Cisco IOS Router with certificates and IKEv2 for VPN

Hi experts, we have a requirement to set up an IPsec VPN tunnel. The requirements are:

1. The certificates used are "copy & paste" certificates from a CA. There is no CA available and reachable from either router.

2. All certificates (Root, Intermediate and ID certificates) are successfully imported. 

3. The IKEv2 parameters are defined as IKEv2 Hash = SHA256, DH group = 20, IPSec protocol = ESP, IPSec hash = SHA256 & IPSec encryption = AES256.

4. We have defined 3 trust points, one for each certificate that was successfully imported.

 

Now the question: we have searched the internet for some clues on how to configure IKEv2 with certificates, but we could not find any except this:

https://supportforums.cisco.com/t5/vpn/ikev2-with-certificates/td-p/2087717

 

According to the above link, there is a command:

crypto pki certificate map CRT 10
issuer-name co csfc

 

We do not have the above commands; is it mandatory? We need to be sure, as we try to understand each command set before we configure this. Any help is appreciated! Thank you!

RJI (VIP Advocate)

Re: Cisco IOS Router with certificates and IKEv2 for VPN

Hi Marcus,

I've done this many a time.

 

This post shows you how to enroll a Cisco IOS Router manually (terminal enrollment) and this post shows you how to configure FlexVPN (IKEv2) with certificate authentication (this should help with the query regarding the Cert Map).

 

If you don't have those commands, what license do you have on the router?

 

HTH

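The reply above points at terminal enrollment and a FlexVPN profile with a certificate map but the linked posts are not on this page, so here is an added example of the complete configuration for the parameters listed in the question (IKEv2 SHA-256, DH group 20, ESP with AES-256 and SHA-256). This is not configuration from the thread, from RJI, or from Cisco documentation; every name (ROOT-CA, INT-CA, ID-TP, FLEX-*), the issuer string, the addresses and the interface are hypothetical placeholders you must replace with your own values.

```cisco
! Added example, not from the thread. FlexVPN IKEv2 site-to-site tunnel with
! certificate (RSA-signature) authentication and terminal ("copy & paste")
! enrollment. All names, DNs and addresses below are hypothetical.
!
! --- Trustpoints: one per certificate in the chain, linked by chain-validation.
! revocation-check none is forced by the requirement that no CA/CRL is reachable.
crypto pki trustpoint ROOT-CA
 enrollment terminal pem
 revocation-check none
 chain-validation stop
!
! The intermediate must itself chain up to ROOT-CA.
crypto pki trustpoint INT-CA
 enrollment terminal pem
 revocation-check none
 chain-validation continue ROOT-CA
!
! The identity trustpoint: holds this router's key pair and its certificate,
! which must chain to INT-CA.
crypto pki trustpoint ID-TP
 enrollment terminal pem
 subject-name CN=rtr1.example.net,O=Example
 rsakeypair FLEX-RSA 2048
 revocation-check none
 chain-validation continue INT-CA
!
! Terminal enrollment, exec mode, one trustpoint at a time:
!   crypto pki authenticate ROOT-CA        paste the root CA cert, accept it
!   crypto pki authenticate INT-CA         paste the intermediate CA cert
!   crypto pki enroll ID-TP                copy the CSR shown to the CA operator
!   crypto pki import ID-TP certificate    paste the issued identity cert
!
! --- Certificate map: accept only peer certs whose issuer DN contains this
! string ("co" = contains). Without it, any cert chaining to the trusted root
! would be accepted.
crypto pki certificate map FLEX-CERT-MAP 10
 issuer-name co example issuing ca
!
! --- IKEv2: AES-256, SHA-256 integrity, DH group 20 (ECP-384)
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 20
!
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
! The profile needs at least one match statement; here the certificate map.
! identity local dn sends our certificate DN as the IKE identity.
crypto ikev2 profile FLEX-PROF
 match certificate FLEX-CERT-MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint ID-TP
!
! --- IPsec: ESP with AES-256 and SHA-256 HMAC
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! --- Verification, exec mode:
!   show crypto pki certificates      all three certs listed as Available
!   show crypto ikev2 sa detailed     Auth sign/verify RSA, status READY
!   show crypto ipsec sa              encaps/decaps counters increasing
```

Two points a practitioner will want to check. First, the certificate map is what restricts which peers may authenticate: chain validation alone only proves the peer's certificate was issued somewhere under the trusted root, so pinning the issuer (or adding a `subject-name` line to the map) is what prevents an unrelated certificate from the same PKI from bringing up the tunnel. Second, `revocation-check none` follows from the requirement that no CA is reachable, but it also means a compromised identity certificate remains usable until it expires; keep certificate lifetimes short, and if a CRL distribution point ever becomes reachable switch to `revocation-check crl none` so revocation is enforced when the CRL is available.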
Beginner

Re: Cisco IOS Router with certificates and IKEv2 for VPN

Hi, thank you for your reply. We will give this a go and the cert map explanation definitely helped. Will update this post as we go along.
Beginner

Re: Cisco IOS Router with certificates and IKEv2 for VPN

Hi, just to confirm, for the certificates, we need the root certs on the local and remote router right?
RJI (VIP Advocate)

Re: Cisco IOS Router with certificates and IKEv2 for VPN

Yes, the root certificate needs to be on the local and remote routers.