You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.
FlexVPN/DMVPN would solve this, but central IOS routers are expensive and offer only a limited HA solution. You would need an HSEC license if you want to go over 85 Mbit and 225 tunnels. Firewall management via CLI is also a mess.
If you have dynamic IPs (e.g. with 4G) and don't want to use certificates, you have to use PSKs. The downside is that every peer then has to use the same PSK, configured on DefaultL2LGroup. To avoid this, we create IKEv2 tunnel groups and set the ISAKMP ID on the clients to the name of the tunnel group.
The ASA (esp. the 5515-X) is quite affordable and handles multiple tunnels with high throughput. It also offers really good HA with Active/Standby failover, including stateful IPsec failover. On the downside, it doesn't support FlexVPN, so the configuration on the routers is quite large.
On the client side we use 880 branch routers, which support all the needed features.
On the ASA we configure the following (crypto parts only):
Specify the subnets:
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET
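The per-peer PSK idea described above, as an added configuration sketch (not the original author's configuration). The tunnel-group name BRANCH01, the keyring and profile names, the hub address 203.0.113.1 (documentation range) and the key placeholders are assumptions, as is the use of `key-id` as the identity type the router sends.

```cisco
! --- ASA (hub), weak variant: one PSK shared by every dynamic-IP peer ---
! (shown commented out for comparison only)
! tunnel-group DefaultL2LGroup ipsec-attributes
!  ikev2 remote-authentication pre-shared-key <SHARED-PSK>
!  ikev2 local-authentication pre-shared-key <SHARED-PSK>
!
! --- ASA (hub): one named tunnel group per branch, each with its own PSK ---
tunnel-group BRANCH01 type ipsec-l2l
tunnel-group BRANCH01 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <BRANCH01-PSK>
 ikev2 local-authentication pre-shared-key <BRANCH01-PSK>
!
! --- IOS branch router: present the tunnel-group name as the IKEv2 identity ---
crypto ikev2 keyring HUB-KEYRING
 peer ASA-HUB
  address 203.0.113.1
  pre-shared-key local <BRANCH01-PSK>
  pre-shared-key remote <BRANCH01-PSK>
!
crypto ikev2 profile HUB-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 ! identity string must equal the tunnel-group name on the ASA
 identity local key-id BRANCH01
 authentication local pre-share
 authentication remote pre-share
 keyring local HUB-KEYRING
```

With one tunnel group per branch, a leaked or retired branch key can be rotated or removed on the ASA without touching the other sites.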
Got redirected here from ISE-PM forum.
Do we have any information/documentation on what ISE versions are compatible with the newly released software versions: iOS 13.x and Android 10.x?
Any input will be highly appreciated.