Cisco Support Community

DMVPN using different authentication modes

I have a complete Cisco DMVPN Phase II WAN setup with several spokes.

I don't have administrative management over several spokes, and on the spokes I do manage I have to upgrade the authentication from pre-shared keys to PKI. The DMVPN hub will become the CA.

The management of the routers that I don't manage does not want to upgrade to PKI authentication at this point, and this is a layer 8 issue.

Nevertheless, I must move forward.

In order to support the new DMVPN WAN setup, is this where the crypto keyring technology comes into the picture?

And could anyone provide a simple example of crypto keyring with authenticated pre-shared and PKI peers?

Thanks again


Cisco Employee

Re: DMVPN using different authentication modes

Hi, Frank:

Actually, for what you are trying to do here, you really don't need to use a crypto keyring, which is typically used together with isakmp profiles. To migrate some of your DMVPN spokes to use certificates while leaving the rest of them on PSK, it's surprisingly simple to do. All you have to do is:

1. Enroll the spokes that are going to do certificate authentication with the CA to get their id certs

2. Enroll the hub with the CA to get its id cert

3. Remove the isakmp policy that has pre-shared keys from the spokes using certificates

and that's it! There is a default isakmp policy that supports certificates (rsa-sig) in IOS, and that's the policy the spokes with certificate authentication will use. With the pre-shared key isakmp policy still in place on the hub, it should be able to authenticate both types of spokes.
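The migration the answer above describes, as an added Cisco IOS configuration example (not from the original post); the hostnames, IP placeholders, policy number and trustpoint name are assumptions, and the hub doubles as the SCEP CA so `ip http server` must be enabled on it.

```cisco
!=== HUB: local CA plus its own identity cert, PSK policy kept for legacy spokes ===
ip http server
crypto pki server HUB-CA
 issuer-name CN=hub-ca.example.net
 grant auto                          ! assumption: auto-grant only during the migration window
 no shutdown
!
crypto pki trustpoint HUB-ID
 enrollment url http://<HUB-LOOPBACK-IP>:80
 subject-name CN=hub.example.net
 revocation-check none
! exec on hub:  crypto pki authenticate HUB-ID   (fetch CA cert, verify fingerprint)
! exec on hub:  crypto pki enroll HUB-ID         (request the hub's identity cert)
!
crypto isakmp policy 10              ! pre-shared-key policy for spokes that stay on PSK
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
! No rsa-sig policy is added: the IOS default isakmp policies (listed by
! "show crypto isakmp policy" as the default protection suite) use rsa-sig,
! so certificate spokes negotiate against those while PSK spokes hit policy 10.
!
!=== SPOKE BEING MIGRATED: enroll first, then drop the PSK policy and key ===
crypto pki trustpoint HUB-CA
 enrollment url http://<HUB-LOOPBACK-IP>:80
 subject-name CN=spoke1.example.net
 revocation-check none
! exec on spoke: crypto pki authenticate HUB-CA
! exec on spoke: crypto pki enroll HUB-CA
! only after the identity cert is installed (show crypto pki certificates):
no crypto isakmp policy 10
no crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
!
!=== SPOKES NOT UNDER YOUR CONTROL: unchanged, keep policy 10 and the PSK ===
```

Verify from the hub with `show crypto isakmp sa` and `show crypto session detail`: migrated spokes should show rsa-sig authentication while the legacy spokes still show pre-share.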


