Cisco Support Community

DMVPN Security Concern

I am migrating our VPN network from traditional VPN to DMVPN. However, I have a security concern. Since nothing needs to be configured on the hub when turning on remote sites, anyone who knows the parameters of the VPN settings can connect to our network from anywhere. How should we address this issue? Is there a way to do certificate-based authentication? If so, could anyone send me a link to the documents?

Thanks,

-Daniel

1 REPLY

Re: DMVPN Security Concern

Since DMVPN relies on IPSec phase 1 and 2, you can certainly do certificate-based authentication for IKE just as with any other IPSec method. Follow the guidelines below for the configuration, and make sure that the CRL is valid and reachable, or else no spoke will be able to connect:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_pki_feat_rmap_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Long story short, you will rely on the CRL to allow or disallow any cert that has been revoked by your admin. Again, make sure the CRL is reachable.

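The change the reply describes, shown as hub-side IOS configuration. This is an added example, not part of the original posts or the linked guide; the trustpoint name `DMVPN-CA`, key label `DMVPN-KEY`, CA URL, subject name and `EXAMPLE-PSK` are placeholders, and the same trustpoint and IKE policy change is assumed on each spoke.

```cisco
! --- Before: wildcard pre-shared key -------------------------------
! Any device that learns the key and tunnel parameters can finish
! IKE phase 1 from any source address.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0

! --- After: certificate (RSA signature) authentication -------------
! 1. Key pair and trustpoint. "revocation-check crl" makes the router
!    reject a peer if its certificate is on the CRL, and also if no
!    valid CRL can be fetched, which is why CRL reachability matters.
crypto key generate rsa label DMVPN-KEY modulus 2048
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.example.com:80
 subject-name CN=hub1.example.com,OU=DMVPN,O=Example
 rsakeypair DMVPN-KEY
 revocation-check crl

! 2. Fetch the CA certificate, then request this router's certificate.
crypto pki authenticate DMVPN-CA
crypto pki enroll DMVPN-CA

! 3. Switch IKE phase 1 to certificates and remove the wildcard key.
!    The mGRE tunnel and its IPSec profile stay as they are.
crypto isakmp policy 10
 encryption aes 256
 authentication rsa-sig
no crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0

! --- Checks (exec mode) --------------------------------------------
! show crypto pki certificates   <- router and CA certificates present
! show crypto pki crls           <- a CRL is cached, NextUpdate in future
! show crypto isakmp sa          <- spokes reach QM_IDLE after the change
```

To cut off a lost or decommissioned spoke, revoke its certificate on the CA and publish a new CRL; the hub enforces the revocation once it fetches the updated list.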