How many IPSec tunnel i can apply on 1 interface Cisco ASA 5515-IPS site to site VPN config

khg762
Level 1

Hi,

Is it possible to apply 2 IPSec tunnels on 1 interface (outside)?

I'm working on configuring a Cisco ASA 5515-IPS device for a site to site VPN.

There is 1 tunnel already running on the outside interface (internet), so I'm worried that if I add 1 more IPSec tunnel on the same interface, the currently running tunnel would go down.

Please give me some idea.

Thanks

3 Replies

Hi @khg762 

You can have a maximum of 250 IPSec peers on the 5515 hardware.

When defining the crypto map, it's the sequence number that differentiates between the different VPN tunnels, e.g.:


crypto map CM 10 match address BRANCH1_VPN
crypto map CM 10 set peer 1.1.1.1
crypto map CM 10 set ikev2 ipsec-proposal TSET
crypto map CM 20 match address BRANCH2_VPN
crypto map CM 20 set peer 2.2.2.1
crypto map CM 20 set ikev2 ipsec-proposal TSET

HTH


balaji.bandi
Hall of Fame

Yes, you can have multiple tunnels on the same interface:

Example from my notes:
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-3DES-SHA

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$

crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 4.5.6.7
crypto map outside_map 2 set transform-set ESP-3DES-SHA

tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$

BB

When you add a new VPN tunnel on the ASA to the same crypto map, you don't really need to associate it with an interface. As long as you have the IKE protocol you use enabled on the outside interface, and the crypto map is bound to the interface, which you have in your case, then you just need to add the new tunnels. That will not affect the existing one, assuming you are using a different set of encryption domains for the new tunnels.
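The replies above hinge on two things: each tunnel gets its own crypto map sequence number, and the new tunnel's encryption domain must not overlap the existing one. The script below is an added example, not code from any of the posters or from Cisco; it parses crypto ACLs, crypto map entries and ipsec-l2l tunnel-groups out of an ASA config and reports a lower sequence number whose crypto ACL would capture traffic meant for a higher one, plus peers with no tunnel-group. The config text, the map name CM, the ACL names and all addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample ASA config (not from the thread): three entries on one crypto map.
# Seq 20's ACL is deliberately a subset of seq 10's, and peer 3.3.3.1 lacks a tunnel-group.
SAMPLE_CONFIG = """
access-list BRANCH1_VPN extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list BRANCH2_VPN extended permit ip 10.1.0.0 255.255.0.0 192.168.1.128 255.255.255.128
access-list BRANCH3_VPN extended permit ip 10.2.0.0 255.255.0.0 172.16.0.0 255.255.0.0
crypto map CM 10 match address BRANCH1_VPN
crypto map CM 10 set peer 1.1.1.1
crypto map CM 20 match address BRANCH2_VPN
crypto map CM 20 set peer 2.2.2.1
crypto map CM 30 match address BRANCH3_VPN
crypto map CM 30 set peer 3.3.3.1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 2.2.2.1 type ipsec-l2l
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")

def parse(config):
    """Collect crypto ACLs, crypto map entries keyed by (map, seq), and L2L tunnel-groups."""
    acls, entries, groups = defaultdict(list), {}, set()
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            name, s, sm, d, dm = m.groups()
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MAP_RE.match(line.strip()):
            cm, seq, kind, val = m.groups()
            entries.setdefault((cm, int(seq)), {})["acl" if kind == "match address" else "peer"] = val
        elif m := TG_RE.match(line.strip()):
            groups.add(m.group(1))
    return acls, entries, groups

def audit(config):
    """Report a lower sequence whose ACL shadows a higher one, and peers lacking a tunnel-group."""
    acls, entries, groups = parse(config)
    findings, ordered = [], sorted(entries)  # ASA evaluates lower sequence numbers first
    for i, a in enumerate(ordered):
        for b in (x for x in ordered[i + 1:] if x[0] == a[0]):  # same crypto map only
            for s1, d1 in acls[entries[a].get("acl", "")]:
                for s2, d2 in acls[entries[b].get("acl", "")]:
                    if s1.overlaps(s2) and d1.overlaps(d2):
                        findings.append(f"overlap: seq {a[1]} shadows seq {b[1]} for {s2} -> {d2}")
    for (cm, seq), e in sorted(entries.items()):
        if e.get("peer") not in groups:
            findings.append(f"seq {seq}: peer {e.get('peer')} has no tunnel-group")
    return findings
```

Run `audit` against `show running-config` output before committing the new entry; a clean result means the new sequence number cannot be shadowed by an existing one and every peer has its tunnel-group.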