01-12-2016 06:44 AM
I need to enable the DefaultL2LGroup within Tunnel Groups in Site-to-Site VPN on our 5510.
Will this cause any issues, outages etc.?
I am always cautious about enabling policies on the ASA
01-12-2016 08:25 AM
Hello
What are you trying to implement with this tunnel group? Is it a dynamic to static site to site tunnel?
You need to be careful using the default tunnel-group and group-policy, because what you configure there can be inherited by the other tunnel-groups and group-policies if they don't have a specific value for what you modified in the default tunnel-group. For example:
we have one tunnel-group called test with the following setup:
tunnel-group test general-attributes
 default-group-policy GroupPolicy1
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
and in the DefaultL2LGroup you configure this:
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 15
In the "test" tunnel-group there is no keepalive configuration, so this configuration in the DefaultL2LGroup will be inherited by the test group.
If you have a specific entry for keepalives in the "test" tunnel-group, that is the value that will be used by the test group, even if the DefaultL2LGroup also has this setting:
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 15
The value that will be used by the "test" tunnel-group is "isakmp keepalive threshold 10 retry 2".
I hope this helps. Please rate!
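The inheritance rule from this answer, and the later point that a pre-shared key added to DefaultL2LGroup only reaches groups without their own key, as an added Python example (not from the thread or from Cisco): it parses a tunnel-group extract of a running-config, resolves the effective value per group, and lists which groups would inherit a change before you make it. The "branch2" group is a constructed hypothetical, and the key-extraction heuristic only models the commands shown here.

```python
import re
from collections import defaultdict

# Constructed sample config: the two groups from the post plus a third
# site ("branch2", hypothetical) that sets no keepalive of its own.
SAMPLE_CONFIG = """
tunnel-group test type ipsec-l2l
tunnel-group test general-attributes
 default-group-policy GroupPolicy1
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group branch2 type ipsec-l2l
tunnel-group branch2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 30 retry 15
"""
HEADER = re.compile(r"^tunnel-group (\S+) (general|ipsec)-attributes$")
TWO_WORD = {"ikev1", "ikev2", "isakmp"}  # commands whose 2nd word is still the name

def attr_key(line):
    """Heuristic: the command name that a later line with the same key overrides."""
    words = line.split()
    return " ".join(words[:2] if words[0] in TWO_WORD else words[:1])

def parse_tunnel_groups(config):
    """name -> section -> {attr_key: full line}, from a running-config extract."""
    groups = defaultdict(lambda: defaultdict(dict))
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
        elif line.startswith("tunnel-group") or not line:
            current = None          # 'type' lines and blanks are not attributes
        elif current:
            groups[current[0]][current[1]][attr_key(line)] = line
    return groups

def effective_attributes(groups, name, default="DefaultL2LGroup"):
    """(section, key) -> (line, source): an explicit value beats the default."""
    result = {(s, k): (l, default)
              for s, attrs in groups.get(default, {}).items() for k, l in attrs.items()}
    result.update({(s, k): (l, "explicit")
                   for s, attrs in groups.get(name, {}).items() for k, l in attrs.items()})
    return result

def inheriting_groups(groups, section, key, default="DefaultL2LGroup"):
    """Impact check before editing the default group: groups with no explicit
    value for (section, key) would silently pick up the new default."""
    return sorted(n for n in groups if n != default and key not in groups[n].get(section, {}))

if __name__ == "__main__":
    g = parse_tunnel_groups(SAMPLE_CONFIG)
    print(inheriting_groups(g, "ipsec", "isakmp keepalive"))   # ['branch2']
```

Running the impact check for "ikev1 pre-shared-key" returns an empty list here, which is exactly why adding only the key to DefaultL2LGroup leaves existing static tunnels untouched.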
01-12-2016 09:00 AM
Hi
Yes, it's for dynamic to static site-to-site.
So it's ok to enable, but I should be careful what settings I enable and modify, ensuring any settings that need to be changed will be inherited by other policies that have the default set in the same field.
01-12-2016 09:12 AM
You got it. The relevant configuration you need for this dynamic to static site-to-site in the DefaultL2LGroup is the pre-shared key (assuming you will use pre-shared keys). Make sure you just add that, and this should not break the other static tunnels (in case you have any) because they have their own pre-shared keys.
You can follow this guide to configure a dynamic to static site to site tunnel:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html
Cheers.