
Certificate-based DMVPN

Michael Grann
Level 1

Greetings, I would like to ask anyone who has implemented DMVPN using certificates (IOS CA) if you can please share your experience/configs. How do you get the spokes to authenticate/enroll to the CA when you are running VRFs (the only way I've successfully enrolled the spoke is if the interface used to reach the CA is in the global route table)?

 

Regards and TIA,

Mike

1 Accepted Solution

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Mike, 

You can specify desired VRF under trustpoint config.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2-z.html#wp2661907057

 

M.

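As an added example that is not part of this thread (not Marcin's or Cisco's configuration), the following IOS spoke configuration shows what "specify the VRF under the trustpoint" looks like in practice: the WAN interface sits in a front-door VRF, the trustpoint's `vrf` keyword makes SCEP enrollment and CRL retrieval use that VRF, and the tunnel uses `tunnel vrf` for the same reason. All names, addresses, the CA URL and the certificate-map match string are assumed placeholders.

```ios
! Added example, not from the thread.  DMVPN spoke whose interface
! towards the CA is in a front-door VRF named INET (assumed name).
vrf definition INET
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description WAN uplink in the front-door VRF
 vrf forwarding INET
 ip address 192.0.2.10 255.255.255.0
!
ip route vrf INET 0.0.0.0 0.0.0.0 192.0.2.1
!
! Trustpoint: "vrf INET" is the setting from the accepted answer.  Without it,
! enrollment and CRL downloads are sourced from the global table and fail
! when the CA is only reachable through the VRF.
crypto pki trustpoint DMVPN-CA
 enrollment url http://198.51.100.5:80
 vrf INET
 subject-name CN=spoke1.example.net,OU=DMVPN
 revocation-check crl
 rsakeypair DMVPN-KEY 2048
!
! Accept only peers whose certificate was issued by our CA (assumed issuer CN).
crypto pki certificate map DMVPN-CERT-MAP 10
 issuer-name co cn = dmvpn-ca
!
! IKEv2 with certificate (rsa-sig) authentication, bound to the same fVRF.
crypto ikev2 proposal DMVPN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy DMVPN-POL
 match fvrf INET
 proposal DMVPN-PROP
crypto ikev2 profile DMVPN-IKEV2
 match fvrf INET
 match certificate DMVPN-CERT-MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint DMVPN-CA
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
interface Tunnel0
 ip address 10.0.0.10 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1 nbma 203.0.113.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf INET
 tunnel protection ipsec profile DMVPN-IPSEC
!
! Exec mode, after the trustpoint exists: fetch the CA certificate, enroll,
! then verify that both the CA and the router certificate are present.
! crypto pki authenticate DMVPN-CA
! crypto pki enroll DMVPN-CA
! show crypto pki certificates DMVPN-CA
! show crypto pki trustpoints status
```

If `crypto pki authenticate` still fails after adding `vrf INET`, check that the VRF actually has a route to the CA (`show ip route vrf INET`) and that HTTP to the CA is not blocked on the WAN side; the `show crypto pki trustpoints status` output distinguishes a missing CA certificate from a failed router-certificate enrollment.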

4 Replies


Hi Marcin,

Thank you so much for this info.

MikeG

Mike, 

For best practices:

- (on IOS CA) Export your RSA keys and keep them on encrypted storage somewhere else, ideally in a different DC.

- Store your CRL at a separate location, not on the IOS device. Availability of CRL via HTTP is ideal. (I've seen people using FTP.) LDAP is to be avoided with IOS devices.

- Scale up by introducing sub-CAs (one per organization, for example).

- Remember to make CRL highly available. (DNS load balancing and HTTP should work).

For the rest ... depends on your setup :-)

M.
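As an added example that is not part of this thread (not Marcin's or Cisco's configuration), here is how the first three points above map onto IOS CA commands: the root CA archives its key and certificate as a password-protected PKCS#12 for off-box backup, publishes its CRL distribution point as an HTTP URL on a separate host (the CRL file itself must be copied to that host each time it is regenerated), and a subordinate CA for one organization enrolls with the root. Hostnames, URLs, names and the passphrase placeholder are all assumed.

```ios
! Added example, not from the thread.  Root IOS CA with off-box CRL
! location and key backup, plus a subordinate CA on a second router.
!
! --- Root CA ---
ip http server
crypto pki trustpoint ROOT-CA
 rsakeypair ROOT-CA 2048
crypto pki server ROOT-CA
 issuer-name CN=root-ca.example.net,O=Example
 database level complete
 database url flash:
 ! Archive the CA key pair and certificate as PKCS#12 when the CA starts;
 ! copy the archive to encrypted storage in another DC (see exec commands below).
 database archive pkcs12 password <strong-passphrase>
 lifetime ca-certificate 3650
 lifetime certificate 365
 lifetime crl 24
 ! CDP on a separate HTTP host, not this router (assumed hostname).
 cdp-url http://crl.example.net/ROOT-CA.crl
 no shutdown
!
! --- Subordinate CA for one organization (on another IOS router) ---
! The trustpoint name must match the server name; the sub-CA enrolls
! with the root over SCEP and the root operator grants the request.
crypto pki trustpoint SUB-CA-ORG1
 enrollment url http://root-ca.example.net:80
 rsakeypair SUB-CA-ORG1 2048
 revocation-check none
crypto pki server SUB-CA-ORG1
 mode sub-cs
 issuer-name CN=sub-ca-org1.example.net,O=Example,OU=Org1
 database level complete
 database url flash:
 cdp-url http://crl.example.net/SUB-CA-ORG1.crl
 no shutdown
!
! Exec mode on the root CA (assumed file names and destination host):
! crypto pki export ROOT-CA pkcs12 flash:root-ca.p12 password <strong-passphrase>
! copy flash:root-ca.p12 scp://backup@vault.example.net/root-ca.p12
! crypto pki server ROOT-CA grant all        (or grant a specific request id)
! show crypto pki server
! show crypto pki crls
```

For the fourth point (a highly available CRL), the `cdp-url` hostname should resolve to more than one HTTP server carrying the same CRL file; the spokes only ever see the URL, so publication and load balancing happen entirely outside the IOS CA.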


Thanks for this icing on the cake! I will add these to my SOP.

Regards,

MikeG
