Cisco Support Community
New Member

Certificate-based DMVPN

Greetings, I would like to ask anyone who has implemented DMVPN using certificates (IOS CA) if you can please share your experience/configs. How do you get the spokes to authenticate/enroll to the CA when you are running VRFs? (The only way I've successfully enrolled the spoke is if the interface used to reach the CA is in the global routing table.)

 

Regards and TIA,

Mike

1 ACCEPTED SOLUTION
Cisco Employee

Mike, 

You can specify the desired VRF under the trustpoint config.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2-z.html#wp2661907057

 

M.
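
As an added illustration of the VRF-under-trustpoint point (my example, not Marcin's configuration and not a Cisco reference config; the VRF name, addresses, CA URL and hostnames are assumed): a spoke whose WAN interface sits in a front-door VRF, enrolling to the IOS CA through that VRF and then using the certificate for IKEv2-authenticated DMVPN.

```ios
! --- Spoke: the WAN interface that reaches the CA lives in a front-door VRF ---
vrf definition FVRF-WAN
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 vrf forwarding FVRF-WAN
 ip address 192.0.2.10 255.255.255.0
!
ip route vrf FVRF-WAN 0.0.0.0 0.0.0.0 192.0.2.1
!
! --- Trustpoint: "vrf FVRF-WAN" makes SCEP enrollment AND later CRL fetches
!     originate in FVRF-WAN instead of the global routing table. The CA
!     (198.51.100.5, assumed) must therefore be reachable inside that VRF.
crypto key generate rsa label SPOKE-KEY modulus 2048
!
crypto pki trustpoint DMVPN-CA
 enrollment url http://198.51.100.5:80
 vrf FVRF-WAN
 source interface GigabitEthernet0/0
 subject-name CN=spoke1.example.net,OU=DMVPN
 fqdn spoke1.example.net
 revocation-check crl
 rsakeypair SPOKE-KEY
!
! From exec mode, after the trustpoint exists:
!   crypto pki authenticate DMVPN-CA   (fetch the CA cert; compare the fingerprint out of band)
!   crypto pki enroll DMVPN-CA         (SCEP request sent through FVRF-WAN)
!
! --- IKEv2 with rsa-sig, bound to the same front-door VRF ---
crypto ikev2 proposal DMVPN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy DMVPN-POL
 match fvrf FVRF-WAN
 proposal DMVPN-PROP
!
crypto ikev2 profile DMVPN-PROF
 match fvrf FVRF-WAN
 match identity remote fqdn domain example.net
 identity local fqdn spoke1.example.net
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint DMVPN-CA
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-PROF
!
! --- mGRE tunnel: "tunnel vrf" puts the outer GRE/IPsec packets in FVRF-WAN,
!     the tunnel's own IP stays in the global table (hub NBMA 203.0.113.1 assumed)
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1 nbma 203.0.113.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf FVRF-WAN
 tunnel protection ipsec profile DMVPN-IPSEC
```

Two checks worth doing after enrollment: `show crypto pki certificates DMVPN-CA` should list both the CA and the router certificate, and `show crypto ikev2 sa` should show the tunnel to the hub in READY state. Because `vrf FVRF-WAN` also governs revocation checks, the host named in the certificate's CRL distribution point has to be resolvable and reachable from inside FVRF-WAN, or `revocation-check crl` will fail the IKEv2 authentication; `debug crypto pki transactions` shows which VRF the fetch used.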

4 REPLIES
New Member

Hi Marcin,

Thank you so much for this info.

MikeG

Cisco Employee

Mike, 

for best practices:

- (on IOS CA) Export your RSA keys and keep them on encrypted storage somewhere else, ideally in a different DC.

- Store your CRL at a separate location, not on the IOS device. Availability of the CRL via HTTP is ideal (I've seen people using FTP). LDAP is to be avoided with IOS devices.

- Scale up by introducing sub-CAs (one per organization for example). 

- Remember to make the CRL highly available (DNS load balancing and HTTP should work).

For the rest ... depends on your setup :-)

M.
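
An added illustration of those four points on the CA side (my example, not Marcin's configuration and not a Cisco reference config; the CA names, lifetimes, hostnames, the FTP publisher and the vault path are assumed): an IOS root CA whose CRL distribution point is an external HTTP name, whose CRL is pushed off-box, whose key pair is exported for off-site backup, and a per-organisation sub-CA chained to it.

```ios
! --- Root IOS CA on a dedicated router, kept off the DMVPN data path ---
! Key must be generated "exportable" BEFORE the server starts, or it can never be exported.
crypto key generate rsa general-keys label ROOT-CA-KEY modulus 2048 exportable
!
crypto pki trustpoint ROOT-CA
 rsakeypair ROOT-CA-KEY
!
! Credentials for the ftp: file system used by "database url" below (assumed publisher)
ip ftp username pki-publisher
ip ftp password <ftp-password>
!
crypto pki server ROOT-CA
 issuer-name CN=ROOT-CA,O=Example
 lifetime ca-certificate 3650
 lifetime certificate 730
 lifetime crl 24
 ! CDP stamped into every issued cert: a DNS name served over HTTP, not the
 ! CA's own address, so the CRL can be mirrored/load-balanced behind that name
 ! (DNS round-robin to several HTTP servers) without re-issuing certificates.
 cdp-url http://crl.example.net/root-ca.crl
 ! Push the CRL off-box each time it is regenerated; the web servers behind
 ! crl.example.net serve this file. (LDAP deliberately not used.)
 database url crl ftp://crl-publisher.example.net/crl
 database level names
 ! No "grant auto": each spoke request is approved by hand, e.g.
 !   crypto pki server ROOT-CA grant <request-id>
 no shutdown
!
! --- Off-box, encrypted backup of the CA key pair (exec mode) ---
! Output is a PEM bundle encrypted with the passphrase; store it in the other DC's vault.
!   crypto key export rsa ROOT-CA-KEY pem url scp://pki-backup@vault.example.net/root-ca/ 3des <passphrase>
! Restore later with:
!   crypto key import rsa ROOT-CA-KEY pem url scp://pki-backup@vault.example.net/root-ca/ <passphrase>
!
! --- Sub-CA (on another router), one per organisation, chained to ROOT-CA ---
! The trustpoint name must equal the server name; it enrolls to the root over SCEP.
crypto pki trustpoint SUB-CA-ORG1
 enrollment url http://198.51.100.5:80
 revocation-check crl
 rsakeypair SUB-CA-ORG1-KEY 2048
!
crypto pki server SUB-CA-ORG1
 issuer-name CN=SUB-CA-ORG1,O=Example,OU=Org1
 mode sub-cs
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://crl.example.net/sub-ca-org1.crl
 database url crl ftp://crl-publisher.example.net/crl
 database level names
 no shutdown
```

Starting the sub-CA with `no shutdown` sends its certificate request to the root; it stays pending until it is granted on the root (`crypto pki server ROOT-CA grant <id>`), and `show crypto pki server` then shows it as a subordinate. Spokes that enroll to SUB-CA-ORG1 need the root certificate in their chain as well, so the spoke trustpoint is authenticated against the sub-CA with `chain-validation continue` pointing at a trustpoint holding the root, or the root certificate is imported separately. The CRL lifetime of 24 hours is the window in which a revoked spoke certificate is still accepted by peers that cached the previous CRL, so it is a trade-off against how often the publisher and mirrors must be refreshed.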

 

New Member

Thanks for this icing on the cake! I will add these to my SOP.

Regards,

MikeG

378 Views · 5 Helpful · 4 Replies