Hi everybody,
I'm working on a VPN hub-to-spoke design with 100s of spokes. Some of the sites will be very remote and it is not always possible in some countries to get an internet connection with a static IP address.
Please correct my assumptions if they are wrong:
If I were to use pre-shared keys I would have to use wildcard pre-shared keys, which means that if one of the branch router configs was compromised, anybody could create a tunnel to my core site. So pre-shared keys are not practical.
So I am considering using digital certificates. I would enroll the router before deployment and then use auto-enrollment after that. The CA server would be on the LAN behind the headend box.
I have two main questions:
1. If a hacker got physical access to a spoke VPN node, would it be possible for him to copy the certificate from our router to another router in order to create a new connection himself, i.e. can digital certs be copied from the Cisco router? I am worried about having to use dynamic IPs. Are there any obvious security risks in this design?
2. I will be using small routers e.g. 1841 as the spokes. I understand they will need to use NTP to work with certificates. I am not sure that I will be able to get an NTP source at each spoke site. If I open up a port on the VPN router to get NTP directly from a public NTP server does this present a significant risk?
Thanks for any advice or answers. I will rate any useful comments.
Thanks
Mike
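As an added illustration (an editor's example, not the poster's configuration or any vendor's reference text), here is the shape of a spoke and hub IOS configuration that addresses both questions: a non-exportable key pair with auto-enrollment, authenticated NTP restricted to one hub-side server, and CRL checking on the hub so a stolen spoke can be cut off by revoking its certificate. All hostnames, addresses, key labels and the shared secret are placeholders.

```cisco
! ===== Spoke side (hostname, addresses and labels are placeholders) =====
hostname SPOKE-0001
!
! Time source: the router needs a trustworthy clock before it will
! validate or renew certificates. Authenticated NTP against the hub-side
! server means a spoofed NTP reply cannot move the clock.
ntp authentication-key 1 md5 NTP-SHARED-SECRET-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
! Only the configured server may be used as a time source; with an
! access-group present, all other NTP peers are denied.
ip access-list standard NTP-PEERS
 permit 192.0.2.10
ntp access-group peer NTP-PEERS
!
! Exec command, not part of the saved config: generate the key pair
! WITHOUT the "exportable" keyword, so the private key cannot be
! copied off the router (the certificate itself is public data).
! crypto key generate rsa general-keys label SPOKE-0001-KEY modulus 2048
!
crypto pki trustpoint HUB-CA
 enrollment url http://192.0.2.20:80
 subject-name CN=SPOKE-0001,OU=Spokes,O=ExampleCorp
 rsakeypair SPOKE-0001-KEY
 ! Renew automatically at 70% of the certificate lifetime and generate
 ! a fresh key pair on each renewal.
 auto-enroll 70 regenerate
 revocation-check crl
!
! ===== Hub side: accept only spoke-issued certificates, check the CRL =====
! Certificate map: only certificates whose subject carries the spoke OU
! are accepted as tunnel peers.
crypto pki certificate map SPOKE-CERTS 10
 subject-name co ou = spokes
!
crypto pki trustpoint HUB-CA
 enrollment url http://192.0.2.20:80
 ! A stolen spoke is handled by revoking its certificate on the CA;
 ! the hub then refuses that peer once the CRL is refreshed.
 revocation-check crl
 match certificate SPOKE-CERTS
```

The hub should reach the CA's CRL distribution point over the LAN, and the CRL lifetime on the CA bounds how long a revoked spoke can still connect.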