Cisco Support Community

Dynamic Site to Site VPN


I will have almost more than 150 site-to-site tunnels to be configured on an ASA 5540. Is it possible to have a single tunnel group for all these site-to-site tunnels, like remote access VPN? The peer IP addresses will be dynamic.


Re: Dynamic Site to Site VPN

Refer to Configuring IPSec Between Two PIXes With VPN Client 4.x Access in order to configure Site-to-Site VPN client connection on the same PIX.

On completion, the crypto-map configuration ideally looks like this example:

crypto map VpnTunnel 10 match address 100
crypto map VpnTunnel 10 set peer
!-- This is the LAN-to-LAN tunnel with Lower sequence number, high priority.
crypto map VpnTunnel 10 set transform-set lan2lan
crypto map VpnTunnel 20 ipsec-isakmp dynamic dyn1
!-- This is the dynamic map with higher sequence number, lower priority.
crypto map VpnTunnel interface OutSide


Re: Dynamic Site to Site VPN

To get this to work on the ASA you need to set the pre-shared key on the L2L base group which does not require a peer address. This behavior resembles what you would have had to do on a VPN concentrator.

To see the base group:

show run all
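
The two replies above combine into the following hub-side sketch, added here as an illustration and not taken from either poster or from Cisco's documentation. It reuses the names VpnTunnel, dyn1, lan2lan and OutSide from the thread and assumes the built-in L2L base group is DefaultL2LGroup; the IKE policy values, the reverse-route line and the key placeholder are assumptions. It uses pre-8.4 ASA syntax (on 8.4 and later the IKEv1 commands become "crypto ikev1 ..." and "ikev1 pre-shared-key").

```cisco
! Constructed example for the hub ASA (assumed pre-8.4 syntax).
! Phase 1 policy; values are illustrative and must match the spokes.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable OutSide
!
! Phase 2 transform set referenced by the thread's crypto map.
crypto ipsec transform-set lan2lan esp-aes-256 esp-sha-hmac
!
! Dynamic map entry: there is no "set peer" line, so it accepts
! spokes whose public address is not known in advance.
crypto dynamic-map dyn1 1 set transform-set lan2lan
! Assumption: install routes to each spoke's networks when its tunnel is up.
crypto dynamic-map dyn1 1 set reverse-route
!
! Bind the dynamic map at a higher sequence number than any
! static LAN-to-LAN entries, then apply the crypto map.
crypto map VpnTunnel 20 ipsec-isakmp dynamic dyn1
crypto map VpnTunnel interface OutSide
!
! Peers that match no address-named tunnel group fall through to
! the L2L base group, so the shared key is set there.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER_SHARED_KEY
!
! Verification: confirm the base group settings and the negotiated SAs.
show run all tunnel-group
show crypto isakmp sa
```

All spokes share this one key, so a key recovered from any single site is valid for authenticating to the hub as a spoke. Limit what traffic the dynamic tunnels may reach with access lists, or move to certificate authentication if per-site credentials are required.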