Pro and Cons of using crypto pki certificate map and without using

UCrypto (Level 1)

Dear All,

I would like to know the pros and cons of using a crypto pki certificate map and of not using one.

Please help me.

Using crypto pki certificate map:

! Phase 1 policy; authentication is not set, so the IOS default (rsa-sig) applies
crypto isakmp policy 100
 encr 3des
 hash md5
 group 2
exit

! Certificate map: a peer matches when its subject name contains this string
crypto pki certificate map CERT-MAP-DMVPN 10
 subject-name co ou = AZT cn=radiuslocal-CA
exit

crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode transport
exit

! ISAKMP profile: trustpoint for this router's own certificate, peers selected by the map
crypto isakmp profile DMVPN
 ca trust-point radiuslocal.com
 match certificate CERT-MAP-DMVPN
exit

! IPsec profile applied to the tunnel interface; ties the transform set to the ISAKMP profile
crypto ipsec profile DMVPN
 set transform-set TSET
 set isakmp-profile DMVPN
exit

Without using certificate map:

! Phase 1 policy with RSA-signature authentication stated explicitly
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 2
exit
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha256-hmac
exit
!
! IPsec profile with no ISAKMP profile, so no certificate map is consulted
crypto ipsec profile VPNPROF1
 set transform-set TS1
exit

Accepted Solution

Hi,
When you use the "match certificate CERT-MAP-DMVPN" command you are using the OU value of the certificate in order to identify the peer router. Any peer wishing to authenticate must therefore have a valid certificate with an "ou = AZT cn=radiuslocal-CA".

You don't necessarily need to use the certificate map in order to identify peers for authentication; you could specify an IP address or an FQDN. If you are using a certificate for authentication, it's simple to use a certificate map for peer identification, as all routers issued with a certificate from the correct CA will match that certificate map.

HTH

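The accepted answer describes what `match certificate CERT-MAP-DMVPN` does: the peer is accepted only if its certificate satisfies the rules on the map line. The Python below is an added example, not the page's configuration or Cisco code: it models how a map rule such as `subject-name co ou = AZT` is evaluated against a peer certificate, and goes slightly beyond the post by also pinning the issuing CA with an `issuer-name` rule, which is the explicit form of "issued with a certificate from the correct CA". The field names and operators (`co`, `nc`, `eq`, `ne`) follow the IOS CLI; the comparison semantics (case-insensitive, whitespace ignored, subject and issuer handled as single DN strings) and the sample certificates are assumptions of this model.

```python
"""Model of IOS-style certificate map evaluation (added example, not Cisco code).

Assumptions, not statements about the IOS implementation: matching is
case-insensitive, whitespace is ignored, and the subject/issuer are compared
as single DN strings. All certificates below are constructed sample data.
"""
import re

# Operators a certificate map rule can use.
OPERATORS = {
    "co": lambda field, value: value in field,       # contains
    "nc": lambda field, value: value not in field,   # does not contain
    "eq": lambda field, value: field == value,       # equal
    "ne": lambda field, value: field != value,       # not equal
}


def normalize(text):
    """Lower-case and strip whitespace so 'ou = AZT' and 'OU=azt' compare equal (assumed)."""
    return re.sub(r"\s+", "", text).lower()


def parse_rule(line):
    """Split one map line, e.g. 'subject-name co ou = AZT', into (field, operator, value)."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3 or parts[1] not in OPERATORS:
        raise ValueError("not a certificate map rule: %r" % line)
    return parts[0], parts[1], parts[2]


def rule_matches(rule, cert):
    """Evaluate a single (field, operator, value) rule against a certificate dict."""
    field, op, value = rule
    return OPERATORS[op](normalize(cert.get(field, "")), normalize(value))


def certificate_map_matches(rules, cert):
    """A map line is a conjunction: every rule must hold for the peer to match."""
    return all(rule_matches(rule, cert) for rule in rules)


def evaluate_peers(rules, certs):
    """Return {peer name: True/False} for every candidate certificate."""
    return {name: certificate_map_matches(rules, cert) for name, cert in certs.items()}


# Constructed sample peer certificates, subject and issuer as DN strings.
SAMPLE_CERTS = {
    # Issued by the expected CA, in the expected OU: should match.
    "spoke1": {
        "subject-name": "cn=spoke1.radiuslocal.com, ou=AZT, o=Example",
        "issuer-name": "cn=radiuslocal-CA, o=Example",
    },
    # Same CA but a different OU: rejected by the subject-name rule.
    "lab-router": {
        "subject-name": "cn=lab-rtr, ou=LAB, o=Example",
        "issuer-name": "cn=radiuslocal-CA, o=Example",
    },
    # Right OU but issued by another CA: rejected by the issuer-name rule.
    "other-ca": {
        "subject-name": "cn=spoke9, ou=AZT, o=Example",
        "issuer-name": "cn=Some-Other-CA, o=Elsewhere",
    },
}

# One map line with two rules: pin the OU and the issuing CA (hypothetical map, not the post's).
DMVPN_MAP = [
    parse_rule("subject-name co ou = AZT"),
    parse_rule("issuer-name co cn=radiuslocal-CA"),
]

if __name__ == "__main__":
    for peer, ok in evaluate_peers(DMVPN_MAP, SAMPLE_CERTS).items():
        print("%-10s %s" % (peer, "MATCH" if ok else "no match"))
```

Under this model a single `co` value that runs the OU and CN together, like the one in the post, only matches a subject that is rendered with exactly that substring, whereas separate `subject-name` and `issuer-name` rules state the intent directly. Before writing the match string on a real router, check how IOS renders the peer's subject and issuer with `show crypto pki certificates`.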

2 Replies


Dennis Mink (VIP Alumni)

I had an issue with cert authentication in conjunction with DMVPN a while ago, and I was told by TAC to revert to pre-shared keys.

I am not sure if this is an "official" Cisco TAC piece of advice or not. I think practically using certs is somewhat more scalable, with the use of CRLs, compared to PSKs; other than that, one is not much better than the other imho.
