ASA - multiple VPNs between the same endpoints

It is possible to create multiple IKE VPN tunnels between two Cisco ASA devices. Each tunnel is represented by its own profile (a separate crypto map entry) and uses a unique encryption domain and, optionally, different Phase 1 and Phase 2 parameters.

Establishing multiple VPN tunnels, or "child SAs", between the same pair of peer addresses is often done to separate different types of traffic or to provide redundancy. Each distinct tunnel (child SA) is defined by a unique traffic selector, which on the Cisco ASA is an access-list entry, more commonly called an encryption domain.

When you create multiple tunnels between the same endpoints, it's the encryption domain that helps the ASA determine which traffic goes over which tunnel. The IKEv2 parent SA (the initial negotiation between peers) remains singular, but multiple child SAs can be derived from that single parent SA for various traffic selectors.

Here are some general guidelines that may be helpful in achieving this:

  1. Define your ACLs (traffic selectors).

     On ASA1:

     access-list VPN1_ACL extended permit

     On ASA2:

     access-list VPN1_ACL extended permit

  2. Map the ACLs to separate crypto map entries.

     On ASA1 and ASA2:

     crypto map mymap

Here ASA_PEER_IP would be the same peer IP address for both tunnels.

When traffic matches the VPN1_ACL, it will use the settings from the crypto map sequence number 10, and when traffic matches VPN2_ACL, it will use the settings from the sequence number 20. Both tunnels can be up concurrently, routing different traffic as defined by the ACLs.
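As an added worked example that is not part of the original page, here is an assumed ASA1 configuration carrying two IKEv2 child SAs to the same peer; the peer address 203.0.113.2, the 10.x.x.0/24 networks, the proposal and policy names and values, and the pre-shared key placeholder are all constructed for illustration.

```text
! Added example config for ASA1 (constructed; not from the page).
! Peer 203.0.113.2 and the 10.x.x.0/24 networks are placeholders.
! One encryption domain per tunnel; ASA2 needs the mirror-image ACLs.
access-list VPN1_ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list VPN2_ACL extended permit ip 10.1.2.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Phase 2 proposal shared by both entries (each entry could reference its own).
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Two crypto map entries: same peer, different sequence numbers and ACLs.
! Entries are evaluated in ascending sequence order, so the two ACLs must
! not overlap or seq 10 will claim traffic intended for seq 20.
crypto map mymap 10 match address VPN1_ACL
crypto map mymap 10 set peer 203.0.113.2
crypto map mymap 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map mymap 20 match address VPN2_ACL
crypto map mymap 20 set peer 203.0.113.2
crypto map mymap 20 set ikev2 ipsec-proposal AES256-SHA256
crypto map mymap interface outside
!
! Phase 1: a single IKEv2 SA is negotiated with the peer; both child SAs derive from it.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! One tunnel-group per peer address, so the same authentication covers both tunnels.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE_WITH_PSK>
 ikev2 local-authentication pre-shared-key <REPLACE_WITH_PSK>
```

To confirm the result, `show crypto ikev2 sa` should list a single IKEv2 SA to the peer with two child SAs beneath it, and `show crypto ipsec sa` should show one inbound/outbound SA pair per ACL.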