Friday, November 1, 2019

DMVPN Diffie Hellman issues

I'm labbing this DMVPN setup, and even though I have set DH key exchange in the IPsec profile, my spoke-to-spoke SA comes up but without DH. My hub-to-spoke SA is using DH, but not the spoke-to-spoke one. Anyone else have this problem?

I'm using the same settings on all the routers, so there's really no reason why this should happen. Everything "works": there are no errors, not even in the IPsec/IKEv2 debug, but I just don't get a DH key exchange going. I also don't see any fundamental reason why this would be the case; when the spoke-to-spoke tunnel comes up, the spokes negotiate a tunnel, so it should just work the same as when the hub-to-spoke tunnel is created.
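For readers who want to reproduce this, the following is an added configuration example, not the author's lab config. It shows where the DH setting lives on IOS/IOS-XE: the `set pfs` line in the `crypto ipsec profile` that the `tunnel protection` command applies to the mGRE tunnel, plus the `show crypto ipsec sa` check that reports, per SA, whether PFS was negotiated and with which group. All names, addresses and the pre-shared key are placeholders; the hub interface is shown, and each spoke would carry the same crypto profile with its own NHRP mapping to the hub.

```cisco
! Added example (not the original post's config). Placeholder names,
! addresses and PSK; apply the same crypto profile on hub and spokes.
crypto ikev2 proposal DMVPN-IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy DMVPN-IKEV2-POL
 proposal DMVPN-IKEV2-PROP
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key ChangeMeBeforeUse
!
crypto ikev2 profile DMVPN-IKEV2-PROF
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! "set pfs" is the DH exchange for the IPsec (child) SAs; without it,
! only the IKEv2 SA itself performs a DH exchange.
crypto ipsec profile DMVPN-IPSEC-PROF
 set transform-set DMVPN-TS
 set pfs group14
 set ikev2-profile DMVPN-IKEV2-PROF
!
! Hub mGRE tunnel (placeholder addressing)
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC-PROF
!
! Check: compare the hub-to-spoke SA with a spoke-to-spoke SA.
! Each SA block prints "PFS (Y/N): Y, DH group: group14" when the
! DH exchange was actually negotiated, or "PFS (Y/N): N, DH group: none".
show crypto ipsec sa | include peer|PFS
```

The `show crypto ipsec sa` output is the quickest way to confirm the symptom described in the post: run it on a spoke after spoke-to-spoke traffic has triggered the shortcut tunnel, and read the PFS line under the other spoke's peer address rather than under the hub's.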

This is just a lab, but I wouldn't put something like this into production. Given the nature of DMVPN, where the keys are on routers in all sorts of remote offices, it would be very easy for someone to steal one, get the keys and decrypt all past traffic. Not to mention the administrative pain of rekeying everything.


