05-24-2011 09:21 AM
Hi,
We have a requirement wherein we need to configure 2 VPN tunnels to the same remote peer.
Also, the remote end's local IP address ranges are the same. Below is a quick explanation:
Tunnel 1
MyPeerPublicIp = 1.1.1.1
RemotePeerPublicIp = 2.2.2.2
MylocalSubnets = 10.1.1.0/24
RemoteLocalSubnets = 10.2.1.0/24
Tunnel 2
MyPeerPublicIp = 1.1.1.1
RemotePeerPublicIp = 2.2.2.2
MylocalSubnets = 10.1.2.0/24
RemoteLocalSubnets = 10.2.1.0/24
The VPN devices at both ends are Cisco ASA. I am using version 8.0
My confusion is about the following questions:
1. Is it possible to have 2 VPNs to the same peer IP? (I think yes)
2. If yes, will it require me to configure 2 pre-shared keys?
3. Is there any other important consideration I need to make/remember?
Any help on this issue will be much appreciated. Thanks in advance.
Regards,
Nilesh
05-24-2011 10:52 AM
I am not sure why you would like to do this and what benefit you can achieve this way. The only thing I can see is that you can use a different transform set.
You can configure it like the below; basically, you just use a different ACL to define the VPN traffic and use a different transform-set if you want.
crypto map test 10 match address 101
crypto map test 10 set peer 1.1.1.1
crypto map test 10 set transform-set MYSET1
crypto map test 20 match address 102
crypto map test 20 set peer 1.1.1.1
crypto map test 20 set transform-set MYSET2
You just need to configure one pre-shared key for the peer's IP.
05-24-2011 08:30 PM
Hi,
I am finding it difficult to understand why you want to do that. If the peer goes down, then both tunnels will go down.
Also, you will be able to configure only one tunnel-group with a single peer, hence a single pre-shared key. So technically only one VPN tunnel will be present, not two.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
08-03-2011 03:00 AM
Hi Anisha and Yudong,
Thank you for your reply.
Yudong - I managed to implement this with some lab testing (which I did not have access to before), but thank you again.
Anisha - I am of the same view as you, but this request came from the client, and me trying to convince them did not do the trick.
Regards,
Nilesh
08-11-2011 11:43 AM
Can I ask how you got it working? I am having the same issue, with my company wanting a direct VPN between 2 sites that both already come back to the main office here.
08-12-2011 08:48 AM
It was pretty easy.
It is exactly like what Yudong has posted.
Basically, you treat the two VPNs (even though they are between the same IPs) as two different VPNs and (can) use different crypto ACLs and Phase 2 negotiations.
Except that you do not need to type in a different pre-shared key. You can use the same pre-shared key.
Just be a bit careful if you are using VPN filters.
Regards,
Nilesh
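For readers arriving from the later question, here is the complete design from this thread assembled into one ASA 8.0 configuration fragment. This is an added example, not configuration posted by any participant; it uses the original poster's addresses and Yudong's names (map "test", ACLs 101/102, MYSET1/MYSET2), while the interface name "outside", the NONAT ACL, the ISAKMP policy values and the placeholder pre-shared key are assumptions.

```cisco
! Added example (not from any poster in this thread): two IPsec tunnels to one
! peer on ASA 8.0. Names follow Yudong's post; "outside", NONAT, the ISAKMP
! policy values and the key value are assumptions.
!
! Crypto ACLs: the two entries differ only by local subnet. The remote subnet
! is identical in both, which is fine because the ASA selects the crypto map
! entry on the full source/destination match.
access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 102 extended permit ip 10.1.2.0 255.255.255.0 10.2.1.0 255.255.255.0
!
! NAT exemption so tunnel traffic is not translated (8.0 syntax)
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.2.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Phase 2 proposals: each entry may carry its own transform set
crypto ipsec transform-set MYSET1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set MYSET2 esp-aes esp-sha-hmac
!
! Two crypto map entries, same peer, different match ACLs (Yudong's layout).
! From this ASA (1.1.1.1) the remote peer is 2.2.2.2.
crypto map test 10 match address 101
crypto map test 10 set peer 2.2.2.2
crypto map test 10 set transform-set MYSET1
crypto map test 20 match address 102
crypto map test 20 set peer 2.2.2.2
crypto map test 20 set transform-set MYSET2
crypto map test interface outside
!
! Phase 1: one ISAKMP policy and one tunnel-group for the peer. As Anisha and
! Nilesh note, a single peer IP means a single pre-shared key shared by both
! crypto map entries.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY
!
! Nilesh's vpn-filter caveat: a vpn-filter is applied through the group-policy
! of this single tunnel-group, so one filter ACL governs BOTH tunnels and must
! permit both 10.1.1.0/24 and 10.1.2.0/24 to 10.2.1.0/24.
```

Each crypto map entry negotiates its own Phase 2 SA pair, so `show crypto ipsec sa peer 2.2.2.2` should list two sets of proxy identities under the one Phase 1 SA.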