12-12-2018 05:30 PM - edited 02-21-2020 09:31 PM
I followed the following example to set up a Hub-and-Spoke FlexVPN testbed:
(Basic Connectivity Configuration)
The client uses an identity like "Client1@cisco.com", "Client2@cisco.com", etc. But I have an additional requirement. I want additional pre-configured information from the Spoke client, something like a MAC address or serial number, that I can retrieve from the Hub. Something like "Client1+AB233422@cisco.com", "Client2+EB3223444@cisco.com". Such that, from the Hub, I can identify the exact device which is initiating the connection. The additional identity does not need to be secured (meaning it is a configuration on the client), it just should not be pre-configured on the Hub, i.e. the Hub still uses "Client1@cisco.com", "Client2@cisco.com" for authentication.
Can this be done? Can the client supply additional id information during VPN establishment such that the information is visible from the Hub?
12-13-2018 03:54 AM
Hi,
I don't fully understand why you want to do what you want, why do you need to send 2 identities? Just send 1 from the spoke, does this example give you what you need? (I think it should be self-explanatory):-
HUB
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn HUB@cisco.com
SPOKE1
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn Client1+AB233422@cisco.com
SPOKE2
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn Client2+EB3223444@cisco.com
HTH
12-13-2018 07:58 AM - edited 12-13-2018 08:00 AM
What I am saying is, if I switch the hardware. I want the client to switch from "Client2+EB3223444@cisco.com" to "Client2+DE3434345@cisco.com". But I don't want to change the authentication config on the Hub.
"Client2+EB3223444@cisco.com" is just an example. I know EB3223444 is part of the authentication string in this example. I want something that is not part of the authentication but cannot be visible from Hub.
12-13-2018 08:10 AM
12-13-2018 01:15 PM
It won't work for me because the client identity needs to be checked on the Hub. They don't have the same PSK.
12-13-2018 01:29 PM
The client identity is checked on the Hub.
If you need different PSK then match the keyring on the ip address. E.g:-
crypto ikev2 keyring KEYRING
 peer SPOKE1
  identity address 1.1.1.1
  pre-shared-key local Cisco1234
  pre-shared-key remote Cisco1234
 !
 peer SPOKE2
  identity address 2.2.2.2
  pre-shared-key local Cisco5678
  pre-shared-key remote Cisco5678
Does that work for you?
You can still use the fqdn identity in the IKEv2 profile to identify the spoke to the hub
12-13-2018 02:18 PM
Unfortunately, no. The client's WAN IP is dynamically assigned.
12-13-2018 02:42 PM
12-13-2018 07:43 PM
That is an interesting idea!
However, I can't use "Client1@AB233422.cisco.com" because it won't match the domain "cisco.com". The same for FQDN because it is also built on 2 parts - hostname + domain. I fear that if I remove
match identity remote email domain cisco.com
from the Hub, it will weaken my security.
This left me with DN and EAP. I believe DN is certificate based and it is not something I can easily modify (to add that Client1 + AB233422 combination). I don't see an identity local EAP option on the Spoke.
So close!
12-14-2018 08:47 AM
Is there a reason you're using the @ symbol in the fqdn?
If you use something like the below config using a dot and specifying remote fqdn, it should work by just matching the domain.
I'm using this for ikev2 with DMVPN and it works fine.
HUB
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn HUB.cisco.com
SPOKE1
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn Client1+AB233422.cisco.com
12-14-2018 11:09 AM - edited 12-14-2018 11:09 AM
The "@" symbol is for email address based authentication. AFAIK, whether it is email or fqdn, it is really just a two-part string. With email, the delimiter is the "@". With fqdn, the delimiter is the first period (.).
In your example, how do you configure the ikev2 keyring? In my case, it is:
peer Client1
 identity email Client1@cisco.com
 pre-shared-key cisco
I can change it to use fqdn
peer Client1
 identity fqdn Client1.cisco.com
 pre-shared-key cisco
But it won't match Client1-AB233422.cisco.com ('+' is not a valid symbol for fqdn).
12-14-2018 11:36 AM
There's a keyring set up with different peers. I've included the hub and spoke below. But my configuration won't work the way you want since I define the peer specifically by hostname. If the spokes ever change names, I would need to update my hub keyring.
You could just set it for the domain.com only instead of the hostname.domain.com
HUB:
crypto ikev2 keyring HUB-KEYRING
 peer SPOKE-1
  identity fqdn SPOKE-1.xxxxx.com
  pre-shared-key <key>
(or you could try)
 peer ALL-SPOKES
  identity fqdn domain xxxxx.com
  pre-shared-key <key>
SPOKE:
crypto ikev2 keyring SPOKE-KEYRING
 peer HUB
  address <HUB address>
  identity fqdn HUB.xxxxx.com
  pre-shared-key <key>
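As an added example (not from any post in this thread), a small Python model of the identity matching discussed above: it splits email and FQDN identities at the delimiter the OP describes and shows why "Client1@AB233422.cisco.com" fails an "email domain cisco.com" match while "Client1-AB233422.cisco.com" passes an "fqdn domain cisco.com" match and still yields the hardware tag for the hub to read. The split-at-first-delimiter rule and the rejection of "+" in a hostname label are assumptions taken from the thread, not a copy of IOS behaviour.

```python
import re

# Hostname label characters accepted here; the thread notes '+' is not
# valid in an FQDN, so it is rejected (assumption modelled on the OP's remark).
_FQDN_LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def split_identity(identity: str) -> tuple:
    """Split an IKEv2 identity into (type, local_part, domain).

    Constructed model: email identities split at '@', FQDN identities at
    the first '.', as the thread describes. This is an assumption about
    IOS behaviour, not a copy of its implementation.
    """
    if "@" in identity:
        local, domain = identity.split("@", 1)
        return "email", local, domain
    if "." in identity:
        local, domain = identity.split(".", 1)
        if not _FQDN_LABEL.match(local):
            raise ValueError(f"invalid FQDN hostname label: {local!r}")
        return "fqdn", local, domain
    raise ValueError(f"unrecognised identity: {identity!r}")


def matches_profile(identity: str, id_type: str, domain: str) -> bool:
    """Emulate the hub's 'match identity remote <type> domain <domain>'.

    Only the domain part is compared (case-insensitively, as DNS names are),
    so whatever the spoke places in the local part does not affect the match.
    """
    try:
        kind, _, id_domain = split_identity(identity)
    except ValueError:
        return False
    return kind == id_type and id_domain.lower() == domain.lower()


def device_tag(identity: str, sep: str = "-") -> tuple:
    """Recover (client, hardware_tag) from an identity such as
    'Client1-AB233422.cisco.com'; the tag is None when absent."""
    _, local, _ = split_identity(identity)
    client, _, tag = local.partition(sep)
    return client, tag or None
```

The hub can therefore keep a single "fqdn domain" match for authentication while `device_tag` reads the per-device part from the hostname label.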