
Migrating PKI solution used in DMVPN

Andreas88
Level 1

Hello!

We are currently running multiple DMVPN clouds using certificates for authentication.

We are in need of replacing our old PKI solution, and I was wondering what would be the best way to move forward to get as smooth a migration as possible. We are mostly using two hubs per cloud, and spokes can vary from a couple to 50-100. We are looking for as little downtime as possible.

In theory, as I understand it, I should be able to run both the old and the new ones (we are running two new servers for redundancy) simultaneously on a device, and keep the tunnels up?

I have the new PKI solution up and running and I'm wondering if these are the correct steps for migration. I was thinking that I add the trustpoints and crypto map on the hubs first to allow both the old and new ones. Then I force the spokes over one at a time?

Hub:

* Configure the two trustpoints and enroll them

* Add a crypto map entry to specify which trustpoint to prioritize:

crypto map DMVPN client authentication list <OldTrustpoint> <NewTrustpoint1> <NewTrustpoint2>
crypto map DMVPN isakmp authorization list <OldTrustpoint> <NewTrustpoint1> <NewTrustpoint2>

Spoke:

* Configure the two trustpoints and enroll them

* Add a crypto map entry to specify which trustpoint to prioritize:

crypto map DMVPN client authentication list <NewTrustpoint1> <NewTrustpoint2> <OldTrustpoint>
crypto map DMVPN isakmp authorization list <NewTrustpoint1> <NewTrustpoint2> <OldTrustpoint>

Then clear the tunnels on a spoke to force it to authenticate using the new trustpoint. (Is this needed?)

Would also welcome any other suggestions from those of you who have done this before.

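Added example (not the poster's configuration and not a Cisco-published procedure): one way to express the staged cut-over described in the post on IOS/IOS-XE, assuming the tunnels use IKEv2 with `tunnel protection` rather than the IKEv1 crypto map in the post. IKEv2 profiles accept several `pki trustpoint` lines and let each be restricted to `sign` (the certificate this router presents) or `verify` (CAs accepted for the peer's certificate), which is exactly the split the migration needs: every device trusts all CAs for verification during the transition, and only the signing trustpoint changes per device. The trustpoint names OLD-CA, NEW-CA1 and NEW-CA2, the enrollment URLs, the issuer strings in the certificate map, and the profile and interface names are all assumptions.

```cisco
! ===== Hub (repeat on both hubs) =====
! Step 1: enroll with the new CAs alongside the existing OLD-CA trustpoint.
! (OLD-CA is assumed to already exist; URLs and key labels are assumed.)
crypto pki trustpoint NEW-CA1
 enrollment url http://new-ca1.example.internal:80
 revocation-check crl
 rsakeypair NEW-CA-KEY
!
crypto pki trustpoint NEW-CA2
 enrollment url http://new-ca2.example.internal:80
 revocation-check crl
 rsakeypair NEW-CA-KEY
!
! exec mode, once per new trustpoint:
!   crypto pki authenticate NEW-CA1
!   crypto pki enroll NEW-CA1
!
! Step 2: accept peer certificates issued by either the old or the new CA
! (issuer strings are assumed; "co" = contains).
crypto pki certificate map DMVPN-PEERS 10
 issuer-name co cn = old-ca
crypto pki certificate map DMVPN-PEERS 20
 issuer-name co cn = new-ca
!
! Step 3: hub keeps signing with OLD-CA while spokes migrate, but verifies
! against all three. Remove the OLD-CA lines only after the last spoke has moved.
crypto ikev2 profile DMVPN-IKEV2
 match certificate DMVPN-PEERS
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint OLD-CA sign
 pki trustpoint OLD-CA verify
 pki trustpoint NEW-CA1 verify
 pki trustpoint NEW-CA2 verify
!
crypto ipsec profile DMVPN-IPSEC
 set ikev2-profile DMVPN-IKEV2
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN-IPSEC

! ===== Spoke (one at a time, after the hubs are done) =====
! Same trustpoints and certificate map as the hub, then flip the signing
! trustpoint to NEW-CA1 while still verifying hub certificates from OLD-CA.
crypto ikev2 profile DMVPN-IKEV2
 match certificate DMVPN-PEERS
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint NEW-CA1 sign
 pki trustpoint NEW-CA1 verify
 pki trustpoint NEW-CA2 verify
 pki trustpoint OLD-CA verify
!
! exec mode: force re-authentication so the new certificate is actually used,
! then confirm which trustpoint signed the local certificate in the new SA.
!   clear crypto ikev2 sa
!   show crypto ikev2 sa detailed
!   show crypto session detail

! ===== Cleanup (every device, after all spokes report the new cert in use) =====
! no pki trustpoint OLD-CA ...   (inside the IKEv2 profile)
! no crypto pki trustpoint OLD-CA
```

Two caveats worth checking before starting: with `revocation-check crl` on OLD-CA, the hubs must still be able to fetch the old CA's CRL for as long as any spoke presents an old certificate, so keep the old CRL distribution point reachable until the cleanup step; and because the hub verifies with all listed trustpoints, a spoke whose new enrollment failed will silently keep authenticating with its old certificate, so verify each spoke with `show crypto ikev2 sa detailed` rather than assuming the clear command did the switch.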