DMVPN - Spokes with different IPsec encryption

  1. Is it possible to configure different IPsec encryptions on the Hub for different Spokes, or must all Spokes be configured with the same IPsec encryption?
  2. If different IPsec encryptions are configured on two Spokes, can they build a Spoke-to-Spoke VPN tunnel with IPsec, or does the traffic go over the Hub?

Giuseppe Larosa
Hall of Fame

Hello Alexander,

1)

see

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp93772

>>There must be at least one matching ISAKMP policy between two potential crypto peers

The ISAKMP policy may contain multiple clauses that are attempted in order, but to build the ISAKMP security association a match is needed; the policy sequence number is not important (it doesn't need to match).

2)

As explained above, if no agreement is found between the two spokes, the spoke-to-spoke tunnel cannot be established.

But because routing information travels only on spoke-to-hub tunnels, with the next hop referring to the other spoke (phase 2), you may experience black-holing of traffic between the two spokes!

I'm afraid no fallback to hub is possible at least in DMVPN phase 2.

I would say real-world implementations use the same encryption methods in a given cloud and PKI to distribute certificates for scalable and secure negotiation.

Hope to help

Giuseppe

Hello Giuseppe,

I have enjoyed reading your answer very much.

I'm afraid no fallback to hub is possible at least in DMVPN phase 2.

As far as I know - and please correct me if I am wrong, as I have not worked with DMVPN solutions extensively - even in DMVPN phase 2, if a translation for another spoke is not currently found in the local NHRP cache, the local spoke will send the packet to the hub router. But frankly, that cannot be considered a fallback.

If spoke routers used p2p GRE tunnels then the traffic would always go through the hub router - but that would nullify one of the major advantages of the DMVPN.

I would say real-world implementations use the same encryption methods in a given cloud and PKI to distribute certificates for scalable and secure negotiation.

Absolutely agree. And also, if necessary, each router can be preconfigured with a set of ISAKMP and IPsec policies to be able to cooperate with both better and less capable neighbors.

Best regards,

Peter
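To make the two answers concrete, here is an added IOS configuration example; it is not from the thread, from Cisco documentation, or from either poster. It shows a hub that carries two ISAKMP policies and two transform sets (answer 1), two spokes that each carry only one of them (so the spoke-to-spoke tunnel in answer 2 cannot form), and, in the closing comments, Peter's remedy of preloading every spoke with the full set. All addresses (hub 203.0.113.1, spoke A 198.51.100.2, spoke B 198.51.100.3, tunnel subnet 10.0.0.0/24), the names DMVPN, AES256-SHA, 3DES-SHA, NHRPKEY and DMVPN-PSK, and the EIGRP AS number 1 are assumptions made for the example.

```cisco
! Added example (not from the thread). Assumed: hub public 203.0.113.1,
! spoke A 198.51.100.2, spoke B 198.51.100.3, tunnel 10.0.0.0/24,
! EIGRP AS 1 (the router eigrp stanza is omitted for brevity).
!
! ===== HUB =====
! Policies 10 and 20 are tried in local order; a peer only has to match
! the attributes of one of them, never the sequence number.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK keeps the example short; PKI is the scalable choice.
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 mode transport
! The profile offers both sets; the first one the peer accepts is used.
crypto ipsec profile DMVPN
 set transform-set AES256-SHA 3DES-SHA
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
! ===== SPOKE A: strong suite only =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set AES256-SHA
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
! ===== SPOKE B: legacy suite only. Sequence 5 is deliberate: it still
! ===== matches hub policy 20 because only the attributes are compared.
crypto isakmp policy 5
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set 3DES-SHA
! interface Tunnel0 as on spoke A, with ip address 10.0.0.3 255.255.255.0
!
! ===== Checks =====
! hub#    show crypto isakmp sa   -> QM_IDLE with 198.51.100.2 and .3
! spokeA# ping <host behind spoke B>
!         NHRP resolves 10.0.0.3 -> 198.51.100.3, then IKE to .3 is attempted
! spokeA# show crypto isakmp sa   -> no QM_IDLE entry for 198.51.100.3:
!         A and B share no ISAKMP policy, so the direct tunnel never forms
! Remedy: configure both policies and both transform sets on every spoke,
! exactly as on the hub, so any pair can negotiate.
```

Two caveats a reviewer would add: the wildcard pre-shared key means any host that learns the key can authenticate as a spoke, which is one more reason to follow Giuseppe's PKI advice; and 3DES, SHA-1 and DH group 2 appear here only to stand in for a less capable neighbour and should be retired rather than kept as a permanent fallback.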
