DMVPN Security Concern

Feb 3rd, 2010

I am migrating our VPN network from traditional VPN to DMVPN. However, I have a security concern. Since nothing needs to be configured on the hub when remote sites are turned on, anyone who knows the parameters of the VPN settings can connect to our network from anywhere. How should we address this issue? Is there a way to do certificate-based authentication? If so, could anyone send me the link to the documents?

Thanks,

-Daniel

Ivan Martinon Wed, 02/03/2010 - 12:58

Since DMVPN relies on IPsec phase 1 and 2, you can certainly do certificate-based authentication for IKE, just as with any other IPsec method. Follow the guidelines below for the configuration, and make sure that the CRL is valid and reachable, or else no spoke will be able to connect:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_pki_feat_rmap_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Long story short, you will rely on the CRL to allow or disallow any cert that has been revoked by your admin; again, make sure the CRL is reachable.
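The following is an added example of what the configuration Ivan describes looks like on a DMVPN spoke; it is not part of the original post or of the linked Cisco guide. It is a Cisco IOS configuration fragment, and every name, address and DN in it (the trustpoint DMVPN-CA, ca.example.com, the 203.0.113.1 hub address, the 10.0.0.0/24 tunnel network, the OU=DMVPN subject attribute) is a placeholder assumption for illustration. The hub needs the same PKI, ISAKMP policy and IPsec profile sections; only its Tunnel0 differs (dynamic NHRP mappings, no NHS).

```cisco
! Added example (not from the original post). Lines starting with "!" are IOS comments.
! 1. PKI: enroll the router with the enterprise CA (assumed: ca.example.com).
!    revocation-check crl, with NO "none" fallback, is what makes Ivan's point hold:
!    if the CRL distribution point is unreachable, the peer cert fails and the spoke
!    does not come up, rather than a revoked spoke silently being let back in.
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.example.com:80
 subject-name CN=spoke1.example.com,OU=DMVPN,O=Example
 revocation-check crl
 rsakeypair DMVPN-KEYS 2048
!
! 2. Certificate map: only certs whose subject carries OU=DMVPN may authenticate.
!    This answers Daniel's concern directly: a valid cert from the same CA issued to,
!    say, a web server is still rejected, because it does not match the map.
crypto pki certificate map DMVPN-SPOKES 10
 subject-name co ou=dmvpn
!
! 3. IKE phase 1: authentication rsa-sig replaces the shared secret that anyone
!    who knows "the parameters" could otherwise reuse from anywhere.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto isakmp profile DMVPN-IKE
 ca trust-point DMVPN-CA
 match certificate DMVPN-SPOKES
!
! 4. IKE phase 2 and the IPsec profile bound to the certificate-based ISAKMP profile.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-IKE
!
! 5. mGRE tunnel protected by the profile. Hub public address 203.0.113.1 and
!    tunnel addressing 10.0.0.0/24 are assumed values.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC
```

After `crypto pki authenticate DMVPN-CA` and `crypto pki enroll DMVPN-CA` on each router, `show crypto pki certificates` confirms the router and CA certs are installed, `show crypto pki crls` shows whether the CRL has actually been fetched and when it expires, and `show crypto isakmp sa` / `show dmvpn` show the spoke registering with the hub. Revoking a spoke's cert at the CA, then publishing a fresh CRL, is the whole off-boarding procedure: once the hub downloads the new CRL, that spoke can no longer authenticate, and nothing needs to change on the hub configuration itself.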
