09-11-2018 05:44 PM - edited 03-08-2019 04:08 PM
Dear All,
Please help me:
09-21-2018 08:39 PM
09-25-2018 10:42 AM
Dear Francesco Molino,
I set up DMVPN in the lab before putting it into operation. I can test DMVPN easily with a pre-shared key, but when I import the MS CA and use CA authentication for DMVPN I get the
%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of Spoke-1.radiuslocal.com (type 2) and certificate fqdn with radiuslocal-CA error message.
Please see the attached files and help me. May I know whether this is a configuration error on my side or a CA error? Please help me with how I can solve it.
! IKEv1 phase 1 policy; no "authentication" line, so it defaults to rsa-sig
crypto isakmp policy 100
encr 3des
hash md5
group 2
exit
! certificate map: "co" is a substring ("contains") test on the rendered subject name
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = AZT cn=radiuslocal-CA
exit
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
exit
! ISAKMP profile: the peer certificate must chain to this trustpoint and satisfy the map
crypto isakmp profile DMVPN
ca trust-point radiuslocal.com
match certificate CERT-MAP-DMVPN
exit
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
exit
int tunnel 1
tunnel protection ipsec profile DMVPN
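The log line above names two things IOS compares: the IKE identity the spoke sent (type 2 is ID_FQDN, i.e. hostname.domain-name) and the FQDN carried in the peer's certificate, which in the output posted later in this thread reads radiuslocal-CA on both routers. The certificate map in the config is a separate test, and "co" is a substring match on the rendered subject name. The following is an added model of both checks, written for this page and not IOS code or anything from the thread; the DN strings are constructed from the posted "show crypto pki certificates" output, and treating subject CN or a SAN dNSName as the certificate's FQDN is an assumption about what IOS compares.

```python
"""Added illustration (not IOS code and not from the thread): a model of the
IKE FQDN identity check and of certificate-map matching, fed with DNs
constructed from the 'show crypto pki certificates' output quoted later."""

# Constructed from the posted output: IOS prints subject attributes one per
# line; here they are joined into one rendered string, top line first.
SPOKE_SUBJECT = "cn=radiuslocal-CA,ou=IT,o=Spoke-1,st=SG,c=SG"
HUB_SUBJECT = "cn=radiuslocal-CA,ou=IT,o=HUB,st=SG,c=SG"
ISSUER = "cn=radiuslocal-CA,dc=radiuslocal,dc=com"


def parse_dn(dn: str) -> dict:
    """'cn=a,ou=b' -> {'cn': 'a', 'ou': 'b'}; keys lower-cased, first wins."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        out.setdefault(key.strip().lower(), value.strip())
    return out


def fqdn_identity_matches(ike_id: str, subject_dn: str, san_dns=()) -> bool:
    """IKE ID type 2 (FQDN) must equal the certificate's subject CN or one of
    its SAN dNSName entries, compared case-insensitively. Assumption: this is
    the comparison behind IKMP_NO_ID_CERT_FQDN_MATCH."""
    names = {parse_dn(subject_dn).get("cn", "").lower()}
    names.update(n.lower() for n in san_dns)
    return ike_id.lower() in names


def cert_map_matches(rules, subject_dn: str, issuer_dn: str) -> bool:
    """Evaluate certificate-map rules (field, operator, value).
    field: 'subject-name' or 'issuer-name'; operator: 'co' (value is a
    case-insensitive substring of the rendered DN) or 'eq' (whole DN equal).
    Every rule in the map entry must match."""
    rendered = {"subject-name": subject_dn.lower(), "issuer-name": issuer_dn.lower()}
    for field, op, value in rules:
        target, wanted = rendered[field], value.lower()
        if op == "co" and wanted not in target:
            return False
        if op == "eq" and wanted != target:
            return False
        if op not in ("co", "eq"):
            raise ValueError(f"unsupported operator {op!r}")
    return True


def thread_results() -> dict:
    """Replay the thread's situation against the model."""
    spoke_id = "Spoke-1.radiuslocal.com"   # hostname.domain-name, ID type 2
    posted_map = [("subject-name", "co", "ou = AZT cn=radiuslocal-CA")]
    # Hypothetical map that keys on attributes the posted certificates do have.
    ou_and_issuer_map = [("subject-name", "co", "ou=IT"),
                         ("issuer-name", "co", "cn=radiuslocal-CA")]
    # Hypothetical subject whose CN carries the router's own FQDN.
    fqdn_subject = "cn=Spoke-1.radiuslocal.com,ou=IT,o=Spoke-1,st=SG,c=SG"
    return {
        "fqdn_vs_posted_cert": fqdn_identity_matches(spoke_id, SPOKE_SUBJECT),
        "fqdn_vs_cn_fqdn_cert": fqdn_identity_matches(spoke_id, fqdn_subject),
        "fqdn_vs_san": fqdn_identity_matches(spoke_id, SPOKE_SUBJECT,
                                            ("spoke-1.radiuslocal.com",)),
        "posted_map_vs_spoke": cert_map_matches(posted_map, SPOKE_SUBJECT, ISSUER),
        "ou_map_vs_spoke": cert_map_matches(ou_and_issuer_map, SPOKE_SUBJECT, ISSUER),
        "ou_map_vs_hub": cert_map_matches(ou_and_issuer_map, HUB_SUBJECT, ISSUER),
    }


if __name__ == "__main__":
    for check, ok in thread_results().items():
        print(f"{check:24s} {'match' if ok else 'NO MATCH'}")
```

Run as-is, the model shows the posted certificates failing both checks: the CN is the CA's name rather than the router's FQDN, and the literal string "ou = AZT cn=radiuslocal-CA" is never a substring of a subject rendered as "cn=...,ou=IT,...". A map keyed on an attribute the certificates actually carry (ou=IT plus the issuer CN) matches both routers.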
09-25-2018 04:58 PM
09-25-2018 07:17 PM
Dear Francesco Molino,
Please see the output and advise me.
I configured the MS CA and created an IPsec certificate template from the IPSec Offline template. I downloaded the MS root CA and installed it on the router, enrolled, copied the enrollment request from the router, pasted it into the MS CA web page (http://localhost/certsrv/certrqxt.asp), downloaded the certificate and imported it into the router again. Is that correct?
cbtme-HUB(config-if)#do sh cryp pki cert
Certificate
Status: Available
Certificate Serial Number (hex): 3D000000092D5574E3DBA9931E000000000009
Certificate Usage: General Purpose
Issuer:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Subject:
Name: radiuslocal-CA
cn=radiuslocal-CA
ou=IT
o=HUB
st=SG
c=SG
CRL Distribution Points:
ldap:///CN=radiuslocal-CA,CN=CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=radiuslocal,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 01:32:10 UTC Sep 26 2018
end date: 01:32:10 UTC Sep 25 2020
Associated Trustpoints: radiuslocal-man
CA Certificate
Status: Available
Certificate Serial Number (hex): 1F78C201A5A6798A4FE931B28E154D66
Certificate Usage: Signature
Issuer:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Subject:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Validity Date:
start date: 14:39:26 UTC Sep 19 2018
end date: 14:49:24 UTC Sep 19 2028
Associated Trustpoints: radiuslocal-man
Spoke-1(config-if)#do sh crypto pki cert
Certificate
Status: Available
Certificate Serial Number (hex): 3D0000000A9F30B2552C01207300000000000A
Certificate Usage: General Purpose
Issuer:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Subject:
Name: radiuslocal-CA
cn=radiuslocal-CA
ou=IT
o=Spoke-1
st=SG
c=SG
CRL Distribution Points:
ldap:///CN=radiuslocal-CA,CN=CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=radiuslocal,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 09:36:34 SG Sep 26 2018
end date: 09:36:34 SG Sep 25 2020
Associated Trustpoints: radiuslocal-man
CA Certificate
Status: Available
Certificate Serial Number (hex): 1F78C201A5A6798A4FE931B28E154D66
Certificate Usage: Signature
Issuer:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Subject:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Validity Date:
start date: 22:39:26 SG Sep 19 2018
end date: 22:49:24 SG Sep 19 2028
Associated Trustpoints: radiuslocal-man
09-26-2018 01:57 PM
09-27-2018 07:59 AM
Hi Francesco Molino,
Sometimes when I ask the MS CA to sign (http://ms-ca-srv/certsrv, then paste the cert back on the router)
I get the error message => the public key does not meet the minimum size required by the specified certificate template
I don't know why; I already set the minimum key size to 2048 in the template.
09-27-2018 05:21 PM
09-29-2018 04:29 AM - edited 09-29-2018 09:50 PM
Francesco Molino
Did you import the CA certificate? Which trustpoint are you using, the one with the SCEP URL?
I import the CA certificate using the enrollment terminal command because I want to import certificates manually into the branch routers.
If so, you don't need to paste anything, just follow the steps:
crypto pki authenticate TRUSTPOINT-NAME --> it'll get your CA cert
Yes, I copy and paste the root CA certificate of the MS CA, which I already downloaded as base64.
crypto pki enroll TRUSTPOINT-NAME --> it'll request and install its cert
Yes, when I use this command it prints the request in the terminal; I copy it and paste it into the request box at http://ms-ca-srv/certsrv, and
then when I click submit I get the certificate.
crypto pki import TRUSTPOINT-NAME cert --> it'll install its cert
After this command I get the error message below:
the public key does not meet the minimum size required by the specified certificate template and cannot request CA.
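The template error above is raised by the CA against the key inside the pasted request, so it is worth checking the request's RSA modulus size before submitting it. The following is an added example for this page, not code from the thread or from Cisco or Microsoft: it walks the DER of a PKCS#10 request down to the SubjectPublicKeyInfo with a minimal TLV reader and returns the modulus size. Because no real router request is available here, the self-test builds a constructed, unsigned request skeleton with the same DER helpers and a synthetic modulus; real requests from "crypto pki enroll" with terminal enrollment are parsed the same way (the text helper accepts the bare base64 a router prints as well as PEM armour).

```python
"""Added example, not part of the thread: check the RSA key size inside a
PKCS#10 request offline by parsing its DER, so a request that a template
will reject for key size is caught before it is pasted into certsrv. The
request used in the self-test is constructed here (synthetic modulus,
placeholder signature), not a real router request."""
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")        # 1.2.840.113549.1.1.1
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b") # 1.2.840.113549.1.1.11


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                 # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) of the TLV starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return buf[pos], start, start + length


def build_rsa_spki(modulus_bits: int, exponent: int = 65537) -> bytes:
    """Constructed SubjectPublicKeyInfo with a synthetic modulus of exactly
    modulus_bits (top bit set); not a usable key."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_public_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    algorithm = der_tlv(0x30, RSA_OID + b"\x05\x00")             # rsaEncryption, NULL
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key) # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def build_csr_skeleton(spki: bytes) -> bytes:
    """Constructed, unsigned PKCS#10 shape: version 0, empty Name, the SPKI,
    empty attributes, then a placeholder signature."""
    info = der_tlv(0x30, der_int(0) + der_tlv(0x30, b"") + spki + der_tlv(0xA0, b""))
    sig_alg = der_tlv(0x30, SHA256_RSA_OID + b"\x05\x00")
    signature = der_tlv(0x03, b"\x00" + b"\x00" * 256)
    return der_tlv(0x30, info + sig_alg + signature)


def rsa_key_bits(spki: bytes) -> int:
    """Modulus size of an rsaEncryption SubjectPublicKeyInfo."""
    _, s, _ = read_tlv(spki, 0)                        # SubjectPublicKeyInfo
    _, alg_start, alg_end = read_tlv(spki, s)          # AlgorithmIdentifier
    if not spki[alg_start:alg_end].startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bits_start, _ = read_tlv(spki, alg_end)       # BIT STRING
    if tag != 0x03 or spki[bits_start] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, seq_start, _ = read_tlv(spki, bits_start + 1)   # RSAPublicKey SEQUENCE
    tag, m_start, m_end = read_tlv(spki, seq_start)    # modulus INTEGER
    if tag != 0x02:
        raise ValueError("modulus missing")
    return int.from_bytes(spki[m_start:m_end], "big").bit_length()


def csr_key_bits(csr_der: bytes) -> int:
    """CertificationRequest -> CertificationRequestInfo -> version, Name, SPKI."""
    _, s, _ = read_tlv(csr_der, 0)
    _, info_start, _ = read_tlv(csr_der, s)
    _, _, after_version = read_tlv(csr_der, info_start)
    _, _, after_name = read_tlv(csr_der, after_version)
    _, _, spki_end = read_tlv(csr_der, after_name)
    return rsa_key_bits(csr_der[after_name:spki_end])


def csr_from_text(text: str) -> bytes:
    """Accept bare base64 lines (as a router prints them) or PEM armour."""
    lines = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            lines.append(line)
    return base64.b64decode("".join(lines))


def meets_template(csr_text: str, minimum_bits: int = 2048) -> bool:
    """True when the request's RSA key satisfies the template minimum."""
    return csr_key_bits(csr_from_text(csr_text)) >= minimum_bits


def constructed_csr_text(modulus_bits: int) -> str:
    """PEM-armoured text of the constructed request, for the self-test."""
    body = base64.encodebytes(build_csr_skeleton(build_rsa_spki(modulus_bits))).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + body + "-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, "OK" if meets_template(constructed_csr_text(bits)) else "below template minimum")
```

A request whose modulus is shorter than the template's minimum is reported before it reaches the CA; on the router side the size is fixed when the key pair is generated, so a request from a 1024-bit pair will keep failing the template until a new pair of at least the required size is generated and a fresh request produced.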
09-29-2018 09:52 PM
09-30-2018 03:09 AM
Hi Francesco Molino,
Now everything is OK. I installed and configured a new CA and changed some config on my router. Now my DMVPN is running with IPsec. But I would like to know the difference between the two configurations. May I know which one is best practice for DMVPN?
In the previous configuration I used the commands below:
crypto isakmp policy 100
encr 3des
hash md5
group 2
exit
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = AZT cn=radiuslocal-CA
exit
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
exit
crypto isakmp profile DMVPN
ca trust-point radiuslocal.com
match certificate CERT-MAP-DMVPN
exit
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
exit
but now I am using the following, without a certificate map:
! phase 1 policy with authentication stated explicitly (rsa-sig is also the default)
crypto isakmp policy 10
encr aes 256
hash sha256
authentication rsa-sig
group 2
exit
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha256-hmac
exit
!
! no "set isakmp-profile": peers are accepted on any certificate chaining to an authenticated trustpoint
crypto ipsec profile VPNPROF1
set transform-set TS1
exit
09-30-2018 11:20 AM
09-30-2018 05:10 PM
Hi,
I am using ISAKMP group 2 in the test environment.
When I use a certificate map I get the error.
If I have only one certificate, I don't need to use the certificate map command, correct?
If I use eBGP on the hub and the hub router has two ISP links, do I need separate ASes on the hub router, or can I use one AS for both ISP links?
09-30-2018 05:56 PM
09-30-2018 07:38 PM
Hi,
Sorry, I got confused in the configuration because I am a beginner in DMVPN.
I followed the links below. I had no issue with them, and they do not use the crypto pki certificate map command.
Is it different?
When I use the crypto pki certificate map command
I get the error shown in the attachment.