Cisco Support Community
IPSEC PKI

Hi everybody,

I'm working on a VPN hub-to-spoke design with 100s of spokes. Some of the sites will be very remote and it is not always possible in some countries to get an internet connection with a static IP address.

Please correct my assumptions if they are wrong:

If I were to use pre-shared keys I would have to use wildcard pre-shared keys, which means that if one of the branch router configs was compromised, anybody could create a tunnel to my core site. So pre-shared keys are not practical.

So I am considering using digital certificates. I would enroll the router before deployment and then use auto-enrollment after that. The CA server would be on the LAN behind the headend box.

I have two main questions:

1. If a hacker got physical access to a spoke VPN node, would it be possible for him to copy the certificate from our router to another router in order to create a new connection himself? I.e., can digital certs be copied from the Cisco router? I am worried about having to use dynamic IPs. Are there any obvious security risks in this design?

2. I will be using small routers, e.g. 1841, as the spokes. I understand they will need to use NTP to work with certificates. I am not sure that I will be able to get an NTP source at each spoke site. If I open up a port on the VPN router to get NTP directly from a public NTP server, does this present a significant risk?

Thanks for any advice or answers. I will rate any useful comments.

Thanks

Mike
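An added IOS configuration example (not from the original post or any reply) showing the spoke-side settings the two questions touch on: an RSA key pair generated without the `exportable` keyword so the private key cannot be copied off the router, a trustpoint with auto-enrollment and CRL checking against the CA behind the hub, and NTP locked and authenticated to a single server. The hostname, CA URL, key label, addresses and NTP key are placeholders, and the example assumes the chosen NTP server supports MD5 authentication.

```cisco
! Spoke router (IOS) - constructed example; every name and address is a placeholder
hostname SPOKE01
!
! 1. Key pair: without the "exportable" keyword the private key never leaves
!    this router, and "crypto key export" is refused. A copied startup-config
!    therefore carries the certificate but not the key needed to use it.
crypto key generate rsa general-keys label SPOKE01-RSA modulus 2048
!
! 2. Trustpoint for the CA on the LAN behind the headend. auto-enroll renews
!    at 70% of certificate lifetime and regenerates the key pair each time;
!    revocation-check lets the hub cut off a lost spoke by revoking its cert.
crypto pki trustpoint HUB-CA
 enrollment url http://ca.hub.example.internal:80
 subject-name CN=SPOKE01,OU=Branch,O=Example
 rsakeypair SPOKE01-RSA
 revocation-check crl
 auto-enroll 70 regenerate
!
! 3. Time: certificate validity is checked against the clock, so sync to one
!    authenticated server and let no other host act as an NTP peer.
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-NTP-KEY
ntp trusted-key 1
ntp server 192.0.2.10 key 1
access-list 10 permit 192.0.2.10
ntp access-group peer 10
!
! Verify on the router:
!   show crypto key mypubkey rsa     -> key is reported as not exportable
!   show crypto pki certificates     -> enrolled cert with its validity dates
!   show ntp status                  -> synchronized to 192.0.2.10 only
```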
