Hi
We are currently running a bunch of DMVPNs (currently using PSK) into one of our DCs. This DC is about to close and we are migrating the DMVPNs over to our newer DC.
The problem I have is that in the new DC the head end is a 4000 series router and the site connecting is an old hat 877.
On the newer head end we use certs and 512 IPsec algorithm:
crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha512-hmac
 mode transport
But the 877 does not support this, the max it will do is:
crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha-hmac
So the question: can I add esp-sha-hmac on to the end of my head end transform set so in theory it would look like the following:
crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha512-hmac esp-sha-hmac
and hopefully would allow the VPN to establish for routers using esp-sha512-hmac & esp-sha-hmac
In my head I should be able to do this as the inline help looks like it gives me that option, but I've never implemented it before and I'm concerned it may drop all the other DMVPNs should I do this. We will be replacing the 877 with a newer model, but with the DC closing at the end of August, needs must and we have to move as it is, and I want a catch-all policy in case there are other routers with the same issue.
Many Thanks
Paul C