DMVPN encryption High CPU

Peter Valdes
Level 3

Hi,

We use Cisco 3725 for both hub and spoke routers. We are using static routing for now as a temp solution. IOS ver is (C3725-ADVSECURITYK9-M), Version 12.4(7c).

We want to keep our DMVPN setup but lower the encryption on all routers, as it is causing some to run with high CPU on software encryption. Current use of the tunnels is VOIP traffic and sometimes file transfer. Since we are not upgrading to a 3800 using AIM modules, I would like to lower the encryption or, if possible, remove it altogether.

Any tips on what I should use to have a bit of safety but not too much that may raise the router resource? The main purpose of the tunnels is to keep the config as small as possible and VOIP.

Below is our HUB and SPOKES config:

HUB

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set private esp-3des esp-md5-hmac
!
crypto ipsec profile cisco4eva
 set transform-set private
!
interface Tunnel0
 description DMVPN_HUB
 ip address 172.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no clns route-cache
 tunnel source FastEthernet2/0
 tunnel mode gre multipoint
 tunnel key 69
 tunnel protection ipsec profile cisco4eva
!
interface FastEthernet2/0
 description INTERNET

========================================================

SPOKES

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set private esp-3des esp-md5-hmac
!
crypto ipsec profile cisco4eva
 set transform-set private
!
interface Tunnel1
 description DMVPN_SPOKE
 ip address 172.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication test
 ip nhrp map 172.1.1.1 X.X.X.X
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.1.1.1
 ip nhrp registration no-unique
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 69
 tunnel protection ipsec profile cisco4eva
!
interface FastEthernet0/0
 description INTERNET

Thanks
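
An added example, not part of the original post or any Cisco tooling: a Python check over a config like the one above that reports the legacy IKE/IPsec settings in use and flags any tunnel interface left without `tunnel protection`, which is the state that removing encryption altogether would leave. The sample is constructed from the posted hub lines; `Tunnel9` and the `audit` function are hypothetical.

```python
import re

# Constructed sample: crypto and tunnel lines as posted for the hub, plus a
# hypothetical Tunnel9 with no IPsec profile (encryption removed altogether).
SAMPLE = """\
crypto isakmp policy 1
 encr 3des
crypto isakmp key test address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set private esp-3des esp-md5-hmac
!
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco4eva
!
interface Tunnel9
 tunnel mode gre multipoint
"""

LEGACY = {"des", "3des", "esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
HEADER = re.compile(r"(crypto isakmp policy \d+|crypto ipsec profile \S+|interface \S+)$")

def audit(config):
    """Return (where, finding) pairs; accepts indented or flattened configs."""
    findings, tunnels, ctx = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if not words:
            continue
        if line == "!":
            ctx = None                      # section separator
        elif HEADER.match(line):
            ctx = line                      # remember which section we are in
            if line.startswith("interface Tunnel"):
                tunnels[line] = False       # no IPsec protection seen yet
        elif line.startswith("crypto isakmp key ") and line.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append(("isakmp key", "pre-shared key accepted from any peer address"))
        elif line.startswith("crypto ipsec transform-set "):
            for t in words[4:]:             # words[3] is the transform-set name
                if t in LEGACY:
                    findings.append((f"transform-set {words[3]}", f"legacy transform {t}"))
        elif (ctx or "").startswith("crypto isakmp policy") and words[0] in ("encr", "encryption") and words[-1] in LEGACY:
            findings.append((ctx, f"legacy cipher {words[-1]}"))
        elif ctx in tunnels and line.startswith("tunnel protection ipsec profile "):
            tunnels[ctx] = True
    findings += [(t, "GRE tunnel without IPsec protection") for t, ok in tunnels.items() if not ok]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```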

3 Replies

Leo Laohoo
Hall of Fame

I presume the 3725 does not have an encryption module?

Hi leolaohoo,

Yes, we do not have it on our 3725. We are going to upgrade to a 3825 for the purpose of having wireless and IP camera NMEs but won't be done until next year.

Thanks

And what bandwidth do you have?
