DMVPN - IPSEC - AAA

kazem_hex
Level 1

Hello Cisco Masters,

I'm new to the Cisco world. I was wondering if anyone could help me with my scenario:

Suppose there is a DMVPN with IPSEC. The "crypto isakmp key address" is configured for a range of routers connected to the hub.

If the pre-shared key is compromised, it's so hard to change the ISAKMP pre-shared key on lots of spoke routers.

Is there a way that the pre-shared key could be sent to the router via a RADIUS or TACACS server?

I searched and found it's completely possible via Cisco dynamic VTI:

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/ikessaaa.html

but it needs a static crypto map and uses dynamic VTI.

Is there a way to use this solution with DMVPN? Do you know any links that describe such a scenario in DMVPN?

Thanks for reading my post

Best Regards


Hi Kazem,

This feature is only supported in aggressive mode, which means that the pre-shared key will be exchanged across an unprotected connection; this means that the key may be compromised even more often.

I would recommend that you use PKI instead.

http://www.m00nie.com/2011/11/dmvpn-with-pki-authentication-gns3-lab/

PKI Service for Large Scale IPSec Aggregation

Hope to help.

Thanks.

Please rate any helpful posts.

olpeleri
Cisco Employee

You should not use aggressive mode... If I can capture the exchange, it's trivial to get the key...

There is a way of achieving this by using IKEv2 FlexVPN. You need an ISR G2 or ASR.
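As an added illustration (not configuration from this thread or from Cisco), here is a minimal IKEv2 FlexVPN hub that follows the two replies above: IKEv2 instead of ISAKMP aggressive mode, and certificate (PKI) authentication instead of a shared key, so a compromised spoke is handled by revoking one certificate rather than re-keying every router. The trustpoint, profile and interface names, the CA URL and the domain example.com are assumptions.

```cisco
! Added example, not from the original thread. Names such as HUB-CA,
! FLEX-HUB, example.com and the interface numbers are assumptions.
!
! Trustpoint: the hub trusts the CA; a spoke is removed by revoking
! its certificate rather than by changing a key on every router.
crypto pki trustpoint HUB-CA
 enrollment url http://ca.example.com:80
 revocation-check crl
 rsakeypair HUB-KEY
!
! IKEv2 proposal and policy (AES-256, SHA-256, DH group 14)
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
! Profile: both sides sign with RSA certificates (rsa-sig). There is
! no keyring, so there is no pre-shared key to leak or to rotate.
! Only peers whose certificate FQDN is under example.com match here.
crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint HUB-CA
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-HUB
!
! Each spoke gets its own virtual-access interface cloned from this
! template when its IKEv2 SA comes up.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

Spokes need a matching IKEv2 profile enrolled with the same CA; check the result with `show crypto ikev2 sa` and confirm the authentication method shown is RSA signatures rather than a pre-shared key.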