DMVPN over IKEv2/IPsec using certificate-based authentication

Hello all,

I am trying to connect a Teltonika router to a Cisco Router using DMVPN.

At the moment, the only way to do it is using pre-shared keys. Is there any way to use DMVPN with IKEv2/IPsec using certificate-based authentication?

I managed to connect the Teltonika to the Cisco using certificate-based authentication, but using a crypto map, not DMVPN.

Kind regards,

Gabriel

Hello,

Thank you for your request. It’s currently under review, and we’ll share any findings, possible workarounds, or clarifications regarding this specific setup as soon as we have them.

In the meantime, could you please share your current setup topology, DMVPN, and IPsec configurations, with any sensitive information hidden?

Best regards,

Hello Martynas,

Thank you for your reply.

Here is my configuration.

Cisco Side

Crypto Config:

! IKEv2 (phase 1) proposal and policy
crypto ikev2 proposal VPN_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy VPN_POLICY
 proposal VPN_PROPOSAL
!
! IKEv2 profile: certificate (rsa-sig) authentication in both directions,
! peers selected by certificate map, hub identity sent as FQDN
crypto ikev2 profile TELTONIKA_PROFILE
 match certificate TELTONIKA_CERT_MAP
 identity local fqdn hub.LOTR.co.uk
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint starwars-CA
!
crypto ikev2 nat keepalive 10
!
! IPsec (phase 2) transform set, transport mode for GRE-over-IPsec
crypto ipsec transform-set VPN_TRANSFORM_SET esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile TELTONIKA_IPSEC_PROFILE
 set transform-set VPN_TRANSFORM_SET
 set pfs group19
 set ikev2-profile TELTONIKA_PROFILE

Interface Config:

interface Tunnel601
 description TELTONIKA_DMVPN
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication hobbit
 ip nhrp network-id 5
 ip nhrp holdtime 300
 no ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 bfd interval 1000 min_rx 1000 multiplier 5
 tunnel source GigabitEthernet0/0/0.500
 tunnel mode gre multipoint
 tunnel key 6500
 tunnel protection ipsec profile TELTONIKA_IPSEC_PROFILE

BGP Config:

router bgp 64600
 bgp router-id 192.168.10.1
 bgp log-neighbor-changes
 bgp redistribute-internal
 network 10.10.10.0 mask 255.255.255.0
 redistribute connected metric 20 route-map CONN2BGP
 redistribute static metric 20 route-map STATIC2BGP
 neighbor 10.10.10.15 remote-as 64600
 neighbor 10.10.10.15 next-hop-self
 neighbor 192.168.10.101 remote-as 64600
 neighbor 192.168.10.101 next-hop-self
 neighbor 192.168.10.102 remote-as 64600
 neighbor 192.168.10.102 next-hop-self
 neighbor 192.168.10.103 remote-as 64600
 neighbor 192.168.10.103 next-hop-self
 neighbor 192.168.10.104 remote-as 64600
 neighbor 192.168.10.104 next-hop-self

Teltonika Side

DMVPN PARAMETERS CONFIGURATION

Enable – on

Working mode – spoke

Hub address – PUBLIC-IP

GRE PARAMETERS CONFIGURATION

Tunnel source – set to MOB1S1A1

Local GRE interface IP address – 192.168.10.102

Remote GRE interface IP address – set to 192.168.10.1

GRE MTU – set to 1400

Outbound key – 6500

Inbound key – 6500

IPSEC PARAMETERS CONFIGURATION

Leave local and remote identifier fields empty

Pre-shared key – THIS IS WHERE I CAN'T SELECT BETWEEN PRE-SHARED KEY and X.509 Authentication

IPSEC PROPOSAL CONFIGURATION

PHASE 1 Encryption algorithm – set to AES 256

Authentication – set to SHA256

DH group – set to ECP256

Force crypto proposal – leave set to off

IKE lifetime – set to 8h

PHASE 2 Encryption algorithm – set to AES 256

Hash algorithm – set to SHA256

PFS group – set to ECP256

Force crypto proposal – leave set to off

Lifetime – set to 8h

NHRP PARAMETERS CONFIGURATION

NHRP network ID – set to 5

NHRP authentication key - hobbit

NHRP hold time – set to 300

Redirect – leave set to off
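As an added example that is not part of the thread and is not Teltonika or Cisco code: a small Python checker that parses the hub's IOS snippet (reproduced inside the block as constructed input) and compares it with the spoke's GUI values, listing every parameter that has to agree for the GRE tunnel, NHRP and the IKEv2/IPsec SAs to come up. The dictionary keys, the IOS-to-strongSwan-style algorithm name mapping and the `psk` placeholder standing in for the RUTOS pre-shared-key field are assumptions of this example. Run as written, the only finding is the authentication method: the hub demands rsa-sig from the peer while the DMVPN page can only offer a pre-shared key, so the hub rejects the spoke's IKE_AUTH.

```python
"""Cross-check a DMVPN hub (Cisco IOS) against a spoke's tunnel/IPsec settings.

Added example for this thread, not Teltonika or Cisco code. HUB_CONFIG is a
constructed copy of the hub snippet posted above; SPOKE is a constructed
transcription of the RUTOS DMVPN page. Keys and canonical names are assumptions.
"""
import re

HUB_CONFIG = """\
crypto ikev2 proposal VPN_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 profile TELTONIKA_PROFILE
 match certificate TELTONIKA_CERT_MAP
 authentication remote rsa-sig
 authentication local rsa-sig
crypto ipsec transform-set VPN_TRANSFORM_SET esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile TELTONIKA_IPSEC_PROFILE
 set transform-set VPN_TRANSFORM_SET
 set pfs group19
 set ikev2-profile TELTONIKA_PROFILE
interface Tunnel601
 ip mtu 1400
 ip nhrp authentication hobbit
 ip nhrp network-id 5
 ip nhrp holdtime 300
 tunnel mode gre multipoint
 tunnel key 6500
 tunnel protection ipsec profile TELTONIKA_IPSEC_PROFILE
"""

# Constructed from the RUTOS GUI fields in the post. The DMVPN page only
# offers a pre-shared key, so the spoke can only ever present "psk" here.
SPOKE = {
    "tunnel_key": 6500, "nhrp_network_id": 5, "nhrp_auth": "hobbit",
    "nhrp_holdtime": 300, "mtu": 1400, "ike_auth": "psk",
    "p1_enc": "aes256", "p1_integ": "sha256", "p1_dh": "ecp256",
    "p2_enc": "aes256", "p2_integ": "sha256", "p2_pfs": "ecp256",
}

# IOS spellings -> strongSwan-style names used on the RUTOS side (assumed mapping).
CANON = {
    "aes-cbc-256": "aes256", "esp-aes 256": "aes256",
    "sha256": "sha256", "esp-sha256-hmac": "sha256",
    "19": "ecp256", "group19": "ecp256",
}


def parse_ios(text):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' comments carry no config
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def section(cfg, prefix):
    """Return (header, children) of the first section whose header starts with prefix."""
    for header, children in cfg.items():
        if header.startswith(prefix):
            return header, children
    raise KeyError(prefix)


def child(children, prefix):
    """Return the argument of the first child line starting with prefix, else None."""
    for line in children:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def hub_params(cfg):
    """Pull the values a spoke must match out of the parsed hub config."""
    _, prop = section(cfg, "crypto ikev2 proposal")
    _, prof = section(cfg, "crypto ikev2 profile")
    ts_hdr, _ = section(cfg, "crypto ipsec transform-set")
    _, ipsec = section(cfg, "crypto ipsec profile")
    _, tun = section(cfg, "interface Tunnel")
    esp = re.match(r"crypto ipsec transform-set \S+ (esp-\S+ \d+) (esp-\S+)", ts_hdr)
    return {
        "tunnel_key": int(child(tun, "tunnel key")),
        "nhrp_network_id": int(child(tun, "ip nhrp network-id")),
        "nhrp_auth": child(tun, "ip nhrp authentication"),
        "nhrp_holdtime": int(child(tun, "ip nhrp holdtime")),
        "mtu": int(child(tun, "ip mtu")),
        # what the hub demands from the peer, not what it presents itself
        "ike_auth": child(prof, "authentication remote"),
        "p1_enc": CANON[child(prop, "encryption")],
        "p1_integ": CANON[child(prop, "integrity")],
        "p1_dh": CANON[child(prop, "group")],
        "p2_enc": CANON[esp.group(1)],
        "p2_integ": CANON[esp.group(2)],
        "p2_pfs": CANON[child(ipsec, "set pfs")],
    }


def compare(hub, spoke):
    """List every parameter on which the spoke disagrees with the hub."""
    return [f"{k}: hub={hub[k]!r} spoke={spoke[k]!r}"
            for k in hub if k in spoke and spoke[k] != hub[k]]


if __name__ == "__main__":
    for finding in compare(hub_params(parse_ios(HUB_CONFIG)), SPOKE) or ["all matched"]:
        print(finding)
```

The comparison deliberately reads `authentication remote` from the hub profile rather than `authentication local`, because IKEv2 authentication is asymmetric and it is the remote-side requirement that the spoke's pre-shared key fails to satisfy; with a spoke that could present rsa-sig, the same run reports no mismatches.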

Hello,

After reviewing your configurations and clarifying the DMVPN (RUT) over IPsec (Cisco) setup with the developer, I would like to confirm that DMVPN, as implemented on RUTOS, primarily relies on pre-shared keys for authentication. Currently, the DMVPN feature on RUT routers does not natively support X.509 certificate-based authentication. Therefore, to achieve this RUT – Cisco setup, you need to configure the tunnel connection directly through the IPsec settings (Services → VPN → IPsec), where you can select the required authentication type.

Kind regards,