Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1103
Views
3
Helpful
3
Replies

Should I use DMVPN/certificates?

kirkster
Level 3
Level 3

‎05-09-2006 08:30 AM - edited ‎02-21-2020 02:24 PM

Guys,

I have a current customer network of 3660 VPN routers at the head end with numerous (30 or so) 1800 and 2600 spokes. This uses pre shared keys. The only traffic is spoke to hub, there is no requirement for spoke to spoke. All spokes have static IP addresses. This solution works great and has been running well for three years. However, the customer requires more encryption throughput. The network is to change to a 6500 with VPN module in the core and 3845 VPN routers as the spokes (a few 7200's with VAM2+ as well).

I have been reading cco pages about certificates and DMVPN. This looks like a great potential solution, though I have never configured this before. However, I think I may be making the solution overly complex for only 30 routers in this simple scenario. What would you guys recommend here? Anyone done this with fewer routers? Any certificates would have to be done on the 6500 IOS CA system. Any comments on this as a CA solution?

I have a week "play" time with this in pre staging lab before it goes live.

Much appreciate any feedback...

Steve

Labels:
0 Helpful
3 Replies 3

kirkster
Level 3
Level 3

‎05-09-2006 08:44 AM

Hi again !!

I should add that 20 of the 30 sites are very small sites of five or so users but five sites (with the 7200) have 500 users. If not DMVPN I was perhaps thinking of static IPSec maps to the main sites and EZVPN to the small ones.

Sound sensible....?????

Steve

0 Helpful

martindesrosiers
Level 1
Level 1

‎07-03-2006 07:19 AM

If you have Spoke static IP address and you don't need spoke to spoke traffic, you better configure static tunnel with certificate.

0 Helpful

hemendoz
Cisco Employee
Cisco Employee

‎07-03-2006 06:41 PM

Hello Steve,

IMHO, the power of DMVPN is realized until you have at least 50+ sites and require spoke-to-spoke communication. You'd probably be better off with static crypto maps. As far as PSK vs. Digital Certs, obviously Digital Certs are more secure. It just becomes a question about manageability. PSK would be fine as well.

Hope that helps! If so, please rate.

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents