Overview
Multiple tunnels can be created for Umbrella SIG even from the same location.
For devices that support FQDN VPN ID:
Multiple tunnels can be created behind the same egress IP if "User FQDN" VPN ID is used to identify the tunnel.
- Configure the network tunnels using the 'Other' profile under Deployments > Network Tunnels in Umbrella.
- This allows you to optionally configure an FQDN to be used as the Tunnel ID, instead of an IP address.
- Reconfigure your device to use the configured "User FQDN" peer ID (e.g. site1@12345678-987654321-umbrella.com).
The tunnels can optionally terminate at the same Umbrella DC. For instance, if the tunnel IDs are site1@12345678-987654321-umbrella.com and site2@12345678-987654322-umbrella.com, they can terminate on the same head-end.
ASA 9.17 Firmware
The latest Cisco ASA version(s) include the ability to use "User FQDN" as the peer ID and therefore multiple tunnels can be created from the same location if desired.
crypto ipsec profile umbrella
 set ikev2 ipsec-proposal umbrella-ipsec-proposal
 set ikev2 local-identity site1@12345678-987654321-umbrella.com
For ASA/FTD:
The IP address is used as a unique VPN Peer ID for the tunnel. You must utilize different egress IPs for each tunnel. You can terminate both tunnels to the same Umbrella DC if desired.
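The following pre-deployment check is an added example, not Cisco or Umbrella code: it applies the two rules above (unique "User FQDN" IDs may share an egress IP; IP-identified tunnels need distinct egress IPs) to a tunnel inventory. The inventory format, site names, IP addresses and the case-insensitive comparison of IDs are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample inventory (hypothetical sites; IPs are documentation ranges).
# id_type "fqdn" = User FQDN peer ID; "ip" = egress IP is the peer ID (ASA/FTD case).
SAMPLE_TUNNELS = [
    {"site": "site1", "egress_ip": "203.0.113.10", "id_type": "fqdn",
     "tunnel_id": "site1@12345678-987654321-umbrella.com"},
    {"site": "site2", "egress_ip": "203.0.113.10", "id_type": "fqdn",
     "tunnel_id": "site2@12345678-987654322-umbrella.com"},
    {"site": "asa-a", "egress_ip": "198.51.100.7", "id_type": "ip", "tunnel_id": None},
    {"site": "asa-b", "egress_ip": "198.51.100.7", "id_type": "ip", "tunnel_id": None},
    {"site": "site3", "egress_ip": "203.0.113.10", "id_type": "fqdn",
     "tunnel_id": "SITE1@12345678-987654321-umbrella.com"},
]

# Loose shape check only: local-part@domain, as in the page's example ID.
FQDN_ID = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def effective_peer_id(tunnel):
    """Return (kind, value) for whatever identifies this tunnel to the head-end."""
    if tunnel["id_type"] == "fqdn":
        # Assumption: compare IDs case-insensitively so near-duplicates are caught.
        return ("fqdn", (tunnel["tunnel_id"] or "").strip().lower())
    return ("ip", tunnel["egress_ip"])

def find_conflicts(tunnels):
    """Return sorted (reason, peer_id, [sites]) tuples for tunnels that cannot coexist."""
    problems = []
    by_id = defaultdict(list)
    for tunnel in tunnels:
        kind, value = effective_peer_id(tunnel)
        if kind == "fqdn" and not FQDN_ID.match(value):
            problems.append(("malformed-fqdn-id", value, [tunnel["site"]]))
            continue
        by_id[(kind, value)].append(tunnel["site"])
    for (kind, value), sites in by_id.items():
        if len(sites) > 1:
            reason = "shared-egress-ip" if kind == "ip" else "duplicate-fqdn-id"
            problems.append((reason, value, sorted(sites)))
    return sorted(problems)

if __name__ == "__main__":
    for reason, value, sites in find_conflicts(SAMPLE_TUNNELS):
        print(f"{reason}: {value} used by {', '.join(sites)}")
```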