10-17-2022 06:46 AM
Hi,
I would like to know how DMVPN is secure in the public cloud, since IPsec provides data confidentiality, integrity, and authentication between participating peers at the IP layer.
10-17-2022 10:52 AM
Hello
@R Manjunatha wrote:
This is the DMVPN over IPsec configuration on the tunnel interface,
but my question is whether DMVPN is secure over the public network or not.
The only thing that should be reachable via the internet is the NBMA public addressing used for the NHRP mappings and creation of the dynamic DMVPN tunnels. All user traffic will then be routed over those IPsec-encrypted tunnels and as such will be secure.
10-17-2022 07:04 AM
DMVPN uses IPSec.
10-17-2022 07:50 AM - last edited on 10-18-2022 10:17 AM by Translator
This is the DMVPN over IPsec configuration on the tunnel interface,
but my question is whether DMVPN is secure over the public network or not.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set abc esp-3des esp-md5-hmac
!
crypto ipsec profile gre_protection
 set security-association lifetime seconds 86400
 set transform-set abc
!
interface Tunnel 0
 tunnel protection ipsec profile gre_protection
10-17-2022 08:47 AM
"but my question is whether DMVPN is secure over the public network or not."
That depends on how secure you consider the encryption options being used.
Now, in part of what you've posed, i.e. "encr 3des, hash md5, group 2 and lifetime 86400", triple DES is no longer considered very secure. Other options are "more secure", including some possibly not invoked at all, like PFS.
To further secure something like DMVPN, you might also further harden the devices and/or their Internet-facing interfaces. For example, when I configure a VPN router, I often block all traffic on the Internet-facing interface to the VPN tunnel traffic and possibly place that external interface into a VRF that knows nothing about my internal topology.
Actually, transit traffic crossing the Internet isn't all that easy to intercept, unless you have access to a transit device. More likely, attackers will go after the devices hosting the VPN.
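Added example, not part of any post in this thread: a small Python audit that reads the crypto settings quoted above and reports the ones the 08:47 reply calls out (3DES, no PFS). The MD5, Diffie-Hellman group and wildcard pre-shared key rules, the rule wording and the function name `audit` are this example's own assumptions about what to treat as weak.

```python
import re

# Constructed sample: the settings posted in the thread ("!" separators dropped).
SAMPLE = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set abc esp-3des esp-md5-hmac
crypto ipsec profile gre_protection
 set security-association lifetime seconds 86400
 set transform-set abc
interface Tunnel 0
 tunnel protection ipsec profile gre_protection
"""

# Audit policy (assumption of this example): patterns treated as weak.
LINE_RULES = [
    (r"^encr (des|3des)\b", "IKE encryption uses DES/3DES"),
    (r"^hash md5\b", "IKE hash is MD5"),
    (r"^group (1|2|5)\b", "IKE Diffie-Hellman group below 14"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$",
     "wildcard pre-shared key accepted from any peer address"),
    (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b", "ESP encryption uses DES/3DES"),
    (r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "ESP integrity uses MD5"),
]

def audit(config: str) -> list[str]:
    """Return one finding per weak setting, in the order it appears."""
    findings, profile, has_pfs = [], None, False
    for raw in config.splitlines() + ["!"]:  # sentinel closes the last block
        line = raw.strip()                   # tolerate configs that lost their indentation
        if profile and line.startswith(("!", "crypto ", "interface ")):
            if not has_pfs:                  # simplified end-of-profile detection
                findings.append(f"ipsec profile {profile}: no 'set pfs' configured")
            profile = None
        m = re.match(r"^crypto ipsec profile (\S+)", line)
        if m:
            profile, has_pfs = m.group(1), False
        elif profile and line.startswith("set pfs"):
            has_pfs = True
        findings += [msg for pat, msg in LINE_RULES if re.search(pat, line)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
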
10-17-2022 07:24 AM
Simply put, every original packet is encapsulated inside an IPSec header (IP), and hence it is protected, in a way, from source to destination.
10-17-2022 07:56 AM
DMVPN is like IPSec but with the addition of GRE, which makes it possible to exchange multicast traffic (including routing packets) between two peers.