Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9093
Views
185
Helpful
31
Replies

DMVPN and L2TP (IPSec)

MrBeginner
Spotlight
Spotlight

‎02-20-2019 03:03 AM - edited ‎02-21-2020 09:34 PM

Dear all,

I am trying to integrate DMVPN and L2TP because i have different vendor devices.I have two DC.DC1 (Spoke4 ) is using non cisco. DC2 is using cisco.my spoke site are need to connect DC1 and DC2 .so i mix DMVPN and l2tp(IPSEC) .Please see the below diagram.

I am using delay value to choose the tunnel priority.But if i integrate l2tp with DMVPN is down. Please see error log.

How can i solve this problem.DC1 l2TP is already running IPSEC in production.now i need to do DMVPN only.but i worry it will be conflict each other. Please advice how to avoid ? 

 

 

Labels:
Preview file
100 KB
Preview file
13 KB
Preview file
74 KB
Preview file
11 KB
Preview file
10 KB
0 Helpful
31 Replies 31

MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎03-07-2019 05:30 PM

Hi,

Thank,Do you mean if i us CSR and import to computer manually,my computers don't need to join domain,correct?

if i renew the certificate in CA server ,GPO will automatically push cert to domain clients ?

Now when i test with GPO auto enrollment,user certificate is auto install in domain clients but workstation cert cannot install auto to domain clients and cannot authenticate using workstation certificate.But i am still trying to test with user certificate.

Please see Let me know which subject format is the easiest way to cert authentication in 802.1x ?

 

Certificate TemplateCertificate Templatesubject field in CSRsubject field in CSR

I also want to know my existing network is already running with one VTI and one DMVPN tunnel in each site.

The all routers are using one rsa key pair and one trustpoint for both tunnels now.But i am not sure what happen if i add new tunnel for dual DMVPN.I worry the existing production network will be down.

Let me know any concern for this scenario ?

I have another question for your previous advice to use different rsa key and trustpoint for two different tunnel.

I also want to know if i create new rsa key with rsa key pair and new trustpoint in existing running runing routers,it will effect to exiting tunnel and certificates ?

 

 

0 Helpful

Rob Ingram
VIP
VIP
In response to MrBeginner

‎03-08-2019 02:35 AM

Hi,

Yes, if you create a CSR on the computer it does not need to be joined to the domain.

 

The ROOT certificate on the CA should be created with a lifetime of 15-20 years, so usually would not need renewing. If you are referring to the identity certificate for the computer/users, this would usually have a lifetime of 2-3 years.  The GPO applied to the users/computers can be configured to auto-renew the certificate.

 

You shouldn't necessarily need to modify the certificates, use the "User" and "Computer" templates.

 

If you are adding another DMVPN tunnel and it is using the same certificate for authentication, this should be fine.

 

If you create a new keypair with a unique label this should not impact the existing keypair, just following the configuration previously supplied.

 

HTH

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents