using IOS CA or alternate solution -- HELP

Marcin Zgola · ‎03-30-2010

I have to convert one of my client DMVPN setups with 78 remote sites using a pre shared key to some kind of certificates. I want to be able to revoke certificate if needed, and also i want to be in charge of approviing certificate requests.

this is needed in case of my client needs to hire a consultant to replace the router (DMVPN Spoke) he does not want him to have any knoweldge of preshared key that are being used. Using certificates will take care of the concern.

What would be the best route to go?

- cisco router as CISCO IOS CA Server

- changing current DMVPN to use certificates

- go with GET VPN

- go with Microsoft CA server

I am pretty sure someone over there uses certificates for Enterprise VPN authentication .

Please advice.

thank you

CCIE 18676

Federico Coto Fajardo · ‎03-30-2010

Hi,

Actually any of the options that you mentioned should work fine.

IOS CA Server will use the router as the CA authority
GET VPN, relatively new VPN technology
Microsoft CA server, will use a Windows Server for CA authority

Personally, I have experience with the Microsoft CA Server for Enterprise and IOS CA for smaller environments.
I have not experienced with GET VPN yet, though it seems a very cool technology

Either path you choose, involves quite a change and work, so if you're going to put this much effort on it, I'll go with
GET VPN.

It really depends on what you currently have and what you need.
If you have any questions let us know, perhaps we can help you further.

Federico.