multiple VPNs on the same CISCO-NETSCREEN nodes

Posted on 2010-09-14
Medium Priority
Last Modified: 2012-05-10
Hi all,

I have a problem with the VPNs configured on one customer site. I'll try to explain it as best I can...

This is the equipment involved:
Customer site: Cisco 3620
Local site: Netscreen 208

Currently we have one IPsec VPN configured between both sites to connect the customer network with our local network.

The problem started when we wanted to include a new network in our site (we started talking some time ago to deal with this matter, but we can't find a common point of view; I proposed to open our range to in the encryption domain parameter and then route the new network through the VPN... but they said that they can't do that because they have internal networks in conflict with that range... OK... we decided to use NAT... they gave us a range to configure our site (

The problem with the encryption domain remains the same... I have to change the parameter to allow the Phase II negotiations... I don't know the Cisco equipment, and so I don't know why they can't configure this parameter with and then route only the networks affected (this is what we have done in our Netscreen with other customers...).

Now, a hundred mails later... we are trying to configure another IPsec VPN to separate the networks affected... (I think there should be another solution, but I don't know how to convince them because I don't know the Cisco world)... the problem is that they said that we have to use another public IP in our site to configure the new VPN ¿¿??... they say that they can't configure another VPN with the same parameters in the negotiations (the only parameter that is different is our local network...)... please help me with this matter.

Thanks in advance
Question by:ecemibm
LVL 18

Accepted Solution

deimark earned 1200 total points
ID: 33670720
It seems a bit mad of them to say that they cannot have 2 VPNs going to the same remote GW.

As you say, the Netscreen side is quite straightforward if you wanted to go down the route-based VPN path and set the encryption domain as  If we could set this to the same on the Cisco side, then all will be well.

For the 2-VPN approach, the Netscreen again is quite easy: you create a new AutoKey IKE using the same IKE GW from the other VPN, just with a different proxy-id (encryption domain) set.

I am not a Cisco expert, but I would be very surprised if the Cisco side does NOT cater for multiple VPNs to the same remote GW, just using different local and remote networks.

As for trying to configure the Netscreen to have a 2nd VPN coming from a new external IP, I am fairly sure that this cannot be done.

I would consider asking the Cisco side to confirm the reasoning as to why they cannot have multiple VPNs to the same remote GW, which will give us a bit more info to work on for a workaround.
LVL 71

Assisted Solution

Qlemo earned 800 total points
ID: 33671128
I agree with deimark. It should be possible to have two Phase 2 SAs (for networks, encryption domains, or however you want to call them) using the same Phase 1 SA (VPN gateway). That is one of the reasons why the Phase 1 and Phase 2 definitions are separated, and a major feature of IPsec VPNs.

Author Comment

ID: 33673259
Hi again...

The customer has answered my statements saying that the Cisco avoids doing that because it allows including more than one encryption domain. Is it true?... I'm starting to wonder if the technicians at the customer site have real knowledge of what they are talking about... the problem is that I don't know how the Cisco firewall works...

The question now is... Do you know if I can find a configuration example for this deployment with Cisco equipment?... I'm sure this proof is what I need to convince the customer...
LVL 18

Expert Comment

ID: 33673724
I think that the Cisco guy is not too clued up on his router and is only passing on the info he knows.

As I said before, I would be very surprised if Cisco does not allow multiple VPN domains to be bound to a single GW; it seems to be a fundamental area that is covered by all other major (and most minor) players in the VPN market.

With regards to an example config, this does need to go to a Cisco bod. Perhaps an admin can put out a call for more Cisco experts to comment.
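Editor's added configuration example (not posted by anyone in this thread): the two-encryption-domain setup that deimark and Qlemo describe, written out for both ends. It shows one IKE Phase 1 peer on each side and two Phase 2 selectors (proxy-IDs) under it, so no second public IP is needed. All names, interfaces, the pre-shared key and the addresses (RFC 5737 documentation ranges, standing in for the ranges the thread elided) are assumptions; only the structure is the point.

```text
! ---- Cisco 3620 (IOS) side: one ISAKMP peer, one crypto map, two Phase 2 selectors ----
! Assumed addresses (not the thread's real ones):
!   Cisco public IP     198.51.100.10    Netscreen public IP  203.0.113.10
!   Customer LAN        192.168.50.0/24  (behind the Cisco)
!   Local net 1         10.10.10.0/24    (existing network behind the Netscreen)
!   Local net 2         10.20.20.0/24    (new, NATed range behind the Netscreen)
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ReplaceThisPSK address 203.0.113.10
!
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
!
! Two ACEs in the crypto ACL = two Phase 2 SAs (two encryption domains)
! negotiated with the same peer under the same Phase 1 SA.
ip access-list extended VPN-TO-NETSCREEN
 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 10.20.20.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-3DES-SHA
 match address VPN-TO-NETSCREEN
!
interface Serial0/0
 ip address 198.51.100.10 255.255.255.252
 crypto map CMAP

# ---- Netscreen 208 (ScreenOS) side: same IKE gateway, two AutoKey IKE VPNs ----
# (lines starting with # are annotations, not ScreenOS commands)
set address trust "local-net1" 10.10.10.0 255.255.255.0
set address trust "local-net2" 10.20.20.0 255.255.255.0
set address untrust "customer-lan" 192.168.50.0 255.255.255.0
# One Phase 1 gateway object, reused by both VPNs
set ike gateway "gw-customer" address 198.51.100.10 Main outgoing-interface "ethernet3" preshare "ReplaceThisPSK" proposal "pre-g2-3des-sha"
# VPN 1: existing network. proxy-id mirrors the first Cisco ACE (local/remote swapped)
set vpn "vpn-customer-net1" gateway "gw-customer" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "vpn-customer-net1" proxy-id local-ip 10.10.10.0/24 remote-ip 192.168.50.0/24 "ANY"
# VPN 2: new NATed network. Same gateway, different proxy-id, mirrors the second ACE
set vpn "vpn-customer-net2" gateway "gw-customer" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "vpn-customer-net2" proxy-id local-ip 10.20.20.0/24 remote-ip 192.168.50.0/24 "ANY"
# One policy per network, each bound to its own VPN object
set policy from trust to untrust "local-net1" "customer-lan" "ANY" tunnel vpn "vpn-customer-net1"
set policy from trust to untrust "local-net2" "customer-lan" "ANY" tunnel vpn "vpn-customer-net2"
```

The only thing that differs between the two Phase 2 SAs is the traffic selector, and the selectors must mirror each other exactly (Cisco ACE source/destination = Netscreen proxy-id remote/local, same masks); a mismatch, including one side offering 0.0.0.0/0, shows up as a Phase 2 proposal failure, which is the symptom the thread started from. The Cisco side can equally use two crypto map sequence numbers (CMAP 10 and CMAP 20) with the same `set peer` and one ACL each; either way there is still one peer address. After bringing the tunnels up, `show crypto ipsec sa` on the Cisco and `get sa` on the Netscreen should each list two active Phase 2 SAs to the same peer. 3DES/SHA-1 is shown because it is what this 2010-era hardware negotiated; prefer AES on anything that supports it.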
