11-21-2024 09:05 AM
Hi,
We have a running DMVPN hub-spoke environment with cert-based authentication of the routers. So far, so good. Now some of the branch office routers are also configured for CUBE functionality, and for that to work we needed to install a publicly signed machine certificate. However, until then DMVPN used an internally signed cert, but now with 2 certificates and trustpoints, DMVPN always tries to authenticate to other spokes with the publicly signed cert and then DMVPN fails.
Is there a configuration that tells the DMVPN setup to use a specific cert when it tries to establish a VPN to another spoke?
We tried using a cert map and match criteria in the isakmp profile, but that did not work. It looks like this is only used for incoming cert requests.
crypto isakmp profile DMVPN
ca trust-point issuing
ca trust-point root
match certificate certmap
crypto ipsec profile ipsec-profile-dmvpn
set isakmp-profile DMVPN
crypto pki certificate map certmap 10
issuer-name co ABC
11-21-2024 09:16 AM
11-21-2024 09:25 AM
Thanks for sharing your idea on this question. Unfortunately this example does not seem to be helpful. We configured DMVPN that way and it is working, until you have more than 1 available certificate on your router. In our case it picks the wrong cert all the time.
11-21-2024 09:30 AM
multi cert. in the Spokes or Hub ?
MHM
11-21-2024 10:05 AM
what do you mean by "multi cert"?
11-21-2024 10:59 PM
Hi Friend
The steps must be done in the order below (this is from the link I shared above).
The steps in brief: you need to use identity DN for authentication, use an isakmp profile with a match on the cert map, and under this profile use the CA trust-point; finally, use the isakmp profile in the ipsec profile.
BLDG42-RTR-VPN-01(config)#crypto pki certificate map CP-CERT-MAP 10
BLDG42-RTR-VPN-01(ca-certificate-map)# issuer-name eq CN=BLDG42-RTR-VPN-01.company.com O=COMPANY L=City ST=State C=US
BLDG42-RTR-VPN-01(config)#crypto isakmp policy 10
BLDG42-RTR-VPN-01(config-isakmp)# encr aes 256
BLDG42-RTR-VPN-01(config-isakmp)# hash sha256
BLDG42-RTR-VPN-01(config-isakmp)# group 14
BLDG42-RTR-VPN-01(config-isakmp)# lifetime 28800
BLDG42-RTR-VPN-01(config-isakmp)#crypto isakmp identity dn
BLDG42-RTR-VPN-01(config)#crypto isakmp profile cradlepoint-cert
BLDG42-RTR-VPN-01(conf-isa-prof)#ca trust-point CRADLEPOINTVPN.COMPANY.COM
BLDG42-RTR-VPN-01(conf-isa-prof)#match certificate CP-CERT-MAP
BLDG42-RTR-VPN-01(conf-isa-prof)#!
BLDG42-RTR-VPN-01(conf-isa-prof)#!
BLDG42-RTR-VPN-01(conf-isa-prof)#crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha256-hmac
BLDG42-RTR-VPN-01(cfg-crypto-trans)# mode tunnel
BLDG42-RTR-VPN-01(cfg-crypto-trans)#!
BLDG42-RTR-VPN-01(cfg-crypto-trans)#crypto ipsec profile DMVPN
BLDG42-RTR-VPN-01(ipsec-profile)# set transform-set ESP-AES-256-SHA
BLDG42-RTR-VPN-01(ipsec-profile)# set isakmp-profile cradlepoint-cert
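A configuration check for the pattern laid out in the reply above (identity dn, an isakmp profile carrying ca trust-point and match certificate, referenced from the ipsec profile), added here as an example and not code from the thread or from Cisco; it assumes a running-config text with one-space indentation for sub-commands, and the trustpoint, map and profile names in the sample are constructed.

```python
from collections import defaultdict

def parse_sections(cfg: str) -> dict:
    """Map each top-level IOS line to its sub-commands (assumes one-space indentation)."""
    sections, current = defaultdict(list), None
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            _ = sections[current]  # register a header even when it has no sub-commands
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def check_dmvpn_cert_pinning(cfg: str) -> list:
    s = parse_sections(cfg)
    trustpoints = sorted(h.split()[-1] for h in s if h.startswith("crypto pki trustpoint "))
    isakmp = {h.split()[-1]: s[h] for h in s if h.startswith("crypto isakmp profile ")}
    ipsec = {h.split()[-1]: s[h] for h in s if h.startswith("crypto ipsec profile ")}
    findings = [] if "crypto isakmp identity dn" in s else ["global: 'crypto isakmp identity dn' is missing"]
    for name, lines in ipsec.items():
        refs = [l.split()[-1] for l in lines if l.startswith("set isakmp-profile ")]
        if not refs:
            findings.append(f"ipsec profile {name}: no 'set isakmp-profile'")
        for ref in refs:
            if ref not in isakmp:
                findings.append(f"ipsec profile {name}: isakmp profile {ref} is not defined")
                continue
            tps = [l for l in isakmp[ref] if l.startswith("ca trust-point ")]
            maps = [l for l in isakmp[ref] if l.startswith("match certificate ")]
            if not tps:  # nothing restricts which of the router's certificates IKE may use
                findings.append(f"isakmp profile {ref}: no 'ca trust-point'; any of {trustpoints} may be used")
            if not maps:
                findings.append(f"isakmp profile {ref}: no 'match certificate'")
    return findings

# Constructed sample: an internal DMVPN trustpoint next to a public CUBE one, profile pinned to the internal.
GOOD_CFG = """\
crypto pki trustpoint INTERNAL-ISSUING
crypto pki trustpoint PUBLIC-CUBE
crypto pki certificate map DMVPN-MAP 10
 issuer-name co internal-ca
crypto isakmp identity dn
crypto isakmp profile DMVPN
 ca trust-point INTERNAL-ISSUING
 match certificate DMVPN-MAP
crypto ipsec profile ipsec-profile-dmvpn
 set isakmp-profile DMVPN
"""
```

Running `check_dmvpn_cert_pinning` over a router's `show running-config` output lists which of the recipe's pieces are absent; an empty list means the DMVPN ipsec profile reaches an isakmp profile that names a trustpoint and a certificate map.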
12-09-2024 07:54 AM
This is not working. We now opened a TAC case. Let's see what happens
12-09-2024 07:59 AM
bad news,
Do you configure isakmp profiles? It is the key point here.
MHM