You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.
FlexVPN/DMVPN would solve this, but central IOS routers are expensive and offer only a limited HA solution. You would need an HSEC license if you want to go over 85Mbit and 225 tunnels. Firewall management via CLI is also a mess.
If you have dynamic IPs (e.g. with 4G) and don't want to use certificates, you have to use PSKs. The downside is that peers with unknown addresses fall into DefaultL2LGroup, so every PSK has to be the same. To avoid this, we create IKEv2 tunnel groups and set the ISAKMP ID on the clients to the name of the tunnel group.
The ASA (esp. 5515-X) is quite affordable and handles multiple tunnels with high throughput. It also offers really good HA with Active/Standby failover, including stateful IPsec failover. On the downside, it doesn't support FlexVPN, so the config part on the routers is quite big.
On the client side we use 880 branch routers, which support all needed features.
On the ASA we configure the following (only crypto parts):
Specify the subnets:
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET
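The tunnel-group and identity pairing described above, shown for two branches as an added example (it is not the author's configuration and covers only the authentication part). The branch names, the key-id identity type, the hub address 203.0.113.10 and the `<PSK-...>` placeholders are assumptions.

```cisco
! ASA (hub): one tunnel group per branch, each with its own PSK.
! The group name must equal the IKE identity the branch router sends.
tunnel-group BRANCH01 type ipsec-l2l
tunnel-group BRANCH01 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-BRANCH01>
 ikev2 local-authentication pre-shared-key <PSK-BRANCH01>
!
tunnel-group BRANCH02 type ipsec-l2l
tunnel-group BRANCH02 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-BRANCH02>
 ikev2 local-authentication pre-shared-key <PSK-BRANCH02>
!
! 880 router at BRANCH01 (IOS): the hub has a fixed address
! (203.0.113.10 is a constructed documentation address), the branch does not.
crypto ikev2 keyring KR-HUB
 peer ASA-HUB
  address 203.0.113.10
  pre-shared-key local <PSK-BRANCH01>
  pre-shared-key remote <PSK-BRANCH01>
!
crypto ikev2 profile PROF-HUB
 match identity remote address 203.0.113.10 255.255.255.255
 ! Send the tunnel group name as the local identity so the ASA
 ! selects BRANCH01 instead of falling back to DefaultL2LGroup.
 identity local key-id BRANCH01
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-HUB
```

With one PSK per tunnel group, a lost or compromised branch router is handled by removing or re-keying its own group, without touching the other sites. On the ASA, `show vpn-sessiondb l2l` lists each session's connection name, which makes a branch that landed in DefaultL2LGroup easy to spot.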