Dual-Cloud DMVPN Spoke Router Configuration

jerecassidy
Level 1

I have decided to enact a dual-cloud DMVPN (1 headend in primary office, 1 headend in DR location) architecture with the option later to go to dual-hub in each of my headend locations.

I was trying to configure each of the clouds to have its own key.

hub 1 cloud 1:

crypto isakmp key KEY123 address 0.0.0.0 0.0.0.0 no-xauth

hub 1 cloud 2:

crypto isakmp key KEY456 address 0.0.0.0 0.0.0.0 no-xauth

Of course, the spokes that I wish to connect to both clouds would not allow me to use the same simple crypto isakmp key command twice.

Many of my sites will have 2 internet connections.  Since I source a tunnel from each of these Internet connections, I came up with the following solution:

spoke 1:

! keyring for cloud 1, bound to the interface of internet connection 1
crypto keyring X-RING
 local-address GigabitEthernet0/1
 pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY123
!
! keyring for cloud 2, bound to the interface of internet connection 2
crypto keyring Y-RING
 local-address GigabitEthernet0/2
 pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY456
!
crypto isakmp profile DMVPN_ISAKMP_X
 keyring X-RING
 match identity address 0.0.0.0
 local-address GigabitEthernet0/1
!
crypto isakmp profile DMVPN_ISAKMP_Y
 keyring Y-RING
 match identity address 0.0.0.0
 local-address GigabitEthernet0/2

OK, on to the question: the first site I tried to connect to both DMVPN clouds only has 1 internet connection!

Without changing both my DMVPN clouds to the same key (almost all the examples have this), how do I ensure that spoke-hub and spoke-spoke tunnels work?

Is there something else I can match, or create on each of the spoke and hub configs?

I tried:

- match identity group <group>, but I couldn't figure out how to set a group name on each of the spokes, or the hub for that matter. Also, wouldn't no-xauth prevent this from being examined?

- match fqdn doesn't seem to work either.

- vrf is not an option - not applicable

- loopbacks behind the internet IP address don't seem to be an option and would seem to complicate the issue too much.

Thanks much in advance!


4 Replies

Andrew Phirsov
Level 7

Surely the best thing here is to use certificates, so it'll eliminate all these questions. Is it gonna be phase 2/3 DMVPN? In phase 1 you can easily put the VPN-hub IP address/key in the global keyring. As to your config, if you're planning to have phase 2 or 3, I can't think of an easy way to accomplish this. You only have the option to match IP addresses in your ISAKMP profiles as peer identity when using pre-shared keys for authentication. So again - if it's phase 1 - no problem. Just put the exact IP addresses of the hubs in the crypto isakmp key ..... command. If it's phase 2 or 3 - use PKI.

It is phase 2 and I plan on moving to phase 3. That is why the 0.0.0.0 match is required.

I've seen some PKI config information, but have trouble finding anything current, and especially something that shows PKI integration with DMVPN. Do you know of any good document?

Until PKI is ready, to solve the above problem I think I will just use a manual failover between tunnels for this site that only has 1 internet connection, and order a second internet connection for redundancy.

There's nothing special about PKI with regard to DMVPN. PKI or pre-shared keys is just how ISAKMP authenticates the session, and there's no difference between DMVPN and site-to-site.

Basically, you'd have to do these things:

- create a CA. A basic one may be set up on one of your routers.

- create the trustpoint on each DMVPN hub and spoke.

- change the type of authentication in the ISAKMP profile from pre-share to rsa-sig.

Surely you may have more than one trustpoint, one for each cloud, but I highly doubt that with PKI it's needed.

Maybe this doc will be of some help, although it has too much info:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html

If you need, I may bring up some complete example for site-to-site with PKI auth.
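As an added illustration of the certificate-based approach described in this reply, applied to the single-internet-connection spoke from the original question, here is a spoke configuration that terminates both clouds on one WAN interface with one ISAKMP profile and no per-cloud pre-shared key. This is example configuration written for this page, not the poster's or Cisco's; the CA URL, hub public addresses, tunnel addressing and NHRP strings are placeholders, and the hubs are assumed to enrol with the same CA and use rsa-sig as well.

```cisco
! Trustpoint for the enterprise CA (CA address is a placeholder)
crypto pki trustpoint DMVPN-CA
 enrollment url http://CA-ADDRESS-PLACEHOLDER:80
 subject-name CN=spoke1,OU=DMVPN
 rsakeypair DMVPN-KEYS 2048
!
! ISAKMP policy authenticates with certificates instead of pre-shared keys
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! One profile serves both clouds: the peer is identified by its certificate,
! so the 0.0.0.0 wildcard that phase 2/3 spoke-to-spoke tunnels need is safe
crypto isakmp profile DMVPN_ISAKMP
 ca trust-point DMVPN-CA
 match identity address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN_ISAKMP
!
! Cloud 1 (primary hub); addresses are placeholders
interface Tunnel1
 ip address 10.1.0.11 255.255.255.0
 ip nhrp authentication NHRP1
 ip nhrp map 10.1.0.1 HUB1-PUBLIC-IP
 ip nhrp map multicast HUB1-PUBLIC-IP
 ip nhrp network-id 1
 ip nhrp nhs 10.1.0.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_IPSEC shared
!
! Cloud 2 (DR hub): same source interface, so a distinct tunnel key and
! network-id are required, and "shared" lets both tunnels use one IPsec SADB
interface Tunnel2
 ip address 10.2.0.11 255.255.255.0
 ip nhrp authentication NHRP2
 ip nhrp map 10.2.0.1 HUB2-PUBLIC-IP
 ip nhrp map multicast HUB2-PUBLIC-IP
 ip nhrp network-id 2
 ip nhrp nhs 10.2.0.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_IPSEC shared
```

After enrolment, show crypto pki certificates and show crypto isakmp sa confirm that each hub session was authenticated with rsa-sig rather than a pre-shared key.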

Andrew Phirsov
Level 7

- match fqdn doesn't seem to work either.

I forgot. For this to work, you should enable aggressive mode for ISAKMP. It's done under the ISAKMP profile configuration, using the initiate mode aggressive command.