I am looking to redesign my current VPN architecture to take advantage of the new DMVPN features. I currently have a hub/spoke design with Cisco 1710 routers as the spokes and a Cisco 3005 VPN Concentrator as the hub.
My first question would be what hardware should I look to purchase for the hub, assuming that the 3005 does not support DMVPN features.
Also, I've always thought of allowing dynamic addresses to initiate VPN tunnels as a bit of a security risk since someone would only have to guess the isakmp key to impersonate a spoke and initiate a tunnel. Can anyone suggest/explain how to combat this if you implement DMVPN? Should the hub device just be in your DMZ and you rely on ACLs at your PIX to limit this threat from getting into your intranet?
Any assistance and/or personal experiences would be greatly appreciated.
There is a tool called the feature navigator on cisco.com. This tool will help you make a choice based on device, IOS version or features. I guess you should give it a try. Broadly however, I think DVMRP was introduced in 12.2(13)T and is supported on platforms supporting the same.
We currently use several IOS boxes, 26 / 36 / 71 / 72xx's, with IOS GRE in IPSec. Security is provided by the following:
No split tunneling/default route
Default route on the "inside" of the network, stateful
rotating key encryption, PFS
regular changing of the ISAKMP keys
Physical security of the routers
As I see DMVPN (we set up a test configuration in our lab), yes, you are authenticating based on ISAKMP. Preshared keys alone are not enough to pass our audit standards, so we go the extra distance to secure the VPN network.
There are a number of benefits to a GRE/IPSec combination solution for a VPN network though, enough in our case to outweigh the additional work that it takes to maintain the configuration.
When we looked at NHRP/DMVPN, we decided to stay with our current static GRE/IPSec, and add GRE keepalive.
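As an added illustration (not configuration posted by anyone in this thread, and not the measures the poster above refers to as their "extra distance"), the following hub-side IOS fragment contrasts the wildcard pre-shared key that makes a guessed key enough to impersonate a spoke with certificate-based ISAKMP authentication plus an outside-interface ACL that admits only ISAKMP/ESP to the hub. All names and addresses (HUB-CA, ca.example.com, 203.0.113.1, 10.255.0.0/24) are assumed placeholders.

```cisco
! --- Weak: any host at any address that knows this one key can bring up a tunnel
crypto isakmp key S3cret address 0.0.0.0 0.0.0.0

! --- Stronger: each spoke authenticates with a certificate from your own CA,
!     so a leaked or guessed string no longer lets a stranger impersonate a spoke
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
crypto isakmp keepalive 10 3 periodic
!
crypto pki trustpoint HUB-CA
 enrollment url http://ca.example.com:80
 revocation-check crl
 subject-name CN=hub.example.com
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- Limit what the public interface accepts to the VPN control and data traffic
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication nhrpkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

The NHRP authentication string travels in cleartext inside the GRE tunnel, so it only keeps mis-addressed registrations apart; the certificate check at ISAKMP is what actually establishes who a spoke is.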