The DMVPN documentation says that IPSec must be used with DMVPN. Yet the older mGRE IOS feature does offer non-dynamic mGRE without the IPSec layer.
Is there a way to create dynamic (NHRP) mGRE networks without including the IPSec layer that seems to be bundled with the DMVPN feature? Does DMVPN actually work without IPSec? If not, is anything planned in future IOS?
NHRP has been in IOS for some time. I'm not aware of any IPSec requirement to get NHRP to work.
IPSec would be required to encrypt the GRE tunnels. It doesn't have any other purpose that I'm aware of. DMVPN's "new" function is the dynamic nature of IPSec being used in combination with NHRP. Dynamic ISAKMP/IPSec + NHRP = new marketing term DMVPN. Very cool idea for those organizations that can use it.
1. Yes, you can do NHRP/GRE multipoint in older SW releases, it works fine.
2. Yes, you can do IPSec with NHRP/GRE in older software releases using Tunnel Endpoint Discovery. It works fine too.
3. The newer DMVPN IOS releases get away from the need to apply a crypto map to both the tunnel interface and the physical interface. This is a big deal if you want to do, say, VPN RAS to the same router.
4. Other improvements in the DMVPN releases are to do with NHS registrations. These were notoriously unreliable in earlier versions, meaning that you couldn't really rely on a site with a dynamically assigned address registering with the NHS and this information then being distributed in a timely manner.
5. Problems with IPSec/GRE multipoint vs standard hard-coded IPSec include that there is no way of determining that encapsulated traffic has come from the correct peer on the VPN mesh, as this is accomplished by virtue of routing within the GRE mesh. Some of us are waiting for enhancements to GRE or RPF so that traffic arriving on the MGRE interface can be confirmed as coming from the correct VPN peer, not just any of them.
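The setup discussed in this thread, as an added example that is not part of any post above: an NHRP/mGRE hub and spoke with no IPSec layer, followed by the lines that add encryption through a tunnel protection profile instead of crypto maps. All addresses (10.0.0.0/24 overlay, 192.0.2.1 hub underlay), interface names, the tunnel key, the profile and transform-set names, and the pre-shared key placeholder are constructed for illustration.

```cisco
! --- Hub: dynamic mGRE with NHRP only (traffic is NOT encrypted) ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ! learn spoke mappings from their NHS registrations
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
!
! --- Spoke: registers with the hub acting as NHS ---
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ! static mapping of the hub's tunnel address to its underlay address
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
!
! --- Added on hub and spokes to encrypt the same tunnels ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! wildcard peer because spoke addresses are dynamic; key is a placeholder,
! certificates avoid sharing one key across the whole mesh
crypto isakmp key <PLACEHOLDER-PSK> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ! bound to the tunnel only; no crypto map on tunnel or physical interface
 tunnel protection ipsec profile DMVPN-PROF
```

Without the last section the mesh still forms and routes, but GRE payloads cross the underlay in cleartext; `show ip nhrp` and `show crypto ipsec sa` confirm the registrations and whether the tunnel traffic is actually being encrypted.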