We have recently moved encryption to the Application Layer of our network; this was a business requirement for other reasons. But from the network department we see this as an opportunity to increase the scalability and longevity of our routers.
We are currently running a DMVPN network with approximately 800 spoke nodes, the majority being c871s. We would like to migrate the DMVPN to plain old mGRE, as the encryption is no longer a requirement of the Network Layer. This, however, doesn't seem like an easy task. I am trying to investigate the different options available to me to complete this migration. For some reason I thought there was a way to make the encryption in DMVPN optional, such that I could make the hubs optional and then migrate the spokes; however, this is contingent on encryption being optional. If not, the only way I can see of accomplishing this is creating a new NHRP hub and migrating the spokes to this new hub one by one.
I'm all ears if someone could validate the "optional" option, or if there is a third or fourth option.
So, you need the tunneling but not the encryption at L3. In a DMVPN environment, normally IPsec provides the encryption while GRE provides the tunneling.
This is why you're considering plain-old GRE tunnels (without encryption).
Now, the main purpose of IPsec is encryption. You can disable encryption for phase 2 on the transform set, but you can't have a policy for phase 1 for IPsec without encryption (you need to choose between DES, 3DES or AES).
If your final goal is to remove encryption at the network layer and leave only the tunnel, I see only the GRE option (unfortunately this option is manual and not very flexible). The problem here is that if we involve IPsec, it means encryption at L3 (at least for phase 1).
If you are not interested in Federico's option based on esp-null in the transform set, you can create another mGRE tunnel on the hub with a new IP addressing plan and then migrate your spokes to this new cloud. It will be very smooth, assuming you are already using an IGP in your encrypted tunnels.
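The two options from the answers above, side by side, as an added IOS configuration example that is not from the original thread: the existing DMVPN cloud kept with an esp-null transform set (IKE phase 1 still needs a cipher, as noted), and a second plain mGRE cloud on the hub that spokes are moved to one at a time. Interface names, addresses, tunnel keys, NHRP network-ids and the pre-shared key are constructed placeholders; the spoke uses the c871 WAN port FastEthernet4.

```cisco
! --- HUB ---
! Option 1: keep IPsec, but make phase 2 integrity-only (esp-null).
! Phase 1 (ISAKMP) still requires a cipher; AES is chosen here.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS-NULL esp-null esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-NULL
 set transform-set TS-NULL
!
interface Tunnel0
 ip address 10.0.0.1 255.255.252.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-NULL
!
! Option 2: new plain mGRE cloud with its own addressing plan.
! Separate network-id and tunnel key keep the two clouds apart
! while spokes are migrated one by one.
interface Tunnel1
 ip address 10.1.0.1 255.255.252.0
 ip nhrp network-id 2
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
!
! --- SPOKE (c871, after migration to the new cloud) ---
! No "tunnel protection": GRE only, relying on application-layer crypto.
interface Tunnel1
 ip address 10.1.0.10 255.255.252.0
 ip nhrp network-id 2
 ip nhrp nhs 10.1.0.1
 ip nhrp map 10.1.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 2
```

With esp-null the ESP header still authenticates each packet, whereas the plain mGRE cloud carries NHRP and GRE in the clear, so only traffic already protected at the application layer belongs on it. Running the IGP on both tunnels during the migration lets each spoke be moved without a routing outage.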