08-12-2017 08:23 PM - edited 02-21-2020 09:24 PM
Dear Guys,
I have 03 routers running DMVPN (01 hub & 02 spokes).
Now on Spoke 2, I want to create an IPSec VPN to another router.
Is this possible?
Anyone please share your experience & config if possible.
Thank you in advance.
08-13-2017 02:46 AM
Yes, you can. You would need to create an sVTI on Spoke 2, e.g.:
interface Tunnel1
ip unnumbered Loopback1
tunnel source GigabitEthernet X/X
tunnel destination <OTHER ROUTER'S IP>
tunnel protection ipsec profile default
If you are using PSK, you'll need to define a PSK:
crypto isakmp key Cisco1234 address <OTHER ROUTER'S IP>
On the other router you'll create another sVTI, just with Spoke 2's public IP address as the destination.
You would either need to define a static route - pointing to the Tunnel interface (Tu1) or just run a routing protocol.
HTH
08-13-2017 03:00 PM
You can configure:
Normal site to site tunnel aka legacy crypto map.
sVTI as Rob mentioned.
Use ISAKMP profiles to keep it clean. You will match the identity of the peer and apply the profile under the crypto map or IPsec profile.
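The ISAKMP-profile approach from the last reply, sketched for the sVTI on Spoke 2 as an added example that is not part of the original thread. The names KR-S2S, ISAKMP-S2S, TS-S2S and IPSEC-S2S, the transform set and the `<PSK>` placeholder are assumptions; the interface and address placeholders are the ones used earlier in the thread.

```cisco
! Added example, not from the thread. All object names are hypothetical.
! The keyring scopes the pre-shared key to this one peer, so it stays
! separate from whatever key the existing DMVPN tunnel uses.
crypto keyring KR-S2S
 pre-shared-key address <OTHER ROUTER'S IP> key <PSK>
!
! The ISAKMP profile matches the peer by its identity (here its address)
! and ties that peer to the keyring above.
crypto isakmp profile ISAKMP-S2S
 keyring KR-S2S
 match identity address <OTHER ROUTER'S IP> 255.255.255.255
!
! Transform set chosen for illustration; it must match the other router.
crypto ipsec transform-set TS-S2S esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Dedicated IPsec profile for this tunnel instead of "default",
! with the ISAKMP profile applied under it.
crypto ipsec profile IPSEC-S2S
 set transform-set TS-S2S
 set isakmp-profile ISAKMP-S2S
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source GigabitEthernet X/X
 tunnel mode ipsec ipv4
 tunnel destination <OTHER ROUTER'S IP>
 tunnel protection ipsec profile IPSEC-S2S
```

After both sides are configured, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that the new peer negotiated under its own profile while the DMVPN tunnel stays up.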