06-18-2020 07:12 AM
We have two different company DMVPN hubs (phase 3) that need to connect to provide connectivity.
Each company needs to preserve the crypto keyring and crypto isakmp profile on each hub, to maintain connectivity with their existing "spokes".
What is the best practice for CompanyB to add Company A's crypto keyring and isakmp profile to the config?
Can't seem to find anything that points out how to do this.
Will adding another keyring and profile "disrupt" our existing keyring to CompB endpoints?
Running Cisco IOS 15 code, not IOS-XE code, on the CompB DMVPN hub.
Yes, we will be creating another "tunnel" on the CompB router. Also, ACLs will be used to limit routes passed between the two endpoints.
06-18-2020 07:55 AM
Hi,
It depends on your configuration. But theoretically, it should not be.
06-18-2020 08:12 AM
06-18-2020 08:47 AM
Hi,
I am assuming that your design looks like the one in this article: https://packetlife.net/blog/2012/jan/9/multiple-dmvpns-single-hub/
06-18-2020 10:03 AM
06-18-2020 10:27 AM
Hello,
I'll lab this up. So basically you have a phase 3 DMVPN and want to add a second keyring? I assume that you are using IKEv1?
06-18-2020 10:46 AM - edited 06-18-2020 10:47 AM
Here is what we have to add to Company B's 2951 router.
Removed the IPs and some other things.
===adding to CompanyB 2951 ====
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ABC_DMVPN_Trans esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile ABC_DMVPN
 set transform-set ABC_DMVPN_Trans
crypto keyring PublicVrf vrf dmvpn2
 pre-shared-key address 0.0.0.0 0.0.0.0 key keyforCompanyA
interface Tunnel6000
 description Internet IPSEC DMVPN
 bandwidth 100000
 ip address x.x.x.x 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nbar protocol-discovery
 ip nhrp authentication xyzpdq
 ip nhrp map multicast dynamic
 ip nhrp map 1.1.1.1 2.2.1.1
 ip nhrp map multicast X.X.x.x
 ip nhrp map 1.1.2.1 2.2.2.2
 ip nhrp map multicast x.x.x.x
 ip nhrp map multicast X.x.x.x
 ip nhrp map 1.1.3.1 2.2.3.1
 ip nhrp network-id 60
 ip nhrp holdtime 300
 ip nhrp nhs x.x.x.x
 ip nhrp nhs x.x.x.x
 ip nhrp nhs x.x.x.x
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel path-mtu-discovery
 tunnel vrf dmvpn2
 tunnel protection ipsec profile ABC_DMVPN shared
==============================
========Current CompanyB crypto and ipsec info=====
crypto keyring dmvpn1_keyring vrf dmvpn1
 pre-shared-key address 0.0.0.0 0.0.0.0 key CompanyB-rtrkey
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp aggressive-mode disable
crypto isakmp profile dmvpn1_isakmp_profile
 keyring dmvpn1_keyring
 match identity address 0.0.0.0 dmvpn1
!
!
crypto ipsec transform-set aes256_sha esp-aes 256 esp-sha-hmac
 mode transport
!
!
crypto ipsec profile dmvpn1_ipsec_profile
 set security-association replay window-size 1024
 set transform-set aes256_sha
 set isakmp-profile dmvpn1_isakmp_profile
06-18-2020 12:25 PM
Hello,
What does the original key look like? As long as you are not using the same IP address in both keys, you are fine.
06-18-2020 12:52 PM
Thank you so much for setting this up in your lab!
Ugh! We are using the 0.0.0.0 on the original "pre-shared key", per many Cisco example configs.
Could we change the IP for the pre-shared key in dmvpn2 (new keyring for CompA) to Company A's external DMVPN IP address?
What are the options for using IPs on the pre-shared key? Or should I use the 2951's "external" IP as the PSK IP address?
2951 CompanyB original for CompB DMVPN routers:
crypto keyring dmvpn1_keyring vrf dmvpn1
 pre-shared-key address 0.0.0.0 0.0.0.0 key
New crypto key to connect to CompanyA:
crypto keyring PublicVrf vrf dmvpn2
 pre-shared-key address 0.0.0.0 0.0.0.0 key
06-18-2020 02:18 PM
Hello,
What is acceptable when it comes to 'downtime'? If you change the keys, the 'downtime' is probably not even noticeable...
06-18-2020 02:56 PM
06-18-2020 11:06 PM
Hello,
Can you post the exact running config of both the hub and the spoke, without and with the changes you want to implement? I want to lab that again, as I am not sure we are talking about the same 'changes'...
06-19-2020 06:19 AM
Sorry, can't post them. The configlet I posted was the new addition to my 2951 router.
It's two different companies' DMVPN networks with two different pre-shared keys wanting to connect.
I am going to make the changes on my 2951 router to join their (CompA) DMVPN network, since my multipoint network is smaller.
So CompA will not have to make any changes to their crypto keychain pre-shared key or their crypto ISAKMP profile. They will add a tunnel for my connection to their router.
From all the fantastic work you have done, is the sticking point the pre-shared key in the keychain?
I noticed in the old 2012 PacketLife article they are using "local-address" commands.
Headend routers:
crypto keyring CustomerA
 local-address Loopback100
 pre-shared-key address 0.0.0.0 0.0.0.0 key MySecretKeyA
crypto keyring CustomerB
 local-address Loopback200
 pre-shared-key address 0.0.0.0 0.0.0.0 key MySecretKeyB
Thanks
06-19-2020 11:23 AM
Hello,
I have looked around, and the 'local-address' seems to be used only in older (15.x) IOS versions.
Also, I don't think 0.0.0.0 0.0.0.0 counts as the same IP address if you use it in both keys, as it can be any address.
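As an added illustration of the point made in this thread (example code, not from the thread or from Cisco): a small Python checker that parses IOS `crypto keyring` blocks and reports pre-shared-key entries whose peer-address ranges compete inside the same front-door VRF. The sample config and placeholder keys are constructed; the rule it models is that keyrings bound to different fVRFs are looked up separately, so two `0.0.0.0 0.0.0.0` wildcards in `dmvpn1` and `dmvpn2` do not collide, while the same two wildcards with no `vrf` keyword would.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread: Company B's existing keyring in
# fVRF dmvpn1 and the new keyring for Company A in fVRF dmvpn2 (placeholder keys).
SEPARATE_VRFS = """\
crypto keyring dmvpn1_keyring vrf dmvpn1
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER-KEY-B
crypto keyring PublicVrf vrf dmvpn2
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER-KEY-A
"""
# Constructed counter-example: same wildcards, but neither keyring is bound to
# an fVRF, so both sit in the global table and compete for every peer.
SAME_VRF = SEPARATE_VRFS.replace(" vrf dmvpn1", "").replace(" vrf dmvpn2", "")


def parse_keyrings(config: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group (keyring, peer address, peer mask) entries by fVRF ("global" if none)."""
    rings: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto keyring (\S+)(?: vrf (\S+))?$", line)
        if m:
            current = (m.group(1), m.group(2) or "global")
            continue
        m = re.match(r"pre-shared-key address (\S+)(?: (\S+))? key\b", line)
        if m and current:
            name, vrf = current
            mask = m.group(2) or "255.255.255.255"  # no mask given = host entry
            rings.setdefault(vrf, []).append((name, m.group(1), mask))
    return rings


def ranges_overlap(a: Tuple[str, str, str], b: Tuple[str, str, str]) -> bool:
    """True if some peer address matches both entries (IOS masks: 0.0.0.0 = any)."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    common = ip(a[2]) & ip(b[2])  # address bits that both masks care about
    return (ip(a[1]) & common) == (ip(b[1]) & common)


def ambiguous_keyrings(config: str) -> List[Tuple[str, str, str]]:
    """(fVRF, keyring1, keyring2) for entries in the SAME fVRF with overlapping peers."""
    findings = []
    for vrf, entries in parse_keyrings(config).items():
        for i, a in enumerate(entries):
            for b in entries[i + 1:]:
                if a[0] != b[0] and ranges_overlap(a, b):
                    findings.append((vrf, a[0], b[0]))
    return findings
```

Running `ambiguous_keyrings` on a hub's running config before adding the second keyring shows whether the new wildcard entry would compete with an existing one.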