DMVPN running ISAKMP in manual mode

Our main objective is to increase security on our DMVPN WAN using the current Cisco equipment.

We are currently using pre-shared keys on our DMVPN IPsec setup.

We would like to move to RSA locally generated keys, but our Cisco routers (spokes) have crypto accelerator cards which prevent the use of RSA keys. We cannot move to certs at this point.

We then tried to upgrade from IKEv1 to IKEv2, but the Cisco hub routers with the latest IOS code do not support IKEv2.

We thought we could use ISAKMP in manual mode but this calls for crypto maps.

I cannot locate any documentation that refers to DMVPN and ISAKMP manual mode.

Anyone have a URL or a configuration that supports DMVPN and ISAKMP manual mode in a Cisco environment?

Tks

Frank

3 ACCEPTED SOLUTIONS
4 REPLIES
Cisco Employee

Re: DMVPN running ISAKMP in manual mode

Frank,

What do you mean exactly by "manual" ISAKMP? ISAKMP is a key management protocol, i.e. dynamic.

If you mean manual keys for IPsec as described here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093c26.shtml

They do not provide any additional security though.

IKEv2 has been introduced in 15.0 I believe; I have not seen (yet?) a deployment with DMVPN and IKEv2 (not sure if that's even supported at this time).

Please note that any IOS router can be a CA at the same time as a DMVPN hub or spoke, if you wish to deploy certificates.

If it's added security you're looking for, a quick way to add it is, for example, adding authentication proxy to access resources via the tunnel.

Marcin

Re: DMVPN running ISAKMP in manual mode

He means manual IPsec.

BTW, that is not secure.

Here is how to configure it:

http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+III+Virtual+Private+Networks+VPNs/Chapter+10+Cisco+IOS+IPSec+for+Preshared+Keys/Configuring+IPSec+Manually/

The SA NEVER expires, so a hacker could get the information required to proxy a connection.

BTW, the link is great; there are some books there.

Bronze

Re: DMVPN running ISAKMP in manual mode

Sorry, I was not really clear.

What I thought I wanted to setup was:

Ex:

crypto map KEY 10 ipsec-manual, and tie that into DMVPN.

I don't think I can setup crypto maps with DMVPN if the encryption/decryption and tunnel end-points are on the same Cisco box.

It appears Cisco wants you to use Pre-shared keys OR Certs.

I thought since IKEv1 has been "broken" and IKEv2 is not available on the DMVPN hub Cisco router (only available on the spoke Cisco 881G router), I would revert to manual IPsec mode. I assumed this would be a better way to proceed given the issues with IKEv1.

But if I can use a Cisco router to distribute certs and verify the certs for the DMVPN setup, then this is a much better option while being the most secure.

I will pursue the Cert option.

Any good docs available?

Thanks again for the support!

Frank

Cisco Employee

Re: DMVPN running ISAKMP in manual mode

Frank,

You don't want to play with manual IPsec; 99.999% of the time you want to use IKE.

IKEv1, especially aggressive mode, has its shortcomings, but I would not call it "broken".

Regarding setting up a Cisco router as CA:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps6441_TSD_Products_Configuration_Guide_Chapter.html

This is a good place to start.

I've done quite a few tests of those in production and outside.

What you might want to do is to have an internal CA with an externally available CDP (i.e. the CA writing the CDP on an external server, and later on the CRL is available via HTTP).

You can configure all IOS routers to enroll online via SCEP, quite nifty.

As you read you'll most likely find a thousand questions in your head ;-)

Let me know if you need something more.

Marcin
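To make the certificate path concrete, here is an added example of the layout Marcin describes (an IOS CA on the hub, a CDP reachable over HTTP, spokes enrolling via SCEP and authenticating IKEv1 with RSA signatures instead of a pre-shared key). It is not configuration from the thread, from Cisco's documentation or from any of the posters; the names, addresses and URLs are constructed, and the exec-mode commands are shown as comments so the block reads as one unit.

```cisco
! ---------- Hub: IOS CA server (added example, constructed names/addresses) ----------
! SCEP enrollment rides over HTTP, so the HTTP server must be on.
ip http server
!
crypto pki server DMVPN-CA
 database level names
 database url flash:
 issuer-name CN=dmvpn-ca.example.net
 lifetime ca-certificate 1825
 lifetime certificate 365
 ! CRL is regenerated daily; spokes will fetch it from the cdp-url below.
 lifetime crl 24
 ! CDP points at an externally reachable web server (constructed), not at the
 ! hub itself, so a spoke can check revocation before its tunnel is up.
 cdp-url http://pki.example.net/crl/DMVPN-CA.crl
 ! Auto-grant is convenient for the initial rollout only; switch to manual
 ! granting (no grant auto) once the spokes are enrolled.
 grant auto
 no shutdown
!
! The CRL file written to flash: must be copied to the web server named in cdp-url.
!
! ---------- Spoke: SCEP enrollment and RSA-signature IKE (added example) ----------
! exec mode: generate a dedicated key pair for the trustpoint
! crypto key generate rsa label DMVPN-KEYS modulus 2048
!
crypto pki trustpoint DMVPN-CA
 enrollment url http://192.0.2.1:80
 subject-name CN=spoke1.example.net
 ! Reject peers whose certificate appears on the CRL; the CDP comes from the cert.
 revocation-check crl
 rsakeypair DMVPN-KEYS
!
! exec mode: fetch and verify the CA certificate, then request the spoke certificate
! crypto pki authenticate DMVPN-CA
! crypto pki enroll DMVPN-CA
!
! IKEv1 phase 1 with certificates replaces "authentication pre-share".
! DH group 14 needs an IOS release that supports it; fall back to group 5 otherwise.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! The existing DMVPN tunnel keeps its tunnel protection; only phase 1 authentication changed.
interface Tunnel0
 tunnel protection ipsec profile DMVPN-PROF
```

The hub itself also needs a trustpoint and certificate for the same CA so that its own ISAKMP policy can use `authentication rsa-sig`; the CA server process on IOS creates a trustpoint of the same name when it starts. After enrollment, `show crypto pki certificates` on each router and `show crypto isakmp sa` after the tunnel comes up confirm that the phase 1 SA was built with RSA signatures rather than the old pre-shared key.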
