Cisco Support Community

Securing DMVPN

Hello

I have two questions regarding DMVPN.

Question 1) How secure is the access list applied to "outside" interface of a router doing DMVPN?

I am using the following document as an example (GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall): http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

The access list applied to the "outside" interface is

access-list 100 permit udp any host 14.x.x.1 eq 500
access-list 100 permit esp any host 14.x.x.1
access-list 100 permit gre any host 14.x.x.1
access-list 100 permit udp any host 14.x.x.1 eq 4500

ESP, UDP port 500 and UDP port 4500 are part of IPSec, a protocol designed to be as secure as possible. I can accept this traffic as secure enough.

Allowing GRE from the Internet looks like a bad idea - GRE was not designed to be secure, and the tunnel key is not a serious protection.

Please comment on allowing GRE traffic from the Internet. Are there any ways to work around this requirement (maybe using a firewall in front of the router)?

Question 2) I will have a number of spoke DMVPN sites using dynamically assigned IP addresses (routers installed behind non-Cisco cable or DSL modems). Since I don't know the IP address associated with the "outside" interface of the spoke routers, I cannot apply an access list similar to the one I have in Question 1 (the "host 14.x.x.1" part is unknown).

What choices are available (except permit ESP, UDP port 500/4500 and GRE any to any)?

Thank you,

Cristian

1 REPLY

Re: Securing DMVPN

Hi Cristian,

Q1) The command "tunnel protection ipsec profile dmvpnprof" will ensure that only IPsec-protected GRE traffic is accepted. So the ACL is OK.

You can further restrict the ACL to known spokes (host xxx host 14.24.117.1) if all the spokes have static IPs.

Q2) This will indeed require permitting "any any" on those ports, but again, I think this is not a big security issue, since GRE will be discarded if it is not IPsec-protected.

Please rate if this helped.

Regards,

Daniel
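As an added example (not from this thread or from the Cisco document it cites), a minimal IOS hub configuration showing how the pieces in the reply fit together: the outside ACL is the one from the question and the profile name dmvpnprof is the one from the reply, while the interface names, tunnel subnet, NHRP network-id, tunnel key value and the pre-shared key are assumed placeholders. Because the spokes have dynamic addresses, the ISAKMP key uses a wildcard peer address; certificate (rsa-sig) authentication is the stronger choice in that situation.

```cisco
! Added example, not the poster's or Cisco's configuration.
! 14.x.x.1 is the placeholder hub address used in the question.
!
! Phase 1: spokes have dynamic addresses, so the peer is a wildcard.
! A single wildcard pre-shared key is the weak spot of this design;
! certificates (authentication rsa-sig) avoid sharing one secret.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 0.0.0.0 0.0.0.0
!
! Phase 2: transport mode, since GRE already encapsulates the inner packet.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile dmvpnprof
 set transform-set DMVPN-TS
!
! mGRE tunnel. "tunnel protection" binds the IPsec profile to the tunnel,
! so GRE that does not arrive inside an ESP SA for this tunnel is dropped.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication <NHRP-PASSWORD>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile dmvpnprof
!
! Outside interface: the ACL from the question, applied inbound.
! Source "any" is unavoidable when spoke addresses are dynamic (Q2).
access-list 100 permit udp any host 14.x.x.1 eq 500
access-list 100 permit esp any host 14.x.x.1
access-list 100 permit udp any host 14.x.x.1 eq 4500
access-list 100 permit gre any host 14.x.x.1
!
interface GigabitEthernet0/0
 ip address 14.x.x.1 255.255.255.0
 ip access-group 100 in
```

"show crypto session" lists the spokes that currently hold IKE and IPsec sessions with the hub, and "show ip nhrp" shows which of them have registered over the protected tunnel.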
