03-05-2004 03:59 PM
I have a hub-and-spoke environment using PIXes as VPN tunnel endpoints where I would be adding spokes dynamically. I cannot afford any downtime for the existing VPN tunnels. With LAN-to-LAN, whenever I add new sites I have to reapply the crypto map on the interface, which will bring all my tunnels down.
I was thinking of using EzVPN in network extension mode to overcome this problem.
When I add sites dynamically, all I have to do is add a new vpngroup with split tunnelling. I don't think I have to remove the crypto map on the interface and reapply it. Can anyone confirm?
03-08-2004 12:54 PM
EasyVPN is a perfect solution, but only if you have one subnet per site. I have implemented a PIX EasyVPN solution with about 30 PIXes running 6.2.x (spokes). One in the center.
Possible problems:
EasyVPN can announce only one protected subnet, for dynamic crypto maps.
The central PIX does not allow spoke-to-spoke traffic to be routed through the central PIX EasyVPN server. This is a PIX restriction by design. So I placed an IOS router in the center.
Half a year - no calls from the customer.
03-09-2004 01:37 PM
edited post..........
I think EzVPN is the best solution under your circumstances.
"I have a hub-and-spoke environment using PIXes as VPN tunnel endpoints where I would be adding spokes dynamically"
I was going to suggest using Dynamic Multipoint VPN, but I reread your post (you are running PIXes as tunnel endpoints).