My company has asked me recently to work on setting on DMVPN(spokeTospoke). Let me explain my office topology. I have three locations where i have a router on each locations over which i need to setup dmvpn. Each locations have internet connected to ASA. ASA inside interface is then connected to DMVPN router.
DMVPN require loopback interface to reachable over internet that i can do setting up IPSec vpn on ASA to reach loopbacks on DMVPN router.
But i am a bit confused how to configure spoketospoke DMVPN. Could you pls post config example that make me clear in setting up DMVPN(using ospf). If you could take me out to this config obstacles that would be highly appreciated.
If you have only 3 sites and all have static public IP-addresses, I would suggest to configure full mesh of p2p IPSec VTI.
For general DMVPN configuration you may refer to http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html
Regarding OSPF - you may use it with network type Broadcast.
Thanks Vasilii... since we will be adding more sites after successful completetion of DMVPN on three sites so we have to implement DMVPN.
Also in shared link DMVPN configuration is done in router having one interface to public network and IPSec is running on router. But in my scenario router will have DMVPN configuration and ASA will be runnin IPSec config part.
Pls share config example as per my case(You can leave IPSec config part of ASA which i will take care).
DMVPN is mGRE with IPSec. Sure, you may separate mGRE and IPSec (terminate IPSec on ASA).
But I'm not sure if it's possible to dynamically build IPSec between ASAs and how scalable the solution would be.
Please let me know why don't you want to run IPSec on the routers?
PS: mGRE has the same configuration as in DMVPN example, but without "tunnel protection ipsec..." statement and without all the rest "crypto..." parts.
PS2: in DMVPN spoke-2-spoke configuration is implicit (if you run phase 2 or 3).
Hi.. I think router is not much secure device as ASA. Also putting one interface of router on public network and another on local network cause LAN o be on risk.
Since i have ASA so i am seeing to use it for IPSec config.
There is no need to have router's interface to be unprotected, you may inspect ipsec traffic from your routers on ASA, dropping all the rest traffic.
Anyway, I would be interested to see ASA configuration that would allow you to offload IPSec (as far as I know ASA doesn't support GETVPN).
DMVPN can only be properly hosted on a router. Splitting it off to an ASA would likely not be supported and only make things more complicated.
If you want to add a layer of security, you can pass the traffic through the ASA before sending it to your local network.
I am too not clear about this so did put these scenario infront of you experts to consider. Is GRE over IPSec tunnel different from DMVPN tunnel. Because GRE over IPSec tunnel can be configured on router and having IPSec config on ASA.
Since i am new to DMVPN i also want to be cleal before configuring this.
You don't need to configure Loopback for DMVPN.
Really not reason to separate it and likely to cause issues with your DMVPN setup.