Beginner

migrate from static ipsec connections to GRE IPsec connections

I am working on transitioning from static IPSEC connections to GRE with IPSEC connections.

We are also working to replace a 2821 router at our to-be-implemented DMVPN hub site with an ASR1000 type router. The ASR does not support ted transform-set which we are presently using.

Is there a way to not encrypt the traffic between specific router-to-router connections while encrypting all other router-to-router connections?

I am trying to come up with a transition plan that will not take any sites offline to transition from static connections to DMVPN tunneling.

Byron

4 REPLIES 4
VIP Advisor

Use two DMVPN tunnels - one for encrypted traffic, and one not using encrypted traffic (for example, Tunnel10 and Tunnel100).  Only apply the "tunnel ipsec profile" command to the tunnel that needs encryption.

Make sure you use different tunnel keys on each tunnel to help the router tell them apart.

Beginner

The problem is the new hub router (ASR1000) does not support the IPSEC transform-set used on the routers in use now.

I was wondering if there is a way to not use encryption between the new ASR router and the legacy routers only, using the present IPsec route-map ACL.

I do not have the option of removing IPSEC encryption from the present routers' outside interface.

VIP Advisor

Can you install both the old and new routers at the same time and migrate the tunnels across?

Failing that, you are going to have to migrate to a supported transform set first.  On the head end you can do something like:

crypto ipsec profile spokes
  set transform-set <original transform> <new transform>

Or if you are using crypto maps:

crypto map cm-cryptomap 110 ipsec-isakmp
  set transform-set <original transform> <new transform>

So list both the old and new transforms.  This allows clients to negotiate the use of either.  Then start updating all the spokes to use the new transform.  Once they are all updated, put the new ASR in.
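One way to confirm the "once they are all updated" step above before the cutover, as an added example that is not part of the original reply: parse the head end's `show crypto ipsec sa` output and list peers whose SAs still use anything other than the new transform. The sample output is constructed and abbreviated, and the transform names and peer addresses are stand-ins, since the thread does not name the actual ones.

```python
import re

# Constructed, abbreviated "show crypto ipsec sa" output from the head end.
# Transform names are stand-ins; the thread does not name the real ones.
SAMPLE = """\
interface: Tunnel10
   current_peer 198.51.100.10 port 500
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-3des esp-md5-hmac ,
   current_peer 198.51.100.20 port 500
     inbound esp sas:
      spi: 0x0BADC0DE(195936478)
        transform: esp-aes 256 esp-sha-hmac ,
   current_peer 198.51.100.30 port 500
     inbound esp sas:
"""

PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)")
XFORM_RE = re.compile(r"^\s*transform:\s*(.+?)\s*,?\s*$")

def transforms_by_peer(show_output):
    """Map each peer to the set of transforms on its established SAs."""
    peers, current = {}, None
    for line in show_output.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, set())
            continue
        m = XFORM_RE.match(line)
        if m and current is not None:
            # Collapse whitespace so "esp-aes  256" and "esp-aes 256" compare equal.
            peers[current].add(" ".join(m.group(1).split()))
    return peers

def migration_report(show_output, new_transform):
    """Split peers into migrated, pending (old or mixed SAs), and no SA up."""
    report = {"migrated": [], "pending": [], "no_sa": []}
    for peer, xforms in transforms_by_peer(show_output).items():
        if not xforms:
            report["no_sa"].append(peer)   # cannot be confirmed either way
        elif xforms == {new_transform}:
            report["migrated"].append(peer)
        else:
            report["pending"].append(peer)
    return report

if __name__ == "__main__":
    print(migration_report(SAMPLE, "esp-aes 256 esp-sha-hmac"))
```

A peer listed under `no_sa` had no SA up when the output was captured, so it needs to be rechecked before the old transform is removed from the head end.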

Beginner

I can try and migrate to a supported transform set first.

I will try it in a test bed and let you know how it goes.

But this idea sounds very doable.

Thanks

Byron