07-15-2014 05:16 AM - edited 02-21-2020 07:43 PM
Greetings, I would like to ask anyone who has implemented DMVPN using certificates (IOS CA) if you can please share your experience/configs. How do you get the spokes to authenticate/enroll to the CA when you are running VRFs? (The only way I've successfully enrolled the spoke is if the interface used to reach the CA is in the global route table.)
Regards and TIA,
Mike
07-15-2014 05:34 AM
Mike,
You can specify desired VRF under trustpoint config.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2-z.html#wp2661907057
M.
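An added configuration example (not from the thread or Cisco's documentation) showing what the answer above points to: the spoke's trustpoint bound to a front-door VRF so that enrollment traffic to the CA leaves through the VRF rather than the global table. The VRF name FVRF, interface, addresses, trustpoint name and CA address are all assumptions for illustration.

```cisco
! Added example, not from the original post. All names and addresses are assumed.
! Front-door VRF that holds the WAN uplink (and the DMVPN tunnel source).
vrf definition FVRF
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description WAN uplink, placed in the front-door VRF
 vrf forwarding FVRF
 ip address 198.51.100.10 255.255.255.0
!
! Default route inside the VRF; the IOS CA (203.0.113.5, assumed) is reached this way.
ip route vrf FVRF 0.0.0.0 0.0.0.0 198.51.100.1
!
! The trustpoint itself: "vrf FVRF" tells the PKI client to source SCEP
! enrollment (and CRL fetches for this trustpoint) from the VRF.
crypto pki trustpoint DMVPN-CA
 enrollment url http://203.0.113.5:80
 vrf FVRF
 source interface GigabitEthernet0/0
 subject-name CN=spoke1.example.net,O=Example
 revocation-check crl
 rsakeypair DMVPN-SPOKE
!
! DMVPN tunnel whose outer packets also ride the front-door VRF.
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf FVRF
!
! Enrollment is then done from exec mode with the usual two steps:
!   crypto pki authenticate DMVPN-CA
!   crypto pki enroll DMVPN-CA
! and checked with:
!   show crypto pki trustpoints
!   show crypto pki certificates DMVPN-CA
```

If the VRF line is missing, the PKI client tries to reach the CA via the global table, which is exactly the symptom described in the question; `show crypto pki trustpoints` lists the VRF a trustpoint is bound to, so that is the first thing to check on a spoke that fails to authenticate.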
07-15-2014 08:24 AM
Hi Marcin,
Thank you so much for this info.
MikeG
07-15-2014 08:37 AM
Mike,
For best practices:
- (On IOS CA) Export your RSA keys and keep them on encrypted storage somewhere else, ideally in a different DC.
- Store your CRL at a separate location, not on the IOS device. Availability of CRL via HTTP is ideal. (I've seen people using FTP.) LDAP is to be avoided with IOS devices.
- Scale up by introducing sub-CAs (one per organization for example).
- Remember to make CRL highly available. (DNS load balancing and HTTP should work).
For the rest ... depends on your setup :-)
M.
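An added example (my own, not from the thread) showing the IOS CA side of the four points above: an HTTP CDP so spokes never fetch the CRL from the CA router, a sub-CA per organization chained to the root, and the key export for off-box backup. Server names, URLs, hostnames and the passphrase placeholder are assumptions; how the CRL file gets from the CA to the web server (scheduled copy, scripted pull) is also an assumption and not shown.

```cisco
! Added example, not from the original post. All names, URLs and addresses are assumed.
!
! Root CA. The CDP URL is stamped into every issued certificate, so spokes
! check revocation against the external web server, not the IOS device.
crypto pki server ROOT-CA
 database level complete
 database url flash:
 issuer-name CN=root-ca.example.net,O=Example
 cdp-url http://crl.example.net/root-ca.crl
 lifetime crl 24
 lifetime certificate 365
 lifetime ca-certificate 1825
 no shutdown
!
! Sub-CA for one organization (scale-out). A sub-CS needs a trustpoint of the
! same name whose enrollment URL points at the root CA (203.0.113.5, assumed).
crypto pki trustpoint SUB-CA-ORG1
 enrollment url http://203.0.113.5:80
 rsakeypair SUB-CA-ORG1
!
crypto pki server SUB-CA-ORG1
 mode sub-cs
 database level complete
 database url flash:
 issuer-name CN=sub-ca-org1.example.net,O=Example
 cdp-url http://crl.example.net/sub-ca-org1.crl
 lifetime crl 24
 no shutdown
!
! Exec-mode steps (not config):
!
! Back up the root CA key pair as an encrypted PEM and store the output
! somewhere other than the router; replace <PASSPHRASE> with a real one.
!   crypto key export rsa ROOT-CA pem terminal 3des <PASSPHRASE>
!
! Confirm which URL clients will use for revocation checks and that the
! CRL on the web server is current:
!   show crypto pki server ROOT-CA
!   show crypto pki server SUB-CA-ORG1
```

Two practical notes on the points in the post: `lifetime crl` governs how often the published CRL file must be refreshed on the HTTP server, so whatever copies it out has to run more often than that or spokes with `revocation-check crl` will start failing; and because `crl.example.net` is now in the certificate path of every spoke, it should be served from more than one host (DNS round-robin in front of two web servers is the simple version the post alludes to).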
07-15-2014 12:27 PM
Thanks for this icing on the cake! I will add these to my SOP.
Regards,
MikeG