12-06-2017 01:50 AM - edited 03-12-2019 04:47 AM
12-07-2017 04:59 AM
Hello @dongnguyen248,
So your configuration should look like this:
crypto map mymap 1 match address ACL-1
crypto map mymap 1 set peer 10.10.10.1
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap 3 match address ACL-3
crypto map mymap 3 set peer 10.10.10.3
crypto map mymap 3 set ikev1 transform-set myset
crypto map mymap 4 match address ACL-4
crypto map mymap 4 set peer 10.10.10.4
crypto map mymap 4 set ikev1 transform-set myset
crypto map mymap 5 match address ACL-5
crypto map mymap 5 set peer 10.10.10.5
crypto map mymap 5 set ikev1 transform-set myset
crypto map mymap 6 match address ACL-6
crypto map mymap 6 set peer 10.10.10.6
crypto map mymap 6 set ikev1 transform-set myset
crypto map mymap 7 match address ACL-7
crypto map mymap 7 set peer 10.10.10.7
crypto map mymap 7 set ikev1 transform-set myset
crypto map mymap 8 match address ACL-8
crypto map mymap 8 set peer 10.10.10.8
crypto map mymap 8 set ikev1 transform-set myset
crypto map mymap 9 match address ACL-9
crypto map mymap 9 set peer 10.10.10.9
crypto map mymap 9 set ikev1 transform-set myset
crypto map mymap 11 match address ACL-11
crypto map mymap 11 set peer 10.10.10.11
crypto map mymap 11 set ikev1 transform-set myset
crypto map mymap 12 match address ACL-12
crypto map mymap 12 set peer 10.10.10.12
crypto map mymap 12 set ikev1 transform-set myset
crypto map mymap interface outside
These are called "entries" and they are defined by a sequence number, so every VPN tunnel has the peer, ACL and transform-set. If you want to add more VPN tunnels, you just adjust the sequence number, peer IP, ACL and transform-set for that particular tunnel, for example:
crypto map mymap 13 match address ACL-13
crypto map mymap 13 set peer 10.10.10.13
crypto map mymap 13 set ikev1 transform-set myset
HTH
Gio
12-06-2017 03:20 AM
A crypto map with multiple peers is used for redundancy, so I am not sure why you need so many peers connected.
I have never seen until now more than 3 or 4 peers configured.
I would imagine there is a limit to the number of peers that can be configured; not sure what it is, but it could very well be 10.
12-06-2017 05:44 PM - edited 12-06-2017 05:49 PM
Hi Bogdan Nita,
Thanks for the reply.
We are connecting SCADA by site-to-site VPN.
We need to create many site-to-site VPNs between the ASA 5525 and each router at the power stations.
12-06-2017 05:18 AM
Hello @dongnguyen248,
Actually, you didn't configure 10 VPN tunnels. You created 1 VPN tunnel with 9 backups, so in your case only one of the 10 will be active, and if this fails the other one will go up and so on.
The actual limit for that is 10, so you cannot add number 11 (Stranger Things, huh?), so in this case it will remain until 10. If you want 11 VPN tunnels, you should have 11 entries in the crypto map configuration.
HTH
Gio
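The difference between one entry with several peers and one entry per tunnel can be checked mechanically. The following is an added example, not code from any poster in this thread: a small Python audit that parses `crypto map` lines, flags any sequence number carrying more than one peer, and flags entries missing a peer, ACL or transform-set. The sample configuration and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: entry 1 lists several peers (one tunnel plus backups),
# entry 2 is a complete separate tunnel, entry 3 has no peer configured.
SAMPLE_CONFIG = """\
crypto map mymap 1 match address ACL-1
crypto map mymap 1 set peer 10.10.10.1 10.10.10.2 10.10.10.3
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap 2 match address ACL-2
crypto map mymap 2 set peer 10.10.10.4
crypto map mymap 2 set ikev1 transform-set myset
crypto map mymap 3 match address ACL-3
crypto map mymap 3 set ikev1 transform-set myset
crypto map mymap interface outside
"""

ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (.+)$")
FIELD = {"match address": "acl", "set peer": "peers",
         "set ikev1 transform-set": "transform"}

def parse_crypto_map(config):
    """Group crypto map lines by (map name, sequence number)."""
    entries = defaultdict(lambda: {"acl": [], "peers": [], "transform": []})
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # lines such as "crypto map mymap interface outside" are skipped
            name, seq, kind, rest = m.groups()
            entries[(name, int(seq))][FIELD[kind]].extend(rest.split())
    return dict(entries)

def audit(config):
    """Return (map, seq, finding) tuples for entries that are not one complete tunnel."""
    findings = []
    for (name, seq), e in sorted(parse_crypto_map(config).items()):
        if len(e["peers"]) > 1:
            findings.append((name, seq,
                "multiple peers: one tunnel, %d backup peer(s)" % (len(e["peers"]) - 1)))
        for kind, field in FIELD.items():
            if not e[field]:
                findings.append((name, seq, "missing " + kind))
    return findings

if __name__ == "__main__":
    for name, seq, finding in audit(SAMPLE_CONFIG):
        print("crypto map %s %d: %s" % (name, seq, finding))
```
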
12-06-2017 05:28 PM - edited 12-06-2017 05:30 PM
Hi GioGonza, thanks for the reply.
But on the ASA 5525 we can create 750 site-to-site VPNs. When I add VPN peer 11, it can't become active.
On 1 interface we can only apply 1 crypto map.
12-06-2017 11:39 PM
The way to add more VPNs to your config is using the sequence number.
Configuration for a new VPN tunnel, based on the config you posted could look like this:
crypto map mymap 11 match address VPN-10.10.10.13
crypto map mymap 11 set peer 10.10.10.13
crypto map mymap 11 set ikev1 transform-set myset
You should check out this link, to better understand how crypto-maps work:
12-07-2017 06:36 PM
Thanks GioGonza.
This is the solution for me.
Thank you.