What are impacts of adding many subnets to crypto map ACL for Site-to-site VPN?

Tats0611
Level 1

Hi everyone,

I would like to know what the impacts would be of adding many subnets to crypto map ACLs for a Site-to-site VPN.

Currently HQ and the new branch office are connected with an IPsec site-to-site VPN over the internet.

I would like New branch to have access to the other branch offices through HQ.

I know it would work if I added the branch office subnets to the current crypto map ACLs, but I do not know the impact of adding many subnets to a crypto map ACL to route traffic over the site-to-site VPN.

The number of subnets that I would like to add is about 20.

I am hoping stability and performance will be the same as with the current Site-to-site VPN setting.

Can anyone please tell me your thoughts?

I attached a diagram that is a simple and small version of what I want to do.

Best regards,

Tats

Accepted Solution

GRANT3779
Spotlight
There is no real impact as such. You would need to ensure a matching encryption domain at each end.

It is when you start having a large encryption domain with specific ports / sources / destinations etc. that it sometimes becomes more efficient to allow IP between the subnets in the encryption domain and then lock it down with a VPN filter.

Are you running an ASA as your 2 VPN endpoints? If so, you could look at using a VTI tunnel (route-based VPN) rather than the current policy-based VPN. You would then lose the crypto ACL altogether.

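As an added example, not from the thread and not Cisco or Meraki code: a small Python script that checks the one condition GRANT3779 says must hold, that the crypto ACL on each side is the exact mirror of the other, and that also flags entries which an earlier, broader entry shadows (crypto ACLs are evaluated first-match, so a summary route placed above a more specific subnet silently absorbs it). Both pitfalls become easy to miss once an ACL carries 20 subnets. It also reports the number of matched entries, since each matched entry negotiates its own pair of IPsec SAs once traffic flows, which is the main thing that grows as the ACL grows. The subnets and ACL contents are constructed for the example; the function names are mine.

```python
import ipaddress

# Constructed sample crypto ACLs for the two sites (not from the thread).
# Each entry is (source_subnet, destination_subnet) in the order it appears
# in that site's crypto map ACL. All addresses are made up.
HQ_ACL = [
    ("10.1.0.0/16", "192.168.50.0/24"),    # HQ LAN   -> NewBranch
    ("10.20.0.0/24", "192.168.50.0/24"),   # Branch A -> NewBranch (via HQ)
    ("10.21.0.0/24", "192.168.50.0/24"),   # Branch B -> NewBranch (via HQ)
    ("10.1.5.0/24", "192.168.50.0/24"),    # shadowed by the /16 above
]
NEWBRANCH_ACL = [
    ("192.168.50.0/24", "10.1.0.0/16"),
    ("192.168.50.0/24", "10.20.0.0/24"),
    ("192.168.50.0/24", "10.22.0.0/24"),   # typo: should mirror 10.21.0.0/24
]


def parse_acl(acl):
    """Turn (src, dst) strings into ip_network pairs, keeping ACL order."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in acl]


def shadowed_entries(acl):
    """Entries that can never match because an earlier entry already covers
    both their source and destination (first-match evaluation)."""
    parsed = parse_acl(acl)
    out = []
    for i, (s, d) in enumerate(parsed):
        for prev_s, prev_d in parsed[:i]:
            if s.subnet_of(prev_s) and d.subnet_of(prev_d):
                out.append(f"{s}->{d}")
                break
    return out


def compare_encryption_domains(local_acl, remote_acl):
    """Check that remote_acl is the exact mirror image of local_acl.

    Entries in the result are reported in the local site's orientation
    (local_subnet->remote_subnet) so both lists read the same way.
    """
    local = set(parse_acl(local_acl))
    remote_mirrored = {(d, s) for s, d in parse_acl(remote_acl)}
    return {
        # each matched entry becomes its own IPsec SA pair once traffic flows
        "matched": len(local & remote_mirrored),
        "only_local": sorted(f"{s}->{d}" for s, d in local - remote_mirrored),
        "only_remote": sorted(f"{s}->{d}" for s, d in remote_mirrored - local),
    }


if __name__ == "__main__":
    result = compare_encryption_domains(HQ_ACL, NEWBRANCH_ACL)
    print("matched entries (SA pairs):", result["matched"])
    print("only on HQ:        ", result["only_local"])
    print("only on NewBranch: ", result["only_remote"])
    print("shadowed on HQ:    ", shadowed_entries(HQ_ACL))
```

Run against the sample data it reports two matched entries, the mistyped 10.22.0.0/24 entry as present only on the NewBranch side, 10.21.0.0/24 as present only on HQ, and 10.1.5.0/24 on HQ as shadowed by the 10.1.0.0/16 entry above it. Feeding it the real ACLs (exported from `show running-config` on the ASA and the Meraki site-to-site settings) before pushing a 20-subnet change is a cheap way to catch a one-sided edit before it shows up as a phase 2 negotiation failure.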

4 Replies

Lyle Erding
Level 4

Have you considered using DMVPN as an alternative? That way you could treat it as routed traffic and have it participate in OSPF with your other locations. You could choose to run the tunnel in GRE multipoint to allow spoke-to-spoke communications if you add other VPN branches in the future, or leave it as point-to-point to force all traffic back through the hub. If you add other locations in the future there wouldn't be any need to change the configuration on the HQ hub, only to add the needed configuration on the new branch router that you deploy.

Tats0611

Hi Lyle,

Thanks for your reply.

No, we have not considered DMVPN as I am quite new to network stuff and do not know much about DMVPN. Also, we are using a Meraki MX68 at NewBranch, and I saw in the documentation that the MX68 only supports IKEv1 IPsec VPN with non-Meraki devices.

But your suggestion sounds nice and clean if we open other new branches in the future.

Thanks,

Tats


Tats0611

Hi GRANT3779,

Thanks for your reply.

That is good to hear that there is no real impact.

I am running an ASA at HQ and a Meraki MX68 at NewBranch. Basically IKEv1 IPsec VPN is the only choice.

Thanks,

Tats
