1111 Views, 5 Helpful, 4 Replies

Auto restore and backup the CA server database without tunnels going down?

Deepak Ambotkar
Level 1

Hello,

We are setting up DMVPN using PKI for authentication, for better security.

I have set up a CA server and clients in the lab and it is working fine. I am aware that we can save the database to external media or a server.

Now if my primary or main CA server fails, the certificate database will not be available until I manually import these certificates back to the router, and until then all my peerings will be down (am I correct?).

I would like to set up two routers as CA servers: the first acting as the primary server with a public IP, and the second as a backup in case the primary fails. But I would like this to be automated, so that if the first router fails the backup takes over immediately without the tunnels going down.

Is there a way we can do this? Has anyone implemented this design before? Please help.

Thanks,

Deepak


4 Replies

Your VPNs won't go down if the CA is not available. The CA is only needed if you want to issue an additional certificate for a new spoke. The authentication between the peers doesn't need the CA.

BUT: if your routers want to query the CRL before accepting a peer, then the CA could be needed, as the CRL by default is held by the CA. To solve that problem there are two solutions (well, there are more, but these are the common ones):

1) Publish the CRL to an external web server.

2) Allow the connection if the CRL can't be loaded.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

Thanks again for your input. I would like to know more about this scenario. My design is such that there will not be "pre-shared keys" and only "PKI". So in this case, if peers have already established connections to other peers and the CA server goes down, they will not go down, is that correct? Also, what is the configuration command to allow the connections if the CRL can't be loaded?

Thanks,

Deepak

My design is such that there will not be "pre-shared keys" and only "PKI".

That's the main purpose of a PKI-setup ... ;-)

So in this case if peers have already established the connection to other peers and the CA server goes down then they will not go down, is that correct?

right. The IPSec-peers don't care about the CA unless the cert needs to be enrolled or the CRL needs to be checked.

Also what is the configuration command to allow the connections if the CRL can't be loaded?

crypto ca trustpoint YOUR_TRUSTPOINT

  revocation-check crl none

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
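The two options from Karsten's replies above (publish the CRL to an external web server, or let the spoke accept peers when the CRL cannot be fetched) as an added IOS configuration example; this is not configuration from the original posts. The server name MYCA, the web server crl.example.com and the CA address 203.0.113.10 are placeholders, and `crypto pki trustpoint` is the current spelling of the `crypto ca trustpoint` command shown above.

```cisco
! --- On the IOS CA server (assumed name MYCA) ---
crypto pki server MYCA
 database level complete
 database url flash:
 ! Option 1: put an external CDP into every issued certificate, so spokes
 ! fetch the CRL from the web server instead of from the CA router.
 ! The CRL file itself still has to be copied/published to that server.
 cdp-url http://crl.example.com/MYCA.crl
 ! CRL lifetime in hours; shorter means a revoked certificate is
 ! rejected sooner once the new CRL is published
 lifetime crl 24
 no shutdown
!
! --- On each DMVPN spoke (trustpoint name assumed) ---
crypto pki trustpoint MYCA
 enrollment url http://203.0.113.10:80
 ! Option 2: try the CRL first; if it cannot be downloaded, accept the
 ! peer anyway. Trade-off: while the CRL is unreachable, a revoked
 ! spoke certificate is still accepted.
 revocation-check crl none
!
! Stricter alternative, e.g. for the hub, once the CRL is hosted on an
! always-reachable web server (Option 1): fail closed if no CRL is available.
! crypto pki trustpoint MYCA
!  revocation-check crl
```

After a spoke has authenticated at least one peer, `show crypto pki crls` shows whether it actually downloaded and cached a CRL from the CDP; if nothing is cached while the trustpoint is set to `crl none`, peers are being accepted without any revocation check, which is exactly the condition Option 1 is meant to avoid.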

Full points again. I am new to security stuff, so...
