Cisco Support Community
Community Member

Cisco IPSec VPN tunnel redesign using DMVPN

I am looking to redesign my current VPN architecture to take advantage of the new DMVPN features. I currently have a hub/spoke design with Cisco 1710 routers as the spokes and a Cisco 3005 VPN Concentrator as the hub.

My first question would be what hardware should I look to purchase for the hub, assuming that the 3005 does not support DMVPN features.

Also, I’ve always thought of allowing dynamic addresses to initiate VPN tunnels as a bit of a security risk since someone would only have to guess the isakmp key to impersonate a spoke and initiate a tunnel. Can anyone suggest/explain how to combat this if you implement DMVPN? Should the hub device just be in your DMZ and you rely on ACLs at your PIX to limit this threat from getting into your intranet?

Any assistance and/or personal experiences would be greatly appreciated.

Justin Loucks

Network Engineer

Cardinal Logistics Management

Community Member

Re: Cisco IPSec VPN tunnel redesign using DMVPN

There is a tool called the Feature Navigator; this tool will help you make a choice based on device, IOS version or features. I guess you should give it a try. Broadly, however, I think DMVPN was introduced in 12.2(13)T and is supported on the platforms that support that release.

Community Member

Re: Cisco IPSec VPN tunnel redesign using DMVPN

We currently use several IOS boxes, 26 / 36 / 71 / 72xx's, with IOS GRE in IPSec. Security is provided by the following:

Access List

No split tunneling/default route

Default route on the "inside" of the network, stateful

rotating key encryption, PFS

regular changing of the ISAKMP keys

Physical security of the routers

As I see DMVPN (we set up a test configuration in our lab), yes, you are authenticating based on ISAKMP. Preshared keys alone are not enough to pass our audit standards, so we go the extra distance to secure the VPN network.

There are a number of benefits to a GRE/IPSec combination solution for a VPN network though, enough in our case to outweigh the additional work that it takes to maintain the configuration.

When we looked at NHRP/DMVPN, we decided to stay with our current static GRE/IPSec, and add GRE keepalive.
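As an added illustration, not posted by either participant above, here is a spoke-side IOS configuration sketch of the kind of static GRE-over-IPsec setup the previous reply describes, with the listed controls written out: an inbound access list on the outside interface that admits only ISAKMP and ESP from the hub, a crypto ACL that limits the SA to GRE between the two fixed endpoints, PFS and a short SA lifetime so session keys rotate, a pre-shared key bound to one hub address instead of a wildcard (the wildcard form is shown commented out, since that is exactly the "guess the key and impersonate a spoke" exposure raised in the original question), a default route through the tunnel so there is no split tunneling, and a GRE keepalive so a dead tunnel is detected. All addresses, names and the key string are placeholders, and the ISAKMP key itself would still need to be changed on a schedule outside this config.

```cisco
! --- Phase 1: ISAKMP policy and pre-shared key (placeholder values) ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! Key is bound to the hub's fixed address only. The wildcard form below
! would let any source that knows the key build an SA, which is the
! risk the original question describes, so it is left commented out:
! crypto isakmp key CHANGE-ME-WEAK address 0.0.0.0 0.0.0.0
crypto isakmp key CHANGE-ME-ROTATE-REGULARLY address 198.51.100.1
!
! --- Phase 2: transform set, PFS and a short SA lifetime (key rotation) ---
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map CM-HUB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 set pfs group2
 set security-association lifetime seconds 3600
 match address CRYPTO-GRE-TO-HUB
!
! Crypto ACL: only GRE between the two fixed tunnel endpoints is protected,
! so nothing else can ride the SA.
ip access-list extended CRYPTO-GRE-TO-HUB
 permit gre host 203.0.113.10 host 198.51.100.1
!
! Outside access list: only ISAKMP and ESP from the hub reach this router.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.10
 deny ip any any log
!
! --- GRE tunnel with keepalive ---
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 keepalive 10 3
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
interface FastEthernet0
 description Outside / Internet
 ip address 203.0.113.10 255.255.255.248
 ip access-group OUTSIDE-IN in
 crypto map CM-HUB
!
interface FastEthernet1
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
!
! No split tunneling: all traffic goes through the tunnel; the only
! route out the physical interface is the one needed to reach the hub.
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 198.51.100.1 255.255.255.255 203.0.113.9
```

The hub mirrors this with the addresses swapped and one crypto map entry (or dynamic crypto map) per spoke. Note that binding the key to a single peer address is what this static design buys over a DMVPN hub accepting dynamically addressed spokes; if spokes must have dynamic addresses, the same pre-shared key necessarily has to be accepted from any source, which is why the previous reply treats pre-shared keys alone as insufficient.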
