ASA tunnel-group


When configuring a Cisco [ASA](/asa) Site-to-Site IKEv2 [IPsec](/ipsec) [VPN](/vpn), pre-shared keys can optionally be configured for the crypto map as well as for the tunnel group.  For the crypto map, this can be done like so:

```
ASA1(config)# crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2   
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 pre-shared-key Cisco123
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
```

The second to last command above sets a pre-shared key of `Cisco123` which must be applied on the other end as well.

Similarly, in the tunnel group, a pre-shared key can be applied as well.  This can be done like so:

```
ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes 
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO123 
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO456
```

In this particular case, this is an asymmetric pre-shared key arrangement, where each end of the tunnel uses a different pre-shared key. The local-authentication pre-shared key must match the remote-authentication pre-shared key of the device on the other end of the tunnel, and visa versa.

## Links

https://networklessons.com/cisco/asa-firewall/cisco-asa-site-site-ikev2-ipsec-vpn/

https://forum.networklessons.com/t/cisco-asa-site-to-site-ikev2-ipsec-vpn/829/61?u=lagapides

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/crypto-is-cz-commands.html#wp3194764093

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/ia-inr-commands.html#wp4795621970

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/ia-inr-commands.html#wp1351684539

ASA crypto map and tunnel group preshared keys

ACL Editor on Cisco IOS

ACL IPv6 implicit statements

ACL Logging

ACL log update threshold on Cisco IOS

ACL logging matched packets

ACL resequence command on Cisco NX-OS

ACL wildcard mask

ACLs Filtering Locally Generated Traffic

ARP Message Header and Payload

ARP table default timeout

ARP table

ARP to Determine Next Hop IP Address

ASA - ASDM Cipher security levels

ASA - ASDM

ASA - AnyConnect Management VPN Tunnel

ASA - Clientless VPN

ASA - Crypto key size for Version 9.16

ASA - IKE proposal parameters

ASA - Optimizing High Availability

ASA - Understanding NAT behavior with DMZ Subnet

ASA - Using FQDN in an ACL for VPN split tunnelling

ASA - VTI VPN and MSS

ASA - crypto hardware processing

ASA - emulating an ASA device

ASA - multiple AnyConnect packages

ASA - multiple VPNs between the same endpoints

ASA - number of crypto maps per interface

ASA - object group protocol vs service

ASA - same-security-traffic command

ASA - split-tunnel-policy command

ASA - using FQDN in an ACL

ASA CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed error

ASA Contexts operate as separate virtual devices

ASA DDoS protection

ASA DMZ

ASA ECMP static routing

ASA Manual NAT and Auto NAT

ASA NAT control

ASA NAT port forwarding multiple ports to same IP

ASA NAT translate_hits and untranslate_hits counters

ASA NAT with DHCP assigned IP address on outside interface

ASA NAT with multiple inside subnets

ASA Site-to-Site IKEv1 IPSec VPN recv errors

ASA Static one to one NAT on a range of addresses

ASA Troubleshoot HTTP and ASDM access

ASA VPN with overlapping IP address spaces

ASA active-standby failover preemption

ASA and Firepower reimaging

ASA group policies

ASA implicit rule

ASA limit CLI and ASDM access to specific users

ASA packet processing algorithm

ASA prerequisites for high availability

ASA redirect IP SLA messages to log buffer

ASA redundant interface

ASA security levels

ASA syslog logging in multiple context mode

ASA to Firepower migration

ASA troubleshooting IPSec

ASA understanding version numbers

ASA what triggers an active-standby failover

ASA won't respond to pings from different subnet

Access-List (ACL) Operators

Access-List (ACL)

Anycast Host Addressing

Anycast

Audio and Video over IP Networks

Automation - Ansible connection plugins

BFD - Control Plane Independent (CPI) bit

BFD - intervals and timers

BFD - slow-timers

BFD - with multiple routing protocols

BFD echo mode and operation details

BFD how an administrative change differs from a failure

BFD one-arm echo

BGP - AFI and SAFI

BGP - AS_Path filtering use cases

BGP - Accumulated IGP metric

BGP - Atomic Aggregate Attribute

BGP - Autonomous System (AS)

BGP - Autonomous System Number

BGP - BGP Algorithm within confederations

BGP - Discontiguous Autonomous Systems

BGP - ECMP for specific prefixes

BGP - End-of-RIB marker

BGP - Equal Cost Multipath AS_Path Attribute

BGP - FSM - Active state

BGP - FSM - Connect State

BGP - Finite State Machine (FSM)

BGP - Flowspec

BGP - Graceful Restart Mechanism

BGP - Handling Multiple Communities on a Single Route

BGP - IGP-BGP redistribution best practices

BGP - Labeled Unicast

BGP - Large BGP communities

BGP - Leaking more specific routes

ASA crypto map and tunnel group preshared keys

Links

Links to this page: