Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

terminate multiple VPN tunnels at main site router

Unanswered Question
Dec 17th, 2006
User Badges:

I am trying to set a VPN router to be the hub for numerous remote site VPN tunnels.

At the moment, one peer is established and passing traffic with no problem.

I have tried to configure an additional tunnel at the main site and debugs on the peer tell me that the policy is not matched.

When I launch the "mirror config" from ASDM, it looks like my config is correct, but I am wondering if I have a fundamental misunderstanding how the hub is supposed to be set up.

When I look at the config of the hub router with ASDM, it shows only one VPN configured and will not allow another VPN to be added.

The transform set is different on the two tunnels and this is where I think my problem lies.

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 3600


crypto isakmp policy 2

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxxxxxx 21.x.4.3 no-xauth

crypto isakmp key xxxxxxxx 6.x.1.2 no-xauth

crypto isakmp invalid-spi-recovery



crypto ipsec transform-set 1 esp-3des esp-sha-hmac

crypto ipsec transform-set 2 esp-3des esp-md5-hmac


crypto ipsec profile 1

set transform-set To_1


crypto ipsec profile 2

set transform-set To_2



crypto map To_2 ipsec-isakmp

set peer 6.x.x.2

set transform-set 2

match address 101



crypto map To_1 ipsec-isakmp

set peer

set transform-set 1

match address 100

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
spremkumar Sun, 12/17/2006 - 22:39
User Badges:
  • Red, 2250 points or more

Hi Richard

On seeing your config i am not sure whether you have the same crypto map with different sequence numbers to your remote peers with corresponding policies attached to it ..

I would suggest to create crypto maps with same name but with different sequence numbers with respective policies attached to it..

you can also refer the below link for framing the policies and map with different sequence numbers..



richmorrow624 Mon, 12/18/2006 - 04:33
User Badges:

Thanks for the reply.

Is this the only way to set this up?

There is no way to set up seperate tunnels?

attrgautam Mon, 12/18/2006 - 20:42
User Badges:
  • Silver, 250 points or more

Yes sadly that is the only way to do it as only one crypto map can be applied per interface. So for multiple peers you need to have the same crypto map with multiple sequence numbers. During the IPsec negotiation, all policies are checked sequentially based on the match of the transform set and access-list to setup the SA


This Discussion