I have to connect with VPN two sites with multiple subnets at one site.
Cisco ASA 5505 is connected to GB1000 which has multiple subnets.
Everything works fine when we access B from C. If we access A from C, GB1000 drops the tunnel C-B and establish a tunnel A-C. Looks like we can have only one active tunnel at a time. (Licensing is not an issue here)
I spoke to GB1000 guys and they say that GB1000 will create one IKE and one IPSec SA even when multiple subnets are involved. On the contrary Cisco ASA creates IPSec SA for every subnet at the remote end. I think this is the root cause of the issue.
We are thinking of aggregating of all remote subnets into one so we would have only one ACL entry on ASA but this would require to redesign company's subnetting.
Is it possible to make GB1000 act in a Cisco fashion i.e. to create separate SA per subnet? Or make the ASA to create just one IPSec SA for remote networks?
Any idea will be highly appreciated.