terminating IPSec vpn on multiple interfaces

Hi,

I have a setup where site A receives 3 internet connections, each going into an ASA 5520. I also have sites B, C and D (ASA 5520), each with their own internet connection. What I would like to do is create IPsec tunnels between interfaces 0/0, 0/1, 0/2 on the site A ASA and sites B, C and D. Is this doable? Has anyone done it? I found a document on Cisco's website showing a config between the LAN and a router, and the WAN and an IPsec client, but nothing on terminating IPsec tunnels on multiple interfaces.

If anyone can shed some light into this would be greatly appreciated,

Julian Dragut

Reply to
InetSecurity

I have a company that needs to do this as well. Today my associate got some bad support from a Cisco TAC person in the manner of rudeness, and they were not very helpful. Enough of that... We have a single ASA 5510 w/o Security Plus license and we need to terminate IPsec on the second interface for RA clients. It's workable when we know where they are coming from (IP-wise), but RA clients are pretty much dynamic, so putting in a route for them is an admin nightmare. I have this working at another client site with a static endpoint for an L2L IPsec connection. My question is, how do I dynamically add routes based on the interface on which the traffic was initiated by the RA clients? The RA client will work just fine if I put in a route for my outside IP address to use the second connection's default gateway address. Any ideas?

Reply to
curtislamasters

Look up IPsec reverse route injection.

Reply to
Merv

Would this apply to site-to-site IPsec terminated on multiple interfaces?

Reply to
InetSecurity

No.

For your question I would think you would just configure a different crypto map for each outside interface.

Reply to
Merv

It's strange though. I tried it and I can ping the remote site using the second interface, but no tunnel gets created. Any ideas?

Reply to
InetSecurity

As far as I know there is no chance to reach the same public IP address through two different interfaces on an ASA. If you want to have two different tunnels to a remote site you may try to terminate the two tunnels on two different IP addresses (if the remote is an IOS device you can use loopbacks) and manually route one of the two to the second interface on the ASA. Bye, Tosh.

Reply to
Tosh

To the OP: are you trying to have parallel tunnels from each remote site to the central site, with each tunnel landing on a different interface on the central site ASA?

Reply to
Merv

Yes. Each interface on the central PIX uses a different carrier. Is it doable? The interfaces have different security levels.

Reply to
InetSecurity

It does not look like this is possible.

See Cisco TAC tech note K03526513.

It might be possible if you are able to get multiple (i.e. 3) unique IP addresses for each of the remote sites.

Reply to
Merv
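Putting the thread's answers together (one crypto map per outside interface, a distinct peer address per tunnel, and a manual route so each peer is reachable through exactly one interface), here is an added central-site ASA configuration that is not from any of the posters. It assumes ASA 8.2-style syntax (on 8.4+ "crypto isakmp" becomes "crypto ikev1" and NAT syntax differs), two carrier uplinks on the central ASA, and a remote site B that exposes two public addresses (its WAN address and an IOS loopback) and two disjoint internal subnets, one per tunnel. All addresses are RFC 5737 documentation ranges chosen for the example.

```text
! Central-site ASA (example, ASA 8.2 syntax assumed). Two carriers, two tunnels
! to the same remote site B, each landing on its own outside interface.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 192.0.2.2 255.255.255.248
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0

! Default route via carrier 1. The host route pins the second peer address to
! carrier 2: one peer IP can only ever be reached through one interface, so
! without it IKE to 203.0.113.21 would be sent out outside1 and never complete.
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside2 203.0.113.21 255.255.255.255 198.51.100.1 1
! Site B's second internal subnet must also egress outside2, otherwise replies
! from site A would take the default route, miss MAP-OUT2, and leave in clear.
route outside2 10.2.2.0 255.255.255.0 198.51.100.1 1

! IKE must be enabled on every interface that terminates a tunnel.
crypto isakmp enable outside1
crypto isakmp enable outside2
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: disjoint remote subnets so each flow matches one tunnel.
access-list VPN-B-VIA-1 extended permit ip 10.1.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list VPN-B-VIA-2 extended permit ip 10.1.0.0 255.255.0.0 10.2.2.0 255.255.255.0

! A crypto map binds to exactly one interface, hence one map per outside interface.
! Peer 203.0.113.20 = site B WAN address, 203.0.113.21 = site B router loopback.
crypto map MAP-OUT1 10 match address VPN-B-VIA-1
crypto map MAP-OUT1 10 set peer 203.0.113.20
crypto map MAP-OUT1 10 set transform-set ESP-AES256-SHA
crypto map MAP-OUT1 interface outside1

crypto map MAP-OUT2 10 match address VPN-B-VIA-2
crypto map MAP-OUT2 10 set peer 203.0.113.21
crypto map MAP-OUT2 10 set transform-set ESP-AES256-SHA
crypto map MAP-OUT2 interface outside2

! One L2L tunnel group per peer address, each with its own pre-shared key.
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <key-for-peer-20>
tunnel-group 203.0.113.21 type ipsec-l2l
tunnel-group 203.0.113.21 ipsec-attributes
 pre-shared-key <key-for-peer-21>

! Let decrypted tunnel traffic bypass the outside interface ACLs.
sysopt connection permit-vpn
```

The two things that decide whether the second tunnel comes up are the routes, not the crypto maps: the peer address and the remote subnet carried by that tunnel both have to resolve to outside2 in `show route`, and a ping that succeeds on the second interface only proves reachability, not that the crypto map on that interface matched. After applying, `show crypto isakmp sa` should list both peers and `show crypto ipsec sa` should show SAs on both interfaces. If NAT is configured on the inside interface, the 10.1.0.0/16 to 10.2.0.0/16 traffic also needs a NAT exemption so it still matches the crypto ACLs.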

Is the purpose redundancy or bandwidth aggregation or different security contexts? If it is different security contexts, is there some way in which they are easily distinguishable such as distinct subnets? Or are you trying to do role-based security?

If redundancy, then using the ASA OSPF support might be the solution. If you are trying to run multiple security contexts, then the ease of doing so will depend upon the ease of separating them into distinct subnets.

If you can arrange it so that at site B the hosts at A are addressed through different IP address ranges for the different security contexts, then even if some of the destinations end up at the same physical hosts at A, you can do what you want, because you can NAT the outgoing traffic at B to tag it with different source IP address ranges depending on which of the contexts at A is being addressed; when the host at A replies, the reply will automagically go back to the right interface at A, because that will be the only interface that routes to that peculiar address range. The packets would then get de-NATed at B back into the correct internal host IP at B.

Reply to
Walter Roberson

With a little help from a downstream router behind the ASA it may be simpler to run GRE over IPsec; this way you don't have to play with NAT and you can even rely on EIGRP or OSPF. Bye, Tosh.

Reply to
Tosh

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.