Cisco Support Community

New Member

multiple site vpn question

Hi,

Given a hub and spoke ASA configuration, what is the best way to set up a multiple site VPN connection from the ASA? Say I have a hub ASA X to connect to branch sites A, B, and C.

Do I have to configure multiple "isakmp key xxxx address zzzz" and multiple crypto map processes? (Given isa/ipsec attributes are all the same.)

Thanks.

3 REPLIES

Re: multiple site vpn question

Hi,

If you have only three remote sites it's not much trouble to statically configure the three crypto map peers and keys.

IOS routers allow a configuration of DMVPN which allows simplified configuration of multiple VPN sites (but this is not an option on ASAs).

I would recommend just configuring the three sites statically as you would normally do.

Another option depending on what devices you have on the remote sites is to have an EzVPN scenario (the ASA is the EzVPN server and the remote sites are the EzVPN clients).

Federico.

Cisco Employee

Re: multiple site vpn question

Hi,

There are a couple of ways to approach this.

1. If the spokes have dynamic IP addresses then you can configure a dynamic crypto map, i.e., there will only be one crypto map sequence configured as below:

crypto dynamic-map test 1 set ....

crypto map outside-map 65535 ipsec-isakmp dynamic test

Then continue with rest of the configuration including applying the crypto map to outside interface etc.

You can configure one pre-shared key for all the remote spokes; however, beware of the security risks associated with this. A better option would be to use certificates.

2. If the spokes have static IP addresses, you can still use Option 1; however, you will not be able to initiate the tunnel from the Hub end.

3. If you want the ability to initiate from both Hub and Spoke then Spokes need to have Static IP addresses but you can still use the same pre-shared key for all spokes.

Below is more information on configuring VPNs:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ike.html
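Worked hub-side ASA 8.2 configuration for the two designs described in this reply: static per-spoke crypto map entries (Option 3) and a dynamic crypto map for spokes with changing addresses (Option 1). This is an example added here, not configuration from the thread or from the Cisco guide linked above; the peer addresses, LAN ranges, object names and key placeholders are constructed.

```cisco
! Phase 1 policy and transform set shared by every spoke (constructed values)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Option 3: static spoke addresses, tunnel can be initiated from either side ---
! One tunnel-group per spoke, so each spoke gets its own pre-shared key
! (placeholders; a compromised spoke then exposes only its own key)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <SPOKE-A-KEY>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <SPOKE-B-KEY>

! Interesting traffic: hub LAN 10.0.0.0/24 to each spoke LAN
access-list HUB-TO-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list HUB-TO-B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! One crypto map sequence per spoke; "set peer" is what lets the hub initiate
crypto map outside-map 10 match address HUB-TO-A
crypto map outside-map 10 set peer 203.0.113.10
crypto map outside-map 10 set transform-set ESP-AES256-SHA
crypto map outside-map 20 match address HUB-TO-B
crypto map outside-map 20 set peer 203.0.113.20
crypto map outside-map 20 set transform-set ESP-AES256-SHA
! spoke C follows the same pattern with its own ACL, tunnel-group and sequence 30

! --- Option 1: dynamic crypto map for spokes whose addresses change ---
! There is no "set peer", so the hub can only answer, never initiate.
crypto dynamic-map DYN-SPOKES 1 set transform-set ESP-AES256-SHA
crypto map outside-map 65535 ipsec-isakmp dynamic DYN-SPOKES
! Peers with no matching tunnel-group land in DefaultL2LGroup, so every
! dynamic spoke shares this one key: the risk the reply warns about.
! Certificate authentication removes the shared secret entirely.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <SHARED-SPOKE-KEY>

crypto map outside-map interface outside
```

The static entries are evaluated before sequence 65535, so a spoke with a known address is always matched by its own entry and key, and only unknown peers fall through to the dynamic map.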

New Member

Re: multiple site vpn question

Thank you all for the advice.

I believe I would look into the EzVPN option since this may be more scalable than setting up multiple crypto processes.
