You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.
FlexVPN/DMVPN would solve this, but central IOS routers cost plenty of money and offer only a limited HA solution. You would also need an HSEC license if you want to go above 85 Mbit/s and 225 tunnels. Firewall management via CLI is a mess as well.
If you have dynamic IPs (e.g. with 4G) and don't want to go for certificates, you have to use PSKs. The downside is that peers connecting from unknown addresses land in DefaultL2LGroup, so every branch would have to share the same PSK. To avoid this, we create one IKEv2 tunnel group per branch and set the isakmp ID (the IKE identity) on each client to the name of its tunnel group, so the ASA selects that group and uses its individual PSK.
The ASA (especially the 5515-X) is quite affordable and handles many tunnels with high throughput. It also offers really good HA with Active/Standby failover, including stateful IPsec failover. On the downside it doesn't support FlexVPN, so the config part on the routers is quite big.
On the client side we use Cisco 880 branch routers, which support all the needed features.
On the ASA we configure the following (crypto parts only).
Specify the subnets:
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET