Dynamic Multipoint VPN

Unanswered Question
May 4th, 2009

Does the ASA device have the ability to provide Dynamic Multipoint VPN, so that the topology of the network will be like hub and spoke, instead of adding a new site to each device manually?

vmoopeung Fri, 05/08/2009 - 10:39

You can configure DMVPN on the ASA for a hub-and-spoke topology. Dynamic Multipoint VPN (DMVPN) enables better scaling of large and small IPsec VPNs by combining generic routing encapsulation (GRE) tunnels, IP Security (IPsec) encryption, and Next Hop Resolution Protocol (NHRP) routing. In a hub-and-spoke VPN topology, each spoke has a permanent IPsec tunnel to the hub, but not to the other spokes within the topology. Using NHRP, the hub maintains an NHRP database of the public interface addresses of all the spokes (the clients). Each spoke registers its real address with the hub when it boots. When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the VPN address of the destination spoke. After the source spoke learns the peer address of the target spoke, it initiates a dynamic IPsec tunnel to the target spoke.


srue Fri, 05/08/2009 - 11:39

DMVPN is not supported on ASAs, although you can pass DMVPN *through* the ASA, which is not the same thing.

