69-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 69 Configuring Remote Access IPsec VPNs
There are two default tunnel groups in the ASA system: DefaultRAGroup, the default remote-access tunnel group, and DefaultL2LGroup, the default LAN-to-LAN tunnel group. You can modify these groups but not delete them. The ASA uses them to supply default tunnel parameters for remote access and LAN-to-LAN tunnel groups when no specific tunnel group is identified during tunnel negotiation.
Use the command syntax in the following examples as a guide.

Detailed Steps

Step 1  Command: tunnel-group name type type
Purpose: Creates an IPsec remote access tunnel group (also called a connection profile).
Example:
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)#

Step 2  Command: tunnel-group name general-attributes
Purpose: Enters tunnel-group general-attributes mode, where you can specify an authentication method.
Example:
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#

Step 3  Command: address-pool [(interface name)] address_pool1 [...address_pool6]
Purpose: Specifies one or more address pools to use for the tunnel group.
Example:
hostname(config-tunnel-general)# address-pool testpool

Step 4  Command: tunnel-group name ipsec-attributes
Purpose: Enters tunnel-group ipsec-attributes mode, where you can enter IPsec-specific attributes for IKEv1 connections.
Example:
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-tunnel-ipsec)#

Step 5  Command: ikev1 pre-shared-key key
Purpose: (Optional) Configures a pre-shared key (IKEv1 only). The key can be an alphanumeric string from 1 to 128 characters. The keys on the adaptive security appliance and on the client must be identical. If a Cisco VPN Client with a different pre-shared key size tries to connect, the client logs an error message indicating that it failed to authenticate the peer.
Example:
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx

Note: Configure AAA authentication for IKEv2 using certificates in the tunnel-group webvpn-attributes.

Creating a Dynamic Crypto Map
This section describes how to configure dynamic crypto maps, which define a policy template in which not all parameters have to be configured. Dynamic crypto maps let the ASA accept connections from peers whose IP addresses are not known in advance; remote access clients fall into this category.
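The five tunnel-group steps above (type, general-attributes, address-pool, ipsec-attributes, ikev1 pre-shared-key) are easy to leave half-finished across many connection profiles. The following is an added example, not code from the Cisco guide: a small Python audit that parses a constructed running-config excerpt and reports, for each ipsec-ra tunnel group, whether an address pool is configured and whether its IKEv1 pre-shared key is within the 1-128 character limit the guide states. The MIN_PSK_LEN policy floor, the sample configuration, and the function names are assumptions of this example.

```python
"""Audit ASA remote-access tunnel-group stanzas (added example, not from the guide).

Checks each `tunnel-group NAME type ipsec-ra` for:
  - an address-pool under general-attributes (Step 3)
  - an ikev1 pre-shared-key under ipsec-attributes (Step 5) that is
    1-128 characters long (the limit documented in the guide) and not
    shorter than a local policy minimum (MIN_PSK_LEN, an assumption here)
"""
import re

MIN_PSK_LEN = 16  # assumption: local policy floor, not a value from the guide

# Constructed sample excerpt in running-config layout (not real device output).
SAMPLE_CONFIG = """\
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key 44kkaol59636jnfx
tunnel-group nopool type ipsec-ra
tunnel-group nopool ipsec-attributes
 ikev1 pre-shared-key abc
tunnel-group site2site type ipsec-l2l
tunnel-group site2site ipsec-attributes
 ikev1 pre-shared-key somel2lkey
"""


def _new_group():
    return {"type": None, "address_pools": [], "ikev1_psk": None}


def parse_tunnel_groups(config_text):
    """Return {name: {"type", "address_pools", "ikev1_psk"}} from a config excerpt."""
    groups = {}
    current = None  # (name, mode) that indented attribute lines belong to
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"^tunnel-group (\S+) type (\S+)$", line)
        if m:
            groups.setdefault(m.group(1), _new_group())["type"] = m.group(2)
            current = None
            continue
        m = re.match(r"^tunnel-group (\S+) (general-attributes|ipsec-attributes)$", line)
        if m:
            groups.setdefault(m.group(1), _new_group())
            current = (m.group(1), m.group(2))
            continue
        if line.startswith(" ") and current:
            name, mode = current
            body = line.strip()
            if mode == "general-attributes":
                # address-pool [(interface)] pool1 [... pool6]
                m = re.match(r"^address-pool(?: \(\S+\))? (.+)$", body)
                if m:
                    groups[name]["address_pools"].extend(m.group(1).split())
            elif mode == "ipsec-attributes":
                m = re.match(r"^ikev1 pre-shared-key (\S+)$", body)
                if m:
                    groups[name]["ikev1_psk"] = m.group(1)
        else:
            current = None  # any other top-level line ends the attribute block
    return groups


def audit(config_text, min_psk_len=MIN_PSK_LEN):
    """Return a sorted list of (group_name, finding) for ipsec-ra tunnel groups."""
    findings = []
    for name, g in parse_tunnel_groups(config_text).items():
        if g["type"] != "ipsec-ra":
            continue  # LAN-to-LAN and other group types are out of scope here
        if not g["address_pools"]:
            findings.append((name, "no address-pool configured"))
        psk = g["ikev1_psk"]
        if psk is None:
            findings.append((name, "no IKEv1 pre-shared key (expected if IKEv2 with certificates is used)"))
        elif not 1 <= len(psk) <= 128:
            findings.append((name, "IKEv1 pre-shared key outside the 1-128 character range"))
        elif len(psk) < min_psk_len:
            findings.append((name, f"IKEv1 pre-shared key shorter than local minimum of {min_psk_len}"))
    return sorted(findings)


if __name__ == "__main__":
    for group, finding in audit(SAMPLE_CONFIG):
        print(f"{group}: {finding}")
```

Run against the sample, `testgroup` passes both checks while `nopool` is reported for the missing address pool and the short key; `site2site` is skipped because it is an ipsec-l2l group. Note that `show running-config` masks pre-shared keys with asterisks, so the key-length checks only work on output that shows the key in clear (for example `more system:running-config`).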