01-16-2022 09:10 PM
Dear Team,
All of my sites are connected via DMVPN to the hub, but now I need to move one site from DMVPN to IPsec due to a technology enhancement. My hub router has a single interface and one public IP address, where DMVPN is working. Can I create IPsec on the same interface and public IP of my hub router where DMVPN is working?
Thanks
01-17-2022 12:56 AM
I think it can be done by using two IPsec:
one profile under the DMVPN tunnel interface,
the other dynamic, under the interface "connect to ISP".
01-17-2022 05:02 AM
I don't have any IPsec profile called on my DMVPN tunnel interface. So if I simply create an IPsec profile/crypto map for my new site and call it on the same router interface, then according to your answer it will not cause any problem, right?
E.g.
For other sites:
interface Tunnel0
 !--- No crypto map or IPsec profile called on this DMVPN tunnel interface
 tunnel source FastEthernet0/0
For the site where DMVPN will be removed and only IPsec will be used between Cisco and some other brand of firewall:
interface FastEthernet0/0
 crypto map dynmap
 !--- IPsec profile called on physical interface
01-17-2022 07:07 AM
I did a lab and tested dynamic and DMVPN without IPsec and it works well, BUT DMVPN without IPsec is risky.
Also do a lab on your side and check.
Note:
1- A dynamic-map IPsec makes only the spoke initiate traffic toward the spoke.
2- The set peer for IPsec on the spoke is configured with the public IP of the hub.
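A hub-side sketch of the layout discussed in this thread, added here as an example and not taken from any poster's configuration: an IPsec profile protects the DMVPN tunnel while a dynamic crypto map on the same physical interface serves the third-party firewall site. All names (PROF-DMVPN, TS-DMVPN, TS-FW, DYN-FW, CMAP-OUTSIDE), the address 198.51.100.10 and the key placeholders are assumptions; it also assumes the firewall has a fixed public address and that every DMVPN spoke gets the matching tunnel protection.

```cisco
! Constructed example: names, addresses and keys are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Per-peer key for the firewall site; the wildcard key is used only by DMVPN spokes.
crypto isakmp key <FW_PSK> address 198.51.100.10
crypto isakmp key <DMVPN_PSK> address 0.0.0.0 0.0.0.0
!
! Transport mode for GRE-over-IPsec (DMVPN), tunnel mode for the firewall peer.
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS-FW esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! IPsec profile bound to the DMVPN tunnel interface.
crypto ipsec profile PROF-DMVPN
 set transform-set TS-DMVPN
!
! Dynamic map: the hub only responds, so the firewall side must initiate.
crypto dynamic-map DYN-FW 10
 set transform-set TS-FW
!
crypto map CMAP-OUTSIDE 65000 ipsec-isakmp dynamic DYN-FW
!
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROF-DMVPN
!
interface FastEthernet0/0
 crypto map CMAP-OUTSIDE
```

After applying, `show crypto isakmp sa` and `show crypto ipsec sa` on the hub should list separate security associations for the DMVPN spokes and for the firewall peer.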