03-23-2010 07:19 AM
Hi All
Can someone tell me what the difference is between creating a site-to-site VPN tunnel with a crypto map and creating a site-to-site VPN tunnel with a tunnel interface?
Thank you very much
03-23-2010 09:08 AM
The use of a Virtual Tunnel Interface provides greater ease of deployment and more flexibility at layer 3 with a routable interface. Here is a document explaining the virtues of VTIs. HTH
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.pdf
03-23-2010 10:22 AM
Thank you very much. For sure it helps.
If I want to use a static VTI for an IPsec VPN tunnel between 2 routers, but 1 of my routers uses a public static address and the other does not (DSL connection),
I won't be able to put in the tunnel destination command. How should I configure it?
Thanks again
03-23-2010 10:55 AM
Here's an example of using Easy VPN with IPSEC DVTIs. The remote router gets its outside address via DHCP. HTH
03-23-2010 11:08 AM
If I do not want to use Easy VPN, can I do it with a static VTI? Or should I switch to a crypto map?
Thank you very much for your help.
03-23-2010 11:38 AM
Here are some other examples of using static and dynamic VTIs.
You could also use DMVPN, which in this example shows a spoke site using DHCP to assign its outside address.
http://www.cisco.com/application/pdf/paws/41940/dmvpn.pdf
HTH
03-23-2010 12:30 PM
We already have a DMVPN configuration in our 300 spokes. It's a single cloud, dual hub
DMVPN network. We need to create a separate VPN network infrastructure with those 300
spokes, but linked through 2 remote HQ sites. Those 2 remote sites have public static IPs, but our spokes use dynamic addressing.
I need something simple. I checked out your examples, but only Easy VPN talks about unknown remote IPs.
Here's my concern.
I'll probably use a crypto map instead of a VTI. What do you think?
03-23-2010 12:48 PM
What do you see is the advantage of crypto maps over Easy VPN?
If your spoke IP addresses are assigned dynamically, you could use dynamic crypto maps on your hub site, as in this example, but with this legacy setup you lose flexibility. Avoiding crypto maps reduces problems with the management of a large number of VPN tunnels to your hub site.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
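Hub-side configuration for the dynamic crypto map approach described above, as an added example that is not part of this thread or of the linked Cisco document. The interface, addresses, names (HUBMAP, DYN, TS) and the pre-shared key placeholder are assumptions, and the SHA-256 options assume an IOS release that supports them.

```cisco
! Hub router: accepts IKEv1/IPsec from spokes whose outside address is not known in advance.
! The spoke initiates; the hub cannot initiate because it has no fixed peer address.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Placeholder key. A wildcard (0.0.0.0) entry is what a dynamic-address spoke forces you into
! with pre-shared keys: every spoke shares one secret, so one compromised spoke can impersonate
! any other. Certificates (or per-spoke identities) avoid that and are preferable at 300 spokes.
crypto isakmp key REPLACE_WITH_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The dynamic map carries no "set peer" and no "match address": both are learned from the
! spoke's proposal. "reverse-route" injects a static route to each spoke's protected subnet
! when its SA comes up, so the hub's routing follows the tunnels without manual statics.
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
! Dynamic entries must carry the highest sequence number so that any static entries
! (fixed peers such as the other HQ site) are evaluated first.
crypto map HUBMAP 65535 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 description Outside (public static address, assumed)
 ip address 198.51.100.1 255.255.255.0
 crypto map HUBMAP
!
! Spoke side, for contrast: a normal static crypto map pointing at the hub's fixed address.
! The spoke's own address may change, so only the hub is named as a peer.
! crypto map SPOKEMAP 10 ipsec-isakmp
!  set peer 198.51.100.1
!  set transform-set TS
!  match address VPN-TRAFFIC
```

The "clear crypto sa peer" limitation mentioned later in the thread applies to this layout too: because all spokes hang off one crypto map on one interface, maintenance of a single spoke's SAs can end up touching the shared map.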
03-24-2010 06:25 AM
I know I'll lose flexibility, but our old network works like this, and we have been troubleshooting it for a couple of years. We know what kind of issues it will probably have. But not with Easy VPN; I have never used it.
But you convinced me to take a look at Easy VPN.
03-24-2010 06:30 AM
Which solution has the lower CPU and memory consumption? (Easy VPN or dynamic crypto map)
Thanks again
03-24-2010 06:39 AM
I understand your reluctance to go to an unfamiliar technology, but I think it is worthwhile to consider Easy VPN unless you are connecting to remote sites that do not have Cisco devices.
Assuming all of your sites use Cisco VPN devices, one problem you may have encountered is that clearing the IPSEC SAs for a specific VPN tunnel does not work. The only remedy is to remove and replace the crypto map, which impacts all of your other sites.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
With regards to your question about performance, Easy VPN is a new technology, aimed at improving performance for your applications.
03-26-2010 04:58 AM
"We already have a DMVPN configuration in our 300 spokes. It's a single cloud, dual hub
DMVPN network. We need to create a separate VPN network infrastructure with those 300
spokes, but linked through 2 remote HQ sites. Those 2 remote sites have public static IPs, but our spokes use dynamic addressing."
I didn't quite understand why you need a separate VPN infrastructure. Personally I don't like using routers as endpoints in Easy VPN, but that's just me :-). Can you explain why you want to divert from your DMVPN setup, or why you can't have dedicated P2P tunnels for the 2 sites running NHRP, thus solving your problem of dynamic IPs?
03-26-2010 05:21 AM
The main reason is that, for a specific purpose, we can't route this traffic through our hub
infrastructure at all. We use a phase 2, spoke-to-spoke DMVPN setup.
So we know the first packet will go through the path "spoke-hub-spoke" while the spoke-to-spoke dynamic tunnel comes up. We also don't want those routers to be hubs (answering NHRP requests).
If you have a DMVPN setup that routes the packets directly to those routers without considering them as hubs, I'll be happy.
Thanks a lot
03-26-2010 06:38 AM
Have you looked at the phase 3 enhancements to DMVPN? Spoke-to-spoke traffic does not go through the hub. HTH