
ipsec and DMVPN

R Manjunatha
Level 3

Hi,

I would like to know how DMVPN is secure in the public cloud, since IPsec provides data confidentiality, integrity, and authentication between participating peers at the IP layer.

Accepted Solutions

Hello


@R Manjunatha wrote:

This is how DMVPN over IPsec is configured on the tunnel interface.

but my question is whether DMVPN is secure over the public network or not


The only thing that should be reachable via the internet is the NBMA public addressing used for the NHRP mappings and creation of the dynamic DMVPN tunnels. All user traffic will then be routed over those IPsec-encrypted tunnels and as such will be secure.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


6 Replies

Joseph W. Doherty
Hall of Fame

DMVPN uses IPSec.

This is how DMVPN over IPsec is configured on the tunnel interface.

But my question is whether DMVPN is secure over the public network or not.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set abc esp-3des esp-md5-hmac
!
crypto ipsec profile gre_protection
 set security-association lifetime seconds 86400
 set transform-set abc
!
interface Tunnel 0
 tunnel protection ipsec profile gre_protection

"but my question is whether DMVPN is secure over the public network or not."

That depends on how secure you consider the encryption options being used.

Now, in part of what you've posed, i.e. "encr 3des, hash md5, group 2 and lifetime 86400", triple DES is no longer considered very secure. Other options are "more secure", including some possibly not invoked at all, like PFS.

To further secure something like DMVPN, you might also further harden the devices and/or their Internet-facing interfaces. For example, when I configure a VPN router, I often block all traffic on the Internet-facing interface to the VPN tunnel traffic and possibly place that external interface into a VRF that knows nothing about my internal topology.

Actually, transit traffic crossing the Internet isn't all that easy to intercept, unless you have access to a transit device.  More likely attackers will go after the devices hosting the VPN.
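
As an added example (not code from any poster in this thread), a small Python check that flags the settings the reply above calls out in the posted configuration: 3DES, and PFS not being enabled. Treating MD5 and DH groups 1, 2 and 5 as weak is this example's own assumption, and the rule list and function names are hypothetical.

```python
import re
# Crypto part of the configuration posted in the thread ('!' separators dropped).
THREAD_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set abc esp-3des esp-md5-hmac
crypto ipsec profile gre_protection
 set security-association lifetime seconds 86400
 set transform-set abc
"""

# Assumed rule set (this example's choice): command regex -> finding text.
WEAK = [
    (r"^encr(yption)? 3des\b", "IKE policy uses 3DES"),
    (r"^hash md5\b", "IKE policy uses MD5"),
    (r"^group (1|2|5)$", "IKE policy uses DH group 1, 2 or 5"),
    (r"\besp-3des\b", "transform set uses 3DES"),
    (r"\besp-md5-hmac\b", "transform set uses HMAC-MD5"),
]

def sections(config):
    """Group IOS lines into (parent command, [indented sub-commands])."""
    out = []
    for line in config.splitlines():
        if line[:1] == " " and line.strip() and out:
            out[-1][1].append(line.strip())      # indented: belongs to the parent
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))       # new top-level command
    return out

def audit(config):
    """Return one finding per weak setting, plus IPsec profiles without PFS."""
    findings = []
    for parent, subs in sections(config):
        for cmd in [parent] + subs:
            findings += [f"{parent}: {m}" for rx, m in WEAK if re.search(rx, cmd)]
        pfs = any(s.startswith("set pfs") for s in subs)
        if parent.startswith("crypto ipsec profile") and not pfs:
            findings.append(f"{parent}: no 'set pfs', PFS is not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(THREAD_CONFIG)))
```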

Simply, all original packets are encapsulated inside an IPsec header (IP), and hence they are protected on the way from source to destination.

DMVPN is like IPsec but with the addition of GRE, which lets multicast traffic (including routing packets) be exchanged between two peers.
