11-21-2012 09:46 AM - edited 02-21-2020 06:30 PM
Hello Cisco Masters,
I'm new to the Cisco world. I was wondering if anyone could help me with my scenario:
Suppose there is a DMVPN with IPSEC. The "crypto isakmp key address" is configured for a range of routers connected to the hub.
If the pre-shared key is compromised, it's so hard to change the ISAKMP pre-shared key in lots of spoke routers.
Is there a way that the pre-shared key could be sent to the router via a RADIUS or TACACS server?
I searched and found it's completely possible via Cisco dynamic VTI:
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/ikessaaa.html
but it needs a static crypto map and uses dynamic VTI.
Is there a way to use this solution with dmvpn ? Do you know any links that describe such scenario in dmvpn ?
Thanks for reading my post
Best Regards
11-21-2012 01:58 PM
Hi Kazem,
This feature is only supported in aggressive mode, which means that the pre-shared key will be exchanged across an unprotected connection; this means that the key may be compromised even more often.
I would recommend that you use PKI instead.
http://www.m00nie.com/2011/11/dmvpn-with-pki-authentication-gns3-lab/
PKI Service for Large Scale IPSec Aggregation
Hope this helps.
Thanks.
Please rate any helpful posts.
11-21-2012 11:44 PM
You should not use aggressive mode... If I can capture the exchange, it's trivial to get the key.
There is a way of achieving this by using IKEv2 FlexVPN. You need an ISR G2 or ASR.
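Both replies point the same way: keep main mode and move off a shared PSK. Below is an added example (not from any post in this thread, and not a Cisco reference configuration) of one DMVPN spoke authenticating with certificates instead of `crypto isakmp key`. The trustpoint name, CA URL, key label, NHRP string, addresses and interface are placeholders, and the SHA-256 ciphers assume an IOS release that supports them.

```cisco
! --- Added example: DMVPN spoke with PKI (rsa-sig) instead of a pre-shared key ---
! Certificate trustpoint; the CA URL, subject name and key label are placeholders.
crypto pki trustpoint DMVPN-CA
 enrollment url http://192.0.2.10:80
 subject-name CN=spoke1.example.net,OU=DMVPN
 revocation-check crl
 rsakeypair DMVPN-KEYS 2048
!
! IKEv1 policy: main mode with certificate authentication.
! A compromised spoke is handled by revoking its certificate, not by
! touching every other spoke's configuration.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! No "crypto isakmp key ... address ..." line: there is no shared secret to leak.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! mGRE tunnel toward the hub (hub NBMA 203.0.113.1, tunnel 10.0.0.1 are placeholders).
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

After pasting this, the spoke still has to fetch the CA certificate and enroll (`crypto pki authenticate DMVPN-CA`, then `crypto pki enroll DMVPN-CA` from exec mode) before the tunnel can come up. `show crypto isakmp sa` should then report the peer in main mode (MM_ACTIVE) and `show crypto pki certificates` should list both the CA and the spoke certificate; a spoke whose certificate has been revoked will fail at the CRL check and never reach quick mode, which is the property the original question was after.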