task; I hope that anyone can explain it.

Another question: what is the IKE ID?

Accepted Solutions

mwinnett (Level 3)

It would be useful to have the link. However, the tunnel-group name needs to match either the hostname or the IP address (depending on config, see below) as presented by the remote IPsec peer. I'm guessing that R3 refers to the name of the router that is the remote IPsec peer for a LAN-to-LAN tunnel.

The router would have something like

   hostname router3                                    <<<<
   !
   crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
   ! key is selected by the ASA's address when the router initiates
   crypto isakmp key cisco address 30.1.1.1
   ! identity sent to the peer is the hostname (ID_FQDN), not the IP address
   crypto isakmp identity hostname                     <<<<
   !
   crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac

In which case the ASA would have something like

   access-list l2lvpn extended permit ip .......
   !
   ! transform set named after what it actually uses (3DES with MD5 HMAC)
   crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
   crypto map v468_map 1 match address l2lvpn
   crypto map v468_map 1 set peer 40.1.1.1
   crypto map v468_map 1 set transform-set ESP-3DES-MD5
   ! the ASA itself presents its IP address as its identity
   crypto isakmp identity address
   crypto isakmp enable vpn
   crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash md5
    group 2
   !
   ! tunnel-group named after the hostname the router presents
   tunnel-group router3 type ipsec-l2l                 <<<<
   tunnel-group router3 ipsec-attributes               <<<<
    pre-shared-key *

I have identified the relevant lines with "<<<<".

Matthew


Gustavo Medina (Cisco Employee)

Sherif,

When negotiating an L2L, each peer sends its ISAKMP identity to the remote peer. It sends either its IP address or its host name, dependent upon how each has its ISAKMP identity set. By default, the ISAKMP identity of the ASA is set to the IP address.

As per the RFC, when using pre-shared key authentication with Main Mode the key can only be identified by the IP address of the peers, since HASH_I must be computed before the initiator has processed IDir. Aggressive Mode allows for a wider range of identifiers of the pre-shared secret to be used. In addition, Aggressive Mode allows two parties to maintain multiple, different pre-shared keys and identify the correct one for a particular exchange.

The ASA will do a tunnel-group lookup as follows:

- ike-id checked first and could be either hostname (fqdn) or IP address

- if ike-id lookup fails ASA tries Peer IP address

- DefaultRAGroup/DefaultL2LGroup is used as a last resort

I had a discussion earlier if you want to check it out:

https://supportforums.cisco.com/message/3313553#3313553

--Tavo

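To make the lookup order and the Main Mode restriction from the two answers concrete, here is an added example that is not part of the thread: a toy Python model of IKEv1 phase-1 pre-shared-key authentication (the SKEYID and HASH_I computations of RFC 2409) with a responder that chooses its key the way the posts describe (ike-id, then peer IP, then DefaultL2LGroup). The addresses (R3 = 40.1.1.1, ASA = 30.1.1.1), the hostname router3 and the key "cisco" follow the configuration in the thread; the DefaultL2LGroup key, the nonces, cookies, SA payload bytes and the stand-ins for the Diffie-Hellman values are constructed, there is no real DH or encryption, and HMAC-MD5 is used as the PRF because the thread's policies negotiate `hash md5`. The function and variable names are mine.

```python
"""Added example (not from the thread): toy IKEv1 phase-1 PSK model showing
why the ASA tunnel-group name must match the identity the peer presents and
why Main Mode can only select the pre-shared key by peer IP address.
All addresses, names, keys and payload bytes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 prf for a policy negotiating MD5: HMAC-MD5 (matches "hash md5" in the thread)
    return hmac.new(key, data, hashlib.md5).digest()


@dataclass(frozen=True)
class Peer:
    ip: str
    id_type: str      # "fqdn" (crypto isakmp identity hostname) or "address" (identity address)
    id_value: str     # what goes into the ID payload (the "IKE ID")
    cookie: bytes     # CKY-I / CKY-R, constructed
    nonce: bytes      # Ni_b / Nr_b, constructed
    dh_pub: bytes     # stand-in for g^x; no real Diffie-Hellman here


SA_PAYLOAD = b"3des/md5/psk/group2"   # constructed stand-in for SAi_b


def id_payload(p: Peer) -> bytes:
    return (p.id_type + ":" + p.id_value).encode()


def hash_i(psk: bytes, i: Peer, r: Peer) -> bytes:
    """RFC 2409, PSK authentication:
       SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
       HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    Both sides need the same PSK before HASH_I can be built or checked."""
    skeyid = prf(psk, i.nonce + r.nonce)
    return prf(skeyid, i.dh_pub + r.dh_pub + i.cookie + r.cookie + SA_PAYLOAD + id_payload(i))


def asa_select_group(groups: dict, mode: str, peer_ip: str, ike_id: str) -> str:
    """Lookup order from the thread: ike-id, then peer IP, then DefaultL2LGroup.
    In Main Mode the ID payload only arrives in MM5, encrypted under keys derived
    from SKEYID, so the PSK has to be chosen before the ike-id can be read; only
    Aggressive Mode carries IDii in cleartext in the first message."""
    if mode == "aggressive" and ike_id in groups:
        return ike_id
    if peer_ip in groups:
        return peer_ip
    return "DefaultL2LGroup"


def negotiate(mode: str, router: Peer, asa: Peer, router_psk: bytes, asa_groups: dict):
    """Return (tunnel-group whose key the ASA used, whether HASH_I verified)."""
    sent = hash_i(router_psk, router, asa)                 # router builds HASH_I with its own key
    group = asa_select_group(asa_groups, mode, router.ip, router.id_value)
    expected = hash_i(asa_groups[group], router, asa)     # ASA recomputes with the key it picked
    return group, hmac.compare_digest(sent, expected)


# Constructed peers mirroring the thread: R3 = 40.1.1.1, ASA = 30.1.1.1
ASA = Peer("30.1.1.1", "address", "30.1.1.1", b"\x01" * 8, b"nr-bytes", b"gxr")
R3_FQDN = Peer("40.1.1.1", "fqdn", "router3", b"\x02" * 8, b"ni-bytes", b"gxi")     # identity hostname
R3_ADDR = Peer("40.1.1.1", "address", "40.1.1.1", b"\x02" * 8, b"ni-bytes", b"gxi")  # identity address

# ASA side as in the thread: tunnel-group router3 with key "cisco"; DefaultL2LGroup key is constructed
GROUPS = {"router3": b"cisco", "DefaultL2LGroup": b"something-else"}

if __name__ == "__main__":
    # Aggressive Mode: FQDN is readable up front, tunnel-group router3 is found
    print(negotiate("aggressive", R3_FQDN, ASA, b"cisco", GROUPS))
    # Main Mode: key chosen by IP before the FQDN is seen, falls to DefaultL2LGroup, HASH_I fails
    print(negotiate("main", R3_FQDN, ASA, b"cisco", GROUPS))
    # Main Mode with a tunnel-group named after the peer address works
    print(negotiate("main", R3_ADDR, ASA, b"cisco", {**GROUPS, "40.1.1.1": b"cisco"}))
```

The second call is the failure mode behind the task in the question: with `crypto isakmp identity hostname` on R3 and Main Mode, the ASA never gets to use the key under `tunnel-group router3`, because it has to pick a key (by peer IP, or DefaultL2LGroup) before it can read the FQDN identity. The fix is either a tunnel-group named after the peer's IP address with R3 sending its address, or Aggressive Mode so the hostname-named group can be matched. One caveat a practitioner should weigh: Aggressive Mode sends the identity in cleartext and exposes the PSK-derived hash to a passive observer, which permits an offline dictionary attack on a weak pre-shared key, so address-named tunnel groups with Main Mode and a strong key are the safer default.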
