Thank you for your time and efforts in assisting me!
You're asking quite a few good questions, and I'll do my best to answer them for you. At the end of the day, I'm really looking forward to a successful deployment of PKI via VPN. At this time, I deploy spokes to clients and have them authenticate over PSK. I'd like for my team to move towards a more standardized deployment. Something that's easier to manage, maintain, and update if needed.
Also, I'd be more than happy to take a book recommendation. I have a lot to learn in terms of cryptography and best practices. That's why I'm here right now, trying to find a best practice / instructions on PKI DMVPN deployment.
"Is this a test setup?"
Yes. I have this configured on 3 test Cisco 881s and also inside of GNS3.
"Are you planning to put whatever you test in production?"
In concept, yes.
The actual devices I'm testing on, no.
Once I've learned all the basic "ins and outs" of PKI, I plan to review and work with my engineers to have it deployed in our environment.
"Are there any other resources available (MS server?)?"
Yes. We have an active CA that we would like to use. That way, we don't need to configure it on a public facing router. I haven't looked into this setup yet, as I've not been successful in deploying it on a router as per Cisco's documentation.
"What are the versions of software we're dealing with?"
Currently, Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(1)T1, RELEASE SOFTWARE (fc2) on the 881s.
Cisco IOS Software, 3600 Software (C3660-JK9O3S-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3) inside my GNS3 Lab.
"What features are you looking to implement (suiteB?)?"
As for suiteB, I would love to get us moving in this direction. Our current configs don't match the suggested standard, but I would like to push for it.
"What was the PKI hierarchy you were thinking about?"
At the end of the day, I would be looking to have a CA deployed inside my secure network, and handle requests from two subordinate routers that are WAN facing. These two routers will auto-enroll and renew their certificates with the CA. As for my spokes, I'm not sure if I want that feature enabled as it could pose a security risk.
"Are you planning to use IKEv1 or IKEv2?"
We would be using IKEv1 for now. In time, we would plan to go to IKEv2, but I'd like to get a successful deployment on PKI before I review the value in the migration.
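As an added sketch (not configuration from the post above or from Cisco documentation) of what the hierarchy described in the reply could look like in IOS: the WAN-facing routers auto-enroll and renew against the internal CA over SCEP, spokes enroll by cut-and-paste with no auto-enroll, and IKEv1 uses rsa-sig with a certificate map so only certificates issued by that CA for the VPN OU are accepted. Hostnames, trustpoint names, the CA URL, the issuer string and the fingerprint are placeholders; exec-mode and config-mode commands are shown together and labelled.

```cisco
! ---- WAN-facing router (one of the two subordinate routers) ----
! exec mode: dedicated key pair for the VPN certificate
crypto key generate rsa label HUB-KEYS modulus 2048
!
! config mode: trustpoint for the internal CA (URL, names, fingerprint are placeholders)
crypto pki trustpoint INTERNAL-CA
 enrollment url http://ca.example.internal:80
 subject-name CN=hub1.example.internal,OU=VPN
 rsakeypair HUB-KEYS
 fingerprint <sha1-fingerprint-of-CA-certificate-placeholder>
 revocation-check crl
 auto-enroll 70 regenerate
!
! exec mode: fetch the CA certificate (rejected unless it matches the pinned fingerprint);
! with auto-enroll set the router then requests its own cert and renews it at 70% lifetime
crypto pki authenticate INTERNAL-CA
!
! ---- spoke router: no auto-enroll, an operator handles the CSR by hand ----
crypto key generate rsa label SPOKE-KEYS modulus 2048
crypto pki trustpoint INTERNAL-CA
 enrollment terminal pem
 subject-name CN=spoke07.example.internal,OU=VPN
 rsakeypair SPOKE-KEYS
 revocation-check crl
! exec mode: paste the CA cert, print a CSR to submit to the CA, then import the issued cert
crypto pki authenticate INTERNAL-CA
crypto pki enroll INTERNAL-CA
crypto pki import INTERNAL-CA certificate
!
! ---- IKEv1 on every router: certificates instead of PSK ----
crypto isakmp policy 10
 encr aes 256
 authentication rsa-sig
 group 14
!
! only accept peer certificates issued by the internal CA for the VPN OU
crypto pki certificate map VPN-PEERS 10
 issuer-name co example-internal-ca
 subject-name co ou=vpn
!
crypto isakmp profile DMVPN-PROF
 ca trust-point INTERNAL-CA
 match certificate VPN-PEERS
```

Because spokes carry `revocation-check crl`, a lost spoke is handled by revoking its certificate at the CA rather than by re-keying every peer, which is the management gain over PSK the reply is after.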