05-31-2018 05:30 AM - edited 03-12-2019 05:20 AM
Hi experts, we have a requirement to set up an IPsec VPN tunnel. The requirements are:
1. The certificates used are "copy & paste" certificates from a CA. There is no CA available and reachable from either router.
2. All certificates (Root, Intermediate and ID certificates) are successfully imported.
3. The IKEv2 parameters are defined as IKEv2 hash = SHA256, DH group = 20, IPsec protocol = ESP, IPsec hash = SHA256 & IPsec encryption = AES256.
4. We have defined 3 trustpoints, one for each certificate that was successfully imported.
Now the question is: we have searched the internet for some clues on how to configure IKEv2 with certificates, but we could not find any except this:
https://supportforums.cisco.com/t5/vpn/ikev2-with-certificates/td-p/2087717
According to the above link, there is a command:
crypto pki certificate map CRT 10
issuer-name co csfc
We do not have the above commands, and is it mandatory? We need to be sure, as we try to understand each command set before we configure this. Any help is appreciated! Thank you!
05-31-2018 05:36 AM - edited 05-31-2018 05:39 AM
Hi Marcus,
I've done this many a time.
This post shows you how to enroll a Cisco IOS Router manually (terminal enrollment) and this post shows you how to configure FlexVPN (IKEv2) with certificate authentication (this should help with the query regarding the Cert Map).
If you don't have those commands, what license do you have on the router?
HTH
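For readers following this thread, below is a worked IOS FlexVPN configuration that matches the parameters stated in the question (SHA256, DH group 20, ESP with AES-256 and SHA256) and shows where the certificate map from the linked post fits in. It is an added example, not the original poster's or the replier's configuration. Trustpoint names (ROOT-TP, INTERMEDIATE-TP, ID-TP), the key pair name VPN-KEY, the issuer string after `issuer-name co`, RSA-signed certificates (use `ecdsa-sig` instead of `rsa-sig` if the ID certificate carries an EC key), and the addresses on Tunnel0 are all assumptions for illustration.

```cisco
! --- Trustpoints for the manually (terminal) enrolled chain ---
! One trustpoint per certificate, as in the question. Each child trustpoint
! continues validation into its parent so the full chain is checked.
crypto pki trustpoint ROOT-TP
 enrollment terminal
 revocation-check none          ! no CA/CRL/OCSP reachable from the routers
!
crypto pki trustpoint INTERMEDIATE-TP
 enrollment terminal
 revocation-check none
 chain-validation continue ROOT-TP
!
crypto pki trustpoint ID-TP
 enrollment terminal
 revocation-check none
 chain-validation continue INTERMEDIATE-TP
 rsakeypair VPN-KEY              ! assumed key pair name; must match the ID cert
!
! --- Certificate map: which peer certificates this profile accepts ---
! "co" means "contains"; the string is the (assumed) issuer CN of the
! intermediate CA. An IKEv2 profile needs at least one match statement,
! and with certificate authentication this is the usual one.
crypto pki certificate map CRT 10
 issuer-name co <issuer-string>
!
! --- IKEv2 (phase 1) crypto: AES-256, SHA256 integrity, DH group 20 ---
crypto ikev2 proposal PROP
 encryption aes-cbc-256
 integrity sha256
 group 20
!
crypto ikev2 policy POL
 proposal PROP
!
! --- IKEv2 profile: certificate authentication in both directions ---
crypto ikev2 profile PROF
 match certificate CRT           ! peer cert must match the map above
 identity local dn               ! send our certificate DN as IKE identity
 authentication remote rsa-sig   ! assumed RSA; use ecdsa-sig for EC certs
 authentication local rsa-sig
 pki trustpoint ID-TP            ! our certificate and key for signing
!
! --- IPsec (phase 2): ESP with AES-256 and SHA256 HMAC ---
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile PROF
!
! --- Route-based tunnel; addresses are placeholders ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
```

The remote router gets the mirror image (its own ID trustpoint, the same Root and Intermediate, swapped tunnel source/destination, and .2 on Tunnel0). Before bringing the tunnel up, confirm the chain with `show crypto pki certificates`, and after it is up check `show crypto ikev2 sa` and `show crypto ipsec sa`; if authentication fails, `debug crypto ikev2` will show whether the peer certificate was rejected by chain validation or by the certificate map.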
05-31-2018 06:17 PM
05-31-2018 10:34 PM
06-01-2018 02:17 AM
Yes, the root certificate needs to be on the local and remote routers.