Best Virtual Tunnel Concentrator Device?

CiscoPurpleBelt
Level 6

Wondering what anyone could recommend if you needed a virtual/VM appliance like a CSR1000v or something that you really only want to configure as an IPSEC hub device. Looking for some help.

Hi,
As you suggested, I'd go with a CSR1000v. IOS/IOS-XE supports more types of IPSec VPN than an ASA does, which in turn supports more than an FTD (currently). Cisco considers crypto maps legacy and recommends using VTIs; routers support the widest range of VPN topologies.

ASA only supports a static VTI and crypto maps, and the FTD only supports crypto maps; static VTIs are coming in FTD 6.7.
IOS/IOS-XE routers support Crypto Map, GETVPN, DMVPN and FlexVPN (Dynamic and Static VTI).

However, if you want a Remote Access SSL-VPN solution, then an ASA or FTD is probably a better choice than an IOS/IOS-XE router.

HTH

Great thanks! What about if you decided to go with a physical device? What comes to mind?

Hi,
It depends on the number of tunnels to be supported and the required IPSec throughput.
Determine your requirements and then spec from there, but you could use the ISR 1000 or 4000 series routers or for a large deployment ASR 1000 routers.

HTH

Right, I would say the device must be able to support a couple hundred plus tunnels at least.