Can I have both an IKEv1 and an IKEv2 L2L to the same IP peer?

Mohamed Hamid
Level 1

Hi Guys

I am trying to configure a second site-to-site VPN to a Cisco ASA 5520.

The first L2L is an IKEv2 VPN and that works fine and has no issues.

I am now trying to create an IKEv1 L2L to the same Cisco ASA. I initially got the warning message through the ASDM that I had to use digital certificate based auth or use Aggressive mode if I was giving the connection a name.

So I have ensured both peers are using IKEv1, and now I am noticing that the incoming IKEv1 L2L connection is landing on the tunnel group that is configured for IKEv2 (my first connection).

Therefore I am getting the error 'No preshared key configured for group'.

Is there a way to get around this?

Regards

2 Replies

Marvin Rhoads
Hall of Fame

You need to use one or the other L2L VPN type - not both.

Why would you want both anyway?

Hi Marvin

Thank you for your reply.

I had an existing IKEv2 L2L between two ASAs.

I needed to add another L2L as a different network subnet required access, and for this I tried to set up an IKEv1 using aggressive mode. This is because my destination ASA was the same IP for my original IKEv2 L2L, and my thinking was that if I use aggressive mode then it will differentiate between my two L2Ls.

Clearly this is not the case... so I guess my best method is to use certificate based auth for my IKEv2 L2L?... Does this mean that I will need to change my original IKEv2 L2L to cert based as well?

Kind Regards