cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
194
Views
0
Helpful
3
Replies
Highlighted
Beginner

How many IPSec tunnel i can apply on 1 interface Cisco ASA 5515-IPS site to site VPN config

Hi,

 

Is that possible to apply 2 IPSec tunnel on 1 interface(outisde)?

 

I'm working on to config a Cisco ASA 5515-IPS device to make site to site VPN setting.

There is 1 tunnel is already running on outside interface(internet), so i'm worrying if i add 1 more IPSec tunnel on same interface the tunnel(currently running) would be down?

 

Please give me some idea.

 

Thanks

3 REPLIES 3
Highlighted
VIP Mentor

Hi @khg762 

You can have a maximum of 250 IPSec peers on the 5515 hardware.

When defining the crypto map it's the sequence number that differentiates between the different VPN tunnels. E.g.

 

crypto map CM 10 match address BRANCH1_VPN
crypto map CM 10 set peer 1.1.1.1
crypto map CM 10 set ikev2 ipsec-proposal TSET
crypto map CM 20 match address BRANCH2_VPN
crypto map CM 20 set peer 2.2.2.1
crypto map CM 20 set ikev2 ipsec-proposal TSET

HTH

 

Highlighted
VIP Mentor

yes, you can multiple tunnels on the same interface : 

 

example from my notes :

 

Example:
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-3DES-SHA

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$

crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 4.5.6.7
crypto map outside_map 2 set transform-set ESP-3DES-SHA

tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$
BB
*** Rate All Helpful Responses ***
Highlighted
Rising star

When you add a new VPN tunnel on the ASA to the same crypto map, you don't really need to associate them to an interface. As long as you have the IKE used protocol enabled on the outside interface, and the crypto map is bound to the interface, which you have in your case, then you just need to add the new tunnels. That will not affect the existing one, assuming you are using different set of encryption domains for the new tunnels.