000019822 - How to set up Cisco routers to establish IPsec tunnels using DN-based certificate authentication

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019822
Applies To: Keon Certificate Authority 6.0.2
            Cisco IOS 12.8
            Cisco Router
            Microsoft Windows 2000 Server SP1
            SCEP
Issue: How to set up Cisco routers to establish IPsec tunnels using DN-based certificate authentication
       Certificate attribute issues when making a request from Cisco routers via SCEP
Cause: Cisco IOS 12.4 cannot make a certificate request with an OU in the DN.
Resolution: The latest IOS (12.8) adds this capability when the enrollment CA (trustpoint) is declared in IOS; the configured subject name is then included in the certificate request:

Requesting a certificate with the required DN:

DNs are essentially a series of attributes with specified values. One example of a DN would be:
OU=nsite,CN=nsite-cert,O=Cisco,C=USA

The most commonly used attributes are:

String   X.500 AttributeType

CN       commonName
L        localityName
ST       stateOrProvinceName
O        organizationName
OU       organizationalUnitName
C        countryName
STREET   streetAddress
DC       domainComponent
UID      userid

[For full details, please see RFC 2253 available at http://www.ietf.org/rfc/rfc2253.txt?number=2253]

One very important thing to understand is that any of the DN values used for authentication must appear in the "Subject" line of the certificate. This will happen only if these values are specified at the time the certificate is requested.

For example, suppose we want a router to identify itself with the DN values in the example above. The fields must be specified during enrollment as follows:

     ! Trustpoint for the enrollment CA (the IOS command is "crypto ca trustpoint")
     crypto ca trustpoint Cisco.com
        enrollment mode ra
        enrollment url http://100.1.1.5:80
        ! These attributes end up in the Subject of the requested certificate
        subject-name OU=nsite,CN=nsite-cert,O=Cisco,C=USA
        crl optional
     exit

(The default subject name is the FQDN of the router.)


Specify that the router will use the DN as its identity:

This is very straightforward. The required command is:

crypto isakmp id dn


On the receiving end, configure a check for this DN:

First, configure the crypto id desired and then associate it with the correct crypto map:

crypto id from_moab
  dn OU=nsite,CN=nsite-cert,O=Cisco,C=USA

! Crypto map entry; "set identity" ties the DN check to this peer
crypto map crypmap 1 ipsec-isakmp
   set peer 1.1.1.1
   set transform-set some_trans
   set identity from_moab
   match address some_acl

Some clarifications regarding crypto id:

A crypto id can have several DNs specified under it. For example:

crypto id from_moab
  dn OU=nsite,CN=nsite-cert,O=Cisco,C=USA
  dn  OU=tac
  dn  CN=tac-cert
  dn  O=Nortel
  fqdn  moab.Cisco.com

The thing to remember is that it is enough for any one of the several DNs specified to be valid. I.e. when multiple DNs are specified, the router essentially treats them as if there was an "OR" between them. However, when multiple attributes are specified for a DN, all of the attributes must match; i.e. all the individual attributes are "AND"ed.

So, in the above example, it is enough if any one of the DNs is matched; i.e. the remote end could present a DN with only O=Nortel and that would be enough.

However, if the router receives a DN of:

dn OU=nsite,CN=nsite-cert,O=Cisco,C=IN

then the DN check will fail, since C=IN instead of "US". This is because the crypto id specified on the router is looking for "OU=nsite AND CN=nsite-cert AND O=Cisco AND C=US", and the DN received is "OU=nsite AND CN=nsite-cert AND O=Cisco AND C=IN".

So, to reiterate, if you are looking to match dn (OU=nsite OR CN=nsite-cert OR O=Cisco), you would configure:

crypto id from_moab
  dn OU=nsite
  dn CN=nsite-cert
  dn O=Cisco

and if you are looking to match dn (OU=nsite AND CN=nsite-cert AND O=Cisco), you would configure:

crypto id from_moab
  dn OU=nsite,CN=nsite-cert,O=Cisco
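To make the OR-between-entries / AND-within-a-DN rule concrete, here is an added Python example (not from the article or from Cisco): a small matcher that parses RFC 2253 style DN strings and evaluates a crypto identity against a peer certificate subject. It assumes attribute types compare case-insensitively and values compare exactly, which is a simplification of how IOS itself compares; the FROM_MOAB identity mirrors the from_moab example above.

```python
import re

# Added example (not from the article or Cisco): models the IOS crypto identity
# matching rules the text describes. Each "dn" line is a set of attributes that
# must ALL be present in the peer's certificate subject (AND); several dn/fqdn
# lines under one identity are alternatives (OR). Assumption: attribute types
# compare case-insensitively and values exactly; real IOS may differ in detail.

def parse_dn(dn):
    """Split an RFC 2253 style DN string into a {TYPE: value} dict.
    Commas escaped as "\\," inside a value are kept as part of the value."""
    attrs = {}
    for rdn in re.split(r'(?<!\\),', dn):
        if '=' not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        typ, val = rdn.split('=', 1)
        attrs[typ.strip().upper()] = val.strip().replace('\\,', ',')
    return attrs

def dn_matches(pattern, subject):
    """AND semantics: every attribute in the configured dn must match."""
    want, have = parse_dn(pattern), parse_dn(subject)
    return all(have.get(typ) == val for typ, val in want.items())

def identity_matches(identity, subject_dn, peer_fqdn=None):
    """OR semantics across the dn/fqdn entries of one crypto identity.
    identity is a list of ("dn", "<dn string>") or ("fqdn", "<hostname>")
    tuples, one per line under 'crypto id <name>'."""
    for kind, value in identity:
        if kind == "dn" and dn_matches(value, subject_dn):
            return True
        if kind == "fqdn" and peer_fqdn and value.lower() == peer_fqdn.lower():
            return True
    return False

# Constructed identity mirroring the article's from_moab example.
FROM_MOAB = [
    ("dn", "OU=nsite,CN=nsite-cert,O=Cisco,C=USA"),
    ("dn", "OU=tac"),
    ("dn", "CN=tac-cert"),
    ("dn", "O=Nortel"),
    ("fqdn", "moab.Cisco.com"),
]

if __name__ == "__main__":
    # The C=IN subject from the text fails the full-DN entry and matches no other.
    print(identity_matches(FROM_MOAB, "OU=nsite,CN=nsite-cert,O=Cisco,C=IN"))
```

The single-entry identity from the AND example accepts a subject with extra attributes (C=IN is simply not checked), while the three-entry OR identity accepts any subject carrying just one of the listed attributes.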

Examples of certificates on routers showing the DN attributes:

Certificate obtained after specifying the following at enrollment:
crypto ca trustpoint cisco.com
enrollment url http://100.1.1.5:80
subject-name CN=xyvenus4, OU=xynsite, O=xycisco
crl optional

VENUS-4# sho cry ca cert
Certificate
 Status: Available
 Certificate Serial Number: 1D
 Certificate Usage: General Purpose
 Issuer:
   CN = Certificate Manager
    OU =<> my_ipsec
    O =<> my_nsite
    C = US
 Subject:
   Name: VENUS-4.cisco.com
   OID.1.2.840.113549.1.9.2 =<16> VENUS-4.cisco.com
    CN = xyvenus4
    OU = xynsite
    O = xycisco
 Validity Date:
   start date: 13:41:11 edt Jun 13 2002
   end   date: 13:41:11 edt Jun 13 2003
   renew date: 19:00:00 est Dec 31 1969
 Associated Trustpoints: cisco.com

CA Certificate
 Status: Available
 Certificate Serial Number: 01
 Certificate Usage: Signature
 Issuer:
   CN = Certificate Manager
    OU =<> my_ipsec
    O =<> my_nsite
    C = US
 Subject:
   CN = Certificate Manager
    OU =<> my_ipsec
    O =<> my_nsite
    C = US
 Validity Date:
   start date: 00:00:00 edt May 20 2002
   end   date: 00:00:00 edt May 20 2004
 Associated Trustpoints: cisco.com


VENUS-4#


If no subject name is specified during the enrollment, the certificates look like:

crypto ca trustpoint cisco.com
enrollment url http://100.1.1.5:80
crl optional

VENUS-8#sho cry ca cert
Certificate
 Status: Available
 Certificate Serial Number: 20
 Certificate Usage: General Purpose
 Issuer:
   CN = Certificate Manager
    OU =<> my_ipsec
    O =<> my_nsite
    C = US
Legacy Article ID: a12666
