Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
568
Views
0
Helpful
4
Replies

Multiple L2L VPNs ?

dmorelan
Level 1
Level 1

‎04-24-2008 07:40 AM - edited ‎03-09-2019 08:35 PM

Is it possible to have multiple site-to-site VPNs between the same two sites ?

TIA,

dave m

Labels:
0 Helpful
4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

‎04-24-2008 08:34 PM

Dave

You can have multiple L2L vpn tunnels within a single IPsec L2L capable device sort of a HUB and spoke. If you have a tunnel aleady stablished Between say Site-A and Site-B and you need to create another tunnel Say Site-A and Site-C yes you can. If you have a tunnel between Site-A and Site-B there is no need to add a second tunnel to the same destination since you already have one.

Jorge

Jorge Rodriguez
0 Helpful

dmorelan
Level 1
Level 1

‎04-25-2008 03:45 AM

Thanks for the reply.

What we have is an L2L tunnel between sites A and B of low bandwidth. We are upgrading the speed of the connection on new equipment and would like to run both L2L VPNs at the same time between sites A and B.

If we can't do that I need to know how to easily turn off the slower L2L VPN, test the new link and be able to go back to the existing slower link quickly if we have problems.

Thanks,

dave moreland

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to dmorelan

‎04-25-2008 07:49 AM

It should be fairly straight forward as long there are no changes in logical configurations, I did not ask where your tunnels are terminated firewalls outside interface ? ASAs PIXes Routers?

For testing purposes for example, you could prepare/pre-configure a connection to the switches for the new link and have the port in a shutdown state, same vlan as the slow link port, pre-configure the new device caring the NEW Link with the same logical configuration as the Slow link, here you do not have to make any chnages on the L2L vpn configurations on either end as long both side applies this test principle. When the time is ready to test you can shutdown the switch port of the Slow link and bring up the switch port connecting the new link , at this point your L2L tunnels will drop, however, you may bring up the tunnels by sending interesting traffic and proceed with IP connectivity test bewteen the two sites using new Link, if for any reason there are issues allocate a announced implementation test window of 1 hour for troubleshooting, in the event you need to fall back you can revert the switch ports shutdown and bring up you did at the begining and bring the connectivity back to the slow link.

Does this make sence ?

Jorge

Jorge Rodriguez
0 Helpful

dmorelan
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎04-28-2008 06:45 AM

It does make sense but let me add a little more detail...

What we have is site A with a slow link to site B. The equipment at site B (ASA 5510) is staying in place. We added a new ASA 5510 at site A and want to test a new, faster link to site B from that new device. The new ASA at site A is ready and have the second VPN config for site B ready.

What I need is a way to disable the current VPN tunnel at site B, turn on the new tunnel config at site B and test the connection to the new ASA at site A. The revert back to the slow link if I have problems.

Is this confusing or clarifying ?

dave moreland

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents