You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.
FlexVPN/DMVPN would solve this, but central IOS routers cost plenty of money and offer only a limited HA solution. You would need an HSEC license if you want to go above 85 Mbit/s and 225 tunnels. Also, firewall management via the CLI is a mess.
If you have dynamic IPs (e.g. with 4G) and don't want to go for certificates, you have to use PSK. The downside is that with the DefaultL2LGroup every peer has to use the same PSK. To avoid this, we create one IKEv2 tunnel group per client and set the ISAKMP identity on each client to the name of its tunnel group, so the ASA can select the group (and its own PSK) from the identity the client sends.
The ASA (esp. the 5515-X) is quite affordable and handles multiple tunnels with high throughput. It also offers really good HA with Active/Standby failover, including stateful IPsec failover. On the downside it doesn't support FlexVPN, so the config part on the routers is quite big.
On the client side we use 880 Branch Routers which support all needed features.
On the ASA we configure the following (only the crypto parts):
Specify the subnets:
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET
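As an added example (not configuration from the original post), this is one way to express the per-branch tunnel-group approach on both ends: each branch gets its own ASA tunnel group whose name equals the IKE identity the 880 sends, so each branch also gets its own PSK instead of sharing one through DefaultL2LGroup, and a compromised branch key does not affect the others. Values in angle brackets, the fqdn identity type, the policy/proposal names and the Dialer1 uplink are assumptions; the ASA reaches the dynamic-IP peers through a dynamic crypto map because their addresses are unknown in advance.

```cisco
! --- ASA side (added example; keys, names and addresses are placeholders) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto dynamic-map DYN-BRANCHES 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-BRANCHES
crypto map outside_map interface outside
tunnel-group BRANCH1 type ipsec-l2l
tunnel-group BRANCH1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <BRANCH1-PSK>
 ikev2 local-authentication pre-shared-key <BRANCH1-PSK>
tunnel-group BRANCH2 type ipsec-l2l
tunnel-group BRANCH2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <BRANCH2-PSK>
 ikev2 local-authentication pre-shared-key <BRANCH2-PSK>
! --- 880 router side (BRANCH1); <ASA-IP> is the ASA outside address ---
crypto ikev2 proposal AES256-SHA256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POLICY
 proposal AES256-SHA256
crypto ikev2 keyring ASA-KEYRING
 peer ASA
  address <ASA-IP>
  pre-shared-key local <BRANCH1-PSK>
  pre-shared-key remote <BRANCH1-PSK>
crypto ikev2 profile ASA-PROFILE
 match identity remote address <ASA-IP> 255.255.255.255
 identity local fqdn BRANCH1
 authentication local pre-share
 authentication remote pre-share
 keyring local ASA-KEYRING
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
ip access-list extended VPN-TRAFFIC
 permit ip <CLIENT-NET> <WILDCARD> <OUR-NET> <WILDCARD>
crypto map VPN-MAP 10 ipsec-isakmp
 set peer <ASA-IP>
 set transform-set ESP-AES256-SHA256
 set ikev2-profile ASA-PROFILE
 match address VPN-TRAFFIC
! Apply the map to the WAN-facing interface carrying the 4G uplink (assumed Dialer1)
interface Dialer1
 crypto map VPN-MAP
```

The `identity local fqdn BRANCH1` line is what makes the ASA pick tunnel-group BRANCH1 rather than DefaultL2LGroup, so the tunnel-group name and the router identity must match exactly; `show crypto ikev2 sa` on either side confirms which identity was negotiated.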