Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
5
Replies

Pix to Multiple IOS VPN (IOS get IP by DHCP

bob.bartlett
Level 1
Level 1

‎12-28-2005 07:27 AM

I have a central Pix and 3 sites that are expanding to 10 I want to have Spoke to Spoke communication. The PIX is running 7.0. Since the Pix doesn't support DMVPN how can I enable Spoke to Spoke effectively since the Spokes are doing DHCP for their outside interface address. I see lots of examples where for static tunnels but none for dynamic crypto maps.

Labels:
0 Helpful
5 Replies 5

rchicks
Level 4
Level 4

‎12-28-2005 09:12 AM

You are correct about the spoke to spoke limitations in your current design. The two ways around this issue is to move your VPN to something that can do this (Such as a VPN concentrator, or IOS router), or implement a full mesh topology). The problem with a full mess topology, is your dynamic IPs. For IPSec to work, it has to negotiate tunnel settings, etc. The router has to have some way of knowing what the other end of the tunnel is. For this reason you must have one end of the tunnel have a static IP (Likely the reason you were doing a hub and spoke architecture anyway).

Unfortunately, I don't see any way around changing your VPN device at the central site to something other than a PIX.

0 Helpful

johansens
Level 4
Level 4

‎12-29-2005 02:43 AM

You could setup a mix of ezVPN (for the spoke-hub traffic) and static tunnels (for the spoke-spoke traffic) where the static tunnels use Real-Time Resolution for IPSec Peers:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b05.html

You should take care to let the DNS-resolution be done by you central DNS-server (maybe using the dyndns-faeture of the IOs-routers) to avoid any spoofing/hijacking attempts..:

http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804461ba.html#wp1105531

Did it help?

0 Helpful

bob.bartlett
Level 1
Level 1
In response to johansens

‎01-04-2006 02:40 AM

So am I correct in thinking that I can have the IOS routers register in DNS using DDNS and then have the PIX resolve their IP address from DNS as a way to get around the non static IP addresses?

0 Helpful

rchicks
Level 4
Level 4
In response to bob.bartlett

‎01-04-2006 05:29 AM

From the PIX perspective, nothing would change, hub and spoke only. But it sounds like with the prior hyperlinks, you could set up a FULL MESH of tunnels between all your remote routers to accomplish what you are looking for with a combination of dynamic dns, and dynamic resolution of peers as previously posted.

You take care with this solution, as each time you add a remote you must modify the configs of every remote and the central site to keep spoke to spoke communications working. Full mesh topologies require lots of management overhead.

0 Helpful

johansens
Level 4
Level 4
In response to bob.bartlett

‎01-05-2006 01:15 AM

Hi again,

The hub-spoke traffic will not change, it will still be using easy VPN which will always be initiated by the remote sites to get into your PIX.

The spoke-spoke traffic will be a full mesh setup where every router then has 9 tunnels configured, one to each of the other spokes (a total of 10 spokes which you mentioned). You should at least run a routing-protocol over this of course.

The PIX will never do any resolving (as it doesn't have the option to do this in this context yet).

Did it help? If so, please rate the relevant posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents