Dual-Cloud DMVPN Spoke Router Configuration

I have decided to enact a dual-cloud DMVPN (1 headend in primary office, 1 headend in DR location) architecture with the option later to go to dual-hub in each of my headend locations.

I was trying to configure each of the clouds to have its own key.

hub 1 cloud 1:

crypto isakmp key KEY123 address 0.0.0.0 0.0.0.0 no-xauth

hub 1 cloud 2:

crypto isakmp key KEY456 address 0.0.0.0 0.0.0.0 no-xauth

Of course, the spokes that I wish to connect to both clouds would not allow me to use the same simple crypto isakmp key command twice.

Many of my sites will have 2 internet connections.  Since I source a tunnel from each of these Internet connections, I came up with the following solution:

spoke 1:

crypto keyring X-RING
 ! bound to the interface of internet connection 1
 local-address GigabitEthernet0/1
 pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY123
!
crypto keyring Y-RING
 ! bound to the interface of internet connection 2
 local-address GigabitEthernet0/2
 pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY456
!
crypto isakmp profile DMVPN_ISAKMP_X
 keyring X-RING
 match identity address 0.0.0.0
 local-address GigabitEthernet0/1
!
crypto isakmp profile DMVPN_ISAKMP_Y
 keyring Y-RING
 match identity address 0.0.0.0
 local-address GigabitEthernet0/2

OK, to the question: the first site I tried to connect to both DMVPN clouds only has 1 internet connection!

Without changing both my DMVPN clouds to the same key (almost all the examples have this), how do I ensure that spoke-hub and spoke-spoke tunnels work?

Is there something else I can match, or create on each of the spoke and hub configs?

I tried:

- match identity group <group>, but I couldn't figure out how to set a group name on each of the spokes - or the hub for that matter. Also, wouldn't no-xauth prevent this from being examined?

- match fqdn doesn't seem to work either.

- vrf is not an option - not applicable.

- loopbacks behind the internet IP address don't seem to be an option and would seem to complicate the issue too much.

Thanks much in advance!


Dual-Cloud DMVPN Spoke Router Configuration

Surely the best thing here is to use certificates, as it will eliminate all these questions. Is it going to be phase 2/3 DMVPN? In phase 1 you can easily put the VPN hub IP address/key in the global keyring. As to your config, if you're planning to have phase 2 or 3, I can't think of an easy way to accomplish this. You only have the option to match IP addresses in your ISAKMP profiles as peer identity when using pre-shared keys for authentication. So again: if it's phase 1, no problem; just put the exact IP addresses of the hubs in the crypto isakmp key ..... command. If it's phase 2 or 3, use PKI.


Dual-Cloud DMVPN Spoke Router Configuration

It is phase 2, and I plan on moving to phase 3. That is why the 0.0.0.0 match is required.

I've seen some PKI config information, but have trouble finding anything current, and especially something that shows PKI integration with DMVPN. Do you know of any good document?

Until PKI is ready, to solve the above problem I think I will just use a manual failover between tunnels for this site that only has 1 internet connection, and order a second Internet connection for redundancy.

Re: Dual-Cloud DMVPN Spoke Router Configuration

There's nothing special about PKI with regard to DMVPN. PKI or pre-shared keys is just how ISAKMP authenticates the session, and there's no difference between DMVPN and site-to-site.

Basically, you'd have to do these things:

- create a CA. A basic one may be set up on one of your routers.

- create the trustpoint on each DMVPN hub and spoke.

- change the type of authentication in the ISAKMP profile from pre-share to rsa-sig.

Surely you may have more than one trustpoint, one for each cloud, but I highly doubt that it's needed with PKI.

Maybe this doc will be of some help, although it has too much info:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html

If you need, I may bring up a complete example for site-to-site with PKI auth.
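The three steps above, written out as an added example configuration; this is not from the original thread or the poster's routers. It assumes a CA hosted on one of the hubs at 192.0.2.1, hostnames under example.com, and the names DMVPN-CA, DMVPN-KEY, DMVPN-CERT-MAP, DMVPN_ISAKMP, DMVPN-TS and DMVPN_IPSEC, all of which are placeholders. NHRP mappings and routing are omitted; the point is that a single trustpoint and a single ISAKMP profile replace the per-cloud keyrings, so the single-interface spoke from the question works without a second key.

```ios
! ---- CA router (example: hub 1), IOS certificate server reachable over SCEP ----
ip http server
crypto pki server DMVPN-CA
 issuer-name CN=dmvpn-ca.example.com
 lifetime certificate 365
 ! "grant auto" is a lab shortcut; in production approve requests by hand
 grant auto
 no shutdown
!
! ---- every hub and spoke: one key pair and one trustpoint serve both clouds ----
! exec mode:
!   crypto key generate rsa label DMVPN-KEY modulus 2048
crypto pki trustpoint DMVPN-CA
 enrollment url http://192.0.2.1:80
 subject-name CN=spoke1.example.com,OU=DMVPN
 rsakeypair DMVPN-KEY
 ! "none" keeps the example short; use "revocation-check crl" once the CA publishes a CRL
 revocation-check none
! exec mode, on each router after the trustpoint exists:
!   crypto pki authenticate DMVPN-CA
!   crypto pki enroll DMVPN-CA
!
! ---- ISAKMP: certificates instead of a wildcard pre-shared key per cloud ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! accept any peer whose certificate was issued by our CA; add subject-name
! or OU criteria here if hubs and spokes should be told apart
crypto pki certificate map DMVPN-CERT-MAP 10
 issuer-name co dmvpn-ca.example.com
!
crypto isakmp profile DMVPN_ISAKMP
 ca trust-point DMVPN-CA
 match certificate DMVPN-CERT-MAP
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN_IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN_ISAKMP
!
! ---- spoke with a single internet connection: both clouds from one source ----
! the two mGRE tunnels share the source interface and the IPsec profile, so they
! need distinct tunnel keys / NHRP network-ids and the "shared" keyword
interface Tunnel1
 description cloud 1 (primary hub)
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_IPSEC shared
!
interface Tunnel2
 description cloud 2 (DR hub)
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_IPSEC shared
```

After enrollment, "show crypto pki certificates" should list both the CA and the router certificate, and "show crypto isakmp sa" should show each hub peer in QM_IDLE. Because peers are identified by the certificate rather than by the address the key was bound to, the spoke-to-spoke tunnels of phase 2/3 authenticate the same way as spoke-to-hub, with no need for the local-address bindings in the question.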

Re: Dual-Cloud DMVPN Spoke Router Configuration

"match fqdn doesn't seem to work either."

I forgot. For this to work, you should enable aggressive mode for ISAKMP. It's done under the ISAKMP profile configuration, using the initiate mode aggressive command.
