Multiple IPSec VPN to one remote site

Unanswered Question
Dec 8th, 2008

As a Technology implementor in my organization, I have a necessity of implementing multiple IPSec VPN tunnels to a single remote site; say between Point A and Point B I need to have more than one IPSec VPN tunnel. My criterion is that I have only one interface facing the Internet at both my locations, which means only one peer IP.


Is this possible with any of Cisco Devices like Cisco Routers, Cisco ASA or Cisco PIX?

JORGE RODRIGUEZ Mon, 12/08/2008 - 09:15
User Badges:
  • Green, 3000 points or more

If you could tell us why you need multiple tunnels we could help better. What is the ultimate goal for requiring multiple L2L tunnels to the same destination from the same source point? Is it to allow specific access to certain resources on a per-tunnel basis? If so, you can accomplish this by simply implementing VPN filters in your single L2L connection between Point-A and Point-B using an ASA 5500 appliance or a PIX with code 7.x or above.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml


Rgds

Jorge



cannan.ilangova... Mon, 12/08/2008 - 11:11

Hi Jorge,


Thanks for the response. Our requirement is that we have two Point of Presence locations, say Point A in the US and Point B in India. We do not have any dedicated WAN connectivity between Point A and Point B; we only have the Internet as common infrastructure to connect them. To keep different clients' traffic separate according to our standard security policies, we need to build multiple IPSec L2L tunnels between Point A and Point B. Please let me know if this can be configured, and if yes, how?

JORGE RODRIGUEZ Mon, 12/08/2008 - 11:50
User Badges:
  • Green, 3000 points or more

Short answer: yes, it is possible with ASA; you could accomplish this through VPN filters once you build the L2L tunnel between A and B.


Look at the link I provided in the previous post and follow the process logic: after you create the IPsec tunnel policy, then create filters per client coming from site_B.


Say you have in Site B clients called Client_A, Client_B, Client_C.


From the ASA at site_A the VPN filters could look something like this.


! Site-A ASA. The host addresses were not in the original post, so the
! "host host" entries below still need a source and a destination filled in.
! A group-policy accepts only one vpn-filter, so the per-client entries are
! combined into a single ACL (the original listed three separate ACLs).
access-list Site_B_Clients remark Client_A
access-list Site_B_Clients permit tcp host host eq 80
access-list Site_B_Clients remark Client_B
access-list Site_B_Clients permit tcp host host eq ftp
access-list Site_B_Clients remark Client_C
access-list Site_B_Clients permit tcp host host eq https

everything else is explicitly denied

! Tunnel between Site A and Site B (the tunnel-group name, i.e. the peer
! address, was not in the original post)
tunnel-group general-attributes
 default-group-policy filter

group-policy filter internal
group-policy filter attributes
 vpn-filter value Site_B_Clients

etc..


HTH

Jorge
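The per-client vpn-filter approach in Jorge's reply has one practical trap: an ASA group-policy takes a single vpn-filter, so every client's entries must live in one ACL, and a config that lists several `vpn-filter value` lines silently keeps only the last one. The script below is an added example, not code from the thread or from Cisco: it generates the combined ACL and group-policy from a small per-client policy table (constructed sample addresses from documentation ranges) and lints a config fragment for the multiple-vpn-filter and dangling-ACL mistakes. The ACL entries use ASA `extended` syntax and a one-space sub-mode indent, which is how `show run` prints them; the linter also accepts the unindented form used in the post.

```python
"""Build and lint ASA vpn-filter configuration for a per-client L2L tunnel.
Added example; addresses and client names are constructed samples."""
import re

# Constructed per-client policy: (client, site-B source host,
# site-A destination host, TCP service). Hypothetical addresses.
CLIENT_POLICY = [
    ("Client_A", "192.0.2.10", "198.51.100.80", "80"),
    ("Client_B", "192.0.2.20", "198.51.100.21", "ftp"),
    ("Client_C", "192.0.2.30", "198.51.100.44", "https"),
]

# Config in the shape the thread posted it: one ACL per client and three
# vpn-filter lines under the same group-policy (constructed sample).
POSTED_STYLE = [
    "access-list ClientA_Site_B permit tcp host 192.0.2.10 host 198.51.100.80 eq 80",
    "access-list ClientB_Site_B permit tcp host 192.0.2.20 host 198.51.100.21 eq ftp",
    "access-list ClientC_Site_B permit tcp host 192.0.2.30 host 198.51.100.44 eq https",
    "group-policy filter internal",
    "group-policy filter attributes",
    "vpn-filter value ClientA_Site_B",
    "vpn-filter value ClientB_Site_B",
    "vpn-filter value ClientC_Site_B",
]


def build_vpn_filter(acl_name, policy, group_policy="filter"):
    """Return ASA config lines: one ACL holding every client's entries,
    plus a group-policy that references that ACL exactly once."""
    lines = []
    for client, src, dst, svc in policy:
        lines.append(f"access-list {acl_name} remark {client} from site B")
        lines.append(
            f"access-list {acl_name} extended permit tcp host {src} host {dst} eq {svc}"
        )
    # Anything not permitted above is dropped by the vpn-filter's implicit deny.
    lines += [
        f"group-policy {group_policy} internal",
        f"group-policy {group_policy} attributes",
        f" vpn-filter value {acl_name}",
    ]
    return lines


GP_ATTR = re.compile(r"^group-policy (\S+) attributes\s*$")
VPN_FILTER = re.compile(r"^\s*vpn-filter value (\S+)\s*$")
ACL = re.compile(r"^access-list (\S+)\s")


def lint_vpn_filters(config_lines):
    """Return a list of problems: a group-policy with more than one
    vpn-filter (only the last one is applied) or a vpn-filter pointing
    at an ACL the fragment never defines."""
    acls = set()
    filters = {}  # group-policy name -> ACLs referenced by vpn-filter
    current = None  # group-policy whose attributes sub-mode we are in
    for raw in config_lines:
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = ACL.match(line)
        if m:
            acls.add(m.group(1))
            current = None
            continue
        m = GP_ATTR.match(line)
        if m:
            current = m.group(1)
            filters.setdefault(current, [])
            continue
        m = VPN_FILTER.match(line)
        if m and current is not None:
            filters[current].append(m.group(1))
            continue
        if not line.startswith(" "):
            current = None  # any other top-level command leaves the sub-mode
    issues = []
    for gp, refs in filters.items():
        if len(refs) > 1:
            issues.append(
                f"group-policy {gp}: {len(refs)} vpn-filter lines; "
                f"only the last ({refs[-1]}) takes effect"
            )
        for ref in refs:
            if ref not in acls:
                issues.append(
                    f"group-policy {gp}: vpn-filter references ACL {ref} which is not defined"
                )
    return issues


if __name__ == "__main__":
    print("\n".join(build_vpn_filter("Site_B_Clients", CLIENT_POLICY)))
    for issue in lint_vpn_filters(POSTED_STYLE):
        print("ISSUE:", issue)
```

Running the linter over the posted-style fragment reports the three-vpn-filter problem, while the generated fragment passes clean; feeding it your own `show run` output before committing the change is the cheap check that the intended per-client restriction is actually what the tunnel enforces.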

