11-28-2018 05:00 PM
Hi Everyone,
We are working on a phase 3 DMVPN and we are going to use certs issued from our own CA via a cisco router for authentication.
We’d like to be able to authenticate via the domain acme.local. So any host with acme.local that has a valid certificate issued by our Cisco CA should pass (i.e. west.acme.local).
My question for everyone is what is needed under the isakmp profile for this to work? Snippets of our non working config below:
crypto isakmp profile AMCE-LOCAL-DMVPN
 ! peer certificate must chain to the CA behind this trustpoint
 ca trust-point ACME-LOCAL
 ! accept any peer presenting an FQDN identity that ends in acme.local
 match identity host domain acme.local
If I add the match identity with the FQDN on both sides it works, but that isn’t going to scale real well.
Also I’m a little confused on the ipsec tunnel protection under the interface. Is the “shared” option needed since it’s an mGRE interface?
Thanks,
-John
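As an added worked example (not from the original thread or from any reply to it), here is how the pieces John lists fit together in a full Phase 3 hub configuration, with the spoke's tunnel interface for contrast. Only the trustpoint name ACME-LOCAL and the `match identity host domain acme.local` line come from the post; everything else is assumed: hostnames (hub.acme.local, west.acme.local), the CA enrollment URL, the addresses (203.0.113.0/24 and 10.0.0.0/24 are documentation ranges), the key, transform-set, IPsec profile and NHRP names, the revocation-check setting, and the `crypto isakmp identity hostname` line that makes each router send an FQDN identity for the `host domain` match to key on.

```text
! ===== Hub (hub.acme.local) =====
! Added example; all names, hostnames and addresses are assumed.
! RSA key generated beforehand from exec mode:
!   crypto key generate rsa label ACME-KEY modulus 2048
hostname hub
ip domain name acme.local
!
crypto pki trustpoint ACME-LOCAL
 enrollment url http://ca.acme.local:80
 subject-name CN=hub.acme.local,O=ACME
 fqdn hub.acme.local
 revocation-check crl
 rsakeypair ACME-KEY
!
! Send our FQDN (from the certificate SAN) as the IKE identity; the peer's
! "match identity host domain" is compared against this identity type.
crypto isakmp identity hostname
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Any peer whose certificate chains to ACME-LOCAL and whose FQDN identity
! ends in acme.local lands in this profile; no per-spoke match line needed.
crypto isakmp profile ACME-LOCAL-DMVPN
 ca trust-point ACME-LOCAL
 match identity host domain acme.local
!
! Alternative that keys on the certificate subject rather than the IKE ID:
!   crypto pki certificate map ACME-MAP 10
!    subject-name co acme.local
!   crypto isakmp profile ACME-LOCAL-DMVPN
!    match certificate ACME-MAP
!
crypto ipsec transform-set ACME-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile ACME-IPSEC
 set transform-set ACME-TS
 set isakmp-profile ACME-LOCAL-DMVPN
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! NHRP authentication is a clear-text network tag, not a security control
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! Phase 3: hub sends redirects so spokes build direct tunnels
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! "shared" is only needed when more than one tunnel interface uses the same
 ! tunnel source under IPsec; a single mGRE interface does not need it.
 tunnel protection ipsec profile ACME-IPSEC
!
! ===== Spoke (west.acme.local) =====
! Same trustpoint, ISAKMP and IPsec blocks with its own subject-name/fqdn;
! only the tunnel interface differs.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ! Phase 3: spoke installs shortcut routes from hub redirects
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile ACME-IPSEC
```

Two checks worth running once a spoke comes up: `show crypto isakmp sa detail` should list the SA against the ACME-LOCAL-DMVPN profile (an SA that lands in the default profile means the identity did not match the domain), and `show crypto pki certificates` on each router should show the FQDN you expect in the certificate. Note what the domain match does and does not do: it trusts any certificate issued by that CA whose identity ends in acme.local, so the effective access control is the CA's enrollment policy, that is, who is allowed to obtain a certificate carrying an acme.local name, plus revocation, which is why the example assumes `revocation-check crl` rather than `none`.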
11-30-2018 02:12 PM
12-14-2018 05:04 PM
Hi HTH,
Sorry I didn't reply sooner. I thought I had notifications turned on but apparently I didn't.
So my original config did end up working, which is perfect as I only want to authenticate based on a single trust point. The weird thing is all I did to get it working was reboot the device.
Thanks for the explanation of the shared keyword at the end of the tunnel protection.
-John