07-14-2013 08:22 PM - edited 02-21-2020 07:01 PM
I have decided to enact a dual-cloud DMVPN (1 headend in primary office, 1 headend in DR location) architecture with the option later to go to dual-hub in each of my headend locations.
I was trying to configure each of the clouds to have its own key.
hub 1 cloud 1:
crypto isakmp key KEY123 address 0.0.0.0 0.0.0.0 no-xauth
hub 1 cloud 2:
crypto isakmp key KEY456 address 0.0.0.0 0.0.0.0 no-xauth
Of course, the spokes that I wish to connect to both clouds would not allow me to use the same simple crypto isakmp key command twice.
Many of my sites will have 2 internet connections. Since I source a tunnel from each of these Internet connections, I came up with the following solution:
spoke 1:
crypto keyring X-RING
 ! Gig0/1 is the interface of internet connection 1
 local-address Gig0/1
 pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY123
crypto keyring Y-RING
 ! Gig0/2 is the interface of internet connection 2
 local-address Gig0/2
 pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY456
crypto isakmp profile DMVPN_ISAKMP_X
 keyring X-RING
 match identity address 0.0.0.0
 local-address Gig0/1
crypto isakmp profile DMVPN_ISAKMP_Y
 keyring Y-RING
 match identity address 0.0.0.0
 local-address Gig0/2
OK... to the question: the first site I tried to connect to both DMVPN clouds only has 1 internet connection!
Without changing both my DMVPN clouds to the same key (almost all the examples have this), how do I ensure that spoke-hub and spoke-spoke tunnels work?
Is there something else I can match, or create on each of the spoke and hub configs?
I tried:
- match identity group <group>, but I couldn't figure out how to set a group name on each of the spokes - or the hub for that matter. Also, wouldn't no-xauth prevent this from being examined?
- match fqdn doesn't seem to work either.
- vrf is not an option - not applicable
- loopbacks behind the internet IP address don't seem to be an option and would seem to complicate the issue too much.
Thanks much in advance!
07-15-2013 10:58 PM
There's nothing special about PKI when it comes to DMVPN. PKI or pre-shared keys is just how ISAKMP authenticates the session, and there's no difference between DMVPN and site-to-site.
Basically, you'd have to do these things:
- create a CA. A basic one may be set up on some of your routers.
- create the trustpoint on each DMVPN hub and spoke.
- change the type of authentication in the ISAKMP profile from pre-share to rsa-sig.
Surely you may have more than one trustpoint, one for each cloud, but I highly doubt that with PKI it's needed.
Maybe this doc will be of some help, although it has too much info:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html
If you need, I may bring up some complete example for site-to-site with PKI auth.
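As an added illustration of the three steps above for the spoke with a single internet connection (this is not a config from the thread or its author), the following IOS layout uses one trustpoint and one rsa-sig ISAKMP profile for both clouds, so there is no longer a per-cloud key to separate by local-address. The CA address 198.51.100.10, the names ROOT-CA, DMVPN-CA, DMVPN-MAP, DMVPN_ISAKMP_PKI, the OU string, the tunnel addressing and the tunnel keys are assumed placeholders, and the NHRP hub mappings are omitted.

```cisco
! ---- CA role (assumed: one of the hub routers) ----
crypto pki server ROOT-CA
 issuer-name CN=ROOT-CA,OU=DMVPN
 grant auto
 no shutdown
!
! ---- On every hub and spoke (spoke 1 shown); exec mode first:
!   crypto key generate rsa label DMVPN-KEY modulus 2048
crypto pki trustpoint DMVPN-CA
 enrollment url http://198.51.100.10:80
 subject-name CN=spoke1,OU=DMVPN
 revocation-check none
 rsakeypair DMVPN-KEY
! then exec: crypto pki authenticate DMVPN-CA ; crypto pki enroll DMVPN-CA
! Accept only peers whose certificate subject contains OU=DMVPN
crypto pki certificate map DMVPN-MAP 10
 subject-name co ou = dmvpn
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
! One profile replaces DMVPN_ISAKMP_X/Y: peers are identified by
! certificate, not by a per-cloud key, so no local-address split
crypto isakmp profile DMVPN_ISAKMP_PKI
 ca trust-point DMVPN-CA
 match certificate DMVPN-MAP
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN_ISAKMP_PKI
!
! Both clouds on one source: distinct tunnel keys separate the mGRE
! tunnels and "shared" lets them use one IPsec profile on one source
interface Tunnel1
 ip address 10.1.0.11 255.255.255.0
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC shared
interface Tunnel2
 ip address 10.2.0.11 255.255.255.0
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-IPSEC shared
```

The certificate map is what replaces the 0.0.0.0 identity match: any router enrolled under the same CA with OU=DMVPN is accepted, which is what phase 2/3 spoke-spoke tunnels need, and revocation-check none is a lab shortcut that would be crl in production.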
07-14-2013 11:04 PM
Surely the best thing here is to use certificates, as that will eliminate all these questions. Is it gonna be phase 2/3 DMVPN? In phase 1 you can easily put the VPN hub IP address/key in the global keyring. As to your config, if you're planning to have phase 2 or 3, I can't think of an easy way to accomplish this. You only have the option to match IP addresses in your ISAKMP profiles as peer identity when using pre-shared keys for authentication. So again - if it's phase 1 - no problem. Just put the exact IP addresses of the hubs in the crypto isakmp key ..... command. If it's phase 2 or 3 - use PKI.
07-15-2013 08:27 PM
It is phase 2 and I plan on moving to phase 3. That is why the 0.0.0.0 match is required.
I've seen some PKI config information, but have trouble finding anything current -- and especially something that shows PKI integration with DMVPN. Do you know of any good document?
Until PKI is ready, to solve the above problem, I think I will just use a manual failover between tunnels for this site that only has 1 internet connection - and order a second Internet connection for redundancy.
07-14-2013 11:12 PM
- match fqdn doesn't seem to work either.
I forgot. For this to work, you should enable aggressive mode for ISAKMP. It's done under the ISAKMP profile configuration, using the initiate mode aggressive command.