Cisco ASA with multiple VPN tunnels

UZaman3 (Level 1)

I am trying to set up our Cisco ASA to have multiple IPsec tunnels to different endpoints. I have had an IPsec tunnel up for a couple of years to our datacenter and am now trying to bring up a second IPsec tunnel to a hybrid cloud environment. I added the configuration for the tunnel but am not even seeing Phase 1 negotiations in debug on the ASA side. Attached are the configs for the ASA (IPs changed, but they should still make sense). I do not have access to the AWS side (3rd-party vendor) but have seen it, and it's a pretty simple setup on their side. Any thoughts would be greatly appreciated.


@UZaman3 Which VPN sequence is not working, 10 or 20? If 20, then you have no match statement to identify the interesting traffic, hence why the VPN would not establish.

Example below (the missing line is the `match address` entry for sequence 20):

crypto map outside_map 10 match address VPN-Columbia-Culpepper
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 30.30.30.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 7200
crypto map outside_map 20 match address <ACL to AWS>
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 100.100.100.1 200.200.200.1
crypto map outside_map 20 set ikev1 transform-set transform-amzn
crypto map outside_map 20 set security-association lifetime seconds 3600

It is crypto map 20 that isn't working, and my apologies, I deleted that command when I was editing the text file. The crypto map looks like this:

access-list acl-amzn extended permit ip object ADQIC_AWS_VPC object ADQIC_CUL_AWS

crypto map outside_map 20 match address acl-amzn
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 100.100.100.1 200.200.200.1
crypto map outside_map 20 set ikev1 transform-set transform-amzn
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map interface outside

Hi,
there are two possible causes of this issue.
First: there are two peers; remove one peer and check whether the tunnel comes up or not.
Second: if the above does not work, then you need an ISAKMP profile to make the ASA know whether this IPsec Phase 1 is for this tunnel or for the other tunnel.

You should be able to have multiple peers as the endpoint in a crypto map; that's why the syntax allows it, unless I'm implementing it incorrectly. I think this issue might have to do with the overall design of the network. We have the AWS side, where one side of the tunnel terminates, and then we have, let's call it Site A, where my side of the tunnel terminates. However, we have another site, Site B, which is where the interesting traffic sources from. Site A and Site B can communicate with each other without issue over an existing tunnel, but I think because Site B is not local to site 2 (a different network altogether), even with proper routing in place between Site A and Site B, the Site A ASA is not seeing that as interesting traffic to send over the tunnel. I can include an overall diagram of the network, including the IPsec tunnel I am trying to establish between Site A and AWS, if that helps. As always, I appreciate the help this community gives!

Yes, share the topology.

UZaman3 (Level 1)

My apologies for not getting back sooner. We were able to get the tunnel established. The issue actually ended up being two things. First, I needed to expand the object group for the tunnel ACL to encompass both our Site A and Site B, and also have the AWS folks update it on their VPN endpoint as well. Second, the AWS folks had a routing loop on their end that was preventing return traffic. Once that was fixed, the tunnel came up. I am now having another issue. Site A is able to connect to AWS and reach VMs in our VPC in AWS without any issues. Site B, however, is not able to reach the VMs in the VPC. I have been able to confirm that traffic destined for our AWS VPC is getting from Site B to Site A over our existing site-to-site tunnel, but for whatever reason the ASA is not sending it to AWS. Please see below for the attached topology. Let me know if I can provide any more information or insight. Thanks!
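Both findings in this thread, the crypto map sequence with no `match address` line and the crypto ACL whose source object group did not yet cover Site B, are the kind of thing that can be checked offline from a saved `show running-config`. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses `object network`, `object-group network`, `access-list ... permit ip` and `crypto map` lines, flags crypto map sequences that can never bring a tunnel up, and answers "would a packet from this source to this destination be interesting traffic for this crypto ACL?". The configuration fragment, object names and addresses are constructed for the example; the two defects are planted deliberately and a corrected copy is built alongside it.

```python
import ipaddress
import re

# Constructed ASA fragment (hypothetical object names and addresses, not the poster's real
# config). Two defects are planted: sequence 20 has no "match address", and the crypto
# ACL's source group ONPREM_TO_AWS covers Site A only.
ASA_CONFIG = """\
object network SITE_A_LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE_B_LAN
 subnet 10.2.0.0 255.255.0.0
object network DC_LAN
 subnet 10.9.0.0 255.255.0.0
object network AWS_VPC
 subnet 172.31.0.0 255.255.0.0
object-group network ONPREM_TO_AWS
 network-object object SITE_A_LAN
access-list VPN-Columbia-Culpepper extended permit ip object SITE_A_LAN object DC_LAN
access-list acl-amzn extended permit ip object-group ONPREM_TO_AWS object AWS_VPC
crypto map outside_map 10 match address VPN-Columbia-Culpepper
crypto map outside_map 10 set peer 30.30.30.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 20 set peer 100.100.100.1 200.200.200.1
crypto map outside_map 20 set ikev1 transform-set transform-amzn
crypto map outside_map interface outside
"""

# Corrected copy: Site B added to the source group, match statement restored on sequence 20.
FIXED_CONFIG = ASA_CONFIG.replace(
    " network-object object SITE_A_LAN\n",
    " network-object object SITE_A_LAN\n network-object object SITE_B_LAN\n",
).replace(
    "crypto map outside_map 20 set peer",
    "crypto map outside_map 20 match address acl-amzn\ncrypto map outside_map 20 set peer",
)


def parse_objects(config):
    """Resolve 'object network' / 'object-group network' names to lists of ip_network.
    Handles 'subnet', 'host' and 'network-object object' members; members must be
    defined before the group that references them (true of a running-config dump)."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object(?:-group)? network (\S+)", line):
            current = m.group(1)
            objects[current] = []
        elif m := re.match(r"\s+subnet (\S+) (\S+)", line):
            objects[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"\s+host (\S+)", line):
            objects[current].append(ipaddress.ip_network(m.group(1)))
        elif m := re.match(r"\s+network-object object (\S+)", line):
            objects[current].extend(objects.get(m.group(1), []))
    return objects


def resolve_operand(operand, objects):
    """Turn an ACL operand ('object X', 'object-group X', 'host A', 'NET MASK') into networks."""
    kind, value = operand.split()
    if kind in ("object", "object-group"):
        return objects[value]
    if kind == "host":
        return [ipaddress.ip_network(value)]
    return [ipaddress.ip_network(f"{kind}/{value}")]


def parse_acls(config, objects):
    """Return {acl_name: [(src_networks, dst_networks), ...]} for 'permit ip' entries."""
    acls = {}
    pat = re.compile(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)")
    for line in config.splitlines():
        if m := pat.match(line):
            acls.setdefault(m.group(1), []).append(
                (resolve_operand(m.group(2), objects), resolve_operand(m.group(3), objects)))
    return acls


def parse_crypto_maps(config):
    """Return {(map_name, seq): {'match': acl, 'peers': [...], 'transform': [...]}}."""
    maps = {}
    pat = re.compile(r"crypto map (\S+) (\d+) "
                     r"(match address|set peer|set ikev1 transform-set|set ikev2 ipsec-proposal) (.+)")
    for line in config.splitlines():
        if m := pat.match(line):
            entry = maps.setdefault((m.group(1), int(m.group(2))), {})
            keyword, value = m.group(3), m.group(4).split()
            if keyword == "match address":
                entry["match"] = value[0]
            elif keyword == "set peer":
                entry["peers"] = value
            else:
                entry["transform"] = value
    return maps


def lint_crypto_maps(maps, acls):
    """Flag sequences that can never negotiate: no interesting-traffic ACL, an ACL with no
    permit entries, no peer, or no transform-set/proposal."""
    findings = []
    for (name, seq), e in sorted(maps.items()):
        if "match" not in e:
            findings.append(f"{name} {seq}: no 'match address' (no interesting traffic)")
        elif e["match"] not in acls:
            findings.append(f"{name} {seq}: ACL {e['match']} has no permit ip entries")
        if not e.get("peers"):
            findings.append(f"{name} {seq}: no 'set peer'")
        if not e.get("transform"):
            findings.append(f"{name} {seq}: no transform-set/proposal")
    return findings


def is_interesting(acls, acl_name, src_ip, dst_ip):
    """True if src->dst hits a permit entry of the crypto ACL (deny entries not modelled)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(src in n for n in s) and any(dst in n for n in d)
               for s, d in acls.get(acl_name, []))


def check(config):
    """Lint the crypto maps and test a Site A and a Site B source against the AWS VPC."""
    objects = parse_objects(config)
    acls = parse_acls(config, objects)
    findings = lint_crypto_maps(parse_crypto_maps(config), acls)
    site_a = is_interesting(acls, "acl-amzn", "10.1.5.5", "172.31.0.10")
    site_b = is_interesting(acls, "acl-amzn", "10.2.5.5", "172.31.0.10")
    return findings, site_a, site_b


if __name__ == "__main__":
    for label, cfg in (("original", ASA_CONFIG), ("fixed", FIXED_CONFIG)):
        findings, a, b = check(cfg)
        print(f"{label}: findings={findings} siteA->AWS={a} siteB->AWS={b}")
```

Running it against the planted configuration reports `outside_map 20: no 'match address'` and shows that a Site B source is not interesting traffic for `acl-amzn` even though a Site A source is; against the corrected copy it reports nothing and both sources match. Two caveats the thread itself raises: the crypto ACL must be mirrored on the AWS side as well, and a correct crypto ACL only gets the packet into the tunnel, so a routing problem on the far side (the routing loop mentioned above) still has to be found from the other end.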