DMVPN Security Concern

daniel-ma
Level 1

I am migrating our VPN network from traditional VPN to DMVPN. However, I have a security concern. Since nothing needs to be configured on the hub when turning on remote sites, anyone who knows the parameters of the VPN settings can connect to our network from anywhere. How should we address this issue? Is there a way to do certificate-based authentication? If so, could anyone send me a link to the documents?

Thanks,

-Daniel

1 Reply

Ivan Martinon
Level 7

Since DMVPN relies on IPSec phase 1 and 2, you can certainly do certificate-based authentication for IKE just as with any other IPSec method. Follow the guidelines below for the configuration, and make sure that the CRL is valid and reachable, or else no spoke will be able to connect:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_pki_feat_rmap_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Long story short, you will rely on the CRL to allow or disallow any cert that has been revoked by your admin; again, make sure the CRL list is reachable.
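
The change the reply describes, sketched as an IOS configuration fragment. This is an added example, not part of the original thread or of the linked Cisco guide; the trustpoint name, key label, certificate map name, CA URL and subject string are assumed placeholders.

```cisco
! Constructed example; DMVPN-CA, DMVPN-KEY, SPOKE-CERTS, the CA URL and the
! subject string are placeholders, not values from the thread.
!
! Before: wildcard pre-shared key. Any peer that knows the key completes IKE.
! crypto isakmp policy 10
!  authentication pre-share
! crypto isakmp key <shared-secret> address 0.0.0.0 0.0.0.0
!
! After: IKE authenticates each peer by certificate (hub and every spoke).
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.example.com:80
 rsakeypair DMVPN-KEY 2048
 ! Reject revoked certificates. With "crl" alone, a peer is also rejected
 ! when the CRL cannot be fetched, so the distribution point must be reachable.
 revocation-check crl
 ! Optional: accept only certificates whose subject matches the map below.
 match certificate SPOKE-CERTS
!
crypto pki certificate map SPOKE-CERTS 10
 subject-name co ou=dmvpn
!
crypto isakmp policy 10
 encryption aes 256
 authentication rsa-sig
 group 14
```

Each router still has to run `crypto pki authenticate DMVPN-CA` and `crypto pki enroll DMVPN-CA` to obtain the CA certificate and its own certificate before IKE can use them.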
