vpn tunnel

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Guest

vpn tunnel

Post by Guest » Sun Jan 09, 2005 11:30 pm

This client needs to create a VPN IPsec tunnel using two ASAs. I had a Cisco documentation link posted by one of the learned posters here. This link shows the configuration with a tunnel group. I came across another general site, which shows one without a tunnel group using ASAs. Please help: which one is better? I would appreciate it if I could understand why. Thank you.

Guest

Re:vpn tunnel

Post by Guest » Mon Jan 10, 2005 12:26 am

Hello, The tunnel-group is needed for at least some of the basic tunnel attributes. This document will explain the minimum tunnel-group settings needed for a site-to-site tunnel: http://www.cisco.com/en/US/docs/securit ... #wp1042423 Hope that helps. -Mike

Guest

Re:vpn tunnel

Post by Guest » Mon Jan 10, 2005 1:28 am

On the ASA you will need a tunnel group to enter at least the pre-shared key, so if there is no tunnel group for a particular peer, it falls on the default tunnel group.

Guest

Re:vpn tunnel

Post by Guest » Mon Jan 10, 2005 2:29 am

To create a pre-shared key, would "crypto isakmp KEY test address X.X.X.X" be sufficient if I don't use the tunnel group? Will this cause any issues by not using the tunnel group? Thanks!

Guest

Re:vpn tunnel

Post by Guest » Mon Jan 10, 2005 3:52 am

That's a deprecated command. However, I tried it out in my lab just to see what would happen. It took the command, but this is what it made by default:

ASA-1(config)# crypto isakmp key cisco address x.x.x.x
ASA-1(config)# sh run tunn
ASA-1(config)# sh run tunnel-group
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2

So you can clearly see it took the command, but it did not like it. When you try to enter the command, it does say that it is deprecated.

So to summarize
-----------------------
always use tunnel-group :)
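Added example, not part of the thread and not Cisco code: a small Python check that reads tunnel-group output in the format quoted in the last post and lists site-to-site (ipsec-l2l) groups that carry neither a pre-shared key nor a trust-point, which is the state the deprecated command left behind. The function names, the second peer 2.2.2.2 and the masked key line `pre-shared-key *` are assumptions made for the illustration; only the sub-command syntax shown in the thread is handled.

```python
import re

# Constructed sample: the tunnel-group output quoted in the thread, plus one
# hypothetical peer (2.2.2.2) whose key is set (assumed to display masked as *).
SAMPLE = """\
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
"""

HEADER = re.compile(r"^tunnel-group (\S+) (type|general-attributes|ipsec-attributes)\s*(\S*)")

def parse_tunnel_groups(text):
    """Return {name: {"type": str or None, "ipsec": [sub-commands]}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, section, value = m.groups()
            group = groups.setdefault(name, {"type": None, "ipsec": []})
            if section == "type":
                group["type"] = value
            # Only sub-commands under ipsec-attributes are collected.
            current = group["ipsec"] if section == "ipsec-attributes" else None
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return groups

def l2l_groups_without_auth(text):
    """Names of ipsec-l2l groups with neither a pre-shared key nor a trust-point."""
    flagged = []
    for name, group in parse_tunnel_groups(text).items():
        keys = ("pre-shared-key ", "trust-point ")  # "no ..." lines do not match
        if group["type"] == "ipsec-l2l" and not any(c.startswith(keys) for c in group["ipsec"]):
            flagged.append(name)
    return flagged
```

Run against the sample, `l2l_groups_without_auth(SAMPLE)` reports only 1.1.1.1, the group auto-created in the lab test above.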
