Cisco Support Community
New Member

Multiple IPSEC Tunnels from single IP

Is it possible to connect to a VPN 3000 concentrator with multiple clients from a single IP address?


Re: Multiple IPSEC Tunnels from single IP

Of course, as long as the clients are distinct.

New Member

Re: Multiple IPSEC Tunnels from single IP

Distinct? Please elaborate. If I have a DSL connection from an ISP with a dynamic IP address and an internal LAN with five PCs connected, is it possible for each of those PCs to establish an IPSEC tunnel to a VPN 3000 Concentrator concurrently? Doesn't the concentrator treat each peer IPSEC tunnel as a unique connection?


Re: Multiple IPSEC Tunnels from single IP

Yes, this is possible. The Hub concentrator should have a static IP address, which will be configured as the peer in the spoke or the client. The Hub will need to have dynamic IPsec permitting connections from any peer using the correct pre-shared key/PKI certificate, and each peer will have a distinct SA created when they connect.

Cisco Employee

Re: Multiple IPSEC Tunnels from single IP


This is one of the reasons the NAT Traversal concept was invented.

In NAT Traversal the IPsec packets (ESP) are encapsulated in UDP/4500 (destination port; the source port could be anything). If the FW/proxy is not configured to inspect what is inside that packet, it will treat the packet as a normal UDP packet and will be able to create the translations, PAT in your case.

Turn on NAT-Traversal in the concentrator (I forgot under which option you will find this). In case your organization does not want to open another UDP port, you can also use TCP.
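An added illustration, not part of the thread and not Cisco code, of why UDP encapsulation lets several clients behind one PAT address coexist: the gateway sees each client as a distinct (source IP, source port) pair carrying its own ESP SPI. Payload classification follows RFC 3948; the addresses, ports and SPIs in `SAMPLE` are constructed values, and the function names are hypothetical.

```python
import struct
from collections import defaultdict

NATT_PORT = 4500  # UDP destination port named in the post above


def classify_natt_payload(payload: bytes):
    """Classify a UDP/4500 payload using the RFC 3948 framing rules."""
    if payload == b"\xff":
        return ("keepalive", None)      # one-byte NAT-keepalive
    if len(payload) < 8:
        return ("malformed", None)      # too short for SPI + sequence number
    spi, _seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        return ("ike", None)            # four zero bytes = Non-ESP marker, IKE follows
    return ("esp", spi)                 # non-zero first word is the ESP SPI


def tunnels_by_peer(packets):
    """Group ESP SPIs by the (src IP, src port) the gateway sees after PAT."""
    seen = defaultdict(set)
    for src_ip, src_port, dst_port, payload in packets:
        if dst_port != NATT_PORT:
            continue                    # not NAT-T traffic
        kind, spi = classify_natt_payload(payload)
        if kind == "esp":
            seen[(src_ip, src_port)].add(spi)
    return dict(seen)


def esp(spi, seq):
    """Build a constructed ESP header followed by dummy ciphertext."""
    return struct.pack("!II", spi, seq) + bytes(16)


# Constructed sample: two LAN clients translated to one public IP by PAT.
PUBLIC_IP = "203.0.113.10"              # documentation address, assumption
SAMPLE = [
    (PUBLIC_IP, 1024, 4500, bytes(4) + bytes(28)),  # client A, IKE over 4500
    (PUBLIC_IP, 1024, 4500, esp(0x1001, 1)),        # client A, ESP
    (PUBLIC_IP, 1025, 4500, esp(0x2002, 1)),        # client B, ESP
    (PUBLIC_IP, 1025, 4500, b"\xff"),               # client B, keepalive
    (PUBLIC_IP, 1026, 500, bytes(28)),              # plain IKE on 500, ignored
]

if __name__ == "__main__":
    for peer, spis in tunnels_by_peer(SAMPLE).items():
        print(peer, [hex(s) for s in sorted(spis)])
```
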

