11-28-2018 05:00 PM
Hi Everyone,
We are working on a Phase 3 DMVPN and we are going to use certs issued from our own CA via a Cisco router for authentication.
We'd like to be able to authenticate via the domain acme.local. So any host in acme.local that has a valid certificate issued by our Cisco CA should pass (e.g. west.acme.local).
My question for everyone is: what is needed under the ISAKMP profile for this to work? Snippets of our non-working config below:
crypto isakmp profile AMCE-LOCAL-DMVPN
 ! only peer certificates chaining to this trustpoint are accepted
 ca trust-point ACME-LOCAL
 ! any peer presenting an FQDN identity under acme.local should match
 match identity host domain acme.local
If I add the match identity with the FQDN to both sides it works, but that isn't going to scale very well.
Also I'm a little confused about the IPsec tunnel protection under the interface. Is the "shared" option needed since it's an mGRE interface?
Thanks,
-John
11-30-2018 02:12 PM
12-14-2018 05:04 PM
Hi HTH,
Sorry I didn't reply sooner. I thought I had notifications turned on but apparently I didn't.
So my original config did end up working, which is perfect, as I only want to authenticate based on a single trust point. The weird thing is that all I did to get it working was reboot the device.
Thanks for the explanation of the shared keyword at the end of the tunnel protection.
-John
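The reply that explained the "shared" keyword is not present in the thread above, so here is an added example (not John's config and not from the original thread) of a complete spoke configuration that covers both of his questions: certificate authentication scoped to a single trustpoint with a domain-wide identity match, and the tunnel protection line with and without "shared". It assumes IOS IKEv1 with a spoke named west.acme.local, a CA reachable at ca.acme.local, a hub at tunnel address 10.0.0.1 / NBMA 198.51.100.1, and the names ACME-LOCAL, ACME-LOCAL-DMVPN, DMVPN-TS, DMVPN-IPSEC, ACME-MAP and DMVPN-KEYS; all of these are illustrative. The "shared" keyword is only required when two or more tunnel interfaces use the same tunnel source (and therefore the same IPsec SA database), for example a dual-cloud DMVPN spoke; a single mGRE interface, as in the original post, does not need it.

```cisco
! --- PKI: assumed trustpoint and CA; not from the original post ---
crypto pki trustpoint ACME-LOCAL
 enrollment url http://ca.acme.local:80
 ! put the router's FQDN in the certificate so it can be sent as the IKE identity
 fqdn west.acme.local
 subject-name CN=west.acme.local,O=ACME
 revocation-check none
 rsakeypair DMVPN-KEYS
!
! --- IKEv1 policy: RSA-signature (certificate) authentication ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! --- Option A: match on the peer's IKE identity, as in the original post ---
crypto isakmp profile ACME-LOCAL-DMVPN
 ! only certificates chaining to this trustpoint are accepted
 ca trust-point ACME-LOCAL
 ! one line covers every host under acme.local; no per-peer FQDN entries
 match identity host domain acme.local
 ! send our own identity as the certificate FQDN instead of the tunnel source address
 self-identity fqdn
!
! --- Option B (alternative, assumed): match on certificate content instead of IKE identity ---
crypto pki certificate map ACME-MAP 10
 subject-name co acme.local
! In the profile above, "match certificate ACME-MAP" would replace the host-domain line.
!
! --- IPsec: transport mode for GRE, bound to the ISAKMP profile ---
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile ACME-LOCAL-DMVPN
!
! --- Single mGRE cloud (Phase 3 spoke): no "shared" keyword ---
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC
!
! --- Second cloud on the SAME tunnel source (assumed hub 203.0.113.1): now BOTH
!     Tunnel0 and Tunnel1 need "shared" on their tunnel protection lines, and each
!     needs a distinct tunnel key so the router can tell the two GRE streams apart ---
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 2
 ip nhrp map 10.0.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-IPSEC shared
```

To confirm the domain match is actually what admitted a peer, check "show crypto isakmp sa detail" and "show crypto session detail" after a spoke registers; the session should show the profile ACME-LOCAL-DMVPN and an FQDN identity for the remote side. If the peer's identity is its address rather than an FQDN, the host-domain line will never match, which is the case where Option B (matching on certificate fields) is the more robust choice.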