09-30-2018 07:09 AM
Dear All,
I would like to know the pros and cons of using a crypto pki certificate map versus not using one.
Please help me.
Using crypto pki certificate map:
! Phase 1 (IKEv1) policy; rsa-sig authentication is the IOS default
crypto isakmp policy 100
encr 3des
hash md5
group 2
exit
! Certificate map: lines in one sequence are ANDed, sequences are ORed
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = AZT cn=radiuslocal-CA
exit
! Phase 2 transform set; transport mode for the GRE/mGRE tunnel
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
exit
! ISAKMP profile: validate against this trustpoint and select by certificate map
crypto isakmp profile DMVPN
ca trust-point radiuslocal.com
match certificate CERT-MAP-DMVPN
exit
! IPsec profile applied to the tunnel interface
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
exit
without using certificate map:
! Phase 1 (IKEv1) policy with certificate (rsa-sig) authentication
crypto isakmp policy 10
encr aes 256
hash sha256
authentication rsa-sig
group 2
exit
!
! Phase 2 transform set
crypto ipsec transform-set TS1 esp-aes 256 esp-sha256-hmac
exit
!
! IPsec profile with no isakmp profile, so no certificate-map peer selection
crypto ipsec profile VPNPROF1
set transform-set TS1
exit
09-30-2018 11:56 AM - edited 09-30-2018 12:04 PM
Hi,
When you use the "match certificate CERT-MAP-DMVPN" command you are using the OU value of the certificate in order to identify the peer router. Any peer wishing to authenticate must therefore have a valid certificate with an "ou = AZT cn=radiuslocal-CA" subject name.
You don't necessarily need to use the certificate map in order to identify peers for authentication; you could specify an IP address or an FQDN instead. If you are using a certificate for authentication, it's simple to use a certificate map for peer identification, as all routers issued with a certificate from the correct CA will match that certificate map.
HTH
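To make the matching behaviour described in the answer above concrete, here is a small model of how an IOS certificate map selects a peer. It is an added example, not code from the original post and not Cisco IOS code: it models the documented operators (eq, ne, co, nc) over the subject-name, issuer-name and alt-subject-name fields, with lines inside one sequence ANDed and sequences ORed. The peer certificates, the "ou = AZT"-only map value and the stricter variant are constructed for illustration (the post's own value is "ou = AZT cn=radiuslocal-CA"), and the case- and whitespace-insensitive comparison is a modelling assumption. Chain validation against the profile's ca trust-point is a separate IOS step and is not modelled.

```python
# Added illustration of how an IOS 'crypto pki certificate map' selects peers.
# Model of the documented matching rules, NOT Cisco IOS code.
# Assumption (not from the thread): values compare case-insensitively with
# whitespace removed, so "ou = AZT" matches "ou=azt".
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerCert:
    """Fields of a peer certificate that a certificate map can test."""
    subject: str           # subject DN as a string
    issuer: str            # issuer DN as a string
    alt_subject: str = ""  # subjectAltName (FQDN), if any


# One map line: (field, operator, value).  Operators modelled:
#   eq  equal          ne  not equal
#   co  contains       nc  does not contain
Rule = tuple[str, str, str]

# sequence number -> lines.  All lines in a sequence must match (AND);
# the map matches if any sequence matches (OR).
CertMap = dict[int, list[Rule]]


def _norm(s: str) -> str:
    # modelling assumption: case- and whitespace-insensitive comparison
    return "".join(s.split()).lower()


def _field(cert: PeerCert, name: str) -> str:
    return {
        "subject-name": cert.subject,
        "issuer-name": cert.issuer,
        "alt-subject-name": cert.alt_subject,
    }[name]


def line_matches(cert: PeerCert, rule: Rule) -> bool:
    field, op, value = rule
    actual, wanted = _norm(_field(cert, field)), _norm(value)
    if op == "eq":
        return actual == wanted
    if op == "ne":
        return actual != wanted
    if op == "co":
        return wanted in actual
    if op == "nc":
        return wanted not in actual
    raise ValueError(f"unknown operator {op!r}")


def map_matches(cert: PeerCert, cert_map: CertMap) -> bool:
    return any(all(line_matches(cert, r) for r in lines) for lines in cert_map.values())


# Hypothetical map restricted to the OU only.
CERT_MAP_DMVPN: CertMap = {10: [("subject-name", "co", "ou = AZT")]}

# Hypothetical tightened map: 'co' is a substring test, so "ou=AZT-guest"
# also contains "ou=AZT"; exclude it and additionally pin the issuing CA.
CERT_MAP_DMVPN_STRICT: CertMap = {
    10: [
        ("subject-name", "co", "ou = AZT"),
        ("subject-name", "nc", "ou = AZT-"),
        ("issuer-name", "co", "cn = radiuslocal-CA"),
    ]
}

# Constructed sample peers (not real certificates).
SPOKE = PeerCert("cn=spoke1,ou=AZT,o=example", "cn=radiuslocal-CA,o=example")
NOC = PeerCert("cn=mgmt1,ou=NOC,o=example", "cn=radiuslocal-CA,o=example")
GUEST = PeerCert("cn=guest1,ou=AZT-guest,o=example", "cn=radiuslocal-CA,o=example")
ROGUE = PeerCert("cn=spoke9,ou=AZT,o=example", "cn=other-CA,o=elsewhere")


def evaluate(cert_map: CertMap) -> dict[str, bool]:
    """Which constructed peers would select the profile under this map."""
    peers = {"spoke": SPOKE, "noc": NOC, "guest": GUEST, "rogue": ROGUE}
    return {name: map_matches(c, cert_map) for name, c in peers.items()}


if __name__ == "__main__":
    for label, m in (("ou-only map", CERT_MAP_DMVPN), ("strict map", CERT_MAP_DMVPN_STRICT)):
        print(label, evaluate(m))
```

Running it shows the trade-off the answer alludes to: the OU-only map admits the spoke but also the "AZT-guest" certificate (substring match) and a certificate with the right OU from a different issuer, while the stricter map admits only the spoke. In a real deployment the rogue issuer would also be rejected by chain validation against the ca trust-point, but the map itself only tests the DN strings you give it.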
09-30-2018 04:45 PM
I had an issue with cert authentication in conjunction with DMVPN a while ago, and I was told by TAC to revert to pre-shared keys.
I am not sure if this is an "official" Cisco TAC piece of advice or not. I think practically using certs is somewhat more scalable, with the use of CRLs, compared to PSKs; other than that one is not much better than the other imho.