multiple site vpn question

marcusbrutus
Level 1

Hi,

Given a hub and spoke ASA configuration, what is the best way to set up a multiple-site VPN connection from the ASA? Say I have a hub ASA X to connect to branch sites A, B, and C.

Do I have to configure multiple "isakmp key xxxx address zzzz" entries and multiple crypto map processes? (Given that the ISAKMP/IPsec attributes are all the same.)

Thanks.

3 Replies

Hi,

If you have only three remote sites it's not much trouble to statically configure the three crypto map peers and keys.

IOS routers allow a configuration of DMVPN which allows simplified configuration of multiple VPN sites (but this is not an option on ASAs).

I would recommend just configuring the three sites statically as you would normally do.

Another option depending on what devices you have on the remote sites is to have an EzVPN scenario (the ASA is the EzVPN server and the remote sites are the EzVPN clients).

Federico.

mulatif
Cisco Employee

Hi,

There are a couple of ways to approach this:

1. If the spokes have dynamic IP addresses, then you can configure a dynamic crypto map, i.e. there will only be one crypto map sequence configured, as below:

crypto dynamic-map test 1 set ....

crypto map outside-map 65535 ipsec-isakmp dynamic test

Then continue with rest of the configuration including applying the crypto map to outside interface etc.

You can configure one pre-shared key for all the remote spokes; however, beware of the security risks associated with this. A better option would be to use certificates.

2. If the spokes have static IP addresses, you can still use Option 1; however, you will not be able to initiate the tunnel from the hub end.

3. If you want the ability to initiate from both Hub and Spoke then Spokes need to have Static IP addresses but you can still use the same pre-shared key for all spokes.

Below is more information on configuring VPNs:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ike.html
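The two hub-side layouts described in this reply, written out as a constructed ASA 8.2-style configuration. This is an added illustration, not configuration from the reply or from the linked Cisco guide; the interface name, object names, subnets and peer addresses (documentation ranges 10.x and 198.51.100.x) are assumptions, and the pre-shared keys are placeholders. Spoke A uses a static crypto map entry with its own key (the hub can initiate), while spokes with dynamic addresses land on the dynamic map in the highest sequence number so the static entries are evaluated first. On ASA the L2L pre-shared key lives under the tunnel-group rather than in a separate "isakmp key" line.

```cisco
! Phase 1 and Phase 2 parameters shared by every spoke
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Option 3 style: spoke A has a static address, so the hub can initiate ---
! Interesting traffic: hub LAN 10.0.0.0/24 to spoke A LAN 10.1.0.0/24 (assumed)
access-list HUB-TO-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address HUB-TO-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
! Per-peer tunnel-group keyed on the spoke's public address, with its own key
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key SPOKE-A-KEY-PLACEHOLDER

! --- Option 1 style: spokes B and C have dynamic addresses, they must initiate ---
! One dynamic map entry; the proxy identities are learned from the spoke's proposal
crypto dynamic-map DYN-SPOKES 10 set transform-set ESP-AES256-SHA
! Highest sequence number so the static entry above is tried first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
! Unknown peers fall into DefaultL2LGroup; a single shared key here is the
! risk the reply warns about, so prefer a trust-point (certificate) instead
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key SHARED-SPOKE-KEY-PLACEHOLDER

! Bind the map to the outside interface once, for both the static and dynamic entries
crypto map OUTSIDE-MAP interface outside
```

If the spokes are moved to certificates later, the pre-shared-key line under each tunnel-group ipsec-attributes is replaced by a trust-point reference, and the ISAKMP policy authentication changes to rsa-sig; the crypto map structure itself does not change.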

marcusbrutus
Level 1

Thank you all for the advice.

I believe I would look into the EzVPN option, since this may be more scalable than setting up multiple crypto processes.
