948 Views, 0 Helpful, 3 Replies

Test DMVPN one place and deploying in another

CiscoMedMed
Level 1

I staged a Cisco 1111 router for IPSec encrypted DMVPN deployment at a spoke site at one location. I pulled the certificate and didn't associate it with the IP address of the device nor the serial number of the device. When I sent it to the remote site it wouldn't come up at all. Is there anything I might have to do at the hub routers to make them forget that this spoke router once spoke to them from IP address A to turn up on IP address B? Or is it the case that if it turned up on IP address A it should come up no problem when its new public IP address is address B? Thank you.

3 Replies (the first two were marked as accepted solutions)

Hi,
It should just work if the certificate is valid.
On the spoke's configuration are you validating the CRL? This may now no longer be reachable hence why it's failing.

If you could provide the isakmp/ikev2 debugs from the spoke router and its configuration, we'll see what the output says.

HTH

Cristian Matei
VIP Alumni

Hi,

Assuming both routers have certificates issued by the same CA, which means when you imported the certificate, you also imported the CA's certificate, the certificates should be trusted, so there should be no problem from the certificate point of view. Can you post the relevant VPN configuration? If you do NAT, ensure the VPN traffic is exempted from NAT. Post the output of "debug crypto isakmp" and "debug crypto ipsec".

Regards,

Cristian Matei.
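Pulling the two replies together as an added example (this is not configuration posted in the thread): a spoke-side IOS XE configuration of the kind the answers describe, with the CRL check the first reply asks about, the NAT exemption Cristian mentions, and the show/debug commands both replies request. Every name and address here is assumed for illustration: the trustpoint, certificate map, IKEv2/IPsec profile, ACL and interface names, the 203.0.113.0/24, 10.255.0.0/24 and 192.168.12.0/24 ranges, and the CA URL. Adapt them to your own hub and CA.

```cisco
! Added example, not configuration from the original thread.
! Spoke: Cisco ISR 1111, IKEv2 with certificate (rsa-sig) authentication.
! All names, addresses and URLs below are assumptions.

! --- PKI: trustpoint that issued the spoke certificate --------------------
! The IKE identity is the certificate DN. Nothing here binds the spoke to its
! public IP or serial, so moving from address A to address B does not
! invalidate the certificate.
crypto pki trustpoint DMVPN-CA
 enrollment url http://203.0.113.1:80
 subject-name CN=spoke-b.example.net,OU=DMVPN
 rsakeypair DMVPN-KEY
 revocation-check crl
! "revocation-check crl" fails the peer if the CDP in the certificate is not
! reachable from the new site (the condition the first reply suspects).
! "revocation-check crl none" would fall through to "no check" when the CDP
! is unreachable: it keeps the tunnel up but also lets a revoked certificate
! authenticate, so prefer fixing CDP/OCSP reachability over that setting.

! Only accept peers whose certificate was issued by our CA.
crypto pki certificate map DMVPN-CERT-MAP 10
 issuer-name co cn = dmvpn-ca

! --- IKEv2 ----------------------------------------------------------------
crypto ikev2 proposal DMVPN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
crypto ikev2 profile DMVPN-IKEV2
 match certificate DMVPN-CERT-MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint DMVPN-CA

! --- IPsec (transport mode, GRE inside) -----------------------------------
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2

! --- DMVPN overlay --------------------------------------------------------
! The hub learns this spoke's NBMA (public) address from the NHRP
! registration, so it needs no static entry for address A to be "forgotten";
! a registration from address B simply replaces it.
interface Tunnel0
 description DMVPN overlay to hub
 ip address 10.255.0.12 255.255.255.0
 no ip redirects
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1 nbma 203.0.113.10 multicast
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-IPSEC

! --- NAT: keep overlay traffic out of the PAT rule ------------------------
! LAN traffic bound for the corporate 10.0.0.0/8 rides the tunnel untranslated;
! only Internet-bound traffic is overloaded onto the WAN address.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.12.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.12.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
interface GigabitEthernet0/0/0
 ip nat outside
interface GigabitEthernet0/0/1
 ip nat inside

! --- Checks to run from the spoke at the new site -------------------------
! show crypto pki certificates verbose DMVPN-CA   (router + CA cert, validity)
! show crypto ikev2 sa                            (IKE SA up? stuck in INIT?)
! show dmvpn detail                               (NHRP registration state)
! debug crypto ikev2
! debug crypto pki transactions
! debug crypto ipsec
! IKE_SA_INIT retransmits with no reply from the hub point at the path, not
! the certificate: UDP 500/4500 (or ESP) blocked or double-NATed upstream,
! for example by an ISP device that is no longer in bridge mode.
```

The PKI debug is the one that settles the certificate question quickly: a CRL fetch failure or an untrusted-issuer error shows up there, whereas a path problem shows up as IKEv2 retransmits with nothing coming back from the hub.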

After weeks of denials, it turns out the ISP router at the little side had "gone out of bridge mode". And somehow this was preventing SSH connections to the ISR and preventing the tunnel from forming to the hub. YET it permitted general Internet traffic, BLAST protocol to VMWare UAG and, as mentioned, http to the DMVPN hub for certificate pull down. As the site was partially working I assumed an issue with our gear. Anyhow I'll leave it here for now as too much time has gone into this as it is. But I really appreciate the feedback because I was at the end of my rope! :-)