Solved: Marcin,Thank you for your

Nathan Mellendorf · ‎03-13-2014

Hello Everyone!

I'm currently reviewing DMVPN as it's a new topic to me. With that, I've been successful in configuring them via PSK.

That personal goal being satisfied, I kept reviewing and found that PKI can be used as my authentication method. PKI seems like a much easier and secure method to deploy these for my company.

My question: Is there good documentation on how to configure PKI in relation to DMVPN? I've found articals from Cisco and others around the web, but I've had no luck configuring it successfully.

Could you point me in the right direction?

I keep finding little bits of documentation here and there, but nothing that coveres the process as a whole.

(My setup: 3 Cisco 881 IPSEC-K9 routers)

Thanks in advance for your efforts on this. It's much appreciated!

Marcin Latosiewicz · ‎03-16-2014

Sorry I wrote a big reply, which was rejected by support forums ... thank you, new interface. It was not saved as draft, so I'm going to write it short. Plan today as though your working for something tomorrow. PKI deployments have a tendency to live a couple of years. Having possibility to support IKEv2 and suiteB (at least parts) in future will save you problems later on. You will need however 15.2(4)M and on. MS CA is a very good choice, go with it, provide redundancy for storage of keys and certs. IOS CA can act as RA or subCA, go for subCA if you want to provide redundancy and have a bigger scale deployment, RA if you want simplicity with some redundancy. Divide et impere, you have lots of subtasks to configure but it all boils down to: - Plan what feature,key usages etc you want. - Setup CA(s) to fulfill those and your system requirements. - Setup subCAs/RAs accordingly. - Test enrollment and authentication. - Test IKE. (change authentication method). Easier said then done, I know. Some links https://www.isrcomputing.com/ccie-security-vpn-study-guide-dmvpn-with-rsa-signature-authentication/ http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/27860-ios-enhanced-enrollment.html irreplaceable config guide: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-cfg-mng-cert-serv.html

View solution in original post

Marcin Latosiewicz · ‎03-14-2014

I guess the question you were asking google was vague, similar to what you're asking in this post.

Nothing wrong about that, but it makes it harder to answer :-)

It's equivalent to "I would like to buy a vehicle".

We can point you to some excellent cars or bikes, but maybe what you need is a trike :-)

So what are we talking about?

Is this a test setup?

Are you planning to put whatever you test in production?

Are there any other resources available (MS server?)?

What are the versions of software we're dealing with?

What features are you looking to implement (suiteB?)?

What as the PKI hierarchy you were thinking about?

Are you planning to use IKEv1 or IKEv2.

(shameless plugs)

That being said, basic IOS enrollment and CA config

https://supportforums.cisco.com/document/57441/ios-ca-basic-deployment-certificate-enrollment-and-signing-process

Snapshot of configuration used for IKEv2

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html#anc8

Once you have everything enrolled you can start thinking of switching to RSA instead of PSK.

Nathan Mellendorf · ‎03-14-2014

Marcin,

Thank you for your time and efforts in assisting me!

You're asking quite a few good questions, and I'll do my best to answer them for you. At the end of the day, I'm really looking forward to a successful deployment of PKI via VPN. At this time, I deploy spokes to clients and have them authenticate over PSK. I'd like for my team to move towards a more standardized deployment. Something that's easier to manage, maintain, and update if needed.

Also, I'd be more than happy to take a book recommendation. I have a lot to learn in terms of cryptography and best practices. That's why I'm here right now, trying to find a best practice / instructions on PKI DMVPN deployment.

"Is this a test setup? "

Yes. I have this configured on 3 test Cisco 881s and also inside of GNS3.

"Are you planning to put whatever you test in production?"

In concept, yes.

The actual devices I'm testing on, no.

Once I've learned all the basic "in and out" of PKI, I plan to review and work with my engineers to have it deployed in our environment.

Are there any other resources available (MS server?)?

Yes. We have an active CA that we would like to use. That way, we don't need to configure it on a public facing router. I haven't looked into this setup yet, as I've not been successful in deploying it on a router as per Ciscos documentation.

What are the versions of software we're dealing with?

Currently, Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(1)T1, RELEASE SOFTWARE (fc2) on the 881s.

Cisco IOS Software, 3600 Software (C3660-JK9O3S-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3) inside my GNS3 Lab.

What features are you looking to implement (suiteB?)?

As for suiteB, I would love to get us moving in this direction. Our current configs don't match the suggested standard, but I would like to push for it.

What as the PKI hierarchy you were thinking about?

At the end of the day, I would be looking to have a CA deployed inside my secure network, and handle requests from two subordinate routers that are WAN facing. These two routers will auto enroll and renew their certificates with the CA. As for my spokes, I'm not sure if I want that feature enabled as it could pose as a security risk.

Are you planning to use IKEv1 or IKEv2.

We would be using IKEv1 for now. In time, we would plan to go to IKEv2, but I'd like to get a successful deployment on PKI before I review the value in the migration.

Marcin Latosiewicz · ‎03-16-2014

Sorry I wrote a big reply, which was rejected by support forums ... thank you, new interface. It was not saved as draft, so I'm going to write it short. Plan today as though your working for something tomorrow. PKI deployments have a tendency to live a couple of years. Having possibility to support IKEv2 and suiteB (at least parts) in future will save you problems later on. You will need however 15.2(4)M and on. MS CA is a very good choice, go with it, provide redundancy for storage of keys and certs. IOS CA can act as RA or subCA, go for subCA if you want to provide redundancy and have a bigger scale deployment, RA if you want simplicity with some redundancy. Divide et impere, you have lots of subtasks to configure but it all boils down to: - Plan what feature,key usages etc you want. - Setup CA(s) to fulfill those and your system requirements. - Setup subCAs/RAs accordingly. - Test enrollment and authentication. - Test IKE. (change authentication method). Easier said then done, I know. Some links https://www.isrcomputing.com/ccie-security-vpn-study-guide-dmvpn-with-rsa-signature-authentication/ http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/27860-ios-enhanced-enrollment.html irreplaceable config guide: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-cfg-mng-cert-serv.html