04-18-2005 09:09 AM - edited 03-09-2019 10:59 AM
We are looking at rolling out DMVPN at a location that will need to keep static VPNs to customer sites where we don't manage the remote VPN server. Has anyone had success with running crypto profiles on the tunnel0 interface along with a crypto map on the physical interface (that happens to be the source interface for the virtual tunnel0 interface)? I can't find any sample code or verification on Cisco's website that profiles/maps can be run together.
Thanks,
Ron
04-18-2005 09:44 AM
Yeah, I set one up last week. I create DMVPN to remote sites using IPsec profiles, while using static crypto maps between hubs. Both run over the same Ethernet interface, which connects to the internet. To keep the tunnel up all the time, you can run EIGRP over it, and that also helps in populating dynamic routes. Which traffic is encrypted over the static tunnel is decided by the interesting traffic defined by the ACL applied to the crypto map.
As far as DMVPN is concerned, it does not interfere with static crypto maps. It brings up the tunnel (an always-up tunnel) using NHRP mappings and a GRE tunnel. Once the tunnel is up, the routing protocol used will decide where to send the data. Any data that is routed through the tunnel interface is encrypted.
Hope that makes sense.
04-19-2005 07:00 AM
Thanks. I just wanted to be sure the tunnel0 interface running the profile wouldn't bump heads with the crypto map on the physical interface. I've used DMVPN at three customer sites with no problems (using OSPF at two sites and EIGRP at one site). This will be the first time where DMVPN is going to be rolled out on a device that needs to keep static tunnels to partner sites that are using Checkpoints and NetScreen firewalls maintained by other IT staff.
I see now that since the multipoint GRE tunnels will encrypt based on routing protocol neighbors, and the crypto map will use the typical ACL, the traffic should be mutually exclusive. Since you tested fine in your scenario, I now understand there is no problem with the dynamic ISAKMP key for DMVPN versus the static ISAKMP key for crypto map peers.
Thanks for the reply.