topic When creating multiple VPN tunnels in Network Security

When creating multiple VPN tunnels

Jon Moots — Tue, 12 Mar 2019 05:39:57 GMT

I found something that was rather curious when creating a VPN tunnel between one ASA and 2 opposing location ASA's. What I am doing is creating 2 tunnels on a singe ASA for a three location loop.

Eg: ASA-a is linked via VPN Tunnel to ASA-b and ASA-c.

My question is this: When creating the isakmp policy, do you have to repeat the same steps over again if you already entered it in for the first tunnel?

Specifically this part: crypto isakmp policy 30 authentication pre-share
                                   crypto isakmp policy 30 encrypt 3des
                                   crypto isakmp policy 30 hash sha
                                   crypto isakmp policy 30 group 2
                                   crypto isakmp policy 30 lifetime 86400

My reason for asking is when I went to enter in this block of code for the second tunnel, I changed the ID number from 20 to 30 as shown above. When I saved the code to memory once I had it in, the error popped up that the isakmp policy was superseded by policy 20.

Everything looks to be in order and there when I do a show, just wondering if I am adding in keyboard work that does not need to be there.

-Jon

JonThat policy is not tied to

Jon Marshall — Thu, 19 Mar 2015 15:48:10 GMT

Jon

That policy is not tied to any tunnel unlike the phase 2 configuration.

So if you want to use the same settings you only need to enter it once.

The reason for the numbering is so you can have multiple policies and the firewall will run through them in order ie. you may have a peer using a different policy than other peers.

But for the same policy you only need to enter it once.

Jon

Thank you Jon. The tutorial

Jon Moots — Thu, 19 Mar 2015 16:44:40 GMT

Thank you Jon. The tutorial that I was reading for the VPN Tunnel did not distinguish this. I figured that to be the case but wanted to be sure.