01-16-2018 01:44 PM - edited 03-12-2019 04:55 AM
Hello everybody,
I would like to add another VPN tunnel to an existing configuration, and I am a little bit lost where to start.
In a crypto map with IKEv2 you can add only one IP address; I also read that only one crypto map can be assigned to an interface.
If I create another crypto map (different priority) with a different IP address and traffic selection but the same IPsec settings, will it allow me to use both VPN tunnels simultaneously?
The main device where this configuration has to be created is a Cisco ASA-5512.
Please help with any advice, and let me know if you need additional info.
Thank you in advance
01-16-2018 02:01 PM
Hello @phillip2711,
You can apply different connections with different priority numbers, as you said, but the only thing to keep in mind is the ACL, since the ASA will try to create the VPN tunnel with the first one that matches. If you add a new one with the same information as the previous one, it will not work.
You can do VPN tunnel backup like this:
crypto map mymap 1 set peer 1.1.1.1 2.2.2.2
It will use the same configuration and the second peer will go up only if the primary fails.
HTH
Gio
01-16-2018 02:22 PM
Hello @GioGonza
Thank you very much. To clarify, for example, one will be with one peer IP address and one ACL (Branch Office A); another connection will be with a different IP address and a different ACL (Branch Office B). As far as settings go: both of those connections will be applied to the same outside interface, and the IPsec proposal will be the same.
So another question is, will both of those VPN tunnels be working simultaneously, meaning if a person needs to access a PC in branch office A and then in office B, will he be able to do so?
I hope I explained it correctly, thanks
01-16-2018 03:00 PM
Hello @phillip2711,
Yes, sure. If the ACL is different and you send traffic to the different subnets, both of them will be working at the same time without any issue.
As I said, the only thing to keep in mind is the ACL, since you can have the same IPsec policies for both of them.
HTH
Gio
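The ACL caveat from the answers above, as an added example that is not part of the thread or of Cisco's tooling: a Python check that reads a crypto map configuration and reports sequence numbers whose crypto ACLs could match the same flow. The map name, ACL names, proposal name and documentation addresses in the sample are constructed, and the parser assumes plain `network mask` ACEs (no `any`, `host` or object-groups).

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: two entries in one crypto map, one per branch office.
SAMPLE = """
access-list VPN-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_MAP 20 match address VPN-B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_MAP interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse(config):
    """Return ({acl: [(src_net, dst_net)]}, sorted [(seq, acl)])."""
    acls, entries = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := MAP_RE.match(line):
            entries.append((int(m.group(2)), m.group(3)))
    return acls, sorted(entries)


def overlapping_entries(config):
    """List (lower_seq, higher_seq) pairs whose crypto ACLs can match the same flow."""
    acls, entries = parse(config)
    clashes = []
    for (seq1, acl1), (seq2, acl2) in combinations(entries, 2):
        if any(s1.overlaps(s2) and d1.overlaps(d2)
               for s1, d1 in acls.get(acl1, [])
               for s2, d2 in acls.get(acl2, [])):
            clashes.append((seq1, seq2))
    return clashes


if __name__ == "__main__":
    print(overlapping_entries(SAMPLE))
```

An empty result means each entry selects distinct traffic; a reported pair means the lower sequence number would match first for the shared range.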
01-17-2018 05:52 AM
Thank you @GioGonza for the quick reply.
01-17-2018 05:54 AM