DMVPN encryption High CPU

May 23rd, 2010

Hi,


We use Cisco 3725 for both hub and spoke routers. We are using static routing for now as a temp solution. IOS ver is (C3725-ADVSECURITYK9-M), Version 12.4(7c).


We want to keep our DMVPN setup but lower the encryption on all routers, as it is causing high CPU on some of them with software encryption. Current use of the tunnels is VOIP traffic and sometimes file transfer. Since we are not upgrading to a 3800 using AIM modules, I would like to lower the encryption or, if possible, remove it altogether.


Any tips on what I should use to have a bit of safety but not so much that it may raise the router resources? The main purpose of the tunnels is to keep the config as small as possible and VOIP.


Below is our HUB and SPOKES config:


HUB

crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set private esp-3des esp-md5-hmac
!
crypto ipsec profile cisco4eva
set transform-set private
!
interface Tunnel0
description DMVPN_HUB
ip address 172.1.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 1
no clns route-cache
tunnel source FastEthernet2/0
tunnel mode gre multipoint
tunnel key 69
tunnel protection ipsec profile cisco4eva
!
interface FastEthernet2/0
description INTERNET

========================================================

SPOKES

crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set private esp-3des esp-md5-hmac
!
crypto ipsec profile cisco4eva
set transform-set private
!
interface Tunnel1
description DMVPN_SPOKE
ip address 172.1.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication test
ip nhrp map 172.1.1.1 X.X.X.X
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.1.1.1
ip nhrp registration no-unique
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 69
tunnel protection ipsec profile cisco4eva
!
interface FastEthernet0/0
description INTERNET



Thanks

Leo Laohoo Sun, 05/23/2010 - 23:08

I presume the 3725 does not have an encryption module?

Peter Valdes Sun, 05/23/2010 - 23:37

Hi leolaohoo,


Yes, we do not have it on our 3725. We are going to upgrade to a 3825 for the purpose of having wireless and IP camera NMEs but won't be done until next year.


Thanks

Leo Laohoo Mon, 05/24/2010 - 15:11

And what bandwidth do you have?
