Example 6-18 illustrates how to migrate a spoke router that has a DMVPN tunnel to the hub (using a preshared key) to a DMVPM tunnel that uses digital certificates for authen- tication. Table 6-4 lists the devices used for this example.
Table 6-4 Devices for Illustrating Migration of Spoke Router
Description Device Name
Spoke 1 r35-1-1020
Headend s-dmvpn-headend
Sub-ca1 ra-subca
ptg
Chapter 6: Integration in Large-Scale Site-to-Site VPN Solutions 131
crypto keyring giraffe
pre-shared-key address 192.168.159.242 key CISCO !
crypto isakmp policy 1 encr 3des
hash md5
authentication pre-share group 2
crypto isakmp profile r35-profile keyring giraffe
match identity host domain cisco.com
match identity address 192.168.159.242 255.255.255.255 !
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac mode transport
!
crypto ipsec profile ESE_DMVPN set transform-set 3DES_MD5 set isakmp-profile r35-profile ! interface Tunnel10 ip address 10.0.0.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication DMVPNGET ip nhrp map multicast dynamic ip nhrp map 10.0.0.4 192.168.159.242 ip nhrp map multicast 192.168.159.242 ip nhrp network-id 1234 ip nhrp holdtime 90 ip nhrp nhs 10.0.0.4 ip nhrp registration timeout 30 ip nhrp shortcut
ip ospf network broadcast tunnel source 192.168.134.146 tunnel mode gre multipoint tunnel key 1234
tunnel protection ipsec profile ESE_DMVPN
The s-dmvpn-headend configuration has two ISAKMP policies: The first is used to match the spokes with preshared keys, and the second is used to match the digital certificates. By having both policies, the dmvpn-headend can establish tunnels with spokes having
ptg
either preshared keys or digital certificates. This policy is used until all the spokes are migrated to digital certificates. When the migration finishes, the dmvpn-headend can have only the ISAKMP policy, as shown in Example 6-17.
Note The ISAKMP profile provides a template for matching identities. In Example 6-19, the ISAKMP profile matches either domain name or preshared secret.
Example 6-19 Illustration of the Relevant DMVPN Hub Configuration
crypto keyring zebra
pre-shared-key address 192.168.187.190 key CISCO pre-shared-key address 192.168.187.194 key CISCO pre-shared-key address 192.168.134.146 key CISCO !
crypto isakmp policy 1 ! The first policy is meant for pre-shared authentication. encr 3des
hash md5
authentication pre-share group 2
!
crypto isakmp policy 2 ! The second policy for rsa-signature authentication encr 3des
hash md5 group 2 !
crypto keyring giraffe
pre-shared-key address 192.168.159.242 key CISCO !
crypto isakmp profile dmvpn-profile
! The isakmp profile will match either pre-shared key or keyring zebra configured on the hub.
keyring giraffe
match identity host domain cisco.com
match identity address 192.168.134.146 255.255.255.255 !
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac mode transport
!
crypto ipsec profile ESE_DMVPN set transform-set 3DES_MD5 set isakmp-profile dmvpn-profile
ptg
Chapter 6: Integration in Large-Scale Site-to-Site VPN Solutions 133
With the preceding configuration of the hub router, the spoke can establish the DMVPN tunnel with the hub router. The show commands verify the following:
■ The DMVPN tunnel is up.
■ The tunnel uses preshared key for authentication.
Example 6-20 Verifying the DMVPN Status
r35-1-1020# show crypto isakmp sa IPv4 Crypto ISAKMP SA
dst src state conn-id slot status 192.168.159.242 192.168.134.146 QM_IDLE 4001 0 ACTIVE r35-1-1020# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
4001 192.168.134.146 192.168.159.242 ACTIVE 3des md5 psk 2 23:51:08 Engine-id:Conn-id = AIM-VPN/EPII-PLUS:1
IPv6 Crypto ISAKMP SA r35-1-1020#
The following steps illustrate the process of migrating from the preshared key implemen- tation to a certificate-based authentication environment.
Step 1. As shown in previous examples, configure the spoke to obtain a certificate by enrolling with a subordinate CA server. To accomplish this task, r35-1-1020 should enroll with ra-subca.
Example 6-21 Configuring the Trust Point on the spoke r35-1-1020
crypto pki trustpoint ra
enrollment url http://192.168.159.243:12345 serial-number
ip-address 192.168.134.146 revocation-check none
ptg
rsakeypair ra
auto-enroll 80 regenerate !
Step 2. Change the ISAKMP policy on the spoke to use RSA signatures.
Example 6-22 Configuring ISAKMP Policy on the Spoke
crypto isakmp policy 1 encr 3des
hash md5 group 2
Step 3. Flap the tunnel so that the DMVPM tunnel tries to establish with the new authentication method, which is digital signatures.
Example 6-23 Flapping the Tunnel
r35-1-1020(config)# interface tunnel 1 shut
no shut
Step 4. Verify that the DMVPN tunnel is established and also if it has used digital signatures for authentication.
Example 6-24 Verifying the DMVPN Tunnel
r35-1-1020# show crypto isakmp sa IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.159.242 192.168.134.146 QM_IDLE 4003 0 ACTIVE r35-profile IPv6 Crypto ISAKMP SA
r35-1-1020# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
ptg
Chapter 6: Integration in Large-Scale Site-to-Site VPN Solutions 135
4003 192.168.134.146 192.168.159.242 ACTIVE 3des md5 rsig 2 23:53:33 Engine-id:Conn-id = AIM-VPN/EPII-PLUS:3
IPv6 Crypto ISAKMP SA r35-1-1020#
The spoke has successfully established a DMVPN tunnel to the headend router using dig- ital certificates.