09-11-2018 05:44 PM - edited 03-08-2019 04:08 PM
Dear All,
Please help me:
09-30-2018 08:38 PM
09-30-2018 10:37 PM
Hi,
Thank you for your frequent help.
Let me know if, in our design, I can run without a certificate map, because I can't fix the certificate map yet.
I know my configuration is wrong, but I can't find which part is wrong. I changed cn=NAME, ou=NAME, the subject name and the issuer, but still got an error. Please see my config.
crypto isakmp policy 100
encr 3des
hash md5
group 2
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co cn=ekiosk-dc-CASVR-CA
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
crypto isakmp profile DMVPN
ca trust-point TrustedCA
match certificate CERT-MAP-DMVPN
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
Please see my certificate
Cbtme-Hub#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 4500000015D326F9235D23E748000000000015
Certificate Usage: General Purpose
Issuer:
cn=ekiosk-dc-CASVR-CA
dc=ekiosk-dc
dc=local
Subject:
Name: cbtme-hub
cn=cbtme-hub
o=ekiosk-dc.local
CRL Distribution Points:
ldap:///CN=ekiosk-dc-CASVR-CA,CN=CASVR,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ekiosk-dc,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 03:18:21 UTC Oct 1 2018
end date: 03:18:21 UTC Sep 30 2020
Associated Trustpoints: TrustedCA
Storage: nvram:ekiosk-dc-CA#15.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 2C36ACF2728DC8A74F93DE5AFE9769B6
Certificate Usage: Signature
Issuer:
cn=ekiosk-dc-CASVR-CA
dc=ekiosk-dc
dc=local
Subject:
cn=ekiosk-dc-CASVR-CA
dc=ekiosk-dc
dc=local
Validity Date:
start date: 06:58:17 UTC Sep 30 2018
end date: 07:08:17 UTC Sep 30 2028
Associated Trustpoints: TrustedCA
Storage: nvram:ekiosk-dc-CA#69B6CA.cer
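The certificate map in the config above can be checked against the DNs the router prints, as an added illustration that is not part of this thread: the Python below models the IOS certificate-map operators (eq, ne, co, nc; compared case-insensitively) and uses the subject and issuer DNs from the router certificate output above as constructed input. Note that the string in the posted map is the CA's CN, which appears in the peer certificate's issuer field rather than its subject field.

```python
# Constructed sample: subject and issuer DNs of the router's own certificate,
# taken from the `show crypto pki certificates` output in the post.
ROUTER_CERT = {
    "subject-name": "cn=cbtme-hub,o=ekiosk-dc.local",
    "issuer-name": "cn=ekiosk-dc-CASVR-CA,dc=ekiosk-dc,dc=local",
}

# Constructed sample: a certificate issued by some other CA, to show a non-match.
OTHER_CA_CERT = {
    "subject-name": "cn=spoke-x,o=example.test",
    "issuer-name": "cn=some-other-ca,dc=example,dc=test",
}


def parse_cert_map_rule(line):
    """Parse one certificate-map line such as 'subject-name co cn=foo'."""
    field, op, value = line.strip().split(None, 2)
    if op not in ("eq", "ne", "co", "nc"):
        raise ValueError(f"unsupported operator {op!r}")
    if field not in ("subject-name", "issuer-name"):
        raise ValueError(f"unsupported field {field!r}")
    return field, op, value


def rule_matches(rule, cert):
    """Evaluate one rule: eq = equals, ne = not equals, co = contains, nc = not contains."""
    field, op, value = rule
    actual = cert[field].lower()
    value = value.lower()
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    if op == "co":
        return value in actual
    return value not in actual


def cert_map_matches(rules, cert):
    """All rules within one map sequence must match (logical AND)."""
    return all(rule_matches(parse_cert_map_rule(r), cert) for r in rules)


POSTED_MAP = ["subject-name co cn=ekiosk-dc-CASVR-CA"]  # the rule as posted
ISSUER_MAP = ["issuer-name co cn=ekiosk-dc-CASVR-CA"]   # same string, matched against the issuer DN
```

Running `cert_map_matches` with the posted rule against the router's own certificate returns False, because the CA's CN is not part of the subject DN; the same string in an `issuer-name` rule returns True for that certificate and False for a certificate from another CA.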
10-01-2018 07:31 PM
10-02-2018 07:26 AM
Thanks.
I have one question: I imported the certificate into the routers and saved it with the "do wr" command in GNS3.
Then I closed GNS3 and opened the saved project. I didn't see my certificate in my routers; I saw a certificate query message in the terminal.
I just want to know whether it is a GNS3 error or the certificate process. If it is a GNS3 error, it is OK for me :P
If I restart the router, will my certificate be queried again?
Cbtme-Hub#sh crypto pki trustpoints status
Trustpoint dmvpn-ca:
Issuing CA certificate pending:
Fingerprint: 00000000 00000000 00000000 00000000
Router certificate pending:
Next query attempt:
Certificate query is in progress
Cbtme-Hub#
10-02-2018 07:04 PM
10-03-2018 09:31 AM
10-03-2018 09:37 PM
10-04-2018 02:48 AM - edited 10-04-2018 03:28 PM
Hi,
Sorry for the wrong question. I really want to know whether ISAKMP or IKEv2 is better for DMVPN and what the difference is.
Please see the links below.
http://secureinlife.blogspot.com/p/dmvpn-phase-3-with-ikev2.html
http://secureinlife.blogspot.com/p/task-encrypt-traffic-from-loopback.html
In your previous answer, you told me to run local preference for eBGP failover; is that correct?
Do I need to use a route map and local preference?
For DMVPN, I need to create 2 tunnels in my CE, correct? Is the best way a different tunnel IP, subnet and NHRP ID for each? In the spoke, how do I choose the priority of the tunnel?
Let me know.
10-04-2018 07:57 PM
10-06-2018 05:08 PM
10-06-2018 09:42 PM - edited 10-06-2018 09:48 PM
Hi,
Thanks for your help. Now I know that it is my GNS3 error. Now I am trying to test with real devices.
But now I have another problem. I asked about it in another topic in this forum. I have an 802.1X problem for the wired network with NPS. I use auto-enrollment certificates with GPO. I use static VLANs in the switch; I didn't use dynamic VLAN assignment in IPS.
Let me know whether it can work, because everybody is using dynamic VLANs?
But my server didn't recognize my computer as trusted.
My RADIUS said invalid client request. I think it is my certificate error.
I just want to know what kind of subject name will be used for the certificate?
I use the user certificate template and the subject name is PNP.
In the "Certificate issued to" drop-down list of NPS, what kind of certificate do I need to use: the local computer certificate or the root CA?
I am still confused about this. I think I input wrong information in the request to create the certificate,
because I got the info below in the NPS event viewer.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/7/2018 2:30:48 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: CA.cadc.local
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: CADC\azt
Account Name: azt@cadc.local
Account Domain: CADC
Fully Qualified Account Name: cadc.local/eKiosk/azt
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 00-AA-6E-2A-50-0A
Calling Station Identifier: 40-16-7E-45-F2-67
NAS:
NAS IPv4 Address: 192.168.1.101
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50110
RADIUS Client:
Client Friendly Name: Cisco Switch
Client IP Address: 192.168.1.101
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: eKiosk 802.1x
Authentication Provider: Windows
Authentication Server: CA.cadc.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 265
Reason: The certificate chain was issued by an authority that is not trusted.
<Correlation ActivityID="{A68ECF03-5D8A-0000-4DD0-8EA68A5DD401}" />
<Execution ProcessID="612" ThreadID="4240" />
<Channel>Security</Channel>
<Computer>CA.cadc.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3858713045-1423114026-2227573672-1104</Data>
<Data Name="SubjectUserName">azt@cadc.local</Data>
<Data Name="SubjectDomainName">CADC</Data>
<Data Name="FullyQualifiedSubjectUserName">cadc.local/eKiosk/azt</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">-</Data>
<Data Name="FullyQualifiedSubjectMachineName">-</Data>
<Data Name="CalledStationID">00-AA-6E-2A-50-0A</Data>
<Data Name="CallingStationID">40-16-7E-45-F2-67</Data>
<Data Name="NASIPv4Address">192.168.1.101</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">-</Data>
<Data Name="NASPortType">Ethernet</Data>
<Data Name="NASPort">50110</Data>
<Data Name="ClientName">Cisco Switch</Data>
<Data Name="ClientIPAddress">192.168.1.101</Data>
<Data Name="ProxyPolicyName">Use Windows authentication for all users</Data>
<Data Name="NetworkPolicyName">eKiosk 802.1x</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">CA.cadc.local</Data>
<Data Name="AuthenticationType">PEAP</Data>
<Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="ReasonCode">265</Data>
<Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
<Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
</EventData>
</Event>
10-06-2018 10:09 PM
10-09-2018 11:17 PM
Hi Francesco Molino,
https://community.cisco.com/t5/user/viewprofilepage/user-id/321306
Thanks for your help. With your help, I can run IPsec with the MS CA correctly.
But now I have a misunderstanding about the eBGP configuration of my DMVPN design. Please help to clear it up.
According to my network design,
I want to know:
1. Do I need to run a static route to the two routers of the ISP? Is eBGP neighboring enough? (They are the same AS but different routers and different IPs.)
2. Do I need to use a loopback to peer with the ISP router? I want to use the physical interface to peer with the ISP routers; is that OK?
3. In my design, do I need to run any other underlying protocol (OSPF or EIGRP)? My understanding is that it is not required.
4. For the spoke sites, does each spoke need to peer with the ISP router only? Or does every spoke need to peer with all spokes and the hub router?
5. Does each spoke site need to peer with the two IPs of the hub router?