Re: Using dual unique crypto keyrings between two different dmvpn hubs

dmooreami · ‎06-18-2020

we have two different company DMVN hubs (phase 3), that need to connect to provide connectivity".

Each company needs to preserve the crypto keyring and crypto isakmp profile on each Hub, to maintain connectivity with their existing "spokes".

What is the best practice to for CompanyB to add Company A's crypto keyring and isakamp profile to the config?

Can't seem to find anything that points how to do this.

Will adding another keyring and profile "disrupt" our existing keyring to CompB endpoints?

Running Cisco IOS 15 code, not IOS-XE code on CompB dmvpn hub.

yes we will be creating another "tunnel" on CompB router. Also ACL's will be used to limit routes passed between the two endpoints.

Deepak Kumar · ‎06-18-2020

Hi,

It depends on your configuration. But theoretically, it should not be.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

dmooreami · ‎06-18-2020

Lots of unknowns, how will it affect the existing setup? I don't see see how to add a second keyring to the config in any dmvpn docs. . Does it require re-doing the entire keyring setup?
I don't have a lab router to try on. Also have a Tac ticket opened up.
Thanks

Deepak Kumar · ‎06-18-2020

Hi,

I am considering that your design is look like this article: https://packetlife.net/blog/2012/jan/9/multiple-dmvpns-single-hub/

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

dmooreami · ‎06-18-2020

Yes, I have that 8yr old packet life link. But doesn't match our issue 100%. I think it's using Phase 2 not phase 3 due to many missing phase 3 statements in the configs.

I need for my two hub routers to allow connectivity between them, not keep things isolated.

My concern is about the existing connectivity for each multi point endpoint when crypto keyring statements are added.
Just wish this was a Phase 3 article and was 2 or 3 yrs old, not 8 yrs old.

Georg Pauwen · ‎06-18-2020

Hello,

I'll lab this up. So basically you have a phase 3 DMVPN and want to add a second keyring ? I assume that you using IKEv1 ?

dmooreami · ‎06-18-2020

here is what we have to add to Company B's 2951 router.

Rremoved the IP's and some other things.

===adding to CompanyB 2951 ====

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set ABC_DMVPN_Trans esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile ABC_DMVPN
set transform-set ABC_DMVPN_Trans

crypto keyring PublicVrf vrf dmvpn2
pre-shared-key address 0.0.0.0 0.0.0.0 key keyforCompanyA
interface Tunnel6000
description Internet IPSEC DMVPN
bandwidth 100000
ip address x.x.x.x 255.255.254.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip nhrp authentication xyzpdq
ip nhrp map multicast dynamic
ip nhrp map 1.1.1.1 2.2.1.1
ip nhrp map multicast X.X.x.x
ip nhrp map 1.1.2.1 2.2.2.2
ip nhrp map multicast x.x.x.x
ip nhrp map multicast X.x.x.x
ip nhrp map 1.1.3.1 2.2.3.1
ip nhrp network-id 60
ip nhrp holdtime 300
ip nhrp nhs x.x.x.x
ip nhrp nhs x.x.x.x
ip nhrp nhs x.x.x.x
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 1234
tunnel path-mtu-discovery
tunnel vrf dmvpn2
tunnel protection ipsec profile ABC_DMVPN shared

==============================

========Current CompanyB crypto and ipsec info=====

crypto keyring dmvpn1_keyring vrf dmvpn1
pre-shared-key address 0.0.0.0 0.0.0.0 key CompanyB-rtrkey

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp aggressive-mode disable
crypto isakmp profile dmvpn1_isakmp_profile
keyring dmvpn1_keyring
match identity address 0.0.0.0 dmvpn1
!
!
crypto ipsec transform-set aes256_sha esp-aes 256 esp-sha-hmac
mode transport
!
!
crypto ipsec profile dmvpn1_ipsec_profile
set security-association replay window-size 1024
set transform-set aes256_sha
set isakmp-profile dmvpn1_isakmp_profile

Georg Pauwen · ‎06-18-2020

Hello,

what does the original key look like ? As long as you are not using the same IP address in both keys, you are fine.

dmooreami · ‎06-18-2020

Thank you so much for setting this up in your lab!

ugh! we are using the 0.0.0.0 on the "pre-shared key" original per many cisco exampl e configs

Could we change the IP for Preshared key in dmvpn2 (new keyring for compA) to company A's external dmvpn IP address?

What are the options for using IP's on the preshared key? Or do should I use the 2951's "external" IP as the PSK Ip address?

2951 CompanyB original for CompB dmvpn routers

crypto keyring dmvpn1_keyring vrf dmvpn1
pre-shared-key address 0.0.0.0 0.0.0.0 key

New crypto key to connect to CompanyA

crypto keyring PublicVrf vrf dmvpn2
pre-shared-key address 0.0.0.0 0.0.0.0 key

Georg Pauwen · ‎06-18-2020

Hello,

what is acceptable when it comes to 'downtime' ? If you change the keys, the 'downtime' is probably not even noticeable...

dmooreami · ‎06-18-2020

What keys need changing? If you mean adding the keys, 100% acceptable for me to do a reboot of my 2951 for the new crypto keyring and isakamp profiles to become active.

If you mean change my current 2951 Preshared key to match CompanyA's PSK, not possible. I have at least 15 remote devices that would need their PSK to change. Thanks!

Georg Pauwen · ‎06-18-2020

Hello,

can you post the exact running config of both the hub and the spoke, without and with the changes you want to implement ? I want to lab that again, as I am not sure we are talking about the same 'changes'...

dmooreami · ‎06-19-2020

Sorry can't post them. The configlet I posted was the new add to my 2951 router.

It's two different companies DMVPN networks with two different pre-shared keys wanting to connect.

I am going to make the changes on my 2951 router to join their (CompA) dmvpn network since my multi-point network is smaller.

So CompA will not have to make any changes to their cryptokey keychain pre-shared key or their crypto Isakamp profile. . They will add a tunnel for my connection to their router.

From all the fantastic work you have done, is the sticking point the pre-shared key in the keychain?

I noticed in the old 2012 packet article the are using "local-address" commands.

Headend routers
crypto keyring CustomerA
local-address Loopback100
pre-shared-key address 0.0.0.0 0.0.0.0 key MySecretKeyA
crypto keyring CustomerB
local-address Loopback200
pre-shared-key address 0.0.0.0 0.0.0.0 key MySecretKeyB

Thanks

Georg Pauwen · ‎06-19-2020

Hello,

I have looked around and the 'local-address' seems to be used only in older (15.x) IOS versions.

Akso, I don't think 0.0.0.0 0.0.0.0 counts as the same IP address if you use it in both keys, as it can be any address.