Thursday, January 11, 2007

Lab: Integrated DMVPN and EZVPN with IPSec Stateful Failover


Here's something I set up in my desktop "lab" using DYNAMIPS. I created two DMVPN hubs, each also acting as an EZVPN server, with stateful failover. Since both the DMVPN and EZVPN configurations use the 0.0.0.0 address to map to the pre-shared key, an ISAKMP profile is configured to differentiate the DMVPN spokes from the EZVPN clients.

Previously, if your router talked to a combination of remote spokes and VPN clients (software or EZVPN remote) that have dynamic IP addresses, your only option was to use certificates for IKE authentication. With pre-shared keys alone, you could not distinguish which IKE peers should go through extended authentication (Xauth) and which should not. That was before ISAKMP profiles were available. An ISAKMP profile should be used on any router with two or more IPSec connections that require different phase 1 parameters for different sites (for example, site-to-site and remote access on the same router). You can configure one peer to be authenticated with certificates while another peer is authenticated with pre-shared keys.
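
To make the separation concrete, here is an added example hub configuration (written for this page, not one of the post's own configs or Cisco's deployment guide) that terminates both DMVPN spokes and EZVPN remote clients on a single router. The DMVPN spokes hit a wildcard 0.0.0.0 pre-shared key in a keyring, while the EZVPN clients are matched on their IKE group identity and are the only peers forced through Xauth and mode-config. Profile names, key strings, group names, pool ranges and interface names are placeholders; the example uses a dynamic virtual-template for the EZVPN side, and the stateful failover piece from the lab is left out.

```cisco
! Added example: one hub, two ISAKMP profiles, wildcard PSK for DMVPN spokes,
! group identity + Xauth for EZVPN clients. All names/keys are placeholders.

! AAA lists used only by the EZVPN profile (Xauth users, group authorization)
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPAUTH local
username ezuser secret EZUSER-PASSWORD-PLACEHOLDER

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

! Wildcard pre-shared key shared by the DMVPN spokes (dynamic addresses)
crypto keyring DMVPN-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN-PSK-PLACEHOLDER

! EZVPN group policy; the group name is the client's IKE identity (ID_KEY_ID)
crypto isakmp client configuration group EZVPN-GROUP
 key EZVPN-GROUP-PSK-PLACEHOLDER
 dns 10.0.0.53
 pool EZVPN-POOL
ip local pool EZVPN-POOL 10.250.0.1 10.250.0.254

! Profile 1: remote-access clients matched on group identity; Xauth required
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-GROUP
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUPAUTH
 client configuration address respond
 virtual-template 1

! Profile 2: DMVPN spokes matched on the wildcard address; no Xauth, no mode-config
crypto isakmp profile DMVPN-PROF
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0

crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac

crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-PROF

crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROF

! Per-client tunnel interfaces cloned for EZVPN sessions
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC

! mGRE hub interface for the DMVPN spokes
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp authentication NHRP-KEY-PLACEHOLDER
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
```

The point to check on a live box is which profile a given peer actually landed in: `show crypto isakmp sa detail` lists the profile name per IKE SA, and a spoke that shows up under EZVPN-PROF (or a client under DMVPN-PROF) means the identity match is wrong and the peer is being offered the wrong authentication and policy set.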

Here are the configs.
Hub1 Configuration
Hub2 Configuration
EZVPN Remote Client Configuration
DMVPN Spoke1 Configuration
DMVPN Spoke2 Configuration
You can refer to Cisco's Deployment Guide for more detailed info.
