
Encrypted GRE tunnels migration to VTI hub and spoke

hi,

 

I have to migrate a spoke-to-hub GRE tunnel based network to IKEv2 VTI tunnels. Right now I am using GRE tunnels, and in the crypto map I have GRE traffic as the criterion for encryption. Since I cannot have a crypto map on the physical interface and IPsec protection profiles on the hub at the same time, I need some kind of hybrid model on the hub side so I can migrate in steps. I've found this document that describes the migration, but not the GRE tunnel scenario:

 

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html

 

any ideas?

 

br

 

 

5 Replies

@DraganSkundric87318 how many VPNs do you have to migrate? Are you able to migrate all the VPNs at the same time?

Well, a few hundred ... so I am investigating some kind of partial/hybrid solution. All at once is the last option. So far the idea is to make a new loopback interface on the hub that would be the source for the new VTIs. That way I could do a not-all-at-once migration: prepare new tunnels on the hub with the loopback as source, change the tunnel config on the spoke, and voila. I have to test this.

@DraganSkundric87318 OK understood, not a simple migration. Yes, a loopback might be feasible, I've not tested it myself though. Please test and provide feedback on whether it's viable.

 

Do you have spare hardware you can set up as a new hub? That would be cleaner, with less chance of an issue.

hi,

 

Just to update ... the new setup with IKEv2 VTI and the old setup with IKEv1 crypto map work OK on the same interface on the hub. No need to use a loopback as the new source interface. In my present setup the crypto map handles GRE traffic, and since VTIs are not GRE they are not handled by the crypto map, and so far it looks OK. I can have the old and new setups in parallel and migrate in steps.

 

br
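
The coexistence reported in the last reply, sketched as a hub-side IOS configuration. This is an added example, not configuration posted in the thread or taken from the linked Cisco document. It assumes one static VTI per migrated spoke; all names, the documentation-range addresses and the `<...>` key placeholders are constructed for illustration.

```cisco
! --- Legacy side: IKEv1 crypto map that encrypts only GRE (constructed values) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <LEGACY-PSK> address 198.51.100.10
crypto ipsec transform-set TS-LEGACY esp-aes 256 esp-sha256-hmac
 mode transport
ip access-list extended ACL-GRE-SPOKE1
 permit gre host 203.0.113.1 host 198.51.100.10
crypto map CM-LEGACY 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-LEGACY
 match address ACL-GRE-SPOKE1
interface Tunnel10
 description not-yet-migrated spoke (GRE, protected by crypto map)
 ip address 10.255.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
! --- New side: IKEv2 static VTI on the same physical interface ---
crypto ikev2 keyring KR-VTI
 peer SPOKE2
  address 198.51.100.20
  pre-shared-key <VTI-PSK>
crypto ikev2 profile PROF-IKEV2-VTI
 match identity remote address 198.51.100.20 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-VTI
crypto ipsec profile PROF-IPSEC-VTI
 set ikev2-profile PROF-IKEV2-VTI
interface Tunnel20
 description migrated spoke (VTI, no GRE header, not matched by ACL-GRE-SPOKE1)
 ip address 10.255.20.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.20
 tunnel protection ipsec profile PROF-IPSEC-VTI
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-LEGACY
```

During a phased migration, `show crypto isakmp sa` and `show crypto ikev2 sa` list the legacy and migrated peers separately, which makes it easy to confirm that each spoke is on exactly one of the two paths.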