Cisco Support Community
Community Member

terminate multiple VPN tunnels at main site router

I am trying to set a VPN router to be the hub for numerous remote site VPN tunnels.

At the moment, one peer is established and passing traffic with no problem.

I have tried to configure an additional tunnel at the main site and debugs on the peer tell me that the policy is not matched.

When I launch the "mirror config" from ASDM, it looks like my config is correct, but I am wondering if I have a fundamental misunderstanding of how the hub is supposed to be set up.

When I look at the config of the hub router with ASDM, it shows only one VPN configured and will not allow another VPN to be added.

The transform set is different on the two tunnels and this is where I think my problem lies.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx 21.x.4.3 no-xauth
crypto isakmp key xxxxxxxx 6.x.1.2 no-xauth
crypto isakmp invalid-spi-recovery

crypto ipsec transform-set 1 esp-3des esp-sha-hmac
crypto ipsec transform-set 2 esp-3des esp-md5-hmac

crypto ipsec profile 1
 set transform-set To_1

crypto ipsec profile 2
 set transform-set To_2

crypto map To_2 ipsec-isakmp
 set peer 6.x.x.2
 set transform-set 2
 match address 101

crypto map To_1 ipsec-isakmp
 set peer
 set transform-set 1
 match address 100


Re: terminate multiple VPN tunnels at main site router

Hi Richard

On seeing your config, I am not sure whether you have the same crypto map with different sequence numbers to your remote peers with corresponding policies attached to it.

I would suggest creating crypto maps with the same name but with different sequence numbers, with the respective policies attached to it.

You can also refer to the link below for framing the policies and map with different sequence numbers.


Community Member

Re: terminate multiple VPN tunnels at main site router

Thanks for the reply.

Is this the only way to set this up?

There is no way to set up separate tunnels?


Re: terminate multiple VPN tunnels at main site router

Yes, sadly that is the only way to do it, as only one crypto map can be applied per interface. So for multiple peers you need to have the same crypto map with multiple sequence numbers. During the IPsec negotiation, all policies are checked sequentially based on the match of the transform set and access-list to set up the SA.
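The layout described in the replies, written out as an added example that is not part of any post in this thread: one crypto map name carrying one sequence entry per remote peer, applied once to the outside interface. The map name HUB_MAP, the sequence numbers 10 and 20, the interface name and the peer placeholders are assumptions; transform sets 1 and 2 and access lists 100 and 101 are the ones from the posted config.

```cisco
! Added example. HUB_MAP, the sequence numbers, the interface name and the
! <...> peer placeholders are assumptions, not values from the thread.
! Transform sets 1 and 2 and ACLs 100 and 101 are those in the posted config.
!
! Entry 10: first remote site
crypto map HUB_MAP 10 ipsec-isakmp
 set peer <site-1-peer-address>
 set transform-set 1
 match address 100
!
! Entry 20: second remote site, same map name, next sequence number
crypto map HUB_MAP 20 ipsec-isakmp
 set peer <site-2-peer-address>
 set transform-set 2
 match address 101
!
! Only one crypto map can be bound to the interface, so both peers
! are reached through the single HUB_MAP binding.
interface GigabitEthernet0/0
 crypto map HUB_MAP
```

Running show crypto map on the hub afterwards should list both sequence entries under the one map name.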
