I have a central Pix and 3 sites that are expanding to 10 I want to have Spoke to Spoke communication. The PIX is running 7.0. Since the Pix doesn't support DMVPN how can I enable Spoke to Spoke effectively since the Spokes are doing DHCP for their outside interface address. I see lots of examples where for static tunnels but none for dynamic crypto maps.
You are correct about the spoke to spoke limitations in your current design. The two ways around this issue are to move your VPN to something that can do this (such as a VPN concentrator or IOS router), or to implement a full mesh topology. The problem with a full mesh topology is your dynamic IPs. For IPSec to work, it has to negotiate tunnel settings, etc. The router has to have some way of knowing what the other end of the tunnel is. For this reason you must have one end of the tunnel have a static IP (likely the reason you were doing a hub and spoke architecture anyway).
Unfortunately, I don't see any way around changing your VPN device at the central site to something other than a PIX.
From the PIX perspective, nothing would change, hub and spoke only. But it sounds like with the prior hyperlinks, you could set up a FULL MESH of tunnels between all your remote routers to accomplish what you are looking for with a combination of dynamic dns, and dynamic resolution of peers as previously posted.
Take care with this solution, as each time you add a remote you must modify the configs of every remote and the central site to keep spoke to spoke communications working. Full mesh topologies require lots of management overhead.
The hub-spoke traffic will not change, it will still be using easy VPN which will always be initiated by the remote sites to get into your PIX.
The spoke-spoke traffic will be a full mesh setup where every router then has 9 tunnels configured, one to each of the other spokes (a total of 10 spokes, which you mentioned). You should at least run a routing protocol over this, of course.
The PIX will never do any resolving (as it doesn't have the option to do this in this context yet).
Did it help? If so, please rate the relevant posts.
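The replies above describe the spoke-to-spoke design in words: each of the 10 spokes carries 9 tunnels, peers are named by dynamic-DNS hostname because their outside addresses come from DHCP, and adding a spoke forces a config change on every existing spoke. The following Python script is an added example, not code from the thread or from Cisco; it models that full mesh from a constructed spoke inventory, renders an IOS-style crypto-map stanza per spoke, and shows the reconfiguration blast radius when an eleventh spoke is added. The spoke names, DDNS domain, LAN prefixes, policy numbers and the `set peer <fqdn> dynamic` / `crypto isakmp key ... hostname` syntax are assumptions of this example (IOS 15-era syntax, to be checked against the target release); the PSK is a placeholder.

```python
"""Model a full-mesh spoke-to-spoke IPsec design with DDNS-named peers.

Constructed example: spoke inventory, DDNS names and LAN prefixes are made up
here to illustrate the design discussed in the thread, not taken from it.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Spoke:
    name: str   # device hostname used to label ACLs (constructed sample data)
    ddns: str   # dynamic-DNS name other spokes resolve at IKE time (constructed)
    lan: str    # protected LAN in IOS "network wildcard" form (constructed)


def make_spokes(n):
    """Constructed inventory: spoke1..spokeN, one DDNS name and one /16 each."""
    return [Spoke(f"spoke{i}", f"spoke{i}.vpn.example.net", f"10.{i}.0.0 0.0.255.255")
            for i in range(1, n + 1)]


def mesh_pairs(spokes):
    """Unordered spoke pairs; each pair is one IPsec tunnel in the full mesh."""
    return list(combinations(sorted(spokes, key=lambda s: s.name), 2))


def peers_of(spoke, spokes):
    """Every other spoke: the tunnels this single device has to carry."""
    return [s for s in sorted(spokes, key=lambda s: s.name) if s != spoke]


def spoke_config(spoke, spokes, psk="<PSK-PLACEHOLDER>"):
    """Render IOS-style crypto config for one spoke of the mesh.

    Assumed syntax: the peer is keyed and referenced by hostname, and
    'set peer <fqdn> dynamic' defers the DNS lookup to tunnel negotiation
    time, which is what makes DHCP-addressed peers workable at all.
    """
    lines = [
        "crypto isakmp policy 10",
        " encryption aes 256",
        " hash sha256",
        " authentication pre-share",
        " group 14",
        "crypto ipsec transform-set MESH_TS esp-aes 256 esp-sha256-hmac",
    ]
    for seq, peer in enumerate(peers_of(spoke, spokes), start=10):
        acl = f"TO_{peer.name.upper()}"
        lines += [
            f"crypto isakmp key {psk} hostname {peer.ddns}",
            f"ip access-list extended {acl}",
            f" permit ip {spoke.lan} {peer.lan}",
            f"crypto map MESH {seq} ipsec-isakmp",
            f" set peer {peer.ddns} dynamic",
            " set transform-set MESH_TS",
            f" match address {acl}",
        ]
    return "\n".join(lines) + "\n"


def changed_on_add(spokes, new_spoke):
    """Names of existing spokes whose rendered config differs once one is added."""
    after = spokes + [new_spoke]
    return [s.name for s in spokes if spoke_config(s, spokes) != spoke_config(s, after)]


if __name__ == "__main__":
    fleet = make_spokes(10)
    print(f"{len(fleet)} spokes -> {len(mesh_pairs(fleet))} tunnels in the mesh")
    print(spoke_config(fleet[0], fleet))
    eleventh = Spoke("spoke11", "spoke11.vpn.example.net", "10.11.0.0 0.0.255.255")
    print("must reconfigure:", ", ".join(changed_on_add(fleet, eleventh)))
```

Running it for the 10-spoke case prints 45 mesh tunnels, a config for spoke1 with nine crypto-map entries (none pointing at itself), and a reconfiguration list containing all ten existing spokes when spoke11 is added, which is the management overhead the replies warn about. The hub side is deliberately absent: per the thread, hub-spoke traffic stays on Easy VPN initiated by the spokes toward the PIX and is unaffected by the mesh.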