Configuring redundant IPsec tunnels on ASA

Hawk
Level 1

A VPN peer has 2 peer addresses that I have set in the crypto map settings on my ASA. Do I need to configure 2 tunnel groups also? One for each peer address?

e.g. crypto map ikev2_outside_map 10 set peer 1.1.1.1 2.2.2.2

Accepted Solution

mkazam001
Level 3

Please see below for the correlation between tunnel-group & crypto map config:

The crypto map that is enabled on the interface will have the same name; however, it's the sequence numbers in the crypto map that allow you to configure multiple tunnels.

tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto map CRYPTOMAP 2 match address VPN-ACL
crypto map CRYPTOMAP 2 set peer 100.1.1.2
crypto map CRYPTOMAP 2 set ikev1 transform-set AES192-SHA
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto map CRYPTOMAP 3 match address VPN-ACL2
crypto map CRYPTOMAP 3 set peer 200.1.1.2
crypto map CRYPTOMAP 3 set ikev1 transform-set AES192-SHA
crypto map CRYPTOMAP interface outside
regards, mk
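The accepted answer's point, that every address named in a crypto map's "set peer" must have its own ipsec-l2l tunnel-group carrying the PSK and that the map must be applied to an interface, can be checked offline. The checker below is an added example, not the thread's or Cisco's code; the running-config excerpt it parses and the PLACEHOLDER-PSK value are constructed, modelled on the question (peer 2.2.2.2 deliberately has no tunnel-group).

```python
import re

# Constructed sample ASA config modelled on the thread: two redundant peers, tunnel-group only for 1.1.1.1
SAMPLE_CONFIG = """\
crypto map ikev2_outside_map 10 match address VPN-ACL
crypto map ikev2_outside_map 10 set peer 1.1.1.1 2.2.2.2
crypto map ikev2_outside_map interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
"""
SET_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TG_TYPE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
TG_ATTR = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def parse_asa_config(text):
    """Return (peers per crypto-map entry, maps bound to an interface, tunnel-groups)."""
    peers, bound, groups = {}, set(), {}
    current = None  # tunnel-group whose ipsec-attributes sub-mode is open
    for line in map(str.rstrip, text.splitlines()):
        if line.startswith(" ") and current:  # indented: inside ipsec-attributes
            if "pre-shared-key" in line:
                groups[current]["psk"] = True
            continue
        current = None
        if m := SET_PEER.match(line):
            peers[(m[1], int(m[2]))] = m[3].split()
        elif m := MAP_IFACE.match(line):
            bound.add(m[1])
        elif m := TG_TYPE.match(line):
            groups.setdefault(m[1], {"psk": False})["type"] = m[2]
        elif m := TG_ATTR.match(line):
            current = m[1]
            groups.setdefault(current, {"psk": False})
    return peers, bound, groups

def check_redundant_peers(text):
    """Flag each 'set peer' address that lacks a usable ipsec-l2l tunnel-group."""
    peers, bound, groups = parse_asa_config(text)
    findings = [f"crypto map {n} is not applied to any interface"
                for n in sorted({n for n, _ in peers} - bound)]
    for (name, seq), addrs in sorted(peers.items()):
        for peer in addrs:
            tg = groups.get(peer)
            if tg is None or tg.get("type") != "ipsec-l2l":
                findings.append(f"{name} {seq}: peer {peer} has no ipsec-l2l tunnel-group")
            elif not tg["psk"]:
                findings.append(f"{name} {seq}: tunnel-group {peer} has no pre-shared-key")
    return findings
```

Run it against the output of "show running-config" and it returns one finding per redundant peer that would fail to bring up Phase 1 for lack of a tunnel-group or PSK.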


3 Replies

Hi,
Yes, you'll need separate tunnel-groups for peer-specific settings (e.g. PSK) for each of the peer gateways.

HTH

balaji.bandi
Hall of Fame

Yes, you need 2 tunnel groups. Example:

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco?123

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key cisco?123

BB


