Community Member

getting started with dmvpn

I am getting started with DMVPN. All my spokes will connect via the internet. From a design standpoint, is it preferred to have the hub as the CA or to have a standalone box as the CA (MS)? If there is a standalone box, then it will need to be accessible from the internet so the spoke routers can get the cert to complete phase 1 of the VPN, which is the same for the hub router if it is to perform CA duties.

thanks,

Steve

11 REPLIES
VIP Purple

Re: getting started with dmvpn

It's best to have a dedicated CA which is not directly connected to the internet. If you have one, take an older router that has no other function any more. Even a 2600-XM will work fine as a CA. Of course you can also use an MS CA. If that is not possible, you can implement the CA on the hub.

The spokes don't need to reach the CA for VPN establishment. They only need to reach the CA while their certificates are enrolled. If you want to check the CRLs from the spokes, then the CRL server has to be reachable from the internet. By default the CRLs are stored on the CA, but you can also use a "normal" web server for that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Community Member

getting started with dmvpn

Since this will be a dual-hub deployment and there will be spoke-to-spoke communication, is there any insight you may offer from your experience with this type of DMVPN deployment?

As it stands now, from what I've read or over-read, lol, I will have the hubs handle the CA and CRL roles.

Community Member

Re: getting started with dmvpn

An additional question that comes up is the security of the DMVPN network if a device wanders to someone's home or finds its way to eBay. The unsuspecting person plugs the router in and powers up the device, and voilà, it is connected to my network.

Once I am informed of a missing device, how can I revoke this device's cert, or are there other ideas on how to handle this?

VIP Purple

Re: getting started with dmvpn

That's exactly the reason for using certificates and not wildcard PSKs. You can revoke the certificate, the hub has to check the validity of the cert, and the spoke is banned from the network. Of course you have to be aware of your missing router ...

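As an added example (not posted by anyone in this thread), here is an IOS configuration sketch of the revocation path described above: the IOS CA publishes a CRL, the hub trustpoint refuses a spoke whose cert is on it, and a lost spoke's certificate is revoked by serial number. The names, addresses, serial number and the assumption that only the hubs (not the spokes) check the CRL are mine.

```ios
! --- On the IOS CA (assumed name DMVPN-CA at 10.0.0.5, reachable from the hubs only) ---
crypto pki server DMVPN-CA
 issuer-name CN=DMVPN-CA,O=Example
 database level complete           ! store every issued cert (<serial>.cer) so serials can be found later
 database url flash:
 lifetime certificate 730
 lifetime crl 24                   ! hubs re-fetch the CRL when the cached copy expires; shorter = faster ban
 cdp-url http://10.0.0.5/DMVPN-CA.crl   ! CRL distribution point written into every spoke certificate
 no shutdown
!
! --- On each hub: IKE fails if the spoke cert is revoked or the CRL cannot be checked ---
crypto pki trustpoint DMVPN-CA
 enrollment url http://10.0.0.5:80
 revocation-check crl              ! "revocation-check none" would let the missing spoke straight back in
 rsakeypair HUB-KEYS
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig            ! certificates, not a wildcard PSK, so one spoke can be banned on its own
 group 14
!
! --- Exec commands once a spoke router is reported missing ---
! 1. On the CA: revoke the missing spoke's certificate by serial (assumed value 0x1A, taken from
!    the <serial>.cer file stored under the database url). The next published CRL lists it.
crypto pki server DMVPN-CA revoke 0x1A
! 2. On each hub: pull the fresh CRL instead of waiting for the cached one to expire,
!    then tear down any session the missing spoke (assumed public address 203.0.113.45) still has.
crypto pki crl request DMVPN-CA
clear crypto session remote 203.0.113.45
```

Until the hubs hold the new CRL, an already-established tunnel from the missing spoke keeps working, which is why the clear of the existing session and the short CRL lifetime matter as much as the revoke itself.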

VIP Purple

Re: getting started with dmvpn

With dual hubs it's better to have two independent DMVPNs. One to Hub1, one to Hub2.


Community Member

getting started with dmvpn

I'd hate to waste two routers on a CA role if I have ACS deployed. Any idea if I can use ACS as the CA?

VIP Purple

getting started with dmvpn

No, that's not possible. The ACS has no CA functionality.


Community Member

getting started with dmvpn

I got the CA split out and spokes can complete phase 1. Pretty sweet setup. So now I'm looking at having the tunnel interfaces use DHCP. I found a supporting document and configuration setting; however, the spoke isn't getting an IP addy from the DHCP server. Typically an ip helper-address command is specified, but in the Cisco doc it was not required per the example.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-dhcp-tunnels.html

spoke (on the tunnel interface):

 ip address dhcp
 ip dhcp client broadcast-flag clear

hub (global configuration):

 ip dhcp support tunnel unicast

any ideas, thanks!

VIP Purple

getting started with dmvpn

I don't have experience with that feature, but why do you want to use it? Do you have so many spokes that it wouldn't scale without it? I always set the tunnel IP based on branch numbers.


Community Member

getting started with dmvpn

It would ease our deployment process. Currently 400 sites use DMVPN: 360 use it as a backup, the rest use it as the sole connection to corporate resources. We've forecast an additional average of 20 sites a year to use DMVPN.

Community Member

getting started with dmvpn

It appears that the hub could sit behind an ASA firewall with GRE and the other ISAKMP/IPsec ports open and NATed correctly.

Any known issues with hub placement behind the ASA?
