
tunnel-group [peer-ip] type ipsec-l2l

Creates or modifies a tunnel group for IPsec LAN-to-LAN VPN connections on Cisco ASA.

Overview

The 'tunnel-group [peer-ip] type ipsec-l2l' command is the starting point for an IPsec site-to-site VPN on a Cisco ASA. A tunnel-group (also called a connection profile) holds the connection-level parameters for one VPN peer. For LAN-to-LAN (L2L) tunnels the ASA selects the tunnel-group by the remote peer's IP address, so with pre-shared-key authentication the tunnel-group name must be exactly that address. The command creates the tunnel-group and sets its type; the peer-specific authentication parameters (the IKEv1 pre-shared key, or the IKEv2 local and remote pre-shared keys) are then set under 'tunnel-group <peer-ip> ipsec-attributes'.

The tunnel-group does not carry the crypto parameters themselves. The IKE policy (Phase 1) is defined with 'crypto ikev1 policy' (shown as ISAKMP policy in older releases), and the transform set or IPsec proposal (Phase 2), the interesting-traffic ACL and the peer address live in the crypto map that is applied to the outside interface. The tunnel-group, the crypto map entry and the IKE policy together make up one site-to-site tunnel, and you create one tunnel-group per remote site.

Tunnel-groups are required for both site-to-site and remote-access VPNs on the ASA, so the type must be chosen correctly. When a tunnel fails, checking that the tunnel-group name matches the peer address in the crypto map and that the pre-shared key is configured is the first troubleshooting step.

Syntax (Global Config)
tunnel-group <peer-ip> type ipsec-l2l

When to Use This Command

  • Establishing a site-to-site VPN between a branch office and headquarters.
  • Configuring a VPN tunnel to a partner organization for secure data exchange.
  • Modifying an existing tunnel group for a remote site (re-entering the command for an existing peer enters its configuration mode).
  • Setting up multiple L2L tunnels to different remote peers.

Parameters

Parameter   Syntax      Description
peer-ip     A.B.C.D     The IP address of the remote VPN peer. Must match the 'set peer' address in the crypto map entry for that site.
type        ipsec-l2l   Specifies the tunnel type as IPsec LAN-to-LAN. The remote-access type is 'remote-access' on current ASA software; the older 'ipsec-ra' keyword is still accepted on many releases and is converted to 'remote-access'.

Command Examples

Create a tunnel group for a remote peer

tunnel-group 203.0.113.5 type ipsec-l2l

No output is displayed upon successful creation. The command enters tunnel-group configuration mode for the specified IP; the pre-shared key is configured afterwards under 'tunnel-group 203.0.113.5 ipsec-attributes'.

Verify tunnel group creation

show running-config tunnel-group 203.0.113.5
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key *****

Shows the tunnel-group configuration including type and IPsec attributes. The ASA masks the pre-shared key as ***** in 'show running-config'; the cleartext value is visible only with 'more system:running-config', so restrict who can run that command.

Understanding the Output

The command itself does not produce output; it enters tunnel-group configuration mode. To verify, use 'show running-config tunnel-group <peer-ip>' or 'show tunnel-group <peer-ip>'. The output from 'show running-config' displays the tunnel-group type and any configured attributes, such as the IKEv1 pre-shared key (masked) or the IKEv2 local and remote pre-shared keys. A healthy configuration shows the type ipsec-l2l, a name that equals the crypto map's 'set peer' address, and a pre-shared key for the IKE version in use. Typical problems are the wrong type, a mistyped peer IP, or a missing or mismatched pre-shared key.

Configuration Scenarios

Basic Site-to-Site VPN Setup

Branch office (10.1.1.0/24) connecting to HQ (192.168.1.0/24) via ASA at each end.

Topology

Branch ASA (198.51.100.1) <--- Internet ---> HQ ASA (203.0.113.5)

Steps

  1. Create the tunnel-group for the remote peer on the HQ ASA: tunnel-group 198.51.100.1 type ipsec-l2l
  2. Configure the IPsec attributes: tunnel-group 198.51.100.1 ipsec-attributes; ikev1 pre-shared-key cisco123
  3. Configure the IKEv1 policy, the interesting-traffic ACL, the transform set and the crypto map, and apply the crypto map to the outside interface.
  4. Repeat on the Branch ASA with the HQ address (203.0.113.5) as the tunnel-group name and crypto map peer.

Configuration
! On HQ ASA
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key cisco123

Verify: show tunnel-group 198.51.100.1

Watch out: Ensure the pre-shared key matches on both ends. The key 'cisco123' is only a placeholder; in production use a long random key per peer, because the pre-shared key is the only thing authenticating the remote site.
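The page's configuration above stops at the tunnel-group, while step 3 is the part most site-to-site tunnels fail on. The following is an added, complete IKEv1 configuration for the scenario on both ASAs; it is not the page's own example. The interface names (outside, inside), the object, ACL, transform-set and crypto map names, the cipher choices, and the key placeholders are assumptions for this example. The NAT exemption line uses ASA 8.3+ syntax.

```cisco
! ===== HQ ASA (outside 203.0.113.5, LAN 192.168.1.0/24) =====
! Names below (HQ-LAN, BRANCH-LAN, L2L-TO-BRANCH, AES256-SHA, OUTSIDE-MAP) are assumed
object network HQ-LAN
 subnet 192.168.1.0 255.255.255.0
object network BRANCH-LAN
 subnet 10.1.1.0 255.255.255.0
!
! Phase 1: IKEv1 policy, must match the branch policy exactly
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
! Interesting traffic: HQ LAN to branch LAN (the branch ACL is the mirror image)
access-list L2L-TO-BRANCH extended permit ip object HQ-LAN object BRANCH-LAN
!
! NAT exemption so VPN traffic keeps its real addresses (ASA 8.3+ twice NAT)
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
!
! Phase 2: transform set and crypto map entry for this peer
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TO-BRANCH
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
!
! Tunnel-group: the name MUST equal the 'set peer' address above
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <long-random-key-shared-with-branch>

! ===== Branch ASA (outside 198.51.100.1, LAN 10.1.1.0/24) =====
! Same objects, IKEv1 policy, transform set and 'crypto ikev1 enable outside' as HQ;
! only the peer-facing lines differ:
access-list L2L-TO-HQ extended permit ip object BRANCH-LAN object HQ-LAN
nat (inside,outside) source static BRANCH-LAN BRANCH-LAN destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup
crypto map OUTSIDE-MAP 10 match address L2L-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.5
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key <long-random-key-shared-with-branch>
```

After sending traffic between the two LANs, 'show crypto ikev1 sa' should list the peer with a state of MM_ACTIVE, 'show crypto ipsec sa peer 198.51.100.1' should show non-zero encap/decap counters, and 'show vpn-sessiondb l2l' lists the session. The ACLs must be exact mirrors of each other and the NAT exemption must be in place on both sides, otherwise Phase 2 negotiates but traffic never matches the tunnel.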

Troubleshooting with This Command

When troubleshooting a site-to-site VPN, start by verifying the tunnel-group configuration with 'show running-config tunnel-group <peer-ip>'. Check that the type is 'ipsec-l2l' and that a pre-shared key is present for the IKE version in use. If the tunnel doesn't come up, use 'debug crypto ikev1' (with a debug level such as 127) or 'debug crypto ipsec' to see the negotiation errors. Common issues include mismatched pre-shared keys, an incorrect peer IP, mismatched IKE policies or transform sets, and a missing or non-mirrored crypto map ACL. Also verify that the tunnel-group name exactly matches the 'set peer' address in the crypto map. The crypto map does not reference the tunnel-group directly: when IKE negotiation starts, the ASA looks up the tunnel-group by the peer's IP address, and if no matching group exists it falls back to the built-in DefaultL2LGroup, which has no pre-shared key by default, so authentication fails. The IKE debug output shows which tunnel-group was selected for the peer, which quickly reveals a mistyped name. Use 'show crypto ikev1 sa' (or 'show crypto isakmp sa') to check IKE Phase 1 status and 'show crypto ipsec sa' for Phase 2.

CCNA Exam Tips

  1. Remember that 'ipsec-l2l' is used for site-to-site VPNs, while 'remote-access' (formerly 'ipsec-ra') is for remote access.
  2. The tunnel-group name must match the peer IP address for L2L tunnels.
  3. After creating the tunnel-group, you must configure the pre-shared key under 'tunnel-group <ip> ipsec-attributes'.

Common Mistakes

Using 'ipsec-ra' instead of 'ipsec-l2l' for site-to-site tunnels, causing connection failure.

Forgetting to configure the pre-shared key under the tunnel-group ipsec-attributes.

Typing the peer IP incorrectly, leading to a mismatch with the crypto map.

Platform Notes

On Cisco ASA, tunnel-groups are a core concept for VPN configuration, unlike IOS where the crypto map references the peer IP directly and the pre-shared key is set with 'crypto isakmp key'. The ASA requires a tunnel-group for each VPN connection. For site-to-site with pre-shared keys, the name must be the peer IP; for remote access, it is a name chosen by the administrator. The 'type ipsec-l2l' keyword is specific to ASA; on IOS there is no tunnel-group. IKEv2 has been supported since ASA 8.4(1), and both IKEv1 and IKEv2 can be configured under the same tunnel-group: the IKEv1 key is set with 'ikev1 pre-shared-key', while IKEv2 uses separate 'ikev2 local-authentication pre-shared-key' and 'ikev2 remote-authentication pre-shared-key' values. When both versions are enabled, the ASA initiates with IKEv2 and falls back to IKEv1 if the peer does not respond. ASDM offers the same settings through the Site-to-Site VPN wizard, which creates the tunnel-group for you. Equivalent constructs on other platforms: on Palo Alto, you create IKE gateways and IPsec tunnels; on Juniper SRX, you configure IKE proposals, policies and gateways.
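To show how IKEv2 is added to an existing IKEv1 site-to-site tunnel-group, here is an added example for the HQ ASA from the scenario above (ASA 8.4(1) or later); it is not code from the page. It assumes the crypto map OUTSIDE-MAP entry 10 and the outside interface already exist, and the proposal name and key placeholders are assumptions. Note that IKEv2 keeps two keys: the local key is what this ASA sends, the remote key is what it expects from the peer, so the branch must configure them the other way round.

```cisco
! IKEv2 Phase 1 policy (must match the branch)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! IKEv2 Phase 2 proposal (replaces the transform set for IKEv2 negotiations)
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Same crypto map entry as the IKEv1 tunnel; the IKEv2 proposal sits next to the IKEv1 transform set
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
!
! Same tunnel-group; IKEv2 uses separate local/remote keys (assumed placeholders)
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <key-the-branch-sends>
 ikev2 local-authentication pre-shared-key <key-hq-sends>
```

On the branch ASA the two IKEv2 keys are swapped: its local key is HQ's remote key and vice versa. 'show crypto ikev2 sa' then shows the IKEv2 SA, and 'show crypto ikev1 sa' stays empty for this peer as long as the IKEv2 negotiation succeeds.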

Related Commands
