VPN client access to DMVPN spoke possible?

Hello community,

I am aware it is possible to use the VPN client to access the DMVPN hub and therefore the company network.

My problem is that this is not an option: before the migration to DMVPN at a customer's network, some users (unexpectedly!) were still using the VPN client on Macs, iPhones and iPads to access the branch in their own country. Routing packets around the planet does not make much sense because of the huuuuge RTTs...

Does someone have an idea how to configure a spoke to work as a VPN server again? According to the debugs the problem is the XAUTH in phase 1... I tried examples that achieved this functionality on the hub, with profiles and keyrings, but I couldn't get it working.

I want to avoid rolling back the DMVPN on one of the router pairs in the locations which still need that.

Any help is very much appreciated, many thanks in advance,

Andreas

1 Accepted Solution

Accepted Solutions

Philip D'Ath
VIP Alumni

The easiest option by far is to use AnyConnect. Keep IPsec for DMVPN and SSL for user-to-site VPN.

Failing that, you can use both DMVPN and user-to-site IPsec VPN at the same time. You just need to be careful about your match criteria.

For example, if you use a pre-shared key and a wildcard to match the DMVPN connections, you are going to have grief. If you use certificate-based authentication for DMVPN, then that match will be unique compared to the user-to-site IPsec VPN.

Also, I would not use an old-style dynamic map. I would use a new-style VTI interface for the inbound user-to-site VPN connections.

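As an added illustration (not the poster's or Cisco's own configuration) of the disjoint match criteria Philip describes: the DMVPN ISAKMP profile is selected by the peer's certificate, the remote-access profile by the client's group identity (the group PSK + XAUTH scheme the legacy Mac/iOS IPsec client uses), and the clients terminate on a virtual-template (DVTI) rather than a dynamic crypto map. The trustpoint URL, certificate OU, pool, group, user and password values are placeholders.

```cisco
! Constructed example (not the poster's or Cisco's configuration): a DMVPN spoke that
! also terminates legacy IPsec remote-access clients, keeping the IKEv1 match criteria
! disjoint. Names, pools and hostnames are placeholders.
! --- DMVPN: certificate authentication, profile selected by certificate subject ---
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.example.invalid:80
crypto pki certificate map DMVPN-MAP 10
 subject-name co ou = dmvpn
crypto isakmp policy 10
 encr aes 256
 authentication rsa-sig
 group 14
crypto isakmp profile DMVPN-PROF
 ca trust-point DMVPN-CA
 match certificate DMVPN-MAP
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-PROF
interface Tunnel0
 tunnel protection ipsec profile DMVPN-IPSEC
! (mGRE/NHRP settings on Tunnel0 stay as in the existing spoke configuration)
! --- Remote access: group PSK + XAUTH, profile selected by the client group ID ---
aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-GROUPAUTH local
username alice secret <placeholder-password>
ip local pool RA-POOL 10.99.0.10 10.99.0.250
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group RA-GROUP
 key <placeholder-group-key>
 pool RA-POOL
crypto isakmp profile RA-PROF
 match identity group RA-GROUP
 client authentication list RA-XAUTH
 isakmp authorization list RA-GROUPAUTH
 client configuration address respond
 virtual-template 2
crypto ipsec transform-set RA-TS esp-aes esp-sha-hmac
crypto ipsec profile RA-IPSEC
 set transform-set RA-TS
 set isakmp-profile RA-PROF
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA-IPSEC
```

Because neither profile uses a wildcard address match, a client's group identity can never be claimed by the DMVPN profile and a spoke's certificate can never fall into the XAUTH path, which is the phase 1 ambiguity the poster's debugs point at.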

2 Replies

Hi Philip,

Thanks for your input, and sorry I only rated it just now.

In the end we went with SSL VPN over Sophos at that customer, which was planned anyway in two months... so the problem is solved ^^

Kind regards,

Andreas
