Multiple IPSec VPN to one remote site

Unanswered Question
Dec 8th, 2008

As a technology implementor in my organization, I have a necessity of implementing multiple IPSec VPN tunnels to a single remote site; say between Point A and Point B I need to have more than one IPSec VPN tunnel. My criterion is that I have only one interface facing the Internet at both my locations, which means only one peer IP.

Is this possible with any of Cisco Devices like Cisco Routers, Cisco ASA or Cisco PIX?

JORGE RODRIGUEZ Mon, 12/08/2008 - 09:15

If you could tell us why you need multiple tunnels we could help better. What is the ultimate goal for requiring multiple L2L tunnels to the same destination from the same source point? Is it to allow specific access to certain resources on a per-tunnel basis? If so, you can accomplish this by simply implementing VPN filters in your single L2L connection between Point-A and Point-B using an ASA 5500 appliance or a PIX with code 7.x or above.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Rgds

Jorge

cannan.ilangova... Mon, 12/08/2008 - 11:11

Hi Jorge,

Thanks for the response. Our requirement is that we have two Point of Presence locations, say Point A in the US and Point B in India. We do not have any dedicated WAN connectivity between Point A and Point B. We only have the Internet as common infrastructure to connect them. To keep different clients' traffic separate according to our standard security policies, we need to build multiple IPSec L2L tunnels between Point A and Point B. Please let me know if this can be configured, and if yes, how.

JORGE RODRIGUEZ Mon, 12/08/2008 - 11:50

Short answer: yes, it is possible with the ASA. You could accomplish this through VPN filters once you build the L2L tunnel between A and B.

Look at the link I provided in the previous post and follow the process logic: after you create the IPsec tunnel policy, create filters per client coming from site_B.

Say you have in Site B clients called client_A, Client_B and Client_C.

From the ASA at site_A the VPN filters could look something like this:

! Per-client filter entries. The host addresses were left out of the original
! post, so "host host" is kept as written. A group-policy accepts exactly one
! vpn-filter (repeating "vpn-filter value" just keeps the last one), so the
! three per-client access-lists are merged into a single ACL here;
! Site_B_clients is an editorial name, not one from the original post.
access-list Site_B_clients remark client_A
access-list Site_B_clients permit tcp host host eq 80
access-list Site_B_clients remark Client_B
access-list Site_B_clients permit tcp host host eq ftp
access-list Site_B_clients remark Client_C
access-list Site_B_clients permit tcp host host eq https
! everything else is denied (implicit deny at the end of the ACL)
!
! the group-policy has to exist before the tunnel-group references it
group-policy filter internal
group-policy filter attributes
 vpn-filter value Site_B_clients
!
tunnel-group (Tunnel between Site A and Site B) general-attributes
 default-group-policy filter

HTH

Jorge
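To make the above concrete, here is an added, complete ASA configuration for the single-tunnel-plus-vpn-filter approach Jorge describes. It is not from the original thread or from Cisco; the addresses, object names, ACL names and the pre-shared-key placeholder are all constructed, and the syntax assumes ASA 8.4 or later (network objects and the "ikev1" keywords). Two points it shows that the thread does not: for a vpn-filter the ACL source is the remote (Site B) side and the destination is the local (Site A) side, and the ASA applies the one ACL to both directions of the tunnel; and an explicit "deny ip any any log" at the end makes cross-client attempts visible in syslog instead of being dropped silently by the implicit deny.

```cisco
! Added example, not from the original thread. All addresses and names are
! constructed placeholders. Site A ASA (local), Site B peer 203.0.113.1.
!
! Local (Site A) servers, one per client
object network ClientA_server
 host 10.1.1.10
object network ClientB_server
 host 10.1.1.20
object network ClientC_server
 host 10.1.1.30
!
! Remote (Site B) client subnets reached through the tunnel
object network ClientA_SiteB
 subnet 10.2.1.0 255.255.255.0
object network ClientB_SiteB
 subnet 10.2.2.0 255.255.255.0
object network ClientC_SiteB
 subnet 10.2.3.0 255.255.255.0
!
! Crypto ACL: all traffic that belongs inside the tunnel
access-list SiteB_crypto extended permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
!
! vpn-filter ACL. Source = remote (Site B) side, destination = local (Site A)
! side; the ASA evaluates it for both directions of the tunnel. Only one
! vpn-filter can be bound to a group-policy, so every client's entries live
! in this single ACL. No entry permits ClientA_SiteB to reach ClientB_server,
! which is what keeps the clients' traffic separated.
access-list SiteB_vpn_filter remark client_A: HTTP to its own server only
access-list SiteB_vpn_filter extended permit tcp object ClientA_SiteB object ClientA_server eq 80
access-list SiteB_vpn_filter remark Client_B: FTP to its own server only
access-list SiteB_vpn_filter extended permit tcp object ClientB_SiteB object ClientB_server eq ftp
access-list SiteB_vpn_filter remark Client_C: HTTPS to its own server only
access-list SiteB_vpn_filter extended permit tcp object ClientC_SiteB object ClientC_server eq https
access-list SiteB_vpn_filter remark log everything else arriving through the tunnel
access-list SiteB_vpn_filter extended deny ip any any log
!
! Group-policy first, then the tunnel-group that references it
group-policy SiteB_policy internal
group-policy SiteB_policy attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value SiteB_vpn_filter
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy SiteB_policy
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
!
! IKEv1 / IPsec parameters for the single tunnel on the outside interface
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address SiteB_crypto
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
```

To check that the filter is in effect once the tunnel is up, "show vpn-sessiondb l2l" lists the session and the group-policy it received, and "show access-list SiteB_vpn_filter" shows the hit counters per entry, so a rising count on the final deny line is the signal that some Site B client is trying to reach a resource it is not entitled to.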
