I'm working on a VPN hub-to-spoke design with 100s of spokes. Some of the sites will be very remote and it is not always possible in some countries to get an internet connection with a static IP address.
Please correct my assumptions if they are wrong:
If I was to use pre-shared keys I would have to use wildcard pre-shared keys which means that if one of the branch router configs was compromised, anybody could create a tunnel to my core site. So pre-shared keys is not practical.
So I am considering using digital certificates. I would enroll the router before deployment and then use auto-enrollment after that. The CA sever would be on the LAN behind the headend box.
I have two main questions:
1. If a hacker got physical access to a spoke vpn node, would it be possible for him to copy the certificate from our router to another router in order to create a new connection himself. ie can digital certs be copied from the cisco router? I am worried about having to use dynamic IPs. Are there any obvious security risks in this design?
2. I will be using small routers e.g. 1841 as the spokes. I understand they will need to use NTP to work with certificates. I am not sure that I will be able to get an NTP source at each spoke site. If I open up a port on the VPN router to get NTP directly from a public NTP server does this present a significant risk?
Thanks for any advice or answers. I will rate any useful comments.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :