03-05-2004 03:59 PM
I have a hub-and-spoke environment using PIXes as VPN tunnel endpoints where I would be adding spokes dynamically. I cannot afford any downtime for the existing VPN tunnels. With LAN-to-LAN, whenever I add new sites I have to reapply the crypto map on the interface, which will bring all my tunnels down.
I was thinking of using EzVPN in network extension mode to overcome this problem.
When I add sites dynamically, all I have to do is add a new vpngroup with split tunnelling. I don't think I have to remove the crypto map on the interface and reapply it. Can anyone confirm?
03-08-2004 12:54 PM
EasyVPN is a perfect solution, but only if you have one subnet per site. I have implemented a PIX EasyVPN solution with about 30 PIXes running 6.2.x (spokes). One in the center.
Possible problems:
EasyVPN can announce only one protected subnet, for dynamic crypto maps.
The central PIX does not allow spoke-to-spoke traffic to be routed through the central PIX EasyVPN Server. This is a PIX restriction by design. So I placed an IOS router in the center.
Half a year - no calls from the customer.
03-09-2004 01:37 PM
edited post..........
I think EzVPN is the best solution under your circumstances.
"I have a hub-and-spoke environment using PIXes as VPN tunnel endpoints where I would be adding spokes dynamically"
I was going to suggest using Dynamic Multipoint VPN, but I reread your post (you are running PIXes as tunnel endpoints).