Licensing Requirements and Limitations for DSVPN

Involved Network Elements

None

License Requirements

DSVPN is a basic feature of a device and is not under license control.

Version Requirements

Feature Limitations

• In a dual-node hot standby scenario, DSVPN cannot ensure uninterrupted services though it can be used. This is because NHRP does not perform hot backup of entries between dual nodes. That is, tunnel backup is not performed. The method of using DSVPN in this scenario is similar to that in a dual-hub scenario.

  If IPSec protection is added to DSVPN, the Spoke needs to perform NHRP registration with the standby Hub again during an active/standby Hub switchover. This is because IPSec supports dual-node hot standby by default and does not detect the disconnection of an IPSec tunnel during an active/standby Hub switchover. This results in a failure to instruct the Spoke to perform NHRP registration again in real time, causing services to be interrupted for a long time. To solve this problem, configure the alone parameter when applying an IPSec policy to an interface.

• DSVPN cannot be used with virtual systems.
• When the DSVPN-enabled device connects to a third-party device, learning of DSVPN network device identity and ESN and route injection need to be disabled.
• When IPSec tunnels are deployed on the DSVPN network, rapidly updating the NHRP mapping table will cause IKE re-negotiation and may even interrupt services. Do not update the NHRP mapping table frequently.

• When DSVPN is deployed in hierarchical Hub networking, branches can learn routes from each other in shortcut mode only.

• When you deploy IPSec on a DSVPN network, the IPSec encapsulation mode can only be transport if two branches are connected to different NAT devices or the headquarters is connected to a NAT device.
• NAT traversal cannot be implemented on a DSVPN network if two Spokes use the same NAT device and their original addresses are translated to the same public network address.
• NAT traversal cannot be implemented if two Spokes are behind different NAT devices, and Port Address Translation (PAT) is enabled on the NAT device.
• The MEth interface does not support DSVPN.
• The NAT device must be configured with an NAT server. NAT traversal cannot be implemented if source NAT PAT is configured on the NAT device.
• DSVPN does not allow multiple mGRE interfaces to be configured with the same source address and source interface.
• The source IP address of an mGRE interface cannot be configured as a VRRP virtual IP address.
• If the source IP interface of an mGRE interface has been configured with a real IP address and a VRRP virtual IP address, only the real IP address of the interface can be used.