11-12-2018 12:56 PM - edited 02-21-2020 09:30 PM
A VPN peer has 2 peer addresses that I have set in the crypto map settings on my ASA. Do I need to configure 2 tunnel groups also? One for each peer address?
e.g. crypto map ikev2_outside_map 10 set peer 1.1.1.1 2.2.2.2
11-12-2018 02:03 PM
Please see below for the correlation between the tunnel-group and crypto map config:
The crypto map that is enabled on the interface will have the same name.
However, it's the sequence numbers in the crypto map that allow you to configure multiple tunnels.
tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto map CRYPTOMAP 2 match address VPN-ACL
crypto map CRYPTOMAP 2 set peer 100.1.1.2
crypto map CRYPTOMAP 2 set ikev1 transform-set AES192-SHA
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto map CRYPTOMAP 3 match address VPN-ACL2
crypto map CRYPTOMAP 3 set peer 200.1.1.2
crypto map CRYPTOMAP 3 set ikev1 transform-set AES192-SHA
crypto map CRYPTOMAP interface outside
regards, mk
11-12-2018 01:02 PM
11-12-2018 01:05 PM
Yes, you need 2 tunnel groups. Example:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco?123
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key cisco?123
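A check for the correlation both answers describe, as an added example that is not part of the original thread or Cisco's own tooling: it parses ASA running-config text and reports crypto map peers that have no matching `tunnel-group`, including the second address on a multi-peer `set peer` line. It assumes tunnel groups are named by peer IP address, as in this thread; the function name `audit` and the sample config are constructed for illustration.

```python
import re

# Constructed sample (not from a real device): sequence 10 lists a primary
# and a backup peer, but only the primary has a tunnel-group.
SAMPLE_CONFIG = """\
crypto map ikev2_outside_map 10 match address VPN-ACL
crypto map ikev2_outside_map 10 set peer 1.1.1.1 2.2.2.2
crypto map ikev2_outside_map 20 set peer 100.1.1.2
crypto map ikev2_outside_map interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def audit(config):
    """Cross-check crypto map peers against L2L tunnel-groups (assumed IP-named)."""
    peers = {}           # peer address -> [(crypto map name, sequence number)]
    l2l_groups = set()   # names seen in 'tunnel-group X type ipsec-l2l'
    with_attrs = set()   # names seen in 'tunnel-group X ipsec-attributes'
    for raw in config.splitlines():
        line = raw.strip()
        if m := PEER_RE.match(line):
            for addr in m.group(3).split():   # 'set peer' may list several peers
                peers.setdefault(addr, []).append((m.group(1), int(m.group(2))))
        elif m := TG_TYPE_RE.match(line):
            l2l_groups.add(m.group(1))
        elif m := TG_ATTR_RE.match(line):
            with_attrs.add(m.group(1))
    return {
        "peers_without_tunnel_group": sorted(set(peers) - l2l_groups),
        "tunnel_groups_without_ipsec_attributes": sorted(l2l_groups - with_attrs),
        "tunnel_groups_without_crypto_map_peer": sorted(l2l_groups - set(peers)),
    }

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

A tunnel group with no crypto map peer is not necessarily an error, but it is a stale credential entry worth reviewing.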