Tunnel Interface instead of crypto map

Unanswered Question
Mar 23rd, 2010

Hi All


Can someone tell me what the difference is between creating a site-to-site VPN tunnel with a crypto map and creating a site-to-site VPN tunnel with a tunnel interface?


Thank you very much

Administrateurs... Tue, 03/23/2010 - 10:22

Thank you very much.  For sure it helps.


If I want to use static VTI for an IPsec VPN tunnel between 2 routers, but 1 of my routers uses a public static address and the other does not (DSL connection),


I won't be able to put in the tunnel destination command.  How should I configure it?


Thanks again

Administrateurs... Tue, 03/23/2010 - 11:08

If I do not want to use Easy VPN, can I do it with static VTI?  Or should I switch to crypto map?


Thank you very much for your help.

slmansfield Tue, 03/23/2010 - 11:38
User Badges: Silver, 250 points or more

Here are some other examples of using static and dynamic VTIs.


http://www.cisco.com/en/US/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_xe.pdf


You could also use DMVPN; this example shows a spoke site using DHCP to assign its outside address.


http://www.cisco.com/application/pdf/paws/41940/dmvpn.pdf


HTH

Administrateurs... Tue, 03/23/2010 - 12:30

We already have a DMVPN configuration in our 300 spokes.  It's a single cloud, dual hub DMVPN network.  We need to create a separate VPN network infrastructure with those 300 spokes but linked through 2 remote HQ sites.  Those 2 remote sites have public static IPs, but our spokes use dynamic addressing.


I need something simple.  I checked out your examples, but only Easy VPN talks about unknown remote IPs.


Here's my concern.


I'll probably use crypto map instead of VTI.  What do you think?

slmansfield Tue, 03/23/2010 - 12:48
User Badges: Silver, 250 points or more

What do you see is the advantage of crypto maps over Easy VPN?


If your spoke IP addresses are assigned dynamically, you could use dynamic crypto maps on your hub site, as in this example, but with this legacy setup you lose flexibility.  Avoiding crypto maps reduces problems with the management of a large number of VPN tunnels to your hub site.


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
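To make the contrast the thread keeps circling concrete, here is an added hub-side configuration sketch (not from the thread or from the Cisco documents linked in it) showing a dynamic crypto map, which tolerates spokes with unknown addresses, beside a static VTI, which needs a fixed tunnel destination. Interface names, addresses (RFC 5737 documentation ranges), and the pre-shared key are placeholders.

```cisco
! Common IKE and IPsec settings; PLACEHOLDER-PSK and all addresses are placeholders
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard peer so that spokes with dynamic addresses can authenticate.
! A single wildcard PSK is a weak choice at 300 spokes; certificates are preferable.
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Approach 1: dynamic crypto map on the hub (the legacy style discussed above).
! No "set peer" is possible because the spoke address is unknown, so the spoke
! must always initiate and the hub only responds. All spokes share the one map,
! which is why removing and re-applying it to clear one spoke affects the rest.
crypto dynamic-map DYN 10
 set transform-set TS
crypto map CM 10 ipsec-isakmp dynamic DYN
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM
!
! Approach 2: static VTI toward one of the static-IP HQ sites.
! A fixed "tunnel destination" is mandatory, which is exactly what a spoke on a
! dynamic DSL address cannot provide; use it between the two HQ sites instead.
crypto ipsec profile PROF
 set transform-set TS
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
! With a VTI, traffic is selected by routing rather than by a crypto ACL
ip route 10.20.0.0 255.255.0.0 Tunnel0
```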

Administrateurs... Wed, 03/24/2010 - 06:25

I know I'll lose flexibility, but our old network works like this; we have been troubleshooting it for a couple of years.  We know what kind of issues it will probably have.  But not with Easy VPN.  I have never used it.


But you convinced me to take a look at Easy VPN.

Administrateurs... Wed, 03/24/2010 - 06:30

Which solution has the lower CPU and memory consumption?  (Easy VPN or dynamic crypto map)


Thanks again

slmansfield Wed, 03/24/2010 - 06:39
User Badges: Silver, 250 points or more

I understand your reluctance to go to an unfamiliar technology, but I think it is worthwhile to consider Easy VPN unless you are connecting to remote sites that do not have Cisco devices.


Assuming all of your sites use Cisco VPN devices, one problem you may have encountered is that clearing the IPsec SAs for a specific VPN tunnel does not work.  The only remedy is to remove and replace the crypto map, which impacts all of your other sites.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10


With regards to your question about performance, Easy VPN is a new technology, aimed at improving performance for your applications.


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html

Jonn cos Fri, 03/26/2010 - 04:58

"We already have a DMVPN configuration in our 300 spokes.  It's a single cloud, dual hub DMVPN network.  We need to create a separate VPN network infrastructure with those 300 spokes but linked through 2 remote HQ sites.  Those 2 remote sites have public static IPs, but our spokes use dynamic addressing."


I didn't quite understand why you need a separate VPN infrastructure.  Personally I don't like using routers as endpoints in Easy VPN, but that's just me :-).  Can you explain why you want to divert from your DMVPN setup, or why you can't have dedicated P2P tunnels for the 2 sites running NHRP, thus solving your problem of dynamic IPs!!

Administrateurs... Fri, 03/26/2010 - 05:21

The main reason is that for a specific purpose we can't route this traffic through our hub infrastructure at all.  We use a phase 2, spoke-to-spoke DMVPN setup.

So we know the first packet will go through the path "spoke-hub-spoke" while the spoke-to-spoke dynamic tunnel comes up.  We also don't want those routers to be hubs (answering NHRP requests).


If you have a DMVPN setup that routes the packets directly to those routers without considering them as hubs, I'll be happy.


Thanks a lot
