Justin Westover

VPN to AWS -- Tunnel-group limitation Question

I have a customer that has an existing VPN connection between their ASA and their corporate AWS account. As you may or may not know, AWS shares a set of public IPs for VPN peering across many, many customers. AWS splits customer traffic out on the back end. Example... Customer A sets up a VPN with AWS using the remote public peer IP of Customer B comes along and wants to set up a VPN tunnel to AWS, they also use as their remote VPN peer IP, and so forth and so on. 

So this customer already has a VPN to AWS and now they need to connect to a different AWS account but guess what, the remote VPN peer IPs are the same as the ones they are currently using. So this presents a problem with the tunnel-group configuration on the ASA. They already have a tunnel-group that matches the remote AWS peer IP and that tunnel group already has a PSK configured on it. In a perfect world I would have two tunnel-groups with the same name ( for example) but with different PSKs. I know this isn't possible so does anyone have any ideas here or is my customer just up a creek? 

Oh and both VPN tunnels require the isakmp identity to be the address. 

Rising star

Hi Justin,

I think you can use certificate authentication instead of PSK to bypass this limitation. Certificate authentication does not require a tunnel-group with the peer IP.

Hope it helps
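The configuration below is an added illustration of the approach in this answer; it is not the answerer's config and not a Cisco or AWS reference. It shows how, on an ASA with IKEv1 and RSA-signature authentication, two site-to-site tunnels to the same remote peer address can be told apart by the certificate the peer presents: a `crypto ca certificate map` matches on the peer certificate's subject, and `tunnel-group-map` sends each match to its own named tunnel-group, so the tunnel-group name no longer has to be the peer IP. Every trustpoint, map, tunnel-group, ACL, CN and address is a constructed placeholder, and it assumes the AWS side of each tunnel accepts certificate authentication and the DN identity the ASA sends for it.

```text
! Added example, not from the thread. Two IKEv1 L2L tunnels to ONE peer address,
! distinguished by peer certificate instead of by a per-IP tunnel-group with a PSK.
! All names, CNs and addresses are constructed placeholders.

! One trustpoint per AWS account CA (certificates enrolled out of band)
crypto ca trustpoint CA-AWS-ACCT-A
 enrollment terminal
crypto ca trustpoint CA-AWS-ACCT-B
 enrollment terminal

! Certificate maps: match on the subject of the certificate the peer presents
crypto ca certificate map MAP-AWS-ACCT-A 10
 subject-name attr cn eq vpn-account-a.example.com
crypto ca certificate map MAP-AWS-ACCT-B 10
 subject-name attr cn eq vpn-account-b.example.com

! Route each certificate match to its own (arbitrarily named) tunnel-group
tunnel-group-map enable rules
tunnel-group-map MAP-AWS-ACCT-A 10 TG-AWS-ACCT-A
tunnel-group-map MAP-AWS-ACCT-B 10 TG-AWS-ACCT-B

! IKEv1 policy using RSA signatures rather than a pre-shared key
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 enable outside
! "auto" sends the certificate DN as the IKE identity when rsa-sig is used
! (assumption: the remote side accepts a DN identity)
crypto isakmp identity auto

! Named tunnel-groups: each pins its own trustpoint and requires peer ID validation
tunnel-group TG-AWS-ACCT-A type ipsec-l2l
tunnel-group TG-AWS-ACCT-A ipsec-attributes
 ikev1 trust-point CA-AWS-ACCT-A
 peer-id-validate req
tunnel-group TG-AWS-ACCT-B type ipsec-l2l
tunnel-group TG-AWS-ACCT-B ipsec-attributes
 ikev1 trust-point CA-AWS-ACCT-B
 peer-id-validate req

! Crypto map: the same peer address appears in two entries; the
! interesting-traffic ACL and the trustpoint are what differ
access-list ACL-AWS-ACCT-A extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ACL-AWS-ACCT-B extended permit ip 10.1.0.0 255.255.0.0 172.17.0.0 255.255.0.0
crypto ipsec ikev1 transform-set TS-AWS esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address ACL-AWS-ACCT-A
crypto map CM-OUTSIDE 10 set peer 203.0.113.10
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-AWS
crypto map CM-OUTSIDE 10 set trustpoint CA-AWS-ACCT-A
crypto map CM-OUTSIDE 20 match address ACL-AWS-ACCT-B
crypto map CM-OUTSIDE 20 set peer 203.0.113.10
crypto map CM-OUTSIDE 20 set ikev1 transform-set TS-AWS
crypto map CM-OUTSIDE 20 set trustpoint CA-AWS-ACCT-B
crypto map CM-OUTSIDE interface outside
```

Two design points worth checking before relying on this: the certificate map must match an attribute the remote account's certificate actually carries (inspect it with `show crypto ca certificates` after enrollment), and `peer-id-validate req` is what stops a certificate issued for one account from being accepted on the other account's tunnel. Once both tunnels are up, `show crypto ikev1 sa` lists each SA with its tunnel-group, which confirms the mapping landed where intended.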


Content for Community-Ad