So I inherited an IPsec DMVPN config from the previous person in my position, and it has a different configuration from what I'm used to seeing. However, I'm far from that experienced at configuring IPsec on routers.
The config that I usually see, and that seems to be best practice, would look something like:
--------------------------------------------
crypto isakmp policy 1
 authentication pre-share
 encryption aes 256
 hash sha256
crypto isakmp key ciscokey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
------------------------------------------------
Now the config that I inherited is more like this
-----------------------------------------------------------------
crypto ikev2 keyring KEYRING
 peer Next-Hop
  identity address 0.0.0.0
  pre-shared-key local 6 c\DQCHU]PDbPXEYVXJKFDJSLF9808FDLLJL
  pre-shared-key remote 6 ]NPfeGHHfZEVT^BA]_O[hQhFD435464FGFGF
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 dpd 30 5 periodic
!
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN-21
 set transform-set TRANSFORM
 set ikev2-profile IKEV2-PROFILE
-----------------------------------------------------------------
I don't see any Cisco guides exactly suggesting going with the way we have it, and I'm not really sure what the pros and cons of each are. Does anyone have any ideas, or can anyone point me in the right direction?
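As an added example (not part of the original post and not a Cisco tool), here is a small Python audit script that parses IOS-style crypto config fragments like the two above and flags the settings a reviewer would question first: DES/3DES and MD5/SHA-1 in an ISAKMP policy or transform set, a pre-shared key stored without type 6 encryption, and a wildcard peer address (0.0.0.0) on the IKEv1 key, the IKEv2 keyring, or the IKEv2 profile. The two embedded samples are constructed from the post's fragments, re-indented the way IOS prints them, trimmed to the blocks that matter, and with the type 6 ciphertext replaced by a placeholder; the weak-algorithm lists and the finding wording are this script's own assumptions.

```python
"""Audit Cisco IOS IKE/IPsec config fragments for settings worth questioning.

Added example: the parser and the weak-algorithm lists below are this
script's own assumptions, not IOS behaviour.
"""

# Tokens a reviewer would flag in 'encryption', 'hash' or a transform-set.
# In IOS syntax the bare token "sha" means SHA-1.
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"md5", "sha", "esp-md5-hmac", "esp-sha-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_blocks(config):
    """Split IOS-style text into (header, [sub-commands]) tuples.

    Sub-commands are recognised by leading indentation, as IOS prints them;
    nested levels (keyring -> peer -> identity) all attach to the top block.
    '!' separators and blank lines are skipped.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of (block header, finding) pairs for one config text."""
    findings = []
    for header, subs in parse_blocks(config):
        hl, words = header.lower(), header.split()
        if hl.startswith("crypto isakmp policy"):
            for sub in subs:
                tok = sub.lower().split()
                if tok[0] == "encryption" and tok[1] in WEAK_CIPHERS:
                    findings.append((header, f"weak IKEv1 cipher {tok[1]}"))
                elif tok[0] == "hash" and tok[1] in WEAK_HASHES:
                    findings.append((header, f"weak IKEv1 hash {tok[1]}"))
                elif tok[0] == "group" and tok[1] in WEAK_DH_GROUPS:
                    findings.append((header, f"weak DH group {tok[1]}"))
        elif hl.startswith("crypto isakmp key"):
            # crypto isakmp key [0|6] <key> address <peer> [mask]
            if words[3] not in ("0", "6"):
                findings.append((header, "IKEv1 PSK stored in plaintext"))
            if hl.endswith("address 0.0.0.0 0.0.0.0"):
                findings.append((header, "IKEv1 PSK accepted from any peer address"))
        elif hl.startswith("crypto ipsec transform-set"):
            for alg in (w.lower() for w in words[4:]):  # tokens after the set name
                if alg in WEAK_CIPHERS:
                    findings.append((header, f"weak ESP cipher {alg}"))
                elif alg in WEAK_HASHES:
                    findings.append((header, f"weak ESP integrity {alg}"))
        elif hl.startswith("crypto ikev2 keyring"):
            for sub in subs:
                tok = sub.split()
                if tok[0] in ("identity", "address") and "0.0.0.0" in tok[1:3]:
                    findings.append((header, "IKEv2 peer matches any address"))
                elif tok[0] == "pre-shared-key":
                    # pre-shared-key [local|remote] [0|6] <key>
                    encrypted = tok[1] == "6" or (
                        tok[1] in ("local", "remote") and len(tok) > 3 and tok[2] == "6")
                    if not encrypted:
                        findings.append((header, "IKEv2 PSK stored in plaintext"))
        elif hl.startswith("crypto ikev2 profile"):
            for sub in subs:
                if sub.lower().startswith("match identity remote address 0.0.0.0"):
                    findings.append((header, "IKEv2 profile accepts any remote identity address"))
    return findings


# Constructed samples: the post's two fragments, re-indented and trimmed to
# the blocks that matter; the type 6 ciphertext is replaced by a placeholder.
LEGACY_IKEV1 = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes 256
 hash sha256
crypto isakmp key ciscokey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
"""

INHERITED_IKEV2 = """\
crypto ikev2 keyring KEYRING
 peer Next-Hop
  identity address 0.0.0.0
  pre-shared-key local 6 TYPE6-CIPHERTEXT
  pre-shared-key remote 6 TYPE6-CIPHERTEXT
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 0.0.0.0
 keyring local KEYRING
!
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
"""

if __name__ == "__main__":
    for name, cfg in (("legacy IKEv1", LEGACY_IKEV1), ("inherited IKEv2", INHERITED_IKEV2)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for header, msg in audit(cfg):
            print(f"  [{header}] {msg}")
```

Run against the two samples, the "best practice" fragment produces four findings (plaintext wildcard PSK, esp-des, esp-md5-hmac) while the inherited IKEv2 fragment produces only the two wildcard-peer findings, which is the comparison the question is asking about: the inherited config has the stronger ESP algorithms and an encrypted PSK, and both share the same any-peer matching that a DMVPN hub typically relies on.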