DMVPN using different authentication modes

fsebera · ‎10-06-2010

I have a complete Cisco DMVPN phase II wan setup with several spokes.

I don't have administrative management over several spokes and the spokes I do manage, I have to upgrade the authentication from pre-shared keys to PKI. The DMVPN Hub will become the CA.

The routers that I don't manage, the management of these routers do not want to upgrade to PKI authentication at this point - And this is a layer 8 issue.

Never-the-less, I must move forward.

In order to suport the new DMVPN WAN setup, Is this where the crypto keyring technology comes into the picture?

And could anyone provide a simple example of crypto keyring with authenticated pre-shared and PKI peers?

Thanks again

Frank

wzhang · ‎10-06-2010

Hi, Frank:

Actually for what you are trying to do here, you really don't need to use crypto keyring, which is typically used together with isakmp profiles. To migrate some of your dmvpn spokes to use certificates while leave the rest of them to still use PSK, it's surprisingly simple to do. All you have to do is:

1. Enroll the spokes that are going to do certificate authentication with the CA to get the id certs

2. Enroll the hub with the CA to get its id cert

2. Remove the isakmp policy that has pre-shared keys from spokes using certificates

and that's it! There is a default isakmp policy that supports certificates (rsa-sig) in IOS, and that's the policy the spokes with certificate authentication will use. With the pre-shared key isakmp policy still in place on the hub, it should be able to authenticate both types of spokes.

Thanks,

Wen