01-14-2015 07:08 PM
Hello
I'm designing a new dual cloud/dual hub DMVPN network.
The spoke routers will have
This works fine if I use the 'shared' keyword with the tunnel protect command on the tunnels.
But I need to make it work with the new IKE profile based tunnel selection.
My issue is what 'match' criteria to use so I can uniquely identify RED or BLUE spokes in an IKE profile.
All the spokes will be using a common Domain so I can't use fqdn or email to identify them.
I can't match on certificate because that is also common for the spoke and will be used for both RED and BLUE
So I'm stumped on what match criteria to use!!
01-16-2015 02:07 AM
Hello, Wes Smith.
Are you planning to use the same certificates for RED and BLUE? If it is not the same certificate, you can try using an OU to separate them.
01-16-2015 06:12 AM
Hi
As far as I know, the spokes can only have one identity and it gets used for both DMVPN clouds.
This means they have common attributes for both tunnels
I'm really stumped on how one would ever have a spoke use this profile-based tunnel selection feature to identify which profile should be used for an incoming IKE request.
01-16-2015 07:07 AM
Hi, Wes.
At each branch you have 2 different PKI certificates (I think you have :) ), one for each cloud. In the first certificate you can set OU=RED and in the second OU=BLUE.
And on each hub router you can add these lines:
crypto ca certificate map CERF_MAP_RED 10
subject-name attr ou eq RED
exit
crypto ca certificate map CERF_MAP_BLUE 10
subject-name attr ou eq BLUE
exit
crypto isakmp profile RED
match certificate CERF_MAP_RED
exit
crypto isakmp profile BLUE
match certificate CERF_MAP_BLUE
exit
crypto ipsec profile BLUE
set isakmp-profile BLUE
exit
crypto ipsec profile RED
set isakmp-profile RED
exit
But I haven't tested this solution on routers (only on an ASA).
And OU is not the only field you can use in certificates.
01-16-2015 08:12 AM
There is a common CA and the routers only have 1 cert each.
I don't think I can have two certs from the same CA?
I think the crux of this problem is how to make the routers identify themselves uniquely depending on the tunnel interface used.
It would be great if we could use the NHRP or tunnel key, but that isn't part of the IKE setup.
Still Stumped
01-18-2015 03:23 AM
Hi, Wes Smith.
I found this solution: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/27860-ios-enhanced-enrollment.html
But in that solution they tried to use different CA servers. So my suggestion is this: can you try creating 2 different trustpoints with the same server URL but different subject-name, and enroll a certificate from each trustpoint?
I wanted to test it before sending you the information, but I don't have a spare router with me right now.
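What the two replies above sketch (an OU in each spoke certificate, two trustpoints enrolled against the same CA, and certificate maps on the hub) would look like in IKEv2 syntax, as an added example that is not from the thread and was not tested here. The CA URL, device names, key labels, trustpoint names and the IPSEC_DMVPN profile name are assumptions, and the approach relies on the CA being willing to issue two certificates to the same spoke with different subject names:

```ios
! ---- Spoke: two trustpoints, same CA, different subject-name OU ----
! Added example, untested; ca.example.com, spoke1, KEY_RED/KEY_BLUE are
! assumed names. Each trustpoint enrolls for its own certificate.
crypto pki trustpoint TP_RED
 enrollment url http://ca.example.com:80
 subject-name CN=spoke1.example.com,OU=RED
 fqdn spoke1.example.com
 rsakeypair KEY_RED
 revocation-check none
!
crypto pki trustpoint TP_BLUE
 enrollment url http://ca.example.com:80
 subject-name CN=spoke1.example.com,OU=BLUE
 fqdn spoke1.example.com
 rsakeypair KEY_BLUE
 revocation-check none
!
! Exec mode, once per trustpoint:
!   crypto pki authenticate TP_RED
!   crypto pki enroll TP_RED
!   crypto pki authenticate TP_BLUE
!   crypto pki enroll TP_BLUE
!
! Spoke IKEv2 profiles: each signs with the certificate of its own cloud.
crypto ikev2 profile IKE_RED
 match fvrf INET
 match identity remote fqdn domain example.com
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_RED
!
crypto ikev2 profile IKE_BLUE
 match fvrf INET
 match identity remote fqdn domain example.com
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_BLUE
!
interface Tunnel10
 tunnel protection ipsec profile IPSEC_DMVPN ikev2-profile IKE_RED
!
interface Tunnel11
 tunnel protection ipsec profile IPSEC_DMVPN ikev2-profile IKE_BLUE
!
! ---- Hub: one certificate (TP_HUB); the profile is selected by the OU ----
! ---- carried in the spoke's certificate, not by the IKE identity sent. ----
crypto pki certificate map CERT_MAP_RED 10
 subject-name co ou = red
!
crypto pki certificate map CERT_MAP_BLUE 10
 subject-name co ou = blue
!
crypto ikev2 profile IKE_RED
 match fvrf INET
 match certificate CERT_MAP_RED
 identity local fqdn hub1.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_HUB
!
crypto ikev2 profile IKE_BLUE
 match fvrf INET
 match certificate CERT_MAP_BLUE
 identity local fqdn hub1.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_HUB
!
interface Tunnel10
 tunnel protection ipsec profile IPSEC_DMVPN ikev2-profile IKE_RED
!
interface Tunnel11
 tunnel protection ipsec profile IPSEC_DMVPN ikev2-profile IKE_BLUE
```

`show crypto pki certificates TP_RED` and `show crypto pki certificates TP_BLUE` confirm that both certificates were actually issued, and `show crypto ikev2 sa detailed` shows which identity and profile each SA ended up with. `revocation-check none` is a lab setting only; in production keep CRL or OCSP checking on both trustpoints. The property worth noting about this variant is that the selection key sits inside a CA-signed certificate, so a spoke that only holds the RED certificate cannot talk its way into the BLUE profile.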
01-28-2015 03:10 PM
Turns out you can specify a unique identity in the IKEv2 profile.
I used two different email identities: spoke@tunnel10.com and spoke@tunnel11.com. Using FQDN for the identity works as well.
The match statement uses the email 'domain' keyword, so it's only looking for tunnel10.com or tunnel11.com.
I think your suggestion of using different OUs may work as well. I will try later.
Looks like this
crypto ikev2 profile CRY_IKE_PROFILE_TUNNEL10
match fvrf INET
match identity remote email domain tunnel10.com
identity local email spoke@tunnel10.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint blahblah
dpd 30 5 on-demand
crypto ikev2 profile CRY_IKE_PROFILE_TUNNEL11
match fvrf INET
match identity remote email domain tunnel11.com
identity local email spoke@tunnel11.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint blahblah
dpd 30 5 on-demand
! IKEv2 profile removed from the IPsec profile
crypto ipsec profile CRY_IPSEC_PROFILE1
set transform-set CRY_IPSEC_TRANSFORM1
set pfs group14
Specify the IKEv2 profile to use on the tunnel protection command:
interface Tunnel10
tunnel protection ipsec profile CRY_IPSEC_PROFILE1 ikev2-profile CRY_IKE_PROFILE_TUNNEL10
interface Tunnel11
tunnel protection ipsec profile CRY_IPSEC_PROFILE1 ikev2-profile CRY_IKE_PROFILE_TUNNEL11
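The identity-based variant above, filled out on both sides as an added example that is not the poster's configuration: one hub terminating both clouds from the same source interface, and one spoke with a single certificate and two tunnels pointing at the same hub NBMA address, which is exactly the case that otherwise needs the `shared` keyword. Addresses, interface names, NHRP values, TP_COMMON and IPSEC_DMVPN are assumptions; tunnel10.com and tunnel11.com are the identity domains from the post. An IKEv2 proposal and policy for VRF INET are assumed to exist and are not shown.

```ios
! ---- Hub: one certificate, both clouds sourced from GigabitEthernet0/0 ----
! Added example; addresses, names and TP_COMMON are assumptions.
! The spoke's email identity, not its certificate, selects the profile.
crypto ikev2 profile IKE_TUNNEL10
 match fvrf INET
 match identity remote email domain tunnel10.com
 identity local email hub1@tunnel10.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_COMMON
 dpd 30 5 on-demand
!
crypto ikev2 profile IKE_TUNNEL11
 match fvrf INET
 match identity remote email domain tunnel11.com
 identity local email hub1@tunnel11.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_COMMON
 dpd 30 5 on-demand
!
crypto ipsec transform-set TS_AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
! No "set ikev2-profile" here: the profile is bound on the tunnel, so one
! IPsec profile serves both clouds without the "shared" keyword.
crypto ipsec profile IPSEC_DMVPN
 set transform-set TS_AES256
 set pfs group14
!
interface Tunnel10
 ip address 10.10.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel vrf INET
 tunnel protection ipsec profile IPSEC_DMVPN ikev2-profile IKE_TUNNEL10
!
interface Tunnel11
 ip address 10.11.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 11
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 11
 tunnel vrf INET
 tunnel protection ipsec profile IPSEC_DMVPN ikev2-profile IKE_TUNNEL11
!
! ---- Spoke: one certificate, two tunnels to the same hub NBMA address ----
! Transform-set and IPsec profile are identical to the hub's (not repeated).
crypto ikev2 profile IKE_TUNNEL10
 match fvrf INET
 match identity remote email domain tunnel10.com
 identity local email spoke1@tunnel10.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_COMMON
 dpd 30 5 on-demand
!
crypto ikev2 profile IKE_TUNNEL11
 match fvrf INET
 match identity remote email domain tunnel11.com
 identity local email spoke1@tunnel11.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP_COMMON
 dpd 30 5 on-demand
!
interface Tunnel10
 ip address 10.10.0.11 255.255.255.0
 ip nhrp network-id 10
 ip nhrp nhs 10.10.0.1 nbma 192.0.2.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel vrf INET
 tunnel protection ipsec profile IPSEC_DMVPN ikev2-profile IKE_TUNNEL10
!
interface Tunnel11
 ip address 10.11.0.11 255.255.255.0
 ip nhrp network-id 11
 ip nhrp nhs 10.11.0.1 nbma 192.0.2.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 11
 tunnel vrf INET
 tunnel protection ipsec profile IPSEC_DMVPN ikev2-profile IKE_TUNNEL11
```

To verify, `show crypto session detail` lists each session under its Tunnel interface, and `show crypto ikev2 sa detailed` shows the Local id / Remote id pair actually negotiated, so a spoke that landed in the wrong profile is visible there. For a second hub, add one more `ip nhrp nhs ... nbma ... multicast` line per spoke tunnel. The caveat to keep in mind: both email identities are asserted by the spoke and signed with the same certificate, so the identity chooses the profile but is not an authorization boundary; any spoke holding a valid certificate from the common CA can present spoke1@tunnel11.com and be placed in the BLUE profile. That is also what the `%CRYPTO-6-IKMP_NO_ID_CERT_USER_FQDN_MATCH` message in the follow-up reports: the identity is an email address (ID type 3) and the certificate carries no user FQDN to compare it against.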
01-28-2015 03:12 PM
Forgot to add.
I get this message now.
%CRYPTO-6-IKMP_NO_ID_CERT_USER_FQDN_MATCH: ID of spoke@tunnel10.com (type 3) and certificate user fqdn with empty.
I think this is a result of changing the identity to something other than the fqdn in the certificate.
It doesn't seem to affect anything.
01-28-2015 10:31 PM
Hi, Wes Smith.
Yes, it's as you said. Your VPN server checks the FQDN of your router against the FQDN in the certificate and sees that they don't match, and for this reason it gives you the error.
I'm glad that all works well.
Best Regards.