DMVPN and L2TP (IPSec)

Dear all,

I am trying to integrate DMVPN and L2TP because I have devices from different vendors. I have two DCs. DC1 (Spoke4) is using non-Cisco equipment; DC2 is using Cisco. The spoke sites need to connect to both DC1 and DC2, so I mix DMVPN and L2TP (IPsec). Please see the diagram below.

I am using the delay value to choose the tunnel priority. But when I integrate L2TP with DMVPN, it goes down. Please see the error log.

How can I solve this problem? DC1's L2TP is already running IPsec; I need to do DMVPN only, but I worry they will conflict with each other. Please advise how to avoid this.





Thanks. Do you mean that if I use a CSR and import it to the computer manually, my computers don't need to join the domain, correct?

If I renew the certificate on the CA server, will the GPO automatically push the cert to the domain clients?

Now, when I test with GPO auto-enrollment, the user certificate is installed automatically on domain clients, but the workstation certificate cannot be installed automatically on domain clients and cannot authenticate using the workstation certificate. But I am still trying to test with the user certificate.

Please see the attached screenshots (Certificate Template; subject field in CSR). Let me know which subject format is the easiest way to do cert authentication in 802.1X.

I also want to know about this: my existing network is already running with one VTI and one DMVPN tunnel in each site.

All routers are using one RSA key pair and one trustpoint for both tunnels now. But I am not sure what will happen if I add a new tunnel for dual DMVPN. I worry the existing production network will go down.

Let me know if there are any concerns with this scenario.

I have another question about your previous advice to use a different RSA key and trustpoint for the two different tunnels.

I also want to know: if I create a new RSA key pair and a new trustpoint on the existing running routers, will it affect the existing tunnels and certificates?





Yes, if you create a CSR on the computer, it does not need to be joined to the domain.


The ROOT certificate on the CA should be created with a lifetime of 15-20 years, so it usually would not need renewing. If you are referring to the identity certificate for the computers/users, this would usually have a lifetime of 2-3 years. The GPO applied to the users/computers can be configured to auto-renew the certificate.


You shouldn't necessarily need to modify the certificates; use the "User" and "Computer" templates.


If you are adding another DMVPN tunnel and it is using the same certificate for authentication, this should be fine.


If you create a new keypair with a unique label, this should not impact the existing keypair; just follow the configuration previously supplied.
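As an added illustration of the two answers above (not configuration posted in this thread), the following Cisco IOS fragment shows what "a new keypair with a unique label" and "a second trustpoint for the second tunnel" look like in practice, and how the second DMVPN cloud is bound to them without touching the existing key pair or trustpoint. Every name, address, the IKEv2 choice and the NDES/SCEP enrollment URL are assumptions for the example; substitute your own.

```cisco
! --- 1. Second RSA key pair with its OWN label (assumed name DMVPN2-KEY).
!     The existing key pair is not touched; only an unlabelled
!     "crypto key zeroize rsa" would remove every key on the box.
crypto key generate rsa general-keys label DMVPN2-KEY modulus 2048
!
! --- 2. Second trustpoint, bound to that key only via "rsakeypair".
!     Enrollment URL is an assumed Microsoft NDES (SCEP) endpoint.
crypto pki trustpoint DMVPN2-TP
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 subject-name CN=spoke1.example.com,OU=DMVPN2
 revocation-check none
 rsakeypair DMVPN2-KEY
 auto-enroll 70
!
! Pull the CA chain, then request the identity cert for this trustpoint only.
crypto pki authenticate DMVPN2-TP
crypto pki enroll DMVPN2-TP
!
! --- 3. Peers are accepted only if their cert chains to the assumed CA.
crypto pki certificate map DMVPN2-CERTMAP 10
 issuer-name co example
!
! --- 4. IKEv2 (assumed; the existing tunnel may be IKEv1) using the new trustpoint.
crypto ikev2 proposal DMVPN2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy DMVPN2-POL
 proposal DMVPN2-PROP
crypto ikev2 profile DMVPN2-IKEV2
 match certificate DMVPN2-CERTMAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint DMVPN2-TP
!
crypto ipsec transform-set DMVPN2-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN2-IPSEC
 set transform-set DMVPN2-TS
 set ikev2-profile DMVPN2-IKEV2
!
! --- 5. Second DMVPN cloud. Separate NHRP network-id and tunnel key keep it
!     apart from the first cloud; the higher "delay" makes EIGRP prefer the
!     existing tunnel, matching the priority scheme described in the thread.
interface Tunnel200
 description second DMVPN cloud (backup; higher delay than Tunnel100)
 ip address 10.200.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPN2
 ip nhrp network-id 200
 ip nhrp map 10.200.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.200.0.1
 delay 2000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile DMVPN2-IPSEC shared
!
! --- 6. Checks before and after: the old key/trustpoint must still be listed.
! show crypto key mypubkey rsa
! show crypto pki trustpoints
! show crypto pki certificates DMVPN2-TP
! show crypto ikev2 sa
! show dmvpn
```

Two caveats for a router already carrying a production tunnel. First, the `shared` keyword is only required when the new tunnel uses the same `tunnel source` as the existing one, and in that case the existing tunnel needs it as well, which means a change to the production interface; sourcing the new tunnel from a different interface or loopback avoids touching the old one. Second, `show crypto key mypubkey rsa` before and after the key generation should show the original key pair unchanged, since `crypto key generate rsa ... label` only ever creates or replaces the key carrying that label.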