You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.
FlexVPN or DMVPN would solve this, but central IOS routers are expensive and offer only a limited HA solution. On top of that you need an HSEC (HSECK9) license as soon as you want more than the export-restricted 85 Mbit/s of encrypted throughput and 225 tunnels, and managing firewall policy on a router via the CLI is a mess.
If the branches have dynamic IPs (e.g. 4G) and you don't want to run a PKI for certificates, you have to use PSKs. The catch is that the ASA picks the tunnel group for an L2L peer by its IKE identity: a peer that identifies itself by an unknown, dynamic IP address lands in DefaultL2LGroup, so every site would have to share the same PSK. To avoid this, we create one IKEv2 tunnel group per site and set the IKEv2 identity (key-id) on each client router to the name of its tunnel group, so each site gets its own PSK.
The ASA (especially the 5515-X) is quite affordable and handles many tunnels with high throughput. It also offers really good HA with Active/Standby failover, including stateful IPsec failover. On the downside it doesn't support FlexVPN, so the config on the routers is quite long (crypto maps instead of a FlexVPN profile).
On the client side we use Cisco 880 branch routers, which support all the features we need.
On the ASA we configure the following (crypto parts only):
Specify the subnets:
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET
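As an added example that is not the original post's configuration (hostnames, addresses, subnets, object names other than OUR-NET/CLIENT-NET, and all keys are placeholders I made up), here is the hub side with the shared-key DefaultL2LGroup setting shown next to the per-site tunnel groups described above, plus the matching crypto-map configuration for one 880 branch router that presents its tunnel-group name as IKEv2 key-id:

```text
! ---- ASA side (hub, static public IP assumed: 203.0.113.1) ----
! Constructed example: site names, subnets and keys are placeholders.

! IKEv2 and IPsec parameters (AES-256 / SHA-256 / DH group 14)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Per-site proxy ACLs (OUR-NET / CLIENT-NET as in the post, CLIENT-NET-02 added)
object network OUR-NET
 subnet 10.0.0.0 255.255.255.0
object network CLIENT-NET
 subnet 192.168.1.0 255.255.255.0
object network CLIENT-NET-02
 subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET
access-list outside_cryptomap_02 extended permit ip object OUR-NET object CLIENT-NET-02

! Peers have dynamic IPs, so a dynamic crypto map is used; the proxy IDs the
! authenticated peer proposes select the matching dynamic-map entry
crypto dynamic-map DYN-MAP 10 match address outside_cryptomap
crypto dynamic-map DYN-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto dynamic-map DYN-MAP 20 match address outside_cryptomap_02
crypto dynamic-map DYN-MAP 20 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-MAP
crypto map outside_map interface outside

! WEAK (what you end up with without per-site groups): every unknown peer
! falls into DefaultL2LGroup, so one PSK is shared by all sites. Leave this
! group WITHOUT a PSK when using the per-site groups below.
! tunnel-group DefaultL2LGroup ipsec-attributes
!  ikev2 remote-authentication pre-shared-key SharedByEveryone
!  ikev2 local-authentication pre-shared-key SharedByEveryone

! BETTER: one tunnel group per site. The group name must equal the key-id the
! branch router sends as its IKEv2 identity; each site gets its own key pair.
tunnel-group BRANCH-01 type ipsec-l2l
tunnel-group BRANCH-01 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Site01-RemoteKey-ChangeMe
 ikev2 local-authentication pre-shared-key Site01-LocalKey-ChangeMe
tunnel-group BRANCH-02 type ipsec-l2l
tunnel-group BRANCH-02 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Site02-RemoteKey-ChangeMe
 ikev2 local-authentication pre-shared-key Site02-LocalKey-ChangeMe

! ---- IOS side (Cisco 880 at BRANCH-01, dynamic WAN IP on Dialer1) ----
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-AES256
 proposal PROP-AES256

crypto ikev2 keyring KR-HUB
 peer HUB
  address 203.0.113.1
  ! 'local' must equal the ASA's remote-authentication key and vice versa
  pre-shared-key local Site01-RemoteKey-ChangeMe
  pre-shared-key remote Site01-LocalKey-ChangeMe

crypto ikev2 profile PROF-HUB
 ! the hub has a fixed IP, so match it by address; we identify by key-id
 match identity remote address 203.0.113.1 255.255.255.255
 identity local key-id BRANCH-01
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-HUB

crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended CRYPTO-ACL
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map CM-HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 set ikev2-profile PROF-HUB
 match address CRYPTO-ACL
interface Dialer1
 crypto map CM-HUB
```

Check the result with `show crypto ikev2 sa` on both sides; the ASA output should list the peer under tunnel group BRANCH-01, not DefaultL2LGroup. The key-id itself is not a secret (it is sent in IKE_AUTH, which is encrypted but not yet authenticated), so the security of each site rests entirely on its own PSK: use long random keys, one pair per site, and keep DefaultL2LGroup without a key so a router presenting an unknown key-id cannot authenticate at all.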