12-02-2008 12:10 PM - edited 02-21-2020 04:03 PM
Hello
I need some help with the usage of RSA certificates in IPsec. The question is what fields are checked during ISAKMP RSA authentication (e.g. certificate subject and peer identity?)
I use very simple topology:
R1(10.0.12.1)<------>(10.0.12.2)R2(10.0.23.2)<--------->(10.0.23.3)R3
I try to establish an IPsec tunnel between R1 and R3 using RSA signatures for ISAKMP authentication (default method). The certificates are issued by a fourth router acting as a PKI server and are manually inserted in R1 and R3.
IPsec communication is established correctly between R1 and R3. What I cannot understand is that even when I change the R3 IP address from 10.0.23.3 -> 10.0.23.33 and the hostname from R3 -> R33 (without getting a new certificate), IPsec is still correctly established!!!
-What does ISAKMP authentication do when certificates are used???
-What are the fields that each peer checks?
I would assume that the router extracts the IP address or the FQDN from the subject of its peer's certificate, then checks whether these values are indeed equal to the identity supplied by the peer.
(Unfortunately it did not work as I expected in my case.)
The crypto related config for the routers is:
R1
=========================
ip domain name ssl.com
ip host R3.ssl.com 10.0.23.3
crypto pki trustpoint CA_ROOT
enrollment terminal
usage ike
serial-number none
ip-address 10.0.12.1
subject-name C=US, O=ssl.com, OU=bull
revocation-check none
crypto isakmp policy 10
hash md5
crypto ipsec transform-set myset esp-null esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set transform-set myset
match address 102
set peer 10.0.23.33 (after the change)
R3
===========================
ip domain name ssl.com
ip host R1.ssl.com 10.0.12.1
crypto pki trustpoint CA_ROOT
enrollment terminal
usage ike
serial-number none
ip-address 10.0.23.3
subject-name C=US, O=ssl.com, OU=bull
revocation-check none
crypto isakmp policy 10
hash md5
crypto ipsec transform-set myset esp-null esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 10.0.12.1
set transform-set myset
match address 102
The certificate in R3 remains the same with subject:
Subject:
Name: R3.ssl.com
IP Address: 10.0.23.3
ipaddress=10.0.23.3+hostname=R3.ssl.com
c=US
o=ssl.com
ou=bull
P.S.
The only way I managed to make the previous setup work as I expected (successful IPsec connectivity initially, loss of connectivity when the IP or the hostname of R3 changed without getting a new certificate) was by using a certificate map in R1. That map defined the expected subject of the peer's certificate.
Is this the way that certificate based authentication is supposed to work?
When ISAKMP uses RSA signatures for authentication, should both peers employ certificate maps to verify that the identity described in the subject of the supplied certificate indeed matches the identity of the peer??
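As an added example, not part of the original post or of any Cisco documentation: a configuration fragment for R1 that ties ISAKMP RSA-signature authentication to the peer's certificate subject with a certificate map attached to the trustpoint, which is the approach the post above found to work. The map name PEER_R3 is an assumption; the subject values are the ones quoted from the R3 certificate above, and the exact attribute strings to match (hostname=, ipaddress=, ou=) should be checked against the peer's certificate as shown by `show crypto pki certificates`, since matching is done against that rendered subject string.

```cisco
! Certificate map (assumed name PEER_R3): a peer certificate is accepted only if
! its subject contains all of these values. "co" = contains; matching is
! case-insensitive. Values taken from the R3 certificate quoted in the post.
crypto pki certificate map PEER_R3 10
 subject-name co hostname=r3.ssl.com
 subject-name co ipaddress=10.0.23.3
 subject-name co ou=bull
 issuer-name co o=ssl.com
!
! Attach the map to the trustpoint used for IKE on R1. With "match certificate"
! a peer certificate that chains to CA_ROOT but whose subject does not satisfy
! PEER_R3 is rejected, so a peer that keeps an old certificate after changing
! its address or hostname no longer authenticates against a map for the new
! identity (the behaviour the post observed once a map was added).
crypto pki trustpoint CA_ROOT
 enrollment terminal
 usage ike
 serial-number none
 ip-address 10.0.12.1
 subject-name C=US, O=ssl.com, OU=bull
 revocation-check none
 match certificate PEER_R3
```

The same map can be referenced from `match certificate` under a `crypto isakmp profile` instead of the trustpoint when different peers should be bound to different expected subjects; in either placement the check is per peer certificate, so for the symmetric case R3 would carry an equivalent map describing R1's certificate.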
12-08-2008 02:53 PM
To configure ISAKMP policies, in global configuration mode, use the crypto isakmp policy command with its various arguments. The syntax for ISAKMP policy commands is as follows:
crypto isakmp policy priority attribute_name [attribute_value | integer]
You must include the priority in each of the ISAKMP commands. The priority number uniquely identifies the policy, and determines the priority of the policy in ISAKMP negotiations.
To enable and configure ISAKMP, complete the steps in the below URL:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1042302
09-10-2013 06:04 AM
Hi
I am trying a similar scenario.
I am trying to create an IPsec tunnel between 2 routers and a third router is the CA server.
After I receive the certificates, ping fails between the 2 routers.
Can you send me a working configuration?
tx
Roee