
Multiple vpns to the same peer

rathinilesh
Level 1

Hi,

We have a requirement wherein we need to configure 2 VPN tunnels to the same remote peer.

Also, the remote end local IP address ranges are the same. Below is a quick explanation.

Tunnel 1

MyPeerPublicIp = 1.1.1.1

RemotePeerPublicIp = 2.2.2.2

MylocalSubnets = 10.1.1.0/24

RemoteLocalSubnets = 10.2.1.0/24

Tunnel 2

MyPeerPublicIp = 1.1.1.1

RemotePeerPublicIp = 2.2.2.2

MylocalSubnets = 10.1.2.0/24

RemoteLocalSubnets = 10.2.1.0/24

The VPN devices at both ends are Cisco ASA. I am using version 8.0.

My confusion is about the following questions:

1. Is it possible to have 2 VPNs to the same peer IP? (I think yes)

2. If yes, will it require me to configure 2 pre-shared keys?

3. Is there any other important consideration I need to make/remember?

Any help on this issue will be much appreciated. Thanks in advance.

Regards,

Nilesh

5 Replies

Yudong Wu
Level 7

I am not sure why you would like to do this and what benefit you can achieve this way. The only thing which I could see is that you can use a different transform set.

You can configure it like the below. Basically, you just use a different ACL to define the VPN traffic and use a different transform-set if you want.

crypto map test 10 match address 101
crypto map test 10 set peer 1.1.1.1
crypto map test 10 set transform-set MYSET1
crypto map test 20 match address 102
crypto map test 20 set peer 1.1.1.1
crypto map test 20 set transform-set MYSET2

You just need to configure one pre-shared key for the peer's IP.

andamani
Cisco Employee

Hi,

I am finding it difficult to understand why you want to do that. If the peer goes down then both the tunnels will go down.

Also, you will be able to configure only one tunnel-group with a single peer, hence a single pre-shared key. So technically only one VPN tunnel will be present, not two.

Hope this helps.

Regards,

Anisha

P.S.: Please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Hi Anisha and Yudong,

Thank you for your reply.

Yudong - I managed to implement this with some lab testing (which I did not have access to before), but thank you again.

Anisha - I am of the same view as you, but this request came from the client and me trying to convince them did not do the trick.

Regards,

Nilesh

Can I ask how you got it working? I am having the same issue with my company wanting a direct VPN between 2 sites that both already come back to the main office here.

It was pretty easy.

It is exactly like what Yudong has posted.

Basically you treat the two VPNs (even though they are between the same IPs) as two different VPNs and (can) use different crypto ACLs and Phase 2 negotiations.

Except that you do not need to type in a different pre-shared key. You can use the same pre-shared key.

Just be a bit careful if you are using VPN filters.

Regards,

Nilesh
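
Added example, not part of the thread or any poster's code: because the ASA evaluates crypto map entries in sequence order, two entries to the same peer only behave as separate tunnels if their crypto ACLs do not overlap, and this Python check flags same-peer entries that do. The sample config is constructed from the thread's addresses as seen from the 1.1.1.1 side; ACL 103 and entry 30 are a hypothetical overlapping case added for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the thread's two tunnels (entries 10 and 20) plus a
# hypothetical third entry (30 / ACL 103) that overlaps both of them.
SAMPLE_CONFIG = """\
access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 102 extended permit ip 10.1.2.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 103 extended permit ip 10.1.0.0 255.255.0.0 10.2.1.0 255.255.255.0
crypto map test 10 match address 101
crypto map test 10 set peer 2.2.2.2
crypto map test 20 match address 102
crypto map test 20 set peer 2.2.2.2
crypto map test 30 match address 103
crypto map test 30 set peer 2.2.2.2
"""

# Only the "network mask" ACE form is parsed; host/any/object-group ACEs are skipped.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")

def parse(config):
    """Return (acls, entries): ACL name -> [(src, dst)], (map, seq) -> {acl, peer}."""
    acls, entries = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                    ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
            acls.setdefault(name, []).append(pair)
        elif m := MAP_RE.match(line):
            cmap, seq, kind, value = m.groups()
            entry = entries.setdefault((cmap, int(seq)), {})
            entry["acl" if kind == "match address" else "peer"] = value
    return acls, entries

def overlapping_entries(config):
    """List (peer, seq_a, seq_b) for same-peer entries whose selectors overlap."""
    acls, entries = parse(config)
    findings = []
    for (ka, a), (kb, b) in combinations(sorted(entries.items()), 2):
        if ka[0] != kb[0] or not a.get("peer") or a.get("peer") != b.get("peer"):
            continue
        if any(s1.overlaps(s2) and d1.overlaps(d2)
               for s1, d1 in acls.get(a.get("acl"), [])
               for s2, d2 in acls.get(b.get("acl"), [])):
            findings.append((a["peer"], ka[1], kb[1]))
    return findings
```

Entries 10 and 20 pass because their local subnets differ even though the remote subnet is the same; entry 30 is reported against both.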