Our main objective is to increase security on our DMVPN WAN using the current Cisco equipment.
We are currently using pre-shared keys on our DMVPN IPsec setup.
We would like to move to RSA locally generated keys, but our Cisco routers (spokes) have crypto accelerator cards which prevent the use of the RSA keys. We cannot move to certs at this point.
We then tried to upgrade from IKEv1 to IKEv2, but the Cisco hub routers with the latest IOS code do not support IKEv2.
We thought we could use ISAKMP in manual mode but this calls for crypto maps.
I cannot locate any documentation that refers to DMVPN and ISAKMP manual mode.
Anyone have a URL or a configuration that supports DMVPN and ISAKMP manual mode in a Cisco environment?
You don't want to play with manual IPsec; 99.999% of the time you want to use IKE.
IKEv1, especially aggressive mode, has its shortcomings, but I would not call it "broken".
Regarding setting up a cisco router as CA:
This is a good place to start.
I've done quite a few tests of those in production and outside.
What you might want to do is to have an internal CA with an externally available CDP (i.e. the CA writing the CDP on an external server, and later on the CRL is available via HTTP).
You can configure all IOS routers to enroll online via SCEP, quite nifty.
As you read you'll most likely find a thousand questions in your head ;-)
Let me know if you need something more.
He means manual IPsec.
BTW, that is not secure.
Here is how to configure it:
The SA NEVER expires so a hacker could get the information required to proxy a connection.
BTW, the link is great; there are some books there.
What do you mean exactly by "manual" ISAKMP? ISAKMP is a key management protocol, i.e. dynamic.
If you mean manual keys for IPsec as described here:
They do not provide any additional security though.
IKEv2 has been introduced in 15.0 I believe; I have not seen (yet?) a deployment with DMVPN and IKEv2 (not sure if that's even supported at this time).
Please note that any IOS router can be a CA at the same time as a DMVPN hub or spoke, if you wish to deploy certificates.
If it's added security you're looking for, a quick way you can add it is for example adding authentication proxy to access resources via tunnel.
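To make the difference concrete, here is an added configuration example (mine, not from any poster in this thread nor from Cisco's documentation): the manually keyed crypto map that "ISAKMP manual mode" really means, beside an IKEv1 pre-shared-key IPsec profile for a DMVPN spoke. All hostnames, addresses, names and key material are constructed.

```cisco
! Added example, not from any poster in this thread. Addresses, names and
! key material are constructed values.
!
! ---- 1. Manually keyed IPsec ("manual mode") ----
! Manual keys can only be set on a crypto map, which cannot be bound to an
! mGRE tunnel with "tunnel protection", so this does not fit DMVPN at all.
! There is no IKE, so the SA and the keys below never rotate; they stay in
! use until an administrator edits the configuration.
crypto ipsec transform-set TS-MANUAL esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CM-MANUAL 10 ipsec-manual
 set peer 203.0.113.1
 set transform-set TS-MANUAL
 match address 101
 set session-key inbound esp 1000 cipher 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff authenticator 0123456789abcdef0123456789abcdef01234567
 set session-key outbound esp 1001 cipher ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100 authenticator 76543210fedcba9876543210fedcba9876543210
!
! ---- 2. IKEv1 with a pre-shared key (what a DMVPN spoke should run) ----
! IKE negotiates fresh keys and re-keys both phases on the lifetimes below.
crypto isakmp policy 10
 encryption aes 256
 ! hash sha256 needs a release with SHA-2 support; use "hash sha" otherwise
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Example-PSK-change-me address 203.0.113.1
!
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile IPSEC-DMVPN
 set transform-set TS-DMVPN
 set pfs group14
 set security-association lifetime seconds 3600
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPSEC-DMVPN
```

The first block is there only for contrast; the second is the shape a DMVPN spoke actually uses, and "show crypto ipsec sa" on it will show the remaining lifetime counting down and the SPIs changing on each re-key.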