DefaultL2LGroup 5510

sprocket10
Level 2

I need to enable the DefaultL2LGroup within Tunnel Groups in Site-to-Site VPN on our 5510.

Will this cause any issues, outages, etc.?

I am always cautious about enabling policies on the ASA

1 Accepted Solution

Accepted Solutions

Diego Lopez
Level 1

Hello

What are you trying to implement with this tunnel group? Is it a dynamic to static site to site tunnel?

You need to be careful using the default tunnel group and group policy, because what you configure here could be inherited by the other tunnel-g and group-p in case they don't have a specific value for what you modified in the default t-g. For example:

We have one tunnel group called test with the following setup:

tunnel-group test general-attributes
 default-group-policy GroupPolicy1
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****

and in the DefaultL2LGroup you configure this:

tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 15

In the "test" tunnel group there is no keepalive configuration, so this configuration in the DefaultL2LGroup will be inherited by the test group.

In case you have a specific entry for keepalives in the "test" tunnel-g, that is the value that will be used by the test group even if the DefaultL2LGroup also has this setting:

tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 15

The value that will be used by the "test" tunnel-g is "isakmp keepalive threshold 10 retry 2".

I hope this helps. Please rate!
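The inheritance rule described above, turned into a small audit script. This is an added example, not code from the thread or from Cisco: it parses the ipsec-attributes blocks of a constructed ASA config excerpt (the "test" group as in the post, plus a hypothetical "branch" group that sets its own keepalive) and reports, per tunnel group, which values are its own and which it silently takes from DefaultL2LGroup. The parser and the function names are assumptions for illustration.

```python
# Audit which ASA tunnel-group ipsec-attributes are inherited from DefaultL2LGroup (the rule
# from the thread: a named group without its own value for an attribute uses DefaultL2LGroup's;
# a value set on the named group always wins). Parser and sample config are constructed here.
import re
from collections import defaultdict

DEFAULT_L2L = "DefaultL2LGroup"
BLOCK_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
# Constructed sample: "test" mirrors the thread (no keepalive of its own);
# the hypothetical "branch" group sets its own keepalive.
SAMPLE_CONFIG = """\
tunnel-group test general-attributes
 default-group-policy GroupPolicy1
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group branch ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 30 retry 15
"""

def parse_ipsec_attributes(config):
    """Return {group: {attribute: value}} from every ipsec-attributes block; the first
    two words of an indented sub-command (e.g. 'isakmp keepalive') are the key."""
    groups, current = defaultdict(dict), None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # top-level command: enter or leave a block
            match = BLOCK_RE.match(line)
            current = match.group(1) if match else None
            continue
        if current:
            words = line.split()
            groups[current][" ".join(words[:2])] = " ".join(words[2:])
    return dict(groups)

def effective_attributes(groups, name):
    """Values the ASA applies to `name`: its own settings override the default's."""
    merged = dict(groups.get(DEFAULT_L2L, {}))
    merged.update(groups.get(name, {}))
    return merged

def inherited_attributes(groups, name):
    """Attributes `name` takes from DefaultL2LGroup because it sets none itself:
    exactly what changes for `name` if the default block is edited."""
    own = groups.get(name, {})
    return {k: v for k, v in groups.get(DEFAULT_L2L, {}).items() if k not in own}
```

Run `inherited_attributes` for every non-default group before editing DefaultL2LGroup; an empty result means that group is unaffected by the change.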


3 Replies


Hi

Yes, it's for dynamic-to-static site-to-site.

So it's OK to enable, but I should be careful about what settings I enable and modify, ensuring that any settings that need to be changed will be inherited by other policies that have the default set in the same field.

You got it. The relevant configuration you need for this dynamic-to-static site-to-site tunnel in the DefaultL2LGroup is the pre-shared key (assuming you will use pre-shared keys). Make sure you just add that, and this should not break the other static tunnels (in case you have any), because they have their own pre-shared keys.

You can follow this guide to configure a dynamic to static site to site tunnel:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html

Cheers.