Getting started with DMVPN

sjanke
Beginner

I am getting started with DMVPN. All my spokes will connect via the internet. From a design standpoint, is it preferred to have the hub as the CA or to have a standalone box as the CA (MS)? If there is a standalone box then it will need to be accessible from the internet so the spoke routers can get the cert to complete phase 1 of the VPN, which is the same for the hub router if it is to perform CA duties.

thanks,

Steve

11 Replies

Karsten Iwen
VIP Mentor

It's best to have a dedicated CA which is not directly connected to the internet. If you have one, take an older router that has no other functionality any more. Even a 2600-XM will work fine as a CA. Of course you can also use an MS CA. If that is not possible, you can implement the CA on the hub.

The spokes don't need to reach the CA for VPN establishment. They only need to reach the CA while their certificates are enrolled. If you want to check the CRLs from the spokes, then the CRL server has to be reachable from the internet. By default the CRLs are stored on the CA, but you can also use a "normal" web server for that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Since this will be a dual-hub deployment and there will be spoke-to-spoke communication, is there any insight you may offer from your experience with this type of DMVPN deployment?

As it stands now, from what I've read (or over-read, lol), I will have the hubs handle the CA and CRL roles.

An additional question that comes up is the security of the DMVPN network if a device wanders to someone's home or finds its way to eBay. The unsuspecting person plugs the router in and powers up the device, and voila, it is connected to my network.

Once I am informed of a missing device, how can I revoke this device's cert, or are there other ideas on how to handle this?

That's exactly the reason for using certificates and not wildcard PSKs. You can revoke the certificate, the hub has to check the validity of the cert, and the spoke is banned from the network. Of course you have to be aware of your missing router ...

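The revocation flow described above, as an added example that is not part of this thread: an IOS CA server that publishes its CRL on a separate web server, the hub trustpoint with the weak setting beside the one that actually enforces the CRL, and the CA-side commands used once a spoke goes missing. Hostnames, addresses, the trustpoint name and the serial number are constructed placeholders.

```text
! --- CA router (kept off the internet; only the CRL must be reachable) ---
! Constructed example: names, URLs and the serial below are placeholders.
ip http server
crypto pki server DMVPN-CA
 database level names
 issuer-name CN=dmvpn-ca.example.invalid
 lifetime certificate 365
 ! CRL validity in hours: a hub keeps a cached CRL until it expires,
 ! so this value bounds how long a revoked spoke can still connect.
 lifetime crl 24
 ! Publish the CRL on an ordinary web server reachable by hubs and spokes.
 cdp-url http://crl.example.invalid/DMVPN-CA.crl
 no shutdown

! --- Hub router, weak setting: a revoked spoke still completes IKE ---
crypto pki trustpoint DMVPN-CA
 enrollment url http://192.0.2.5:80
 revocation-check none

! --- Hub router, corrected setting: no valid CRL means the peer is rejected ---
crypto pki trustpoint DMVPN-CA
 enrollment url http://192.0.2.5:80
 revocation-check crl

! --- When a spoke goes missing (privileged EXEC on the CA) ---
! 1. Look up the serial number of the lost spoke's certificate.
show crypto pki server DMVPN-CA certificates
! 2. Revoke it; the CA issues a fresh CRL containing this serial.
crypto pki server DMVPN-CA revoke 0x1A
! 3. On the hub, tear down the existing SA so the next IKE exchange
!    re-validates the spoke certificate against the CRL.
clear crypto isakmp
clear crypto sa
```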

With dual hubs it's better to have two independent DMVPNs. One to Hub1, one to Hub2.

sjanke
Beginner

I'd hate to waste two routers for a CA role if I have ACS deployed. Any idea if I can use ACS as the CA?

No, that's not possible. The ACS has no CA functionality.


I got the CA split out and spokes can complete phase 1. Pretty sweet setup. So now I'm looking at having the tunnel interfaces use DHCP. I found a supporting document and configuration setting; however, the spoke isn't getting an IP address from the DHCP server. Typically an ip helper-address command is specified, but in the Cisco doc it was not required per the example.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-dhcp-tunnels.html

spoke (tunnel interface):
 ip address dhcp
 ip dhcp client broadcast-flag clear

hub (global):
 ip dhcp support tunnel unicast

Any ideas? Thanks!

I don't have experience with that feature, but why do you want to use that? Do you have so many spokes that it wouldn't scale without it? I always set the tunnel IP based on branch numbers.


It would ease our deployment process. Currently 400 sites use DMVPN. 360 use it as a backup, the rest use it as the sole connection to corporate resources, and we've forecasted an average of 20 additional sites a year to use DMVPN.

It appears that the hub could sit behind an ASA firewall with GRE and the other ISAKMP/IPsec ports open and NAT'd correctly.

Any known issues with hub placement behind the ASA?
