415 Views | 0 Helpful | 5 Replies

Cisco ASA crypto map pre-shared-key versus tunnel-group pre-shared-key

MarcusJ
Level 1

I am troubleshooting a failed site-to-site IPsec tunnel between a Cisco ASA and a Cisco 8200L router. In comparing the IKEv2 properties I noticed that on the ASA it shows a pre-shared-key configured on the crypto map entry as well as on the tunnel-group. If I use the GUI for the ASA I can see that the tunnel-group pre-shared-key matches the pre-shared-key configured under the IKEv2 profile on the router. My question is whether it is necessary for the same pre-shared-key to be configured on the crypto map entry attributes, or if I should strip the pre-shared-key from that portion of the configuration? When I look at the debugs it is failing INIT.

Accepted Solution

@MarcusJ you typically only configure the pre-shared key under the tunnel-group, so no, you do not need to configure a pre-shared key under the crypto map.

Remove the pre-shared key under the crypto map, see if the tunnel comes up; if not, provide the latest debugs for us to troubleshoot if it does not work.

5 Replies


@Rob Ingram that did the trick. I rebuilt the tunnel completely on the router and removed the pre-shared-key from the crypto map which allowed the tunnel to come up. Thank you!

Hi Rob,

I was directed to this forum post from a TAC case. While I understand the 'typical' scenario, do you by chance know why there's this command redundancy?

I am asking because while migrating our old configs this command will still work if applied while running, but gets discarded on the next reload.

Hi bdragoiu@de.ibm.com, I've never configured the PSK under the crypto map level, as I would define the PSK under the tunnel-group.

The cisco documentation states

crypto map set ikev2 pre-shared-key

To specify a preshared key for remote access IKEv2 connections, use the crypto map set ikev2 pre-shared-key command in global configuration mode. To return to the default setting, use the no form of this command.

crypto map map-name seq-num set ikev2 pre-shared-key key

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/crypto-is-cz-commands.html#wp3194764093


Thanks for the reply Rob. I have in the past and at some point just started doing it as part of the setup, and with some clients I even needed it, I just can't recall which. Maybe it's a thing only Cisco devices look for when connecting to each other?