{"id":78,"date":"2023-09-15T18:04:43","date_gmt":"2023-09-15T18:04:43","guid":{"rendered":"https:\/\/www.netasic.com\/?p=78"},"modified":"2026-05-18T15:16:10","modified_gmt":"2026-05-18T15:16:10","slug":"managing-multiple-ipsec-tunnels-on-cisco-ios","status":"publish","type":"post","link":"https:\/\/www.netasic.com\/index.php\/2023\/09\/15\/managing-multiple-ipsec-tunnels-on-cisco-ios\/","title":{"rendered":"Managing Multiple IPSec Tunnels on Cisco IOS"},"content":{"rendered":"

In an earlier post, I showed you how to configure IPSec based on a cryptomap between two routers (link here<\/a>). Now I am going to show you how to add a second IPSec tunnel on the same router. Remember the obligatory rule: one crypto map per interface.<\/p>\n

Let’s look again on topology:<\/p>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

The configuration of IPSec on router R5 is similar to that on router R2:<\/p>\n

R5#show running-config | section crypto<\/strong>\r\ncrypto isakmp policy 10\r\nencr aes\r\nhash sha256\r\nauthentication pre-share\r\ngroup 24\r\ncrypto isakmp key password address 100.0.0.2 \r\ncrypto ipsec transform-set TS01 esp-des esp-sha-hmac \r\nmode tunnel\r\ncrypto map crypto_map 10 ipsec-isakmp \r\nset peer 100.0.0.2\r\nset transform-set TS01 \r\nmatch address VPN01\r\ncrypto map crypto_map<\/span><\/pre>\n
 <\/p>\n
On router R1, I have configured a second IPsec tunnel. As a reminder, below is the configuration of the IPsec tunnel between R1 and R2.<\/p>\n
R1#show running-config | section crypto<\/strong>\r\ncrypto isakmp policy 10\r\nencr aes\r\nhash sha256\r\nauthentication pre-share\r\ngroup 24\r\ncrypto isakmp key p@ssw0rd address 200.0.0.2 \r\ncrypto ipsec transform-set ESP_SHA512 esp-aes esp-sha512-hmac \r\nmode tunnel\r\ncrypto map crypto_map 10 ipsec-isakmp \r\nset peer 200.0.0.2\r\nset transform-set ESP_SHA512 \r\nmatch address VPN<\/span><\/pre>\n
 <\/p>\n
What do we need to do in order to add a second IPsec tunnel on router R1:<\/h3>\n
    \n
  1. Configure the crypto isakmp policy.<\/strong><\/li>\n
  2. Set up a password for the new peer.<\/strong><\/li>\n
  3. Configure new algorithms for the second phase of IPsec.<\/strong><\/li>\n
  4. Create a new crypto map (+ ACL) and assign it to an interface on the router.<\/strong><\/li>\n<\/ol>\n
     <\/p>\n
    Crypto isakmp policy<\/h3>\n
    Now, I am going to configure a second connection with router R5. I have to add a few things to my config. We need to determine the algorithms to be used for Phase 1. In my case, I will use the same algorithms that I used to establish the connection for my first IPSec.<\/p>\n
    Let’s look below:<\/p>\n
    R1#show running-config | section crypto<\/strong><\/span>\r\ncrypto isakmp policy 10\r\nencr aes\r\nhash sha256\r\nauthentication pre-share\r\ngroup 24<\/span><\/pre>\n
    Everything will be fine because the second side (router R5) has the same Phase 1 IPSec configuration. If we want to set up a tunnel with a router that has different configured algorithms, we will need to add a new ‘crypto isakmp policy’ to our configuration with the new algorithms.<\/p>\n
    When establishing a connection, the router checks the ‘crypto isakmp policy’ from top to bottom and verifies the configured algorithms. If the router finds a policy with the proper algorithms, it can establish the Phase 1 IPSec connection.<\/p>\n
     <\/p>\n
    Password for peer<\/h3>\n
    crypto isakmp key password address 4.4.4.2<\/pre>\n
     <\/p>\n
    Algorithms for second phase of IPsec and mode (tunnel or transport)<\/h3>\n
    crypto ipsec transform-set TS01 esp-des esp-sha-hmac\r\n\r\nmode tunnel<\/pre>\n
    R1(cfg-crypto-trans)#mode ?<\/span><\/strong>\r\ntransport transport (payload encapsulation) mode<\/span>\r\ntunnel tunnel (datagram encapsulation) mode<\/span><\/pre>\n
     <\/p>\n
    Configuration of crypto map + ACL<\/h3>\n
    crypto map crypto_map 20 ipsec-isakmp set peer 4.4.4.2 set transform-set TS01 match address VPN01\r\n!\r\nip access-list extended VPN01 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255<\/span>\r\n<\/span><\/pre>\n
     <\/p>\n
    My crypto map “crypto_map” have been already assigned to interface:<\/p>\n
    R1#show running-config interface fastEthernet 0\/0<\/strong>\r\nBuilding configuration...\r\n\r\nCurrent configuration : 107 bytes\r\n!\r\ninterface FastEthernet0\/0\r\nip address 100.0.0.2 255.255.255.252\r\nduplex half\r\ncrypto map crypto_map\r\nend<\/span><\/pre>\n
     <\/p>\n
    and look like this:<\/p>\n
    !\r\ncrypto map crypto_map 10 ipsec-isakmp \r\nset peer 200.0.0.2\r\nset transform-set ESP_SHA512 \r\nmatch address VPN\r\ncrypto map crypto_map 20 ipsec-isakmp \r\nset peer 4.4.4.2\r\nset transform-set TS01 \r\nmatch address VPN01\r\n!\r\n<\/span><\/span><\/pre>\n
     <\/p>\n
    I can do little verification by typing “show crypto map”:<\/p>\n
    R1#show crypto map\u00a0<\/strong>\r\n\r\nCrypto Map IPv4 \"crypto_map\" 10 ipsec-isakmp\r\nPeer = 200.0.0.2\r\nExtended IP access list VPN\r\n\u00a0 \u00a0 access-list VPN permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255\r\nCurrent peer: 200.0.0.2\r\nSecurity association lifetime: 4608000 kilobytes\/3600 seconds\r\nResponder-Only (Y\/N): N\r\nPFS (Y\/N): N\r\nTransform sets={\u00a0\r\nESP_SHA512:\u00a0 { esp-aes esp-sha512-hmac\u00a0 } ,\u00a0\r\n}\r\nCrypto Map IPv4 \"crypto_map\" 20 ipsec-isakmp\r\nPeer = 4.4.4.2\r\nExtended IP access list VPN01\r\n\u00a0 \u00a0 access-list VPN01 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255\r\nCurrent peer: 4.4.4.2\r\nSecurity association lifetime: 4608000 kilobytes\/3600 seconds\r\nResponder-Only (Y\/N): N\r\nPFS (Y\/N): N\r\nTransform sets={\u00a0\r\nTS01:\u00a0 { esp-des esp-sha-hmac\u00a0 } ,\u00a0\r\n\r\n}\r\n\u00a0 \u00a0 \u00a0 \u00a0 Interfaces using crypto map crypto_map:\r\nFastEthernet0\/0\r\n\r\n<\/span><\/pre>\n
     <\/p>\n
    Let’s see again complete configuration of ipsec:<\/p>\n
    #show running-config | section crypto<\/strong>\r\ncrypto isakmp policy 10\r\nencr aes\r\nhash sha256\r\nauthentication pre-share\r\ngroup 24\r\ncrypto isakmp key p@ssw0rd address 200.0.0.2 \r\ncrypto isakmp key password address 4.4.4.2 \r\ncrypto ipsec transform-set ESP_SHA512 esp-aes esp-sha512-hmac \r\nmode tunnel\r\ncrypto ipsec transform-set TS01 esp-des esp-sha-hmac \r\nmode tunnel\r\ncrypto map crypto_map 10 ipsec-isakmp \r\nset peer 200.0.0.2\r\nset transform-set ESP_SHA512 \r\nmatch address VPN\r\ncrypto map crypto_map 20 ipsec-isakmp \r\nset peer 4.4.4.2\r\nset transform-set TS01 \r\nmatch address VPN01\r\ncrypto map crypto_map<\/span><\/pre>\n
    R1#show crypto isakmp sa<\/strong><\/span>\r\nIPv4 Crypto ISAKMP SA<\/span>\r\ndst src state conn-id status<\/span>\r\n4.4.4.2 100.0.0.2 QM_IDLE 1001 ACTIVE<\/span>\r\n200.0.0.2 100.0.0.2 QM_IDLE 1002 ACTIVE<\/span><\/pre>\n
     <\/p>\n","protected":false},"excerpt":{"rendered":"
    In an earlier post, I showed you how to configure IPSec based on a cryptomap between two routers (link here). Now I am going to show you how to add a second IPSec tunnel on the same router. Remember the … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-78","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/posts\/78","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/comments?post=78"}],"version-history":[{"count":48,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/posts\/78\/revisions"}],"predecessor-version":[{"id":339,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/posts\/78\/revisions\/339"}],"wp:attachment":[{"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/media?parent=78"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/categories?post=78"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/tags?post=78"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}