07-14-2016 07:26 AM - edited 03-10-2019 12:41 AM
I am running a 1921 router and use it partially as an AnyConnect (WebVPN) server for remote access into the location. The certificate I used was a self-signed certificate & trustpoint generated on the router. I am running the latest IOS track available to ensure it has all the newest capabilities.
Doing a quick SSL check against it from Qualys, it appears to have many known vulnerabilities and weaknesses.
* Poodle TLS
* TLS 1.0 only
* SHA1
* Diffie-Hellman 1024 bit
* Some older ciphers that appear to be available (but I never specified), like TLS RC4_128_MD5
The crypto mechanism and commands to create the cert didn't give me much choice in the matter.
Is there a newer/better way to create a more secure certificate chain on an IOS router? I couldn't find the instructions anywhere.
Robert
07-14-2016 11:58 PM
Have a look at my guide for doing Suite-B VPNs. It creates much more secure certificates. Note my comment about the minimum software version to use.
https://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html
07-15-2016 03:26 AM
Very interesting, thanks!
Do you require IKEv2 using this method? I need the ability to do split-tunneling.
07-15-2016 03:32 PM
No you don't. It is only the certificate portion that is relevant to your question.
07-17-2016 08:45 AM
OK, trying this now and looking it over. It seems to be way more involved than what I was expecting. Isn't there a way to just have it use a reliable cert (AES-256, SHA256, etc.) without having to create a unique cert for each client? This will be used by a variety of clients that I don't want to pre-load a cert for, from iPhones to PCs.
Thanks.
07-17-2016 12:51 PM
If you only want a certificate for the router that is secure, then only generate a certificate for the router. You don't need to generate certificates for users if they don't need them.
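Since the thread only points at the linked guide, here is what the "certificate portion" looks like when you regenerate just the router's self-signed certificate on IOS: a dedicated 2048-bit RSA key and a SHA-256 signature, bound to the WebVPN gateway. This is an added example, not from the thread or the linked cookbook; the key and trustpoint labels, the CN and the IP address are placeholders, and the exact keywords accepted by `ssl encryption` vary by IOS release.

```cisco
! Added example (not from the thread or the linked guide). Labels, the CN
! and the IP address are assumptions; replace them with your own values.
!
! 1. A fresh key pair reserved for the VPN trustpoint. 2048 bits is the
!    usual minimum; the default trustpoint may have used a smaller key.
crypto key generate rsa general-keys label VPN-RSA-KEY modulus 2048
!
! 2. Self-signed trustpoint. "hash sha256" replaces the SHA-1 signature
!    that the default self-signed certificate carries.
crypto pki trustpoint VPN-SELFSIGNED
 enrollment selfsigned
 subject-name CN=vpn.example.com,O=Example
 revocation-check none
 rsakeypair VPN-RSA-KEY
 hash sha256
!
! 3. Generate the certificate. Clients match the CN above, so the router
!    serial number and IP address can be left out at the prompts.
crypto pki enroll VPN-SELFSIGNED
!
! 4. Bind the new trustpoint to the WebVPN gateway and list only the
!    ciphers you want offered; rc4-md5 is deliberately not in the list.
webvpn gateway VPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint VPN-SELFSIGNED
 ssl encryption aes256-sha1 aes128-sha1
 inservice
!
! 5. Verify the two fields the scanner flagged (signature algorithm and
!    public key size):
! show crypto pki certificates VPN-SELFSIGNED
```

If the clients support it, the same trustpoint can instead use an ECDSA key as in the Suite-B guide: generate it with `crypto key generate ec keysize 256 label VPN-EC-KEY` and reference it with `eckeypair VPN-EC-KEY` in place of `rsakeypair`. Note what this does and does not fix: the SHA-1 and key-size findings come from the certificate, but the TLS version and the 1024-bit Diffie-Hellman group are properties of the WebVPN SSL stack in the running IOS release, so those findings are addressed by the software version, not by the certificate.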