Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1998
Views
0
Helpful
5
Replies

Create more secure self-signed certificates on IOS router?

Go to solution
ROBERT HOLMES
Level 1
Level 1

‎07-14-2016 07:26 AM - edited ‎03-10-2019 12:41 AM

I am running a 1921 router and use it partially as an AnyConnect (WebVPN) server for remote access into the location.  The certificate I used was a self-signed certificate & trustpoint generated on the router.  I am running the latest IOS track available to insure it has all the newest capabilities.

Doing a quick SSL check against it from Qualys, it appears to have many known vulnerabilities and weaknesses.

* Poodle TLS

* TLS 1.0 only

* SHA1

* Diffie-Hellman 1024 bit

* Some older ciphers that appear to be available (but I never specified), like TLS RC4_128_MD5

The crypto mechanism and commands to create the cert didn't give me much choice in the matter.

Is there a newer/better way to create a more secure certificate chain on an IOS router?  I couldn't find the instructions anywhere.

Robert

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎07-14-2016 11:58 PM

Have a look at my guide for doing Suite-B VPNs.  It creates much more secure certificates.  Note my comment about the minimum software version to use.

https://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html

View solution in original post

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to ROBERT HOLMES

‎07-15-2016 03:32 PM

No you don't.  It is only the certificate portion that is relevant to your question.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎07-14-2016 11:58 PM

Have a look at my guide for doing Suite-B VPNs.  It creates much more secure certificates.  Note my comment about the minimum software version to use.

https://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html

0 Helpful

Go to solution
ROBERT HOLMES
Level 1
Level 1
In response to Philip D'Ath

‎07-15-2016 03:26 AM

Very interesting, thanks!

Do you require IKEv2 using this method?  I need the ability to do split-tunneling.

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to ROBERT HOLMES

‎07-15-2016 03:32 PM

No you don't.  It is only the certificate portion that is relevant to your question.

0 Helpful

Go to solution
ROBERT HOLMES
Level 1
Level 1
In response to Philip D'Ath

‎07-17-2016 08:45 AM

OK, trying this now and looking it over.  It seems to be way more involved that what I was expecting.  Isn't there a way to just have it use a reliable cert (AES-256, SHA256, etc) without having to create a unique cert for each client?  This will be used by a variety of clients that I don't want to pre-load a cert for, from iPhone's to PC's.

Thanks.

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to ROBERT HOLMES

‎07-17-2016 12:51 PM

If you only want a certificate for the router that is secure - then only generate a certificate for the router.  You don't need to generate certificates for users if they don't need them.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents