DMVPN, redundant hub routers, design questions

Oct 4th, 2007


I am planning on making our small office VPN solution more redundant by adding a second hub router to our DMVPN solution. There are about 100 spoke routers, and there will be 2 hub routers, both located in one of our datacenters.

I have some questions around the detailed config for this (we will use EIGRP routing protocol).

Most important question is whether or not to use ISAKMP profiles with the crypto keyring commands for the pre-shared keys, or just choosing different tunnel-id, different subnet and tunnel key for each tunnel (each spoke will have two tunnel configs of course).

What are the pros and cons of crypto keyring, when to use it?

Second question is about EIGRP over DMVPN (in case of two hub routers). What is the best way to force traffic to prefer one hub router as the main path?

Thanks in advance,


patrick.preuss Fri, 10/05/2007 - 04:27


I would suggest not to use tunnel keys.

We have experienced that not all equipment will do GRE in hardware if you use tunnel keys.

Second, you might want to use a PKI; you can host this also on IOS hardware.

You might want to have a look at the ECT Design:

Might help with your problem.



l.mourits Fri, 10/05/2007 - 10:31

no tunnel key with GRE????

Ehm, that would not adhere to the DMVPN solution. Or do you mean the preshared keys for IPSec? In that I agree it would be better to have PKI, but since there are only 100 spokes at this point this is not considered an issue for now.

What I need to know is when is it needed to use crypto keyring for DMVPN solution. Anybody who can shine a light there?

Thanks in advance,


