Multiple IPsec Tunnels from Main site


I have set up multiple Site-to-Site IPsec tunnels from our main site to our smaller sites.

The weird thing happening is that whenever I enter the “match address” for that specific site, the VPN stops the VPN traffic even if the tunnel is up.

This is the base of it:

crypto map dyn-map 11 match address VPN-ACL1
crypto map dyn-map 11 set peer XXX.XXX.XXX.XX1
crypto map dyn-map 11 set ikev2 ipsec-proposal Ikev2-AES256-SHA256
crypto map dyn-map 12 set peer XXX.XXX.XXX.XX2
crypto map dyn-map 12 set ikev1 transform-set THN_VPN2
crypto map dyn-map 13 set peer XXX.XXX.XXX.XX3
crypto map dyn-map 13 set ikev1 transform-set THN_VPN3
crypto map dyn-map 14 set peer XXX.XXX.XXX.XX4
crypto map dyn-map 14 set ikev1 transform-set THN_VPN4
crypto map dyn-map interface outside

Tunnels like this work (the smaller sites have “match address”).

As you can see, I only have one working match address in this configuration.
Should they all be in the same ACL?

Any ideas why this might be happening?

Hello Ali

So from what I understand, your match address command for map 11 using VPN-ACL1 is working correctly, right? But when you add the match address for the other sites (12, 13 etc) those don’t seem to work. Traffic stops functioning on them, right?

The ACLs are used to match interesting traffic, that is, traffic that should be tunneled and encrypted. Without those ACLs indicating what is interesting traffic, the config is incomplete. So you should have a separate ACL that indicates the interesting traffic for each of your tunnels. Can you give us a little more information about the behavior you are experiencing so that we can help you further?

I hope this has been helpful!
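A quick sanity check for the point made in the reply, added here as an example and not part of the thread: it parses crypto map lines of the form shown in the question and flags every entry that has no “match address” (so no interesting traffic is selected), no peer, no transform-set/proposal, or an ACL shared with another entry. The sample config is the poster's, with the placeholder peer addresses left as they were.

```python
import re
from collections import defaultdict

# Crypto map lines copied from the question above; peer addresses are the
# poster's placeholders, not real addresses.
SAMPLE_CONFIG = """\
crypto map dyn-map 11 match address VPN-ACL1
crypto map dyn-map 11 set peer XXX.XXX.XXX.XX1
crypto map dyn-map 11 set ikev2 ipsec-proposal Ikev2-AES256-SHA256
crypto map dyn-map 12 set peer XXX.XXX.XXX.XX2
crypto map dyn-map 12 set ikev1 transform-set THN_VPN2
crypto map dyn-map 13 set peer XXX.XXX.XXX.XX3
crypto map dyn-map 13 set ikev1 transform-set THN_VPN3
crypto map dyn-map 14 set peer XXX.XXX.XXX.XX4
crypto map dyn-map 14 set ikev1 transform-set THN_VPN4
crypto map dyn-map interface outside
"""

# Only numbered entries are parsed; "crypto map <name> interface ..." is skipped.
ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) "
    r"(match address|set peer|set ikev1 transform-set|set ikev2 ipsec-proposal) (\S+)"
)

def parse_crypto_map(config):
    """Return {(map_name, seq): {attribute: value}} for every numbered entry."""
    entries = defaultdict(dict)
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            name, seq, attr, value = m.groups()
            entries[(name, int(seq))][attr] = value
    return dict(entries)

def check_crypto_map(config):
    """Return a sorted list of (seq, problem) for incomplete or conflicting entries."""
    entries = parse_crypto_map(config)
    problems, acl_users = [], defaultdict(list)
    for (name, seq), attrs in sorted(entries.items()):
        if "match address" not in attrs:
            problems.append((seq, "no 'match address': entry selects no interesting traffic"))
        else:
            acl_users[attrs["match address"]].append(seq)
        if "set peer" not in attrs:
            problems.append((seq, "no 'set peer'"))
        if not any(k in attrs for k in ("set ikev1 transform-set", "set ikev2 ipsec-proposal")):
            problems.append((seq, "no transform-set or ipsec-proposal"))
    for acl, seqs in acl_users.items():  # one ACL per tunnel, as the reply says
        if len(seqs) > 1:
            problems.append((seqs[0], f"ACL {acl} reused by entries {seqs}"))
    return sorted(problems)
```

Run against the posted config it reports entries 12, 13 and 14 as having no match address, which is exactly the gap the reply describes.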