VPN to AWS -- Tunnel-group limitation Question

Justin Westover
Level 1

I have a customer that has an existing VPN connection between their ASA and their corporate AWS account. As you may or may not know, AWS shares a set of public IPs for VPN peering across many, many customers. AWS splits customer traffic out on the back end. Example... Customer A sets up a VPN with AWS using the remote public peer IP of 1.1.1.1. Customer B comes along and wants to set up a VPN tunnel to AWS; they also use 1.1.1.1 as their remote VPN peer IP, and so forth and so on.

So this customer already has a VPN to AWS and now they need to connect to a different AWS account, but guess what, the remote VPN peer IPs are the same as the ones they are currently using. So this presents a problem with the tunnel-group configuration on the ASA. They already have a tunnel-group that matches the remote AWS peer IP, and that tunnel-group already has a PSK configured on it. In a perfect world I would have two tunnel-groups with the same name (1.1.1.1 for example) but with different PSKs. I know this isn't possible, so does anyone have any ideas here, or is my customer just up a creek?

Oh and both VPN tunnels require the isakmp identity to be the address. 


rvarelac
Level 7

Hi Justin,

I think you can use certificate authentication instead of PSK to bypass this limitation. Certificate authentication does not require a tunnel-group with the peer IP.

Hope it helps

-Randy-
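For readers who want to see what Randy's suggestion looks like on the box, the following ASA configuration fragment is an added illustration and is not from the thread, from Cisco or from AWS documentation. The trustpoint names, the certificate-map name, the peer certificate's CN and the 1.1.1.1 peer address are placeholders taken from the question or made up here; the command syntax follows the ASA 8.4+ IKEv1 form and should be checked against the release in use.

```text
! --- Existing PSK tunnel to AWS account A (peer 1.1.1.1, address from the post) ---
crypto isakmp identity address
crypto ikev1 enable outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <psk-for-account-A>
!
! A second "tunnel-group 1.1.1.1" with a different PSK cannot be added: the name
! is the key, and the peer address is what selects this group for PSK peers.
!
! --- Certificate-authenticated tunnel to AWS account B (all names assumed) ---
! Trustpoint holding the ASA's own identity certificate, presented to the peer.
crypto ca trustpoint ASA-IDENTITY
 enrollment terminal
 subject-name CN=asa.example.com
 keypair asa-key
!
! Trustpoint holding the CA that issued the account B gateway's certificate.
crypto ca trustpoint AWS-ACCOUNT-B-CA
 enrollment terminal
 crl configure
!
! Certificate map: match a field of the peer certificate instead of the peer IP.
! The CN below is a placeholder for whatever the account B gateway actually presents.
crypto ca certificate map AWS-ACCOUNT-B-MAP 10
 subject-name attr cn eq vpn-account-b.example.com
!
! The tunnel-group no longer needs to be named after the peer address.
tunnel-group AWS-ACCOUNT-B type ipsec-l2l
tunnel-group AWS-ACCOUNT-B ipsec-attributes
 ikev1 trust-point ASA-IDENTITY
!
! Route peers whose certificate matches rule 10 of the map to that tunnel-group.
tunnel-group-map enable rules
tunnel-group-map AWS-ACCOUNT-B-MAP 10 AWS-ACCOUNT-B
```

The point to check before relying on this: the certificate map must match on something that differs between the two AWS accounts' certificates (the subject CN in this example), because the peer address and, as the question notes, the IKE identity are identical for both tunnels. The existing PSK tunnel-group 1.1.1.1 stays in place for account A; only peers that present a matching certificate are steered to AWS-ACCOUNT-B.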