Wednesday, November 09th, 2005

Here I go again with my constant Cisco rant, or rather a rant about my own incompetence... LOL.

I was configuring a LAN-to-LAN VPN between two Cisco ASA 5510s. After going through the wizard, I changed the tunnel group name to something more meaningful than just the peer's IP address. I didn't realise the impact until I couldn't get the stupid tunnel up.

I ran debug crypto isakmp 255 and, once I had entered "terminal monitor", it started throwing every damn low-level detail at me...
After going through the debug output, I realised that ISAKMP was failing because the group name was invalid. The debug statement in question showed the group name as the IP address of my VPN peer.

Now that's weird. I remembered that in PIX 6.0 the syntax for creating the tunnel was crypto map tunnel-name, where the name doesn't *MATTER*. So I checked the configuration guide for ASA 7.0.

"Tunnel group name: Both remote access and LAN-to-LAN clients select a tunnel group by its name, as follows:
- For IPSec clients that use preshared keys to authenticate, the tunnel group name is the same as the group name that the IPSec client passes to the security appliance."

So I re-created the tunnel group with the peer's IP address as its name: tunnel-group <peer-ip> type ipsec-l2l. With pre-shared-key authentication the remote ASA identifies itself by its IP address, and the ASA uses that identity to look up the tunnel group (and with it the pre-shared key), so a tunnel group with any other name is simply never matched.
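Here is the mistake and the fix side by side, as an added example rather than the author's actual configuration. The peer address 203.0.113.2, the subnets, the ACL and crypto map names, and the pre-shared key are all assumptions for illustration; the command forms are ASA 7.0 syntax (later releases spell the phase 1 commands "crypto isakmp ...").

```cisco
! Added example, not the author's config. Peer IP, subnets, names and
! key are assumptions for illustration.

! --- WRONG: tunnel group renamed after the wizard ---
! The peer authenticates with a pre-shared key and identifies itself by
! its IP address, so a tunnel group called "HQ-to-Branch" is never
! selected and ISAKMP phase 1 fails with an invalid/unknown group.
tunnel-group HQ-to-Branch type ipsec-l2l
tunnel-group HQ-to-Branch ipsec-attributes
 pre-shared-key examplekey

! --- CORRECT: tunnel group named after the peer's IP address ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key examplekey

! Phase 1 (ISAKMP) policy on the outside interface
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec): interesting traffic, transform set, crypto map
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside

! Check: phase 1 should show MM_ACTIVE, then phase 2 SAs should appear
show isakmp sa
show crypto ipsec sa
```

The "wrong" tunnel group is harmless on its own (it just sits unused); what breaks the tunnel is the absence of a tunnel group whose name equals the identity the peer presents. If the phase 1 SA never reaches MM_ACTIVE, debug crypto isakmp at a high level will show which group name the ASA tried to look up, which is exactly how the problem above was spotted.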

Voilà... a wasted morning.

Category: Firewall, Technical