Cisco Support Community
New Member

Multiple L2L IPsec VPNs to the same destination (IP address)

Hi all,

I'm looking to establish multiple L2L IPsec tunnels (one tunnel for each subnet) from my Cisco ASA 5510 to the same destination.

Is the Cisco ASA capable of this?

How can I do it?

Regards


6 REPLIES

You can do it, if you mean to say:

Let's say site A has got 3 subnets and site B has got one.

In this case what you need to do is add an ACL for crypto.

Thanks

Ajay

Hall of Fame Super Silver

Adding to what Ajay said, your VPN is between your ASA and the distant end's firewall. Within that VPN there can be multiple IPsec Phase 2 security associations, which are formed based on interesting traffic coming to the ASA and matching the crypto map (access list for crypto).

You may want to have a look at the Wizard in ASDM if you are new to ASAs (Wizards, VPN, Site-to-site VPN Wizard).

Once you have a working site-to-site IPsec VPN, you can see the individual network pairs with the command:

     show vpn-sessiondb detail l2l

Hope this helps.

New Member

So it means that I only have to add the subnet within the access list matched on the crypto map?

Hall of Fame Super Silver


Yes.

Note - it needs to be added at both the local and remote firewall. If not, they will not form a Phase 2 SA for that local/remote pair of networks.
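The two answers above boil down to one rule: each entry in the crypto ACL on the ASA becomes one local/remote network pair (one Phase 2 proxy identity), and the peer must carry the mirror image of every pair or that pair never gets an SA. The following Python script is an added example, not code from the thread or from any of the posters; it embeds a constructed ASA configuration (the ACL and crypto map names, the peer address 203.0.113.10 and all subnets are placeholders) plus the peer's selectors written in the same ASA syntax purely so that one parser can read both sides, and reports every pair the peer has not mirrored.

```python
"""Compare the crypto ACL on a Cisco ASA with the peer's selectors and list
every local/remote network pair that the peer has not mirrored.
Added example with placeholder names and addresses; not from the thread."""
import ipaddress
import re

# Constructed sample of the local ASA side: three local subnets to one remote
# subnet, all carried by a single crypto map entry (sequence 10) for one peer.
# ACL name, map name, peer address and transform-set name are placeholders.
LOCAL_ASA_CONFIG = """
access-list OUTSIDE_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list OUTSIDE_CRYPTO extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list OUTSIDE_CRYPTO extended permit ip 10.1.3.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
"""

# Constructed sample of the peer's Phase 2 selectors. The peer in the thread
# is a Netgear configured through its own UI; its policies are rendered in ASA
# syntax here only so the same parser applies. This peer mirrors just the
# first two local subnets, which is the situation the thread ran into.
PEER_CONFIG = """
access-list TO_SITE_A extended permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list TO_SITE_A extended permit ip 192.168.50.0 255.255.255.0 10.1.2.0 255.255.255.0
"""

# Only the plain "permit ip <net> <mask> <net> <mask>" form is understood;
# anything else in the named ACL is reported rather than silently skipped.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def crypto_acl_pairs(config_text, acl_name):
    """Return the set of (source_net, destination_net) strings selected by
    the named crypto ACL. Each ACE is one Phase 2 proxy-identity pair."""
    pairs = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(f"access-list {acl_name} "):
            continue  # crypto map lines and other ACLs are not selectors
        match = ACE_RE.match(line)
        if match is None:
            raise ValueError(f"ACE form not supported by this check: {line}")
        # strict=True (the default) rejects an ACE whose address has host
        # bits set under its mask, a common typo in crypto ACLs.
        src = ipaddress.ip_network(f"{match['src']}/{match['smask']}")
        dst = ipaddress.ip_network(f"{match['dst']}/{match['dmask']}")
        pairs.add((str(src), str(dst)))
    return pairs


def unmirrored_pairs(local_pairs, peer_pairs):
    """Local pairs whose mirror image (dst, src) is missing on the peer.
    No Phase 2 SA will be negotiated for any pair returned here."""
    mirrored = {(dst, src) for src, dst in peer_pairs}
    return sorted(local_pairs - mirrored)


def main():
    local = crypto_acl_pairs(LOCAL_ASA_CONFIG, "OUTSIDE_CRYPTO")
    peer = crypto_acl_pairs(PEER_CONFIG, "TO_SITE_A")
    print(f"{len(local)} proxy-identity pairs on the ASA, {len(peer)} on the peer")
    for src, dst in unmirrored_pairs(local, peer):
        print(f"no Phase 2 SA expected for {src} -> {dst}: peer has no mirror entry")


if __name__ == "__main__":
    main()
```

With the constructed input the script flags 10.1.3.0/24 to 192.168.50.0/24 as the one pair the peer has not mirrored; once the peer's policy includes it, show crypto ipsec sa on the ASA should show a third proxy identity under the same crypto map sequence number, which is the state the thread's last post describes.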

New Member

Note: the local firewall is not a Cisco.

So I've added it on my ASA, I restarted all the tunnels and I started a continuous ping from a machine on the added network.

At the same time I set: debug icmp trace --> I see no packets from the local machine to the added network.

I used show crypto ipsec sa details --> the tunnel is up, but the network that I added is not shown; only the first network is present.

New Member

Hi all,

I would like to thank Mr Rhoads and Mr Ajay Chauhan for their precious help.

It works; the problem was on the remote Netgear VPN policy's order (phase 2).

That's what I did:

I disabled the VPN on the remote box, then I created a phase 2 including the new subnet.

Then I checked my access list on my ASA and that both networks that I want to transport on the VPN are present.

Finally I enabled the VPN again on the remote box (Netgear FVS318).

The tunnel is up again and when I do a show crypto ipsec sa detail I can see 2 crypto map tags matched to the same sequence number, and each one is matching a declared traffic.

Thanks
