
It is possible to create multiple [IKE](/asa-ike-proposal-parameters) [VPN](/vpn) tunnels between two Cisco [ASA](/asa) devices.  Each tunnel would be represented by an individual [profile](/ipsec-profile-operation-with-more-than-one-crypto-isakmp-policy) and use a unique combination of encryption domain and optionally, different Phase 1 and Phase 2 parameters.

Establishing multiple VPN tunnels or "child SAs" between the same pair of peer addresses is often done to separate different types of traffic or to provide redundancy. Each distinct tunnel (child SA) is usually defined by a unique traffic selector or [access-list](/acl) entry in the Cisco ASA, more appropriately called, an encryption domain.

When you create multiple tunnels between the same endpoints, it's the encryption domain that helps the ASA determine which traffic goes over which tunnel. The IKEv2 parent SA (the initial negotiation between peers) remains singular, but multiple child SAs can be derived from that single parent SA for various traffic selectors.

Here are some general guidelines that may be helpful in achieving this:

1. **Define your ACLs (Traffic Selectors)**:
On ASA1:
```bash
access-list VPN1_ACL extended permit ip LOCAL_SUBNET1 MASK REMOTE_SUBNET1 MASK
access-list VPN2_ACL extended permit ip LOCAL_SUBNET2 MASK REMOTE_SUBNET2 MASK
```

On ASA2:
```bash
access-list VPN1_ACL extended permit ip REMOTE_SUBNET1 MASK LOCAL_SUBNET1 MASK
access-list VPN2_ACL extended permit ip REMOTE_SUBNET2 MASK LOCAL_SUBNET2 MASK
```

2. **Map the ACLs to separate crypto map entries**:
On ASA1 and ASA2:
```bash
crypto map mymap 10 match address VPN1_ACL
crypto map mymap 10 set peer ASA_PEER_IP
crypto map mymap 10 set ikev2 ipsec-proposal PROP1

crypto map mymap 20 match address VPN2_ACL
crypto map mymap 20 set peer ASA_PEER_IP
crypto map mymap 20 set ikev2 ipsec-proposal PROP2
```

Here `ASA_PEER_IP` would be the same peer IP address for both tunnels.

When traffic matches the `VPN1_ACL`, it will use the settings from the crypto map sequence number 10, and when traffic matches `VPN2_ACL`, it will use the settings from the sequence number 20. Both tunnels can be up concurrently, routing different traffic as defined by the ACLs.


Links:

https://forum.networklessons.com/t/cisco-asa-site-to-site-ikev2-ipsec-vpn/829/42?u=lagapides

https://networklessons.com/cisco/asa-firewall/cisco-asa-site-site-ikev2-ipsec-vpn/



ASA - multiple VPNs between the same endpoints

802.11 EAPOL-Key Frames

AAA - RADIUS vs TACACS+

AAA - accounting start-stop and start-only

AAA - configuring a fallback method

AAA start-stop and stop-only

ACI - Bridge Groups

ACL - IPv6 implicit statements

ACL - established keyword

ACL - operators

ACL - time-based access list on IOS-XR

ACL Logging

ACL editor

ACL log update threshold

ACL logging matched packets

ACL wildcard mask

ACLs Filtering Locally Generated Traffic

ARP - Message Header and Payload

ARP - determining the next hop MAC address

ARP - promiscuous mode

ARP - what is Proxy ARP

ARP table default timeout

ARP table

ASA - ASDM Cipher security levels

ASA - ASDM

ASA - AnyConnect Management VPN Tunnel

ASA - Clientless VPN

ASA - Crypto key size for Version 9.16

ASA - IKE proposal parameters

ASA - RADIUS common password

ASA - Using FQDN in an ACL for VPN split tunnelling

ASA - VTI VPN and MSS

ASA - crypto hardware processing

ASA - emulating an ASA device

ASA - multiple AnyConnect packages

ASA - number of crypto maps per interface

ASA - object group protocol vs service

ASA - split-tunnel-policy command

ASA - using FQDN in an ACL

ASA CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed error

ASA Contexts operate as separate virtual devices

ASA DDoS protection

ASA DMZ

ASA ECMP static routing

ASA Manual NAT and Auto NAT

ASA NAT control

ASA NAT port forwarding multiple ports to same IP

ASA NAT with DHCP assigned IP address on the  outside interface

ASA NAT with multiple inside subnets

ASA Site-to-Site IKEv1 IPSec VPN recv errors

ASA Static one to one NAT on a range of addresses

ASA Troubleshoot HTTP and ASDM access

ASA VPN with overlapping IP address spaces

ASA active-standby failover preemption

ASA and Firepower reimaging

ASA crypto map and tunnel group preshared keys

ASA group policies

ASA implicit rule

ASA limit CLI and ASDM access to specific users

ASA packet processing algorithm

ASA prerequisites for high availability

ASA redirect IP SLA messages to log buffer

ASA redundant interface

ASA security levels

ASA syslog logging in multiple context mode

ASA to Firepower migration

ASA troubleshooting IPSec

ASA tunnel-group

ASA understanding version numbers

ASA what triggers an active-standby failover

ASA won't respond to pings from different subnet

Anycast

Automation - Ansible connection plugins

BFD - intervals and timers

BFD - with multiple routing protocols

BFD echo mode and operation details

BFD how an administrative change differs from a failure

BFD one-arm echo

BGP - 4-byte ASN Backward Compatibility

BGP - AFI and SAFI

BGP - AS_Path filtering use cases

BGP - AS_SET and AS_CONFED_SET are deprecated

BGP - Accumulated IGP metric

BGP - Atomic Aggregate Attribute

BGP - Attributes and path selection

BGP - Autonomous System (AS)

BGP - Autonomous System Number

BGP - BGP Algorithm within confederations

BGP - Discontiguous Autonomous Systems

BGP - ECMP for specific prefixes

BGP - End-of-RIB marker

BGP - FSM - Active state

BGP - Finite State Machine (FSM)

BGP - Flowspec

BGP - Graceful Restart Mechanism

BGP - Handling Multiple Communities on a Single Route