Configuring redundant IPsec tunnels on ASA

Hawk
Level 1
Level 1

A vpn peer has 2 peer addresses that I have set in the crypto map settings on my ASA.  Do I need to configure 2 tunnel groups also? One for each peer address?

e.g. crypto map ikev2_outside_map 10 set peer 1.1.1.1 2.2.2.2

Accepted Solution

mkazam001
Level 3
Level 3

please see below for the correlation between tunnel-group & crypto map config:

the crypto map that is enabled on the interface will have the same name

however, it's the sequence numbers in the crypto map that allow you to configure multiple tunnels

tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto map CRYPTOMAP 2 match address VPN-ACL
crypto map CRYPTOMAP 2 set peer 100.1.1.2
crypto map CRYPTOMAP 2 set ikev1 transform-set AES192-SHA

tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto map CRYPTOMAP 3 match address VPN-ACL2
crypto map CRYPTOMAP 3 set peer 200.1.1.2
crypto map CRYPTOMAP 3 set ikev1 transform-set AES192-SHA

crypto map CRYPTOMAP interface outside

regards, mk
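The rule the answers above give (every address listed under "set peer" needs its own ipsec-l2l tunnel-group, because the ASA looks up an L2L tunnel-group by the peer's IP address) can be audited mechanically. The script below is an added example, not from the thread or from Cisco: it parses a constructed sample ASA configuration and reports peers that have no tunnel-group, which is exactly the case where failover to the second peer would never authenticate; the function name audit_peers is chosen here.

```python
import re

# Constructed sample ASA configuration (not from the thread): one crypto map
# entry with two redundant peers, a tunnel-group for only the first peer, and a
# stale tunnel-group for a peer that no crypto map entry references.
SAMPLE_CONFIG = """\
crypto map ikev2_outside_map 10 match address VPN-ACL
crypto map ikev2_outside_map 10 set peer 1.1.1.1 2.2.2.2
crypto map ikev2_outside_map 10 set ikev2 ipsec-proposal AES256-SHA
crypto map ikev2_outside_map interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 9.9.9.9 type ipsec-l2l
"""

# "crypto map <name> <seq> set peer <ip> [<ip> ...]": one entry, several peers.
SET_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
# "tunnel-group <name> type ipsec-l2l": for L2L the group name is the peer IP.
L2L_GROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def audit_peers(config):
    """Return (missing, stale): missing maps "<map> <seq>" to the peers of that
    entry with no ipsec-l2l tunnel-group (failover to such a peer cannot
    authenticate); stale lists ipsec-l2l tunnel-groups no entry points at."""
    peers_by_entry = {}
    l2l_groups = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = SET_PEER.match(line)
        if m:
            peers_by_entry[f"{m.group(1)} {m.group(2)}"] = m.group(3).split()
            continue
        m = L2L_GROUP.match(line)
        if m:
            l2l_groups.add(m.group(1))
    missing = {entry: [p for p in peers if p not in l2l_groups]
               for entry, peers in peers_by_entry.items()}
    referenced = {p for peers in peers_by_entry.values() for p in peers}
    return missing, sorted(l2l_groups - referenced)


if __name__ == "__main__":
    missing, stale = audit_peers(SAMPLE_CONFIG)
    for entry, peers in missing.items():
        for peer in peers:
            print(f"{entry}: peer {peer} has no ipsec-l2l tunnel-group")
    for group in stale:
        print(f"tunnel-group {group}: not referenced by any crypto map entry")
```

Run it against "show running-config" output saved to a file; on the sample it flags 2.2.2.2 as missing and 9.9.9.9 as stale.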


3 Replies

Hi,
Yes, you'll need separate tunnel-groups for peer-specific settings (e.g. PSK) for each of the peer gateways.

HTH

balaji.bandi
Hall of Fame
Hall of Fame

yes you need 2 tunnel groups, example:

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco?123

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key cisco?123

BB

