Is it possible to apply 2 IPSec tunnels on 1 interface (outside)?
I'm working on configuring a Cisco ASA 5515-IPS device to set up a site-to-site VPN.
There is 1 tunnel already running on the outside interface (internet), so I'm worried that if I add 1 more IPSec tunnel on the same interface, the tunnel that is currently running would go down?
Please give me some idea.
You can have a maximum of 250 IPSec peers on the 5515 hardware.
When defining the crypto map it's the sequence number that differentiates between the different VPN tunnels. E.g.
crypto map CM 10 match address BRANCH1_VPN
crypto map CM 10 set peer 184.108.40.206
crypto map CM 10 set ikev2 ipsec-proposal TSET
crypto map CM 20 match address BRANCH2_VPN
crypto map CM 20 set peer 220.127.116.11
crypto map CM 20 set ikev2 ipsec-proposal TSET
Yes, you can have multiple tunnels on the same interface.
Example from my notes:
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 18.104.22.168
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 22.214.171.124 type ipsec-l2l
tunnel-group 126.96.36.199 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$
crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 188.8.131.52
crypto map outside_map 2 set transform-set ESP-3DES-SHA
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$
When you add a new VPN tunnel on the ASA to the same crypto map, you don't really need to associate it with an interface. As long as you have the IKE protocol in use enabled on the outside interface, and the crypto map is bound to the interface, which you have in your case, then you just need to add the new tunnels. That will not affect the existing one, assuming you are using a different set of encryption domains for the new tunnels.
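The condition in the last reply (each tunnel needs its own encryption domain) can be checked offline against a saved config before a new sequence number is added. The Python below is an added example, not code from the thread: the ACL contents, the BRANCH3_VPN entry and the peer addresses are constructed, and it assumes crypto ACL lines of the plain form "permit ip <net> <mask> <net> <mask>" (no "host", "any" or object-groups).

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample config: ACL contents, sequence 30 and the peer addresses
# (documentation ranges) are made up; the crypto map layout follows the thread.
SAMPLE = """\
access-list BRANCH1_VPN extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list BRANCH2_VPN extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list BRANCH3_VPN extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map CM 10 match address BRANCH1_VPN
crypto map CM 10 set peer 192.0.2.10
crypto map CM 20 match address BRANCH2_VPN
crypto map CM 20 set peer 198.51.100.20
crypto map CM 30 match address BRANCH3_VPN
crypto map CM 30 set peer 203.0.113.30
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def parse(config):
    """Return (acls, entries): ACL name -> [(src, dst)], (map, seq) -> ACL name."""
    acls, entries = {}, {}
    for line in config.splitlines():
        if m := ACL_RE.match(line.strip()):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                    ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
            acls.setdefault(name, []).append(pair)
        elif m := MAP_RE.match(line.strip()):
            entries[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, entries

def overlapping_entries(config):
    """List (seq_a, seq_b) pairs in one crypto map whose encryption domains overlap."""
    acls, entries = parse(config)
    hits = []
    for (a, acl_a), (b, acl_b) in combinations(sorted(entries.items()), 2):
        if a[0] != b[0]:
            continue  # only entries of the same crypto map compete for traffic
        if any(s1.overlaps(s2) and d1.overlaps(d2)
               for s1, d1 in acls.get(acl_a, []) for s2, d2 in acls.get(acl_b, [])):
            hits.append((a[1], b[1]))
    return hits

if __name__ == "__main__":
    print(overlapping_entries(SAMPLE))
```

In the sample, sequences 10 and 20 are independent, while the constructed sequence 30 covers the same traffic as 10 and would be shadowed by it, since the lower sequence number is matched first.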