A tunnel group is a set of records that contain
tunnel connection policies. You configure a tunnel group to identify AAA
servers, specify connection parameters, and define a default group policy. The
ASA stores tunnel groups internally.
There are two default tunnel groups in the ASA:
DefaultRAGroup, which is the default IPsec remote-access tunnel group, and
DefaultL2Lgroup, which is the default IPsec LAN-to-LAN tunnel group. You can
modify them, but not delete them.
The difference between IKEv1 and IKEv2 that matters for tunnel-group configuration
is the authentication methods each allows. IKEv1 requires the same authentication
type at both VPN ends (either a preshared key on both or a certificate on both).
IKEv2 allows asymmetric authentication: each side can authenticate itself with a
different credential (for example, the originator with a preshared key and the
responder with a certificate), configured with separate local-authentication and
remote-authentication commands under the tunnel group's IPsec attributes. The two
peers must mirror each other: whatever one side configures as its local
authentication method, the other side must configure as its remote authentication
method, or IKEv2 negotiation fails.
You can also create one or more new tunnel groups to suit your environment. When
no specific tunnel group is identified during tunnel negotiation, the ASA falls
back to the default groups (DefaultRAGroup for remote access, DefaultL2Lgroup for
LAN-to-LAN) to supply the default tunnel parameters.
To establish a basic LAN-to-LAN connection, you must set two attributes for the
tunnel group, which for a LAN-to-LAN connection is named after the peer's IP
address:
Set the connection type to IPsec LAN-to-LAN.
Configure an authentication method for that peer IP address (that is, a preshared
key for IKEv1 and for IKEv2, or, for IKEv2 only, a certificate on one or both ends).
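The following is an added configuration example, not taken from the original page,
showing the two required attributes together with asymmetric IKEv2 authentication.
The peer addresses 203.0.113.2 and 198.51.100.1, the group-policy name L2L_POLICY,
the trustpoint name VPN_TP and the preshared key are all assumed values.

```text
! Local ASA (198.51.100.1): this side authenticates with a certificate,
! the peer authenticates with a preshared key. IKEv1 keeps one shared key.
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-tunnel-protocol ikev1 ikev2
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L_POLICY
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key Str0ngSharedSecret!
 ikev2 local-authentication certificate VPN_TP
 ikev2 remote-authentication pre-shared-key Str0ngSharedSecret!

! Remote ASA (203.0.113.2): the mirror image of the above. Its local method
! is the preshared key and its remote method is the certificate.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key Str0ngSharedSecret!
 ikev2 local-authentication pre-shared-key Str0ngSharedSecret!
 ikev2 remote-authentication certificate
```

Because the tunnel group is named by the peer address, a peer connecting from any
other address does not match it and is handled by DefaultL2Lgroup instead. After
configuring both sides, confirm the group and the negotiated authentication with
`show running-config tunnel-group` and `show crypto ikev2 sa`; if the local and
remote methods are not mirrored, the IKEv2 SA never reaches the ready state.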