Multiple L2L IPsec VPNs to the same destination (IP address)

power.srvi
Level 1

Hi all,

I'm looking to establish multiple L2L IPsec tunnels (one tunnel for each subnet) from my Cisco ASA 5510 to the same destination.

Should the Cisco ASA be capable of this?

How can I do it?

Regards


6 Replies

ajay chauhan
Level 7

You can do it if you mean to say:

Let's say site A has got 3 subnets and site B has got one.

In this case what you need to do is to add an ACL for crypto.

Thanks

Ajay

Marvin Rhoads
Hall of Fame

Adding to what Ajay said, your VPN is between your ASA and the distant end's firewall. Within that VPN there can be multiple IPsec Phase 2 security associations, which are formed based on interesting traffic coming to the ASA and matching the crypto map (access list for crypto).

You may want to have a look at the Wizard in ASDM if you are new to ASAs. (Wizards, VPN, Site-to-site VPN Wizard).

Once you have a working site-to-site IPsec VPN, you can see the individual network pairs with the command:

     show vpn-sessiondb detail l2l

Hope this helps.

So it means that I only have to add the subnet within the access list matched on the crypto map?

Yes.

Note - it needs to be added at both the local and remote firewall. If not, they will not form a Phase 2 SA for that local/remote pair of networks.
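The configuration the two answers above describe, written out as an added example (it is not from the thread or from any of the posters, and the peer's Netgear side is not shown): one crypto map entry and one tunnel group for the single peer, and one access-list entry per local/remote subnet pair, so that one Phase 1 SA carries one Phase 2 SA per pair. All addresses, object names and the pre-shared key placeholder are hypothetical (RFC 1918 and RFC 5737 ranges); syntax is ASA 8.4+ (`ikev1` keyword, object NAT); lines starting with `!` are annotations, not configuration.

```cisco
! Three local subnets (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24) must reach one remote
! subnet (192.168.50.0/24) behind a single peer at 198.51.100.1. Hypothetical values.

object-group network L2L_LOCAL_NETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object network L2L_REMOTE_NET
 subnet 192.168.50.0 255.255.255.0

! Crypto ACL: one ACE per local/remote pair. Each ACE is a separate proxy ID, so the
! ASA negotiates one Phase 2 SA per line as traffic arrives. Adding a subnet later means
! adding one line here and the mirror image of it on the remote device.
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.1.3.0 255.255.255.0 192.168.50.0 255.255.255.0

! NAT exemption for every local subnet (8.3+ syntax; on 8.2 and earlier this is
! "nat (inside) 0 access-list <nonat-acl>"). A subnet missing here is translated before
! the crypto map is evaluated, never matches the crypto ACL, and gets no Phase 2 SA.
nat (inside,outside) source static L2L_LOCAL_NETS L2L_LOCAL_NETS destination static L2L_REMOTE_NET L2L_REMOTE_NET no-proxy-arp route-lookup

! Phase 1 (IKEv1). Pick the strongest group/encryption the peer supports.
! On 8.2 and earlier: "crypto isakmp policy 10" and no "ikev1" keywords below.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2 transform set, bound to the single crypto map entry for this peer.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! One tunnel group per peer IP, regardless of how many subnet pairs it carries.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK

! The remote device must hold the mirror image of every ACE (its 192.168.50.0/24 to each
! of 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24). A pair present on only one end never
! forms a Phase 2 SA even while the tunnel (Phase 1) shows as up.

! After editing the crypto ACL, clear the peer's SAs so the new pair is renegotiated,
! then confirm one "local ident / remote ident" block per ACE and rising encaps/decaps:
!   clear crypto ipsec sa peer 198.51.100.1
!   show crypto ipsec sa peer 198.51.100.1
!   show vpn-sessiondb detail l2l
```

If `show crypto ipsec sa` shows the tunnel up but only some of the subnet pairs, check the three places a pair can be missing in this order: the crypto ACL on the ASA, the NAT exemption on the ASA, and the peer's Phase 2 selectors.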

Note: the local firewall is not a Cisco.

So I've added it on my ASA, I restart all the tunnels and I start a continuous ping from a machine on the added network.

At the same time I set debug icmp trace ---> I see no packets from the local machine to the added network.

I use show crypto ipsec sa detail --> the tunnel is up but the network that I added is not shown, only the first network is present.

Hi all,

I would like to thank Mr Rhoads and Mr Ajay Chauhan for their precious help.

It works, the problem was on the remote Netgear VPN policy's order (phase 2).

That's what I did:

I disabled the VPN on the remote box, then I created a phase 2 including the new subnet.

Then I checked my access list on my ASA and that both networks that I want to transport on the VPN are present.

Finally I enabled the VPN again on the remote box (Netgear FVS318).

The tunnel is up again and when I run show crypto ipsec sa detail I can see 2 crypto map tags matched to the same sequence number and each one is matching a declared traffic.

Thx
