dmvpn - PSK to Certificate

Hi All

We have around 150 DMVPN+IPsec tunnels to a hub. There are multiple hubs in different clouds, for example:

spoke 1 ------ tunnel 1 ----- hub 1

------- tunnel 2 ------- hub 2 (failover)

In this setup, if the hub 1 IPsec policy is converted from PSK to cert based, I'm sure all 150 remote sites having their primary tunnel to hub 1 will be down? Sites might still be up with tunnel 2 though. Is that right?

Is the next step to go to each spoke and convert the IPsec profile to remove PSK and add PKI authentication?

Can someone help assess the impact when migrating from PSK to PKI?


Philip D'Ath
VIP Alumni

You don't have to do "big bang".  You could allow both PSK and certificate based authentication, migrate the sites over, and then turn off the PSK authentication.

Another safe way would be to deploy another DMVPN tunnel configured to only do certificate based authentication.  Convert all the spokes across to this and then remove the original tunnel.

And you could also do exactly what you have suggested, enable PKI, let the tunnels fail over to hub2, and then migrate all the spokes over, and then lastly migrate hub2.

It's tough when you have many solutions to choose from that should work. Your option of failing over to hub2 would be nice and simple (assuming you don't have direct spoke to spoke communication).

This could also be a golden time to upgrade to IKEv2 and stronger crypto if your deployment is a little old and can support newer technologies.

Can PSK and PKI co-exist on the same tunnel? I agree, configuring a new tunnel makes it easy, but I'm confused on how they can co-exist. Obviously the authentication method is specified in the crypto statements, so if I remove PSK from the crypto, wouldn't the existing tunnels using PSK go down?

If I have a totally new crypto policy and crypto map, then it's easy to put a new tunnel in the DMVPN hub and use that for anything needing cert authentication. Right? If not, do the big bang.

crypto isakmp policy 1
 encr aes 192
 group 2
 ! PSK authentication removed from this policy

interface Tunnel0
 tunnel protection ipsec profile DMVPN

Just create a second ISAKMP policy that uses certificates. Then you can use both at the same time. Note that certificate authentication is the default, so you just need:

crypto isakmp policy 1
 encr aes 192
 group 2
 authentication pre-share
!
crypto isakmp policy 10
 encr aes 192
 group 2
 ! no 'authentication' line: rsa-sig (certificates) is the default
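An added example (not from any poster in this thread) of what the coexistence described above looks like end to end: the hub keeps policy 1 for the PSK spokes while policy 10 (rsa-sig, the IOS default) accepts spokes that have already moved to certificates, and the tunnel interface itself is untouched. The trustpoint name, CA URL, transform-set name and the PSK are placeholders, not values from the thread.

```cisco
! ---- Hub: accept both PSK and certificate spokes during the migration ----
crypto pki trustpoint DMVPN-CA            ! placeholder trustpoint name
 enrollment url http://ca.example.com:80  ! placeholder CA URL
 revocation-check crl
!
crypto isakmp policy 1                    ! existing PSK policy, kept until the last spoke moves
 encr aes 192
 group 2
 authentication pre-share
crypto isakmp policy 10                   ! new policy; rsa-sig is the default, no 'authentication' line
 encr aes 192
 group 2
crypto isakmp key PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0   ! placeholder wildcard PSK
!
crypto ipsec transform-set DMVPN-TS esp-aes 192 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN-TS
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN    ! unchanged; the ISAKMP policy list decides PSK vs cert
!
! ---- Migrated spoke: only the certificate policy remains ----
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.example.com:80
 revocation-check crl
crypto isakmp policy 10
 encr aes 192
 group 2
! 'crypto isakmp key ...' and 'authentication pre-share' are removed on this spoke
!
! ---- Check on the hub before deleting policy 1 ----
! show crypto isakmp policy       -> both policies listed
! show crypto isakmp sa detail    -> Auth column shows psk or rsig per peer;
!                                    delete policy 1 only once no peer shows psk
```

The PSK spokes keep matching policy 1 and the migrated spokes match policy 10, so spokes can be moved one at a time without touching the tunnel interface.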

Are there any examples of a PSK to Certificate migration using IKEv2?

There is no off-the-shelf document on how to migrate.

Personally, I would go to IKEv2 first and then add certs, or vice versa, so the two don't potentially interfere when you migrate.
