DMVPN spoke to spoke communication using Certificate based authentication.

PurpleNoc
Level 1

So running into an issue with my DMVPN deployment.

I have a 4-router lab setup with one hub and 3 spokes. The hub is set up with NHRP shortcut and redirect. This feature works flawlessly with simple ISAKMP using a PSK.

Spoke-to-spoke communication establishes and they talk to each other without any issues.

So in the interest of better security I have been asked to deploy this setup using certificates for authentication.

Here is where the problem begins. I can set up the hub as a CA all well and good. The spokes get their setup as well. All tunnels come up and my routing protocol establishes as expected, but when I try to ICMP from router 2 to router 3, traffic doesn't move between the routers; it hairpins all traffic to the hub. I see the two spokes try to bring up tunnels between themselves, but because I am using cert-based ISAKMP it is not completing.

Is this a drawback of using cert-based DMVPN?

Hub Config

crypto pki trustpoint tp-dmvpn
enrollment url http://15.0.0.1:80
revocation-check none
rsakeypair dmvpn
!
crypto pki certificate chain dmvpn-ca
certificate ca 01
quit
certificate ca rollover 02
quit
crypto pki certificate chain tp-dmvpn
certificate 04
quit
certificate ca 01
quit
!
!
!
crypto isakmp policy 1
encr aes 192
group 2
!
crypto ipsec transform-set TRANSFORM_SET esp-aes 192 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN_CERT
set transform-set TRANSFORM_SET
!
!
interface Loopback0
description Loopback
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 777
no ip split-horizon eigrp 777
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 6783
tunnel protection ipsec profile DMVPN_CERT

Spoke Config

crypto pki trustpoint tp-dmvpn
enrollment url http://15.0.0.1:80
revocation-check none
rsakeypair dmpvn-cert
!
!
crypto pki certificate chain tp-dmvpn
certificate 03
quit
certificate ca 01
quit
!
!
crypto isakmp policy 2
encr aes 192
group 2
!
crypto ipsec transform-set TRANSFORM_SET esp-aes 192 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN_CERT
set transform-set TRANSFORM_SET
!
interface Loopback0
description Loopback
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 6783
tunnel protection ipsec profile DMVPN_CERT
!

Thanks, Rob

4 Replies

Rob,

Just for clarification: only ICMP traffic from router 2 (spoke) to router 3 (spoke) is not working? ICMP from hub to spoke and all other traffic is working?

Can you post the output of 'debug dmvpn all all' ?

All

Was able to figure things out.

The initial problem was spoke-to-spoke communication after a redirect from the hub. Because the two spokes could not authenticate the certs on their respective routers, they could not establish a phase one.

So while traffic was not broken, it hairpinned to the hub instead of creating a link between the two spokes.

I fixed this by moving the CA off the hub to an independent CA server and had each router request a cert from the CA. This is allowing the spokes to authenticate with each other and exchange information directly instead of using the hub as a go-between.

Rob
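As an added example (not Rob's configuration and not from the thread), this is what the trustpoint block looks like once the CA is a standalone server that every DMVPN router enrols to, with the ISAKMP authentication method stated explicitly and an ISAKMP profile that only accepts peers whose certificate was issued by that CA. The CA address 10.0.0.10, the names DMVPN-CA, DMVPN-KEY, DMVPN-PEERS and DMVPN-IKE, and the subject names are assumptions; TRANSFORM_SET and DMVPN_CERT are the names from the posted configs.

```cisco
! Added example, not from the thread. Assumed: standalone IOS CA reachable at
! 10.0.0.10 (SCEP over HTTP), trustpoint DMVPN-CA, key label DMVPN-KEY.
! The same block goes on the hub and on every spoke; only subject-name differs.
crypto key generate rsa label DMVPN-KEY modulus 2048
!
crypto pki trustpoint DMVPN-CA
 enrollment url http://10.0.0.10:80
 subject-name CN=spoke2.dmvpn.example,OU=DMVPN
 ! Lab setting. With no reachable CRL or OCSP a spoke keeps accepting a peer
 ! whose certificate has been revoked; use revocation-check crl in production.
 revocation-check none
 rsakeypair DMVPN-KEY
!
! Fetch the CA certificate (compare the printed fingerprint with the CA out of
! band before answering yes), then request the router certificate.
crypto pki authenticate DMVPN-CA
crypto pki enroll DMVPN-CA
!
! rsa-sig is the IOS default and therefore hidden from show running-config;
! stating it makes the intended authentication method visible in the policy.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Accept only IKE peers whose certificate was issued by this CA. Without a
! map, any certificate chaining to any trustpoint on the router is accepted.
crypto pki certificate map DMVPN-PEERS 10
 issuer-name co cn = dmvpn-ca
!
crypto isakmp profile DMVPN-IKE
 ca trust-point DMVPN-CA
 match certificate DMVPN-PEERS
!
crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN_CERT
 set transform-set TRANSFORM_SET
 set isakmp-profile DMVPN-IKE
!
! Checks on a spoke after pinging the other spoke's LAN:
!  show crypto pki certificates DMVPN-CA  -> router certificate and CA certificate both present
!  show dmvpn                             -> dynamic entry (Attrb D/DT1) to the other spoke in state UP, not stuck in IKE
!  show crypto isakmp sa                  -> QM_IDLE with the other spoke's NBMA address as the peer
!  debug crypto isakmp                    -> if the entry stays in IKE, look for the certificate validation error
```

The `show dmvpn` state column is the quickest way to tell Rob's symptom apart from a routing problem: a spoke-to-spoke entry that never leaves IKE means the redirect and NHRP resolution worked and only phase 1 between the two spokes is failing, which is the point at which to run the ISAKMP debug on both spokes.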

Hi Rob,

We are trying to migrate our DMVPN from PSK to certificate-based authentication, and we have our own internal CA server. Could you please send me the steps and configuration template to migrate from PSK to certificates?

1.) Steps to be performed in Microsoft CA server

2.) Steps to be performed in Hub router

3.) Steps to be performed in Spoke router

Thanks in Advance.

Giuseppe Larosa
Hall of Fame

Hello,

Post complete configurations as attachment files and debug output in separate attachment files and add them to the thread.

You say that traffic is going spoke2 to hub to spoke3 and vice versa because of a failure in setting up the dynamic tunnel between spoke2 and spoke3.

Can you add to the thread the logs from spoke2 and spoke3?

You need to provide more information in order to get better help.

DMVPN using certificates is supported, so there is something wrong to be discovered.

Hope to help

Giuseppe
