Beginner

Test DMVPN one place and deploying in another

I staged a Cisco 1111 router for an IPsec-encrypted DMVPN deployment at a spoke site at one location. I pulled the certificate and didn't associate it with the IP address of the device nor the serial number of the device. When I sent it to the remote site it wouldn't come up at all. Is there anything I might have to do at the hub routers to make them forget that this spoke router once spoke to them from IP address A, so that it can turn up on IP address B? Or is it the case that if it turned up on IP address A it should come up with no problem when its new public IP address is address B? Thank you.

3 Replies

VIP Advisor (accepted solution)

Re: Test DMVPN one place and deploying in another

Hi,
It should just work if the certificate is valid.
On the spoke's configuration, are you validating the CRL? This may now no longer be reachable, hence why it's failing.

If you could provide the isakmp/ikev2 debugs from the spoke router and its configuration, we'll see what the output says.

HTH


Collaborator (accepted solution)

Re: Test DMVPN one place and deploying in another

Hi,

Assuming both routers have certificates issued by the same CA, which means that when you imported the certificate you also imported the CA's certificate, the certificates should be trusted, so there should be no problem from the certificate point of view. Can you post the relevant VPN configuration? If you do NAT, ensure the VPN traffic is exempted from NAT. Post the output of "debug crypto isakmp" and "debug crypto ipsec".

Regards,

Cristian Matei.

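The two replies above raise three spoke-side checks: CRL validation on the trustpoint, NAT exemption for the tunnel traffic, and the debugs to collect. The following Cisco IOS XE fragment is an added illustration of those checks for a relocated DMVPN spoke; it is not the poster's configuration or either replier's. Every name (SPOKE-CA, DMVPN-IKEV2-PROF, DMVPN-TS, DMVPN-IPSEC-PROF, NAT-ACL), every address (RFC 5737 documentation ranges, 10.0.0.0/24 tunnel subnet, 192.168.1.0/24 LAN) and the choice of IKEv2 with RSA signatures are assumptions made for the example.

```cisco
! Trustpoint for the spoke. The CA certificate must be authenticated into this
! trustpoint as well as the spoke's own certificate (see the second reply).
! "revocation-check crl" alone makes IKE authentication fail when the CRL
! distribution point is unreachable from the new site; "crl none" tries the
! CRL first and falls back to accepting the peer if it cannot be fetched
! (a deliberate trade-off: a revoked peer certificate would then be accepted).
crypto pki trustpoint SPOKE-CA
 enrollment url http://203.0.113.10:80
 subject-name CN=spoke1.example.net
 revocation-check crl none
 rsakeypair SPOKE-CA-KEYS 2048
!
crypto ikev2 proposal DMVPN-IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy DMVPN-IKEV2-POL
 proposal DMVPN-IKEV2-PROP
!
! Peers are matched on certificate identity, not on their public IP, so a
! spoke that moves from address A to address B still authenticates.
crypto ikev2 profile DMVPN-IKEV2-PROF
 match identity remote fqdn domain example.net
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint SPOKE-CA
 dpd 30 5 on-demand
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROF
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2-PROF
!
! NAT exemption as advised in the second reply: LAN-to-tunnel traffic is
! denied in the NAT ACL so only Internet-bound traffic is translated.
ip access-list extended NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0/0 overload
!
! "no-unique" lets the spoke re-register with the hub under a new NBMA
! (public) address instead of having the hub keep the stale mapping from
! the staging site until it ages out.
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1 nbma 198.51.100.1 multicast
 ip nhrp registration no-unique
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC-PROF
!
! Exec-mode checks to run from the spoke once it is on the new address:
!   show crypto pki certificates verbose SPOKE-CA   (validity dates, CDP URL)
!   show crypto pki trustpoints status              (CA and router cert present)
!   show crypto ikev2 sa detailed                   (IKE SA up, auth method)
!   show dmvpn detail                               (NHRP registration state)
!   debug crypto ikev2
!   debug crypto pki transactions                   (CRL fetch attempts)
! On the hub, "show ip nhrp" shows the NBMA address the spoke registered
! with; "clear ip nhrp" drops a stale entry if one is still present.
```

If the debugs show the IKE exchange completing authentication only to fail on the certificate step, compare the CRL distribution point URL from the verbose certificate output against what the new site can actually reach; with `revocation-check crl none` that failure degrades to a warning rather than a blocked tunnel.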

Beginner

Re: Test DMVPN one place and deploying in another

After weeks of denials, it turns out the ISP router at the little side had "gone out of bridge mode". And somehow this was preventing SSH connections to the ISR and preventing the tunnel from forming to the hub. YET it permitted general Internet traffic, the BLAST protocol to the VMware UAG and, as mentioned, HTTP to the DMVPN hub for the certificate pull-down. As the site was partially working I assumed an issue with our gear. Anyhow, I'll leave it here for now as too much time has gone into this as it is. But I really appreciate the feedback because I was at the end of my rope! :-)