12-28-2005 07:27 AM
I have a central PIX and 3 sites that are expanding to 10. I want to have spoke-to-spoke communication. The PIX is running 7.0. Since the PIX doesn't support DMVPN, how can I enable spoke-to-spoke effectively, since the spokes are doing DHCP for their outside interface address? I see lots of examples for static tunnels but none for dynamic crypto maps.
12-28-2005 09:12 AM
You are correct about the spoke-to-spoke limitations in your current design. The two ways around this issue are to move your VPN to something that can do this (such as a VPN concentrator or IOS router), or to implement a full mesh topology. The problem with a full mesh topology is your dynamic IPs. For IPsec to work, it has to negotiate tunnel settings, etc. The router has to have some way of knowing what the other end of the tunnel is. For this reason you must have one end of the tunnel with a static IP (likely the reason you were doing a hub-and-spoke architecture anyway).
Unfortunately, I don't see any way around changing your VPN device at the central site to something other than a PIX.
12-29-2005 02:43 AM
You could set up a mix of EzVPN (for the spoke-hub traffic) and static tunnels (for the spoke-spoke traffic), where the static tunnels use Real-Time Resolution for IPsec Peers:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b05.html
You should take care to let the DNS resolution be done by your central DNS server (maybe using the DynDNS feature of the IOS routers) to avoid any spoofing/hijacking attempts.
Did it help?
01-04-2006 02:40 AM
So am I correct in thinking that I can have the IOS routers register in DNS using DDNS and then have the PIX resolve their IP addresses from DNS as a way to get around the non-static IP addresses?
01-04-2006 05:29 AM
From the PIX perspective, nothing would change: hub and spoke only. But it sounds like, with the prior hyperlinks, you could set up a FULL MESH of tunnels between all your remote routers to accomplish what you are looking for, with a combination of dynamic DNS and dynamic resolution of peers as previously posted.
Take care with this solution, as each time you add a remote you must modify the configs of every remote and the central site to keep spoke-to-spoke communications working. Full mesh topologies require lots of management overhead.
01-05-2006 01:15 AM
Hi again,
The hub-spoke traffic will not change; it will still be using Easy VPN, which will always be initiated by the remote sites to get into your PIX.
The spoke-spoke traffic will be a full mesh setup where every router then has 9 tunnels configured, one to each of the other spokes (a total of 10 spokes, which you mentioned). You should at least run a routing protocol over this, of course.
The PIX will never do any resolving (as it doesn't have the option to do this in this context yet).
Did it help? If so, please rate the relevant posts.
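To make the management-overhead point concrete, here is an added example (not from any poster in the thread) that builds the per-spoke full-mesh crypto-map entries the answers describe, with each peer given as a DDNS name resolved at negotiation time and DNS pointed only at the central server. The IOS command text, the domain and the DNS address are assumed placeholders, not configuration from the thread.

```python
# Added example: full-mesh spoke-to-spoke tunnel bookkeeping for the design
# discussed above. IOS syntax below is an assumed template, not verified here.
from itertools import combinations

HUB_DNS = "203.0.113.1"   # constructed: central DNS server the spokes must use
DOMAIN = "example.net"    # constructed: domain the spokes register in via DDNS


def spoke_names(n):
    """Hostnames for n spokes, e.g. spoke1 .. spoke10."""
    return [f"spoke{i}" for i in range(1, n + 1)]


def mesh_pairs(spokes):
    """Unique spoke-to-spoke tunnels in a full mesh: n*(n-1)/2 pairs."""
    return list(combinations(spokes, 2))


def peers_of(spoke, spokes):
    """Every other spoke: the tunnels one router must carry (n-1)."""
    return [s for s in spokes if s != spoke]


def spoke_config(spoke, spokes):
    """One crypto-map entry per remote spoke; the peer is a DDNS name with the
    'dynamic' keyword so it is resolved when the tunnel is negotiated, and
    name resolution is pinned to the central DNS server (spoofing caveat)."""
    lines = [f"ip name-server {HUB_DNS}", "ip domain lookup"]
    for seq, peer in enumerate(peers_of(spoke, spokes), start=10):
        lines += [
            f"crypto map MESH {seq} ipsec-isakmp",
            f" set peer {peer}.{DOMAIN} dynamic",
            " set transform-set TS",
            f" match address VPN_{spoke.upper()}_TO_{peer.upper()}",
        ]
    return lines


def routers_touched_by_adding(spokes, new_spoke):
    """Routers whose config changes when a spoke joins the mesh: all of the
    existing spokes plus the newcomer, which is the overhead warned about."""
    grown = spokes + [new_spoke]
    changed = [s for s in spokes if spoke_config(s, spokes) != spoke_config(s, grown)]
    return changed + [new_spoke]


if __name__ == "__main__":
    spokes = spoke_names(10)
    print(len(mesh_pairs(spokes)), "tunnels;", len(peers_of("spoke1", spokes)), "per router")
    print("\n".join(spoke_config("spoke1", spokes)[:6]))
```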