Dual DMVPN

YORKIE23
Level 1

Hello All,

What I would like to do is have a hub that has dual DMVPN tunnels to the spokes.  The ultimate goal of our network is to have the spokes authenticate to each other using PKI with IKEv2 on the tunnel.  Right now, I can get the spokes to authenticate to each other using PKI, but I first have to enroll them with the CA/Hub then set the tunnel to use PKI/IKEv2.  Works like a charm.  The issue is that we would like the spokes to authenticate to the hub with a tunnel using PSK/IKEv2, obtain their certificate, then use the certificate to do further authenticating. I cannot do this with one tunnel (or at least I haven't found a way to make it work) because when using IKEv2 the tunnel can accept various forms of authentication from others, but can only be configured to present one form.  This is the reason we have decided to use two tunnels.  One that allows the initial enrollment to the hub via PSK then the second for the rest of the communication.  I have brought up the idea that as we bring new systems online, we enroll them then set the tunnel to use PKI.  Problem solved, but it was brought to my attention that two tunnels would be best in case one ever experiences an issue.  What would be the most feasible and scalable method to do this?  Let me add that I have tried to just make a second tunnel, but when I apply the ipsec profile, it interferes with the first tunnel even though the profiles are different (meaning I don't need the share command).  I have made sure that the network-ids and tunnel keys were different.

Note:  We are using loopback addresses as our tunnel source.

I really hope that all made sense.  Two tunnels. One with PSK and one with PKI.  Both using IKEv2.  One hub to many spokes.

Accepted Solution

Thank you for your response and I apologize for taking so long to respond.  Your answer was exactly what I was looking for and assures me that what we were attempting to do would work.  The problem, which has now resolved itself, was that when we would try to bring up the second tunnel with ipsec, the first one would come down.  I have had the tunnel configured with different sources and this has allowed both tunnels to remain up.  NOW I am just having a problem with the PKI which I will create a different post for. Thank you so much.

2 Replies

Hi there,

I guess you could use multiple IKEv2 profiles, using the configured local and remote identities to match against a different IKEv2 profile, one configured with PSK and the other with certificates. Therefore you'd require 2 tunnels, 2 ipsec profiles, 2 ikev2 profiles.

If it was me personally I'd have a dedicated Hub router (can be low spec) using IKEv2 with PSK purely for the initial certificate enrollment. On the spoke have 2 tunnel interfaces, using one for the certificate enrollment procedure.  Once certificate enrollment has taken place I'd shut down that interface and bring up the main tunnel that uses the certificates. You could use an EEM script for this procedure. I'd use the 2 main Hub routers dedicated as Dual Hub (no PSK, certificates only), load balance across both or use one as a standby (routing protocol metric).

HTH
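As an added illustration of the layout this reply describes (two IKEv2 profiles, two IPsec profiles, two tunnels), combined with what the original poster found resolved the "second tunnel knocks the first down" problem (a separate loopback source per tunnel), here is a hub-side IOS configuration sketch. It is not from this thread or from Cisco; every name, address, key and certificate-map criterion below is a hypothetical placeholder, and the spoke side (two tunnel interfaces pointing at the hub's two loopbacks) is left out.

```cisco
! Added example, not from this thread. Hub side of a dual-tunnel DMVPN:
!   Tunnel10 = enrollment-only tunnel, IKEv2 authenticated with a PSK
!   Tunnel20 = production tunnel, IKEv2 authenticated with certificates
! All names, addresses, keys and map criteria are hypothetical placeholders.

! One loopback per tunnel. Because the two tunnels have different sources,
! "tunnel protection" needs no "shared" keyword and each tunnel owns its
! own IKEv2/IPsec sessions instead of competing for the same source address.
interface Loopback10
 ip address 192.0.2.1 255.255.255.255
interface Loopback20
 ip address 192.0.2.2 255.255.255.255

! ---- PSK side: bootstrap / enrollment only ----
crypto ikev2 keyring ENROLL-KEYRING
 peer ANY-SPOKE
  address 0.0.0.0 0.0.0.0
  pre-shared-key ENROLL-ONLY-PSK-PLACEHOLDER

crypto ikev2 profile IKEV2-PSK
 ! Pin this profile to Loopback10's address so only sessions that terminate
 ! on the enrollment tunnel's source are ever matched against the PSK.
 match address local 192.0.2.1
 match identity remote address 0.0.0.0
 identity local address 192.0.2.1
 authentication local pre-share
 authentication remote pre-share
 keyring local ENROLL-KEYRING

! ---- Certificate side: steady-state traffic ----
crypto pki trustpoint SPOKE-CA
 enrollment url http://192.0.2.100:80
 revocation-check crl

! Only certificates from the expected issuer select the PKI profile.
crypto pki certificate map SPOKE-CERTS 10
 issuer-name co cn = spoke-ca

crypto ikev2 profile IKEV2-PKI
 match address local 192.0.2.2
 match certificate SPOKE-CERTS
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint SPOKE-CA

! ---- One transform set, two IPsec profiles, each pinned to its IKEv2 profile ----
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport

crypto ipsec profile IPSEC-PSK
 set transform-set DMVPN-TS
 set ikev2-profile IKEV2-PSK

crypto ipsec profile IPSEC-PKI
 set transform-set DMVPN-TS
 set ikev2-profile IKEV2-PKI

! ---- Enrollment tunnel ----
interface Tunnel10
 ip address 172.16.10.1 255.255.255.0
 ip nhrp network-id 10
 ip nhrp map multicast dynamic
 tunnel source Loopback10
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile IPSEC-PSK

! ---- Production tunnel ----
interface Tunnel20
 ip address 172.16.20.1 255.255.255.0
 ip nhrp network-id 20
 ip nhrp map multicast dynamic
 tunnel source Loopback20
 tunnel mode gre multipoint
 tunnel key 20
 tunnel protection ipsec profile IPSEC-PKI
```

Two design points worth keeping in mind with this split. First, the wildcard keyring on the PSK profile accepts any peer that knows the shared secret, so the enrollment tunnel should carry nothing but the enrollment exchange to the CA (an interface ACL on Tunnel10 is the simplest way to enforce that), and the spoke should shut that interface once it holds a certificate, as the reply suggests. Second, the `match address local` lines are what keep a spoke from ever being authenticated by the PSK profile on the production tunnel's address, which is the property the two-tunnel design is meant to guarantee.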
