New Member

Tunnel Interface instead of crypto map

Hi All

Can someone tell me what the difference is between creating a site-to-site VPN tunnel with a crypto map and creating a site-to-site VPN tunnel with a tunnel interface?

Thank you very much

13 REPLIES
Silver

Re: Tunnel Interface instead of crypto map

The use of a Virtual Tunnel Interface provides greater ease of deployment and more flexibility at layer 3 with a routable interface.  Here is a document explaining the virtues of VTIs.  HTH

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.pdf

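The same IPsec policy expressed both ways, as an added example (not from the thread or from the linked Cisco document): the addresses, interface names and the PLACEHOLDER-PSK are assumptions, and an IOS release that accepts SHA-256 in ISAKMP policies and transform sets is assumed. The point is that with a VTI the routing table decides what gets encrypted, while a crypto map needs a crypto ACL on the physical interface.

```cisco
! --- Common IKEv1 / IPsec policy used by both designs (assumed values) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key bound to the one known peer address (placeholder value)
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Design A: static VTI, a routable layer-3 interface ---
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Traffic is protected because it is ROUTED into Tunnel0; a static route
! or a routing protocol running over the tunnel decides what is encrypted.
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! --- Design B: legacy crypto map on the physical interface ---
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CM-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address VPN-ACL
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-SITE
!
! Here the crypto ACL decides what is protected; anything not matched by
! VPN-ACL leaves GigabitEthernet0/0 in the clear, so the ACL must be kept
! in step with every new subnet, and routing must still send 192.168.2.0/24
! out this interface (for example via the default route).
```
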
New Member

Re: Tunnel Interface instead of crypto map

Thank you very much.  For sure it helps.

If I want to use a static VTI for an IPsec VPN tunnel between 2 routers, but 1 of my routers uses a public static address and the other does not (DSL connection),

I won't be able to put in the tunnel destination command. How should I configure it?

Thanks again

Silver

Re: Tunnel Interface instead of crypto map

Here's an example of using Easy VPN with IPSEC DVTIs.  The remote router gets its outside address via DHCP.  HTH

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.pdf

New Member

Re: Tunnel Interface instead of crypto map

If I do not want to use Easy VPN, can I do it with a static VTI? Or should I switch to a crypto map?

Thank you very much for your help.

Silver

Re: Tunnel Interface instead of crypto map

Here are some other examples of using static and dynamic VTIs.

http://www.cisco.com/en/US/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_xe.pdf

You could also use DMVPN, which in this example shows a spoke site using DHCP to assign its outside address.

http://www.cisco.com/application/pdf/paws/41940/dmvpn.pdf

HTH

New Member

Re: Tunnel Interface instead of crypto map

We already have a DMVPN configuration in our 300 spokes. It's a single cloud, dual hub DMVPN network. We need to create a separate VPN network infrastructure with those 300 spokes but linked through 2 remote HQ sites. Those 2 remote sites have public static IPs, but our spokes use dynamic addressing.

I need something simple. I checked out your examples, but only Easy VPN talks about unknown remote IPs.

Here's my concern.

I'll probably use a crypto map instead of a VTI. What do you think?

Silver

Re: Tunnel Interface instead of crypto map

What do you see is the advantage of crypto maps over Easy VPN?

If your spoke IP addresses are assigned dynamically, you could use dynamic crypto maps on your hub site, as in this example, but with this legacy setup you lose flexibility.  Avoiding crypto maps reduces problems with the management of a large number of VPN tunnels to your hub site.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

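What the dynamic crypto map on the hub looks like, as an added example rather than the configuration from the linked article: addresses, names and the trustpoint are assumptions. The first block is the weak form that is common with dynamically addressed spokes (one wildcard pre-shared key shared by every spoke, so any one spoke that is lost exposes the key for all of them); the second block keeps the dynamic crypto map but authenticates peers with certificates instead, which is how you bind identity to a peer whose IP address you do not know in advance.

```cisco
! --- Weak form: one wildcard PSK for every spoke ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Any peer that knows this one string is accepted from any address
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
! --- Corrected form: same dynamic map, certificate authentication ---
crypto pki trustpoint CORP-CA
 enrollment url http://pki.example.internal:80
 revocation-check crl
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Dynamic map: no "set peer", so the hub can only ANSWER spokes, never
! initiate. reverse-route injects each spoke's protected subnet into the
! hub routing table when that spoke's SA comes up.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS-AES
 reverse-route
!
! Dynamic entries go at the highest sequence number so static peers,
! if any, are matched first.
crypto map CM-HUB 100 ipsec-isakmp dynamic DYN-SPOKES
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-HUB
```

Revoking one spoke's certificate at the CA removes that spoke without touching the hub configuration, whereas with the wildcard key the only remedy is to change the key on all 300 spokes.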
New Member

Re: Tunnel Interface instead of crypto map

I know I'll lose flexibility, but our old network works like this, and we have troubleshot it for a couple of years. We know what kind of issues it will probably have. But not with Easy VPN. I never used it.

But you convinced me to take a look at Easy VPN.

New Member

Re: Tunnel Interface instead of crypto map

Which solution has the lower CPU and memory consumption? (Easy VPN or dynamic crypto map)

Thanks again

Silver

Re: Tunnel Interface instead of crypto map

I understand your reluctance to go to an unfamiliar technology, but I think it is worthwhile to consider Easy VPN unless you are connecting to remote sites that do not have Cisco devices.

Assuming all of your sites use Cisco VPN devices, one problem you may have encountered is that clearing the IPsec SAs for a specific VPN tunnel does not work. The only remedy is to remove and replace the crypto map, which impacts all of your other sites.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10

With regards to your question about performance, Easy VPN is a new technology, aimed at improving performance for your applications.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html

New Member

Re: Tunnel Interface instead of crypto map

"We already have a DMVPN configuration in our 300 spokes. It's a single cloud, dual hub DMVPN network. We need to create a separate VPN network infrastructure with those 300 spokes but linked through 2 remote HQ sites. Those 2 remote sites have public static IPs, but our spokes use dynamic addressing."

I didn't quite understand why you need a separate VPN infrastructure. Personally I don't like using routers as endpoints in Easy VPN, but that's just me :-). Can you explain why you want to diverge from your DMVPN setup, or why you can't have dedicated P2P tunnels for the 2 sites running NHRP, thus solving your problem of dynamic IPs!!

New Member

Re: Tunnel Interface instead of crypto map

The main reason is that, for a specific purpose, we can't route this traffic through our hub infrastructure at all. We use a phase 2, spoke-to-spoke DMVPN setup.

So we know the first packet will go through the path "spoke-hub-spoke" while the spoke-to-spoke dynamic tunnel comes up. We also don't want those routers to be hubs (answering NHRP requests).

If you have a DMVPN setup that routes the packets directly to those routers without considering them as hubs, I'll be happy.

Thanks a lot

Silver

Re: Tunnel Interface instead of crypto map

Have you looked at the phase 3 enhancements to DMVPN?  Spoke-to-spoke traffic does not go through the hub.  HTH

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html

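The two commands that make phase 3 different from phase 2, as an added example (not from the thread or the linked white paper): the hub sends NHRP redirects and each spoke installs shortcuts. Addresses, names, the NHRP authentication string and the IPsec profile are assumptions, and it is assumed that the two HQ routers join the same cloud as ordinary spokes with static addresses rather than as hubs. Because the tunnel is mGRE, a spoke on a DHCP-assigned DSL address needs no tunnel destination at all.

```cisco
! --- Hub (static public address 203.0.113.1) ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication PLACEHOLDER
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ! Phase 3: tell the spoke there is a shorter path than through me
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke on DSL, outside address from DHCP (no tunnel destination) ---
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip nhrp authentication PLACEHOLDER
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 ! Phase 3: act on the hub's redirect and build a direct spoke-to-spoke
 ! tunnel, including to the HQ routers, which are spokes here, not hubs
 ip nhrp shortcut
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Summary route from the hub is enough; the spoke keeps a shortcut entry
! for each peer it talks to instead of a full routing table.
ip route 10.0.0.0 255.255.255.0 Tunnel0
```

The NHRP authentication string only keeps unrelated clouds from registering with each other; the IPsec profile on tunnel protection is the actual security boundary, so the same peer-authentication choice as in any other IPsec design (per-peer keys or certificates rather than one wildcard key) applies here.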