Tunnel Interface instead of crypto map

Unanswered Question
Mar 23rd, 2010

Hi All

Can someone tell me what the difference is between creating a site-to-site VPN tunnel with a crypto map and creating a site-to-site VPN tunnel with a tunnel interface?

Thank you very much
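The two approaches the question asks about, written out side by side as an added example (not configuration from this thread or from Cisco's documentation). Both variants encrypt traffic between LAN-A (192.168.1.0/24) and LAN-B (192.168.2.0/24) from Router A to a peer Router B; the addresses are RFC 5737 documentation ranges, the pre-shared key is a placeholder, and the policy numbers and names are assumptions. The practical difference is where the "what gets encrypted" decision lives: with a static VTI it is a routing decision into the tunnel interface, with a crypto map it is the crypto ACL on the physical interface.

```cisco
! ---- Common to both variants (Router A = 198.51.100.1, peer Router B = 203.0.113.2) ----
! Assumed/constructed values: RFC 5737 addresses, placeholder PSK, names chosen for this example.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! ---- Variant 1: static VTI (tunnel interface) ----
! Tunnel0 is a real routable interface; anything routed into it is encrypted.
! The IPsec profile replaces the crypto map, and there is no crypto ACL.
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
! Traffic selection is routing: a static route here, or a routing protocol running over Tunnel0.
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ---- Variant 2: crypto map on the physical interface ----
! No tunnel interface exists. The crypto ACL is the proxy identity negotiated in phase 2,
! so the peer's ACL must be its mirror image, and each ACL entry gets its own IPsec SA.
ip access-list extended VPN-TO-B
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CM-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TO-B
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-SITE
!
! Checks that apply to either variant:
!   show crypto isakmp sa     - IKE phase 1 state per peer
!   show crypto ipsec sa      - phase 2 SAs with encrypt/decrypt counters
!   show interface Tunnel0    - VTI only: line protocol tracks the IPsec SA, so routing follows it
```

Only one of the two variants is applied to GigabitEthernet0/0 on a given router; they are shown together so the configurations can be compared. The VTI variant also gives you an interface to apply QoS, ACLs or a routing protocol to, which a crypto map does not offer.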

Administrateurs... Tue, 03/23/2010 - 10:22

Thank you very much.  For sure it helps.

If I want to use a static VTI for an IPSec VPN tunnel between 2 routers, but 1 of my routers uses a public static address and the other does not (DSL connection),

I won't be able to put the tunnel destination command.  How should I configure it?

Thanks again

Administrateurs... Tue, 03/23/2010 - 11:08

If I do not want to use Easy VPN, can I do it with a static VTI?  Or should I switch to a crypto map?

Thank you very much for your help.

Administrateurs... Tue, 03/23/2010 - 12:30

We already have a DMVPN configuration in our 300 spokes.  It's a single cloud, dual hub DMVPN network.  We need to create a separate VPN network infrastructure with those 300 spokes but linked through 2 remote HQ sites.  Those 2 remote sites have public static IPs, but our spokes use dynamic addressing.

I need something simple.  I checked out your examples, but only Easy VPN talks about unknown remote IPs.

Here's my concern.

I'll probably use a crypto map instead of VTI.  What do you think?

slmansfield Tue, 03/23/2010 - 12:48

What do you see as the advantage of crypto maps over Easy VPN?

If your spoke IP addresses are assigned dynamically, you could use dynamic crypto maps on your hub site, as in this example, but with this legacy setup you lose flexibility.  Avoiding crypto maps reduces problems with the management of a large number of VPN tunnels to your hub site.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
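The dynamic crypto map arrangement described in the reply above, as an added example that is not from this thread or from the linked Cisco document. It addresses the earlier problem that a static VTI needs a fixed "tunnel destination": the hub (static public address) carries a dynamic map entry that accepts whichever source address a spoke arrives from, and each DSL spoke runs an ordinary static crypto map pointing at the hub. Addresses are RFC 5737 documentation ranges, the PSK is a placeholder, and the spoke LAN and hub-side prefix are assumptions.

```cisco
! ---- Hub (public static address 203.0.113.2); spoke addresses are not known in advance ----
! Assumed/constructed values: RFC 5737 addresses, placeholder PSK, names chosen for this example.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard key: any source address may start IKE with this PSK. One group key shared by 300
! spokes means a single stolen spoke config exposes all of them; certificate (rsa-sig)
! authentication avoids the shared secret and lets you revoke one spoke.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Dynamic map: deliberately no "set peer" and no "match address". The hub accepts the peer
! address and the proxy identities the spoke proposes, which is why only spokes can initiate.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS-AES256
 reverse-route
!
! Reverse-route injection installs a static route to each spoke's LAN when its SA comes up,
! so the hub's routing table reflects which spokes are actually connected.
! The dynamic entry takes the highest sequence number so any static entries are matched first.
crypto map CM-HUB 100 ipsec-isakmp dynamic DYN-SPOKES
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map CM-HUB
!
! ---- Spoke (DSL, dynamically assigned address) ----
! Same isakmp policy and transform set as the hub (repeated here for completeness).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Spoke LAN 192.168.10.0/24 to hub-side networks 10.0.0.0/8 (assumed prefixes).
ip access-list extended VPN-TO-HUB
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto map CM-SPOKE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TO-HUB
!
! The map goes on the interface that holds the public address, the PPPoE dialer on DSL.
interface Dialer1
 crypto map CM-SPOKE
!
! On the hub, "show crypto isakmp sa" lists one entry per connected spoke, and
! "show ip route static" shows the routes that reverse-route added for them.
```

The trade-off the reply points at is visible in the hub half: because the dynamic entry has no peer and no ACL, the hub cannot bring a tunnel up on its own, and the single CM-HUB map is shared by every spoke, so maintenance on it affects all of them at once.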

Administrateurs... Wed, 03/24/2010 - 06:25

I know I'll lose flexibility, but our old network works like this and we have been troubleshooting it for a couple of years.  We know what kind of issues it will probably have, but not with Easy VPN.  I have never used it.

But you convinced me to take a look at Easy VPN.

Administrateurs... Wed, 03/24/2010 - 06:30

Which solution has the lower CPU and memory consumption? (Easy VPN or dynamic crypto map)

Thanks again

slmansfield Wed, 03/24/2010 - 06:39

I understand your reluctance to go to an unfamiliar technology, but I think it is worthwhile to consider Easy VPN unless you are connecting to remote sites that do not have Cisco devices.

Assuming all of your sites use Cisco VPN devices, one problem you may have encountered is that clearing the IPSEC SA's for a specific VPN tunnel does not work.  The only remedy is to remove and replace the crypto map, which impacts all of your other sites.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10

With regards to your question about performance, Easy VPN is a new technology, aimed at improving performance for your applications.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html

Jonn cos Fri, 03/26/2010 - 04:58

"We already have a DMVPN configuration in our 300 spokes.  It's a single cloud, dual hub DMVPN network.  We need to create a separate VPN network infrastructure with those 300 spokes but linked through 2 remote HQ sites.  Those 2 remote sites have public static IPs, but our spokes use dynamic addressing."

I didn't quite understand why you need a separate VPN infrastructure. Personally I don't like using routers as endpoints in Easy VPN, but that's just me :-). Could you explain why you want to divert from your DMVPN setup, or why you can't have dedicated P2P tunnels for the 2 sites running NHRP, thus solving your problem of dynamic IPs?

Administrateurs... Fri, 03/26/2010 - 05:21

The main reason is that, for a specific purpose, we can't route this traffic through our hub infrastructure at all.  We use a phase 2, spoke-to-spoke DMVPN setup.

So we know the first packet will go through the path "spoke-hub-spoke" while the spoke-to-spoke dynamic tunnel comes up.  We also don't want those routers to be hubs (answering NHRP requests).

If you have a DMVPN setup that routes the packets directly to those routers without considering them as hubs, I'll be happy.

Thanks a lot
