multiple VPNs on the same CISCO-NETSCREEN nodes

Posted on 2010-09-14
Last Modified: 2012-05-10
Hi all,

I have a problem with the VPNs configured on one customer site. I'll try to explain it the best I can...

This is the equipment involved:
Customer site: CISCO 3620
Local site: Netscreen 208

Currently we have one IPsec VPN configured between both sites to connect the customer network with our local network.

The problem started when we wanted to include a new network on our site (we started talking some time ago to deal with this matter but we can't find a common point of view; I proposed opening our range to in the encryption domain parameter and then routing the new network through the VPN... but they said they can't do that because they have internal networks in conflict with that range... ok... we decided to use NAT... they gave us a range to configure our site (

The problem with the encryption domain remains the same... I have to change the parameter to allow the phase II negotiations... I don't know the Cisco equipment, so I don't know why they can't configure this parameter with and then route only the networks affected (this is what we have done on our Netscreen with other customers...).

Now, a hundred mails later... we are trying to configure another IPsec VPN to separate the networks affected... (I think there should be another solution but I don't know how I can convince them because I don't know the Cisco world)... the problem is that they said we have to use another public IP on our site to configure the new VPN??... they say they can't configure another VPN with the same parameters in the negotiations (the only parameter that is different is our local network...).... please help me with this matter.

Thanks in advance
Question by: ecemibm

Accepted Solution

deimark earned 300 total points
ID: 33670720
Seems a bit mad of them to say that they cannot have 2 VPNs going to the same remote GW.

As you say, the Netscreen side is quite straightforward if you wanted to go down the route-based VPN route and set the encryption domain as . If we could set this to the same on the Cisco side, then all will be well.

For the 2 VPN approach, the Netscreen again is quite easy: you create a new autokey IKE using the same IKE GW from the other VPN, just with a different proxy-id (encryption domain) set.

I am not a Cisco expert but I would be very surprised if the Cisco side DOES NOT cater for multiple VPNs to the same remote GW, just using different local and remote networks.

As for trying to configure the Netscreen to have a 2nd VPN coming from a new external IP, I am fairly sure that this cannot be done.

I would consider asking the Cisco side to confirm the reasoning as to why they cannot have multiple VPNs to the same remote GW, which will give us a bit more info to work on for a workaround.

Assisted Solution

Qlemo earned 200 total points
ID: 33671128
I agree with deimark. It should be possible to have two Phase 2 SAs (for networks, encryption domains, or however you want to call them) using the same Phase 1 SA (VPN gateway). That is one of the reasons why the Phase 1 and Phase 2 definitions are separated, and a major feature of IPsec VPNs.

Author Comment

ID: 33673259
Hi again...

The customer has answered my statements saying that the Cisco avoids doing that because it allows including more than one encryption domain. Is that true?... I'm starting to wonder whether the technicians at the customer site have real knowledge of what they are talking about... the problem is that I don't know how the Cisco firewall works...

The question now is... Do you know if I can find a configuration example for this deployment with Cisco equipment?... I'm sure this proof is what I need to convince the customer...

Expert Comment

ID: 33673724
I think that the Cisco guy is not too clued up on his router and is only passing on the info he knows.

As I said before, I would be very surprised if Cisco does not allow multiple VPN domains to be bound to a single GW; it seems to be a fundamental area that is covered by all other major (and most minor) players in the VPN market.

With regards to an example config, this does need to go to a Cisco bod. Perhaps an admin can put out a call for more Cisco experts to comment.
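As an added illustration of the point deimark and Qlemo make (not posted by anyone in this thread, and not the customer's actual config), this is the Cisco IOS crypto-map shape for two Phase 2 SAs riding one Phase 1 SA to a single Netscreen peer; every address, name and the pre-shared key below is a placeholder:

```cisco
! Phase 1 (ISAKMP): one policy and one pre-shared key for the Netscreen peer.
! 203.0.113.2 stands in for the Netscreen 208 public address.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
! Phase 2 transform set, shared by both tunnels.
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
!
! Two encryption domains (proxy-IDs), one ACL per local/remote pair.
! 10.1.0.0/16 stands in for the customer LAN, 172.16.10.0/24 for the
! original Netscreen-side network and 172.16.20.0/24 for the new NATted one.
ip access-list extended VPN-ACL-A
 permit ip 10.1.0.0 0.0.255.255 172.16.10.0 0.0.0.255
ip access-list extended VPN-ACL-B
 permit ip 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255
!
! One crypto map, two sequence numbers, same peer: each entry negotiates
! its own Phase 2 SA under the single Phase 1 SA to 203.0.113.2, so no
! second public IP is needed on either side.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-3DES-SHA
 match address VPN-ACL-A
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-3DES-SHA
 match address VPN-ACL-B
!
! Apply the map once, on the outside interface facing the Netscreen.
interface Serial0/0
 crypto map VPNMAP
```

Each ACL must be the exact mirror of the proxy-id set on the matching Netscreen autokey IKE entry, and the two ACLs must not overlap, because IOS walks the crypto map entries in sequence order and the first match decides which SA carries the traffic. A mismatch between ACL and proxy-id shows up as a Phase 2 proposal failure on either box, which is the symptom to look for when the tunnel stays up but one network does not pass.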
