I would imagine as the amount of sites increases the L2L VPN setup might get complicated simply by the amount of configurations.
I guess the only other option with the ASA firewalls in use is the use of EasyVPN. The hub site would use a Remote Access configuration for all the different sites to connect to it. To my understanding though the only device model supported as a Remote Site Hardware Client would be ASA5505.
Sadly I have not dealt much with the Cisco IOS VPN solutions but as I understand Dynamic Multipoint VPN would be the most suitable choice when considering a network with multiple sites and traffic between those sites. Naturally this would mean that you would have to change the hardware and I got the picture that this might not be possible because of cost? ASA doesn't support anything else than L2L VPN and EasyVPN that you can use to connect sites together.
I am sure that someone else can better inform you about the DMVPN and other Cisco IOS related VPN solutions.
Jouni is correct that the most scalable solution is the DMVPN. Once the Hub is set up then you only need to configure the spokes. This will also allow for tunnels to be dynamically configured between the spoke sites if you like.
As for continuing using the ASAs, then again as Jouni has mentioned we are stuck with L2L VPN and EasyVPN. I have never really liked EasyVPN so my preference would lean toward L2L...but to each his own.
Please remember to rate and select a correct answer
To add to the excellent info provided by the folks above.
Problem with policy-based VPN (crypto maps in Cisco world) is that you need to establish your traffic selectors explicitly.
i.e. you need to know what traffic is or is not interested for encryption.
VTI solution (which ASA does not support) is route-based VPN, i.e. it allows you to run IPv4 or IPv6 over IPsec and choose traffic for encryption based on routing.
The second type is what makes sense to most people and is increasingly more popular, however crypto maps are essentially what is deployed the most and offer best inter-operability (debated by some).
In case of hub and spoke type of deployments on ASA you need to typically look into "local subnet to any" traffic selectors (on spokes) if you want to worry least about adding new subnets/sites and want to accommodate connectivity between sites over central VPN.
As Jouni mentions we typically recommend DMVPN or FlexVPN in situations like this, for a simple reason, those solutions are route-based and support dynamic on-demand, direct, spoke to spoke tunnels, which allow you to reach better performance and scalability.
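Added example (not part of the reply above, and not Cisco's own configuration): the "local subnet to any" crypto-map pattern for an ASA hub-and-spoke, shown for one spoke and the matching hub entry, so the selector mirroring and the hub-side hairpin that make spoke-to-spoke traffic work are visible. Addresses (hub 203.0.113.1, spoke 198.51.100.2, LANs 10.0.0.0/24 and 10.1.0.0/24), interface names `inside`/`outside`, and all object, ACL, map and proposal names are assumptions; the pre-shared key is a placeholder. Syntax is ASA 9.x with IKEv2 and 8.3+ style NAT.

```cisco
! ===== Spoke ASA (outside 198.51.100.2, inside LAN 10.1.0.0/24) =====
! Traffic selector: local LAN to ANY. Adding a new hub-side subnet or a new spoke
! site needs no change here. Caveat: "any" includes Internet destinations, so all
! spoke traffic, Internet included, is sent to the hub and must be handled there.
access-list VPN-TO-HUB extended permit ip 10.1.0.0 255.255.255.0 any
!
! NAT exemption: the crypto ACL is matched after NAT, so keep the LAN untranslated
! toward every destination (matches the "any" in the selector)
object network SPOKE1-LAN
 subnet 10.1.0.0 255.255.255.0
object network ANY-DEST
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static ANY-DEST ANY-DEST
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
crypto ikev2 enable outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>

! ===== Hub ASA (outside 203.0.113.1, inside LAN 10.0.0.0/24) =====
! One crypto map entry per spoke; the selector mirrors the spoke's (ANY -> spoke LAN).
! This is the part that still grows linearly with the number of sites.
access-list VPN-TO-SPOKE1 extended permit ip any 10.1.0.0 255.255.255.0
!
! Spoke-to-spoke traffic arrives on "outside" from one tunnel and leaves on "outside"
! into another: the ASA drops such U-turns unless this is enabled
same-security-traffic permit intra-interface
!
! Hub LAN must stay untranslated toward the spoke LAN
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
object network SPOKE1-LAN
 subnet 10.1.0.0 255.255.255.0
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE1-LAN SPOKE1-LAN
!
! Same IKEv2 policy and IPsec proposal as on the spoke (repeat the two blocks above)
crypto map OUTSIDE-MAP 10 match address VPN-TO-SPOKE1
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
! Each further spoke gets its own sequence number, ACL, peer and tunnel-group:
! crypto map OUTSIDE-MAP 20 match address VPN-TO-SPOKE2 ...
crypto map OUTSIDE-MAP interface outside
crypto ikev2 enable outside
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
```

Two things to verify after applying this: the hub's routing must send each spoke LAN out `outside` (a default route pointing there is enough) or the crypto map never sees the packet, and `show crypto ipsec sa` on the spoke should show a single SA pair with a 10.1.0.0/24 to 0.0.0.0/0 selector rather than one per remote subnet. Because every spoke's "any" selector overlaps every other spoke's LAN, all inter-site traffic is forced through the hub and is inspected by the hub's policy, which is the design property that makes this manageable, and also the reason the thread points to DMVPN/FlexVPN when direct spoke-to-spoke paths are wanted.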