I am new to DMVPN's, have been doing IPSec on PIX and Routers for some time though.
In the DMVPN world, can you build it on a PIX?
Can you have a DMVPN tunnel and seperte crypto map IPSec tunnels on the same device?
For example. We have customers who have point to point IPSec VPN's. I do not want them to be able to communicate to other customers, their traffic must remain ignorant to any other traffic. However, we have remote offices that do need to communicate with each other and the DMVPN product seems to help with that solution, rather build a tunnel between the two with one config rather 2 seperate crypto maps with IPSec tunnels set up.
No, dmvpn uses nhrp and an ipsec profile on a tunnel interface. the pix has no concept of dmvpn, which by definition provides on the fly dynamic spoke-to-spoke tunnels.
>Can you have a DMVPN tunnel and seperte >crypto map IPSec tunnels on the same device?
Absolutely. On an IOS router this is quite common. DMVPN on via an ipsec profile applied on the tunnel interface, yet a static crypto-map on another physical/virtual interface.
For your customers to hub connections ->
I believe the best solution to your issue is GRE over IPSEC. This will allow you to run dynamic routing over gre tunnels, which are themselves encrypted inside ipsec/esp (tunnel-mode) packets between endpoint's public ip addresses. You can then use any common route-filter method (distribution lists, prefix-lists, etc.) to filter routes learned between vpn endpoints.
for your remote offices ->
If you have remote offices than do need to communicate directly to each other, with out transiting a hub site, i recommend you look into the 871/1841 series routers and configuring dmvpn. You can then have them also on a dmvpn back to the corporate hub or hubs. its common with DMVPN to have 2 hub routers for redundancy.
I have been building tunnels for several years and very familiar with the crypto maps, routing, and acl's to make this all happen on the PIX. The place I am now uses DMVPN's and this is new to me. There are some applications I see great use for, then others I am not sure what they are doing and why other than this is what someone told them to do.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :