Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1994
Views
5
Helpful
2
Replies

DMVPN - Certificate Authentication

jlizzio
Level 1
Level 1

‎11-28-2018 05:00 PM

Hi Everyone,

 

We are working on a phase 3 DMVPN and we are going to use certs issued from our own CA via a cisco router for authentication.

 

We’d like to be able to authenticate via the domain acme.local. So any host with acme.local that has a valid certificated issued by our cisco CA should pass (i.e. west.acme.local)

 

My question for everyone is what is needed under the isakmp profile for this to work? Snippets of our non working config below:

 

crypto isakmp profile AMCE-LOCAL-DMVPN

   ca trust-point ACME-LOCAL

   match identity host domain acme.local

 

If I add the match identity with FQDN to both sides it work, but that isn’t going to scale real well.  

 

Also I’m a little confused on the ipsec tunnel protection under the interface. Is the “shared” option needed since it’s an mGRE interface?  


Thanks,

 

-John

Labels:
0 Helpful
2 Replies 2

Rob Ingram
VIP
VIP

‎11-30-2018 02:12 PM

Hi,
Try using a certificate map and matching the domain name of the issuer and referencing that in the isakmp profile

crypto pki certificate map CERT_MAP 1
issuer-name co cn = acme.local

crypto isakmp profile ACME-LOCAL-DMVPN
match certificate CERT_MAP
identity local dn

The tunnel protection ipsec profile shared command is used to create a single IPsec SADB for all the tunnel interfaces that use the same profile and tunnel source interface. If you only have one tunnel then you do not need to use the shared keyword.

HTH

jlizzio
Level 1
Level 1
In response to Rob Ingram

‎12-14-2018 05:04 PM

Hi HTH,

 

Sorry I didn't reply sooner. I thought I had notifications turned on but apparently I didn't. 

 

So my original config did end up working, which is perfect as I only want to authenticate based on a single trust point. The weird thing is all I did to get it working was reboot the device.

 

Thanks for the explanation of the shared keyword at the end of the tunnel protection.

 

-John

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card