Showing results for 
Search instead for 
Did you mean: 

Multiple IPsec tunnel

Hi Everyone,


I have a question about using multiple IPsec tunnel.

Below is a simple diagram that I think to implement.


1. I have 2 sites connecting over internet. I want to connect them with IPsec tunnel. (not use GRE or VTI tunnel)

2. I peer them with 4 tunnels as shown.

3. I use BGP routing which is forming neighbor over IPsec tunnel and I control BGP metric to redundant the tunnels.

4. All the IPsec tunnel have the same acl configured the same interest traffic.


My question is it possible to do that?

I'm not sure how it is working behind multiple IPsec tunnel like this.




Rob Ingram
VIP Mentor


What hardware are you implementing this on? ASA, FTD or IOS-XE router?

If you wish to establish a BGP adjacency between peers you'd need to use a tunnel interface (route based VPN) not a crypto map (policy based VPN).

I use cisco WS-C3650-24TS for SW1 and SW2 and  SW3 and SW4 are switch in cloud.


The C3650 also has limitation configured tunnel interface because of I have only ipservice license. So that seems route-base vpn cannot be used.

Rob Ingram
VIP Mentor

IPSec is not supported on 3850


I suggest you purchase the right hardware for this scenario, either a firewall or a router.

Hi  Rob,


This is also  WS-C3650-24TS? I see the bug mensioned only 3850.

Rob Ingram
VIP Mentor

More than likely yes, I believe the 3850/3650 share the same code. Unfortunately the switches had the syntax to enter a lot of commands the hardware didn't actually support. I've never seen a document or guide from cisco on using a VPN on a switch, so use a router or a firewall.

Content for Community-Ad