Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
711
Views
0
Helpful
4
Replies

migrate from static ipsec connections to GRE IPsec connections

bymc
Level 1
Level 1

‎12-21-2015 10:47 AM - edited ‎02-21-2020 08:35 PM

I am working on transitioning from static IPSEC connections  to GRE with IPSEC connections

we are also working to replace a 2821 router At our to be implemented DMVPN HUB site with an ASR1000 type router. The ASR does not support ted transform-set which we are presently using.

is there a way to not encrypt the traffic between specific router to router connections while encrypting all other router to router connections.

I am trying to come up with a transition plan that will not take any sites offline to transition from static connections to DMVPN tunneling.

Byron

Labels:
0 Helpful
4 Replies 4

Philip D'Ath
VIP Alumni
VIP Alumni

‎12-21-2015 11:06 AM

Use two DMVPN tunnels - one for encrypted traffic, and one not using encrypted traffic (for example, Tunnel10 and Tunnel100).  Only apply the "tunnel ipsec profile" command to the tunnel that needs encryption.

Make sure you use different tunnel keys on each tunnel to help the router tell them apart.

0 Helpful

bymc
Level 1
Level 1
In response to Philip D'Ath

‎12-21-2015 12:24 PM

The problem is the new hub router (ASR1000) does not support the IPSEC transform-set used on the routers in use now.

I was wondering if there is a way to not use encryption between the new ASR router and the legacy routers only using the present IPsec route-map ACL .

I do not have the option of removing  IPSEC  encryption from the present routers outside interface.

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to bymc

‎12-21-2015 12:33 PM

Can you install both the old and new routers at the same time and migrate the tunnels across?

Failing that, you are going to have to migrate to a supported transform set first.  On the head end you can do something like:

crypto ipsec profile spokes
  set transform-set <original transform> <new transform>

Or if you are using crypto maps:

crypto map cm-cryptomap 110 ipsec-isakmp

  set transform-set <original transform> <new transform>

So list both the old and new transforms.  This allows clients to negotiate the use of either.  Then start updating all the spokes to use the new transform.  Once they are all updated, put the new ASR in.

0 Helpful

bymc
Level 1
Level 1
In response to Philip D'Ath

‎12-21-2015 12:59 PM

I can try and migrate to a supported transform set first

I will try it in a test bed and let you know how it goes.

but this idea sound very doable.

Thanks

Byron

0 Helpful
Customers Also Viewed These Support Documents