Cisco ASA Dynamic L2L VPN

de1denta
Level 3

Hi All,
I asked a similar question recently but I'm still not sure on the best approach for my requirement.

We have a large number of sites (~150) that need to connect to our HQ using L2L VPN. All of these sites will have dynamic public IP addresses as they will be using either ADSL or 3G connections.

I know that I can configure Dynamic L2L VPN on our headend Cisco ASA firewall to support this and we have tested this without any issues; however, as we have to use a single PSK under the default L2L tunnel group, I have been questioning what happens if one of the site routers gets stolen. From what I can see we will need to change the PSK under the default tunnel group and on all of the remote site routers, which is just not feasible.

As an alternative solution I looked at Cisco EasyVPN as we can use xauth. This will allow us to create a unique username/password for each site that we can disable if a router gets stolen. The only downside with EasyVPN is that it uses IKE aggressive mode, which our auditors will probably frown upon, and it also seems to be a deprecated technology.

Does anyone have any further thoughts on a solution that will fit our requirements? I also looked at DMVPN but it seems that this also uses a single IPsec PSK and nhrp key for all sites which results in the same issue. Would using certificates instead of PSK be an option?
Many thanks

2 Replies

Bogdan Nita
VIP Alumni

You could also use key-ID as identity, this way you can create a tunnel-group for every branch ASA, and thus a different pre-shared key.

Have a look at the 2nd solution:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html#anc10
HTH

Bogdan

You suggested DMVPN, but you could look at FlexVPN also. Either solution can use IKEv2, which allows you to have asynchronous PSK; this means you could have a separate PSK per peer. Also IKEv2 is more secure and does not use aggressive mode.

Example

crypto ikev2 keyring KEYRING
 peer BRANCH4
  address 4.4.4.4
  pre-shared-key local cisco1234
  pre-shared-key remote 1234cisco
 peer BRANCH5
  address 5.5.5.5
  pre-shared-key local cisco5678
  pre-shared-key remote 5678cisco
Another option is you could also use AAA to authorize the authentications (the PSK for each spoke could be specified on the AAA server).
Certificates are probably the recommended authentication method; you'd just revoke the spoke certificate if compromised. However, deployment of certificates is more complex.

HTH
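Added example (not from either reply): it combines the key-ID identity idea from the first reply with the IKEv2 per-peer keyring from the second, so each spoke keeps its own PSK even though its public address changes, and a stolen router is revoked by deleting one keyring entry on the hub. All names, addresses and keys are assumptions.

```cisco
! Hub (IOS IKEv2/FlexVPN): one keyring entry per spoke, looked up by the
! spoke's IKEv2 key-ID instead of its dynamic public address (assumed names).
crypto ikev2 keyring SPOKE-KEYS
 peer BRANCH4
  identity key-id BRANCH4
  address 0.0.0.0 0.0.0.0
  pre-shared-key local hubkey-branch4
  pre-shared-key remote spokekey-branch4
 peer BRANCH5
  identity key-id BRANCH5
  address 0.0.0.0 0.0.0.0
  pre-shared-key local hubkey-branch5
  pre-shared-key remote spokekey-branch5
!
crypto ikev2 profile HUB-PROFILE
 match identity remote any
 identity local fqdn hub.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local SPOKE-KEYS
!
! Spoke BRANCH4: presents key-ID BRANCH4, so its ADSL/3G address may change.
! 203.0.113.1 is an assumed static hub address.
crypto ikev2 keyring HUB-KEY
 peer HUB
  address 203.0.113.1
  pre-shared-key local spokekey-branch4
  pre-shared-key remote hubkey-branch4
!
crypto ikev2 profile SPOKE-PROFILE
 match identity remote fqdn hub.example.com
 identity local key-id BRANCH4
 authentication local pre-share
 authentication remote pre-share
 keyring local HUB-KEY
!
! Revocation: if the BRANCH4 router is stolen, remove only its entry on the hub;
! every other spoke keeps working with its own unchanged PSK.
crypto ikev2 keyring SPOKE-KEYS
 no peer BRANCH4
```

The IKEv2 profiles above still need to be bound to a tunnel or virtual-template interface, which is omitted here.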