DMVPN for Back-up Only

Unanswered Question
Jul 8th, 2008
User Badges:
  • Silver, 250 points or more

We have remote site office with private link directly into corporate world. This is the primary circuit.

However, now looking to introduce dmvpn to act as back-up only. Although dmvpn is ipsec, the router still has public ip. As such the corporate would be potentially opened behind this router with no fw.

Which design and features would need to be introduced to protect the business to the same level it would normally?, i.e. dual-skinned fw architecture and vpn dmz's

thanks in advance


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Wed, 07/09/2008 - 08:51
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member


if you put an ACL on the public interface where you accept only the IPSec tunnels and the IKE negotiation you should provide enough security.

At the hub headquarters site you can use a firewall and put the DMVPN hub router in a DMZ as a further security measure.

Using IPsec AH and ESP you should provide antirepudiation, antireplay, avoid man in the middle etc.

For good security you should use a CA authority and use certificates and not a shared password.

In normal conditions you will have only the IGP hellos traveling in ipsec + mgre if the DMVPN is used only for backup.

hope to help



This Discussion