Ipsec dynamic map with certificate

MrBeginner

Hi,

I would like to do a hub and spoke VPN setup. I already tested a dynamic map with a preshared key.

  1. Let me know whether we can do a dynamic map using certificates. Let me know a sample config or reference link?
  2. Do we have another way to create multiple IPsec tunnels on the hub router without using a dynamic map? I want to use pure IPsec. I cannot use GRE or VTI.

5 Replies

Hi @MrBeginner 

You are using a Cisco IOS router, right? Or ASA/FTD?

If using hub and spoke, the recommended approach would be FlexVPN or DMVPN, assuming you are using a Cisco router. Cisco considers crypto maps legacy. Most up-to-date Cisco documentation for Cisco IOS router VPNs is based on FlexVPN and, to a lesser extent, DMVPN.

What certificate authority are you intending to use: IOS router, Microsoft CA, or another?

Links:

FlexVPN certificate authentication

IOS Router certificate enrolment

Hi @Rob Ingram ,

I cannot use DMVPN. The hub is a Cisco router and the spokes are different brands, so I am considering a dynamic map.

I will use Microsoft CA.

Let me know of any issues with a dynamic map with certificates?

I also want to know whether an IPsec tunnel can carry OSPF routes?

@MrBeginner Ok, what are the other vendors used? You can't run a routing protocol over a crypto map without using GRE. If you cannot use a routing protocol over the VPN, you can use Reverse Route Injection (RRI) to learn the VPN routes for established tunnels and redistribute them locally via a routing protocol.

MrBeginner

Hi,

I would like to know: if I apply the IPsec profile on the WAN interface, the source is the WAN IP, and the BGP neighbor relationship is also using the WAN IP, is there any problem with encryption?

@MrBeginner 

I assume you mean apply a crypto map to the WAN interface? If so, then if the WAN interface IP address and the BGP peer are not defined in the crypto ACL (which defines the interesting traffic), the traffic would never match, nor would encryption be attempted. It should therefore be fine.
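Putting the pieces of this thread together as an added example (this is not a config anyone posted above, and not a Cisco reference configuration): a hub-side IOS configuration for a dynamic crypto map that authenticates spokes with RSA signatures using certificates from an external (here Microsoft) CA, accepts only certificates issued by that CA to spoke devices, and uses Reverse Route Injection so OSPF on the LAN side learns the spoke prefixes. The hostname, addresses, trustpoint/map/profile names and the OU values are assumptions; adjust them to your PKI naming.

```cisco
! Added illustrative hub config, not from the thread. Names, addresses
! and DN attributes below are assumptions.
!
! 1. Trustpoint for the Microsoft CA. Cut-and-paste enrolment via the
!    terminal; "enrollment url http://<ndes-host>/certsrv/mscep/mscep.dll"
!    works instead if the CA has NDES (SCEP) deployed.
crypto pki trustpoint MS-CA
 enrollment terminal pem
 subject-name cn=hub.example.com,ou=vpn-hubs,o=example
 rsakeypair HUB-IKE 2048
 revocation-check crl
!
! Exec-mode steps after the trustpoint exists (not config lines):
!   crypto pki authenticate MS-CA   -> paste the CA certificate
!   crypto pki enroll MS-CA         -> produces a CSR to sign at the CA
!   crypto pki import MS-CA certificate -> paste the signed router cert
!
! 2. Accept only spoke certificates issued by this CA. Without this, any
!    certificate the router trusts (same issuer) could build a tunnel.
crypto pki certificate map SPOKE-CERTS 10
 issuer-name co cn=example-issuing-ca
 subject-name co ou=vpn-spokes
!
! 3. IKEv1 policy using RSA signatures; the spokes must offer a matching
!    proposal.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto isakmp profile SPOKES
 ca trust-point MS-CA
 match certificate SPOKE-CERTS
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! 4. Dynamic map: no "set peer" and no "match address" on the hub; each
!    spoke proposes its own peer address and proxy IDs (traffic selectors).
!    "reverse-route" installs a static route to the spoke's protected
!    network when the SA comes up and removes it when the SA is torn down.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS-AES
 set isakmp-profile SPOKES
 reverse-route
!
! High sequence number so any static crypto map entries are tried first.
crypto map HUB-MAP 65000 ipsec-isakmp dynamic DYN-SPOKES
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.0
 crypto map HUB-MAP
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
!
! 5. RRI routes are plain static routes, so redistribute them into OSPF
!    for the LAN; OSPF itself is not run across the crypto-map tunnels.
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 redistribute static subnets
```

Two points from the thread are visible here. First, the hub never references the WAN-to-WAN control traffic (for example a BGP session to 203.0.113.1) in any traffic selector, so as Rob Ingram notes it is never matched by the crypto map and is simply sent in the clear; only what the spoke proposes as proxy IDs is encrypted. Second, because spoke prefixes arrive via RRI rather than a routing protocol, they appear in the routing table only while the corresponding SA is up; `show crypto ipsec sa` and `show ip route static` are the places to check when a spoke network is unreachable.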