cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
359
Views
5
Helpful
3
Replies

Create IPSEC on same Interface/Public IP as where DMVPN is working

Hassan Hameed
Beginner
Beginner

Dear Team,

 

As all of my sites are connected via DMVPN with HUB but now i need to move one site from DMVPN to IPSEC due to technology enhancement, So I need to know as my HUB router has single interface and one public IP address where DMVPN is working. Can I create IPSEC on same interface and public IP of my HUB router where DMVPN is working?

 

Thanks 

3 Replies 3

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/47541-dmvpn-ezvpn-isakmp.html

I think it can be done by using two IPSec 

one profile under DMVPN tunnel interface
other dynamic under interface "connect to ISP"

As i don't have any IPsec profile called on my dmvpn tunnel interface. So if I simply create ipsec profile/crypto map for my new site and call it on router same interface so according to your provided answer it will not make any problem right?

 

E.g.

For Other Sites

interface Tunnel0 
!--- No crypto map or IPsec profile called on this DMVPN Tunnel interface
tunnel source FastEthernet 0/0

For Site where DMVPN will be removed and only Ipsec will be used between cisco and some other brand firewall

interface FastEthernet0/0
crypto map dynmap !----- IPsec profile called on physical interface

 

I do Lab and test dynamic and DMVPN without IPSec it work good, BUT dmvpn without IPSec is risky.
also do lab from your side and check.
note:-
1-dynamic-map ipsec make only spoke initiate traffic toward spoke.
2- set peer for ipsec in spoke is config with public ip of Hub.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers