Pros and cons of using crypto pki certificate map and without using it

Dear All,

I would like to know the pros and cons of using crypto pki certificate map versus not using it.

Please help me.

Using crypto pki certificate map:

crypto isakmp policy 100
encr 3des
hash md5
group 2
exit

crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = AZT cn=radiuslocal-CA
exit

crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
exit

crypto isakmp profile DMVPN
ca trust-point radiuslocal.com
match certificate CERT-MAP-DMVPN
exit

crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
exit

Without using certificate map:
crypto isakmp policy 10
encr aes 256
hash sha256
authentication rsa-sig
group 2
exit
!

crypto ipsec transform-set TS1 esp-aes 256 esp-sha256-hmac
exit
!
crypto ipsec profile VPNPROF1
set transform-set TS1
exit

Accepted Solutions
RJI (VIP Advocate)

Re: Pros and cons of using crypto pki certificate map and without using it

Hi,
When you use the "match certificate CERT-MAP-DMVPN" command you are using the OU value of the certificate in order to identify the peer router. Any peer wishing to authenticate must therefore have a valid certificate with an "ou = AZT cn=radiuslocal-CA".

You don't necessarily need to use the certificate map in order to identify peers for authentication; you could specify an IP address or an FQDN. If you are using a certificate for authentication, it's simple to use a certificate map for peer identification, as all routers issued with a certificate from the correct CA will match that certificate map.

HTH

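To make the matching behaviour described above concrete, here is an added example (not from the original post or from Cisco IOS) that emulates how a certificate map entry is evaluated against a peer certificate's subject and issuer names. The map entry and the peer certificates are constructed for illustration and express the intent of CERT-MAP-DMVPN rather than copying its exact line; the operator semantics (eq, ne, co = contains, nc = does not contain, case-insensitive) follow IOS, while ignoring spaces around "=" is an assumption of this emulation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MapRule:
    field: str      # e.g. "subject-name", "issuer-name"
    operator: str   # eq, ne, co (contains), nc (does not contain)
    value: str      # the string given on the certificate map line

def normalize(name: str) -> str:
    # Assumption: names compare case-insensitively, and this emulation also
    # drops spaces around '=' so "ou = AZT" and "OU=AZT" compare equal.
    return ",".join(part.strip().replace(" =", "=").replace("= ", "=")
                    for part in name.lower().split(","))

def rule_matches(rule: MapRule, cert: dict) -> bool:
    actual = normalize(cert.get(rule.field, ""))
    wanted = normalize(rule.value)
    if rule.operator == "eq":
        return actual == wanted
    if rule.operator == "ne":
        return actual != wanted
    if rule.operator == "co":
        return wanted in actual
    if rule.operator == "nc":
        return wanted not in actual
    raise ValueError(f"unsupported operator {rule.operator!r}")

def cert_matches_map(rules: list, cert: dict) -> bool:
    """A certificate matches a map entry only if every rule in it passes."""
    return all(rule_matches(r, cert) for r in rules)

# Constructed map entry: subject must carry OU=AZT and the issuer must be radiuslocal-CA.
DMVPN_MAP = [
    MapRule("subject-name", "co", "ou = AZT"),
    MapRule("issuer-name", "co", "cn=radiuslocal-CA"),
]

# Constructed peer certificates (only the subject and issuer DNs matter here).
SPOKE_OK = {"subject-name": "CN=spoke1.example.net, OU=AZT, O=Example",
            "issuer-name": "CN=radiuslocal-CA, O=Example"}
SPOKE_WRONG_OU = {"subject-name": "CN=spoke2.example.net, OU=LAB, O=Example",
                  "issuer-name": "CN=radiuslocal-CA, O=Example"}
# Same CA but OU=AZT2: 'co' is a substring test, so this still matches; use eq for exact OUs.
SPOKE_AZT2 = {"subject-name": "CN=spoke3.example.net, OU=AZT2, O=Example",
              "issuer-name": "CN=radiuslocal-CA, O=Example"}

if __name__ == "__main__":
    print({n: cert_matches_map(DMVPN_MAP, c) for n, c in
           [("spoke1", SPOKE_OK), ("spoke2", SPOKE_WRONG_OU), ("spoke3", SPOKE_AZT2)]})
```

The third spoke shows the practical caveat: a "co" rule on a short OU value also accepts any OU that merely starts with it, so an "eq" rule on the full subject is tighter when several OUs share a prefix.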
VIP Advisor

Re: Pros and cons of using crypto pki certificate map and without using it

I had an issue with cert authentication in conjunction with DMVPN a while ago, and I was told by TAC to revert to pre-shared keys.

I am not sure if this is an "official" Cisco TAC piece of advice or not. I think practically using certs is somewhat more scalable, with the use of CRLs, compared to PSKs; other than that, one is not much better than the other imho.

Please remember to rate useful posts, by clicking on the stars below.