Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
Distinguished Name Based Crypto Maps
Downloads: This chapterpdf (PDF - 130.0KB) The complete bookPDF (PDF - 904.0KB) | Feedback

Distinguished Name Based Crypto Maps

Distinguished Name Based Crypto Maps

Last Updated: September 14, 2012

The Distinguished Name Based Crypto Maps feature allows you to set restrictions in the router configuration that prevent peers with specific certificates--especially certificates with particular DNs-- from having access to selected encrypted interfaces.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Distinguished Name Based Crypto Maps

Before configuring a distinguished name (DN) based crypto map, you must perform the following tasks:

  • Create an Internet Key Exchange (IKE) policy at each peer.

For more information on creating IKE policies and crypto map entries, refer to Configuring Internet Key Exchange for IPsec VPNs

Restrictions for Distinguished Name Based Crypto Maps

System Requirements

To configure this feature, your router must support IP Security (IPsec).

Performance Impact

If you restrict access to a large number of DNs, it is recommended that you specify a few number of crypto maps referring to large identity sections instead of specifying a large number of crypto maps referring to small identity sections.

Information About Distinguished Name Based Crypto Maps

Feature Overview

The Distinguished Name Based Crypto Maps feature allows you to configure the router to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular Distinguished Names (DNs).

This feature allows you to configure which crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, thereby enabling you to control which encrypted interfaces a peer with a specified DN can access.

How to Configure Distinguished Name Based Crypto Maps

Configuring DN Based Crypto Maps (authenticated by DN)

To configure a DN based crypto map that can be used only by peers that have been authenticated by a DN, perform the following steps.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    crypto identity name

4.    dn name =string [,name=string]


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
crypto identity name


Example:

Router (config)# crypto identity sample-com

 

Configures the identity of a router with the given list of DNs in the certificate of the router and enters crypto identity configuration mode.

 
Step 4
dn name =string [,name=string]


Example:

Router(crypto-identity)# dn ou=mystring

 

Associates the identity of the router with the DN in the certificate of the router.

The identity of the peer must match the identity in the exchanged certificate.

 

Configuring DN Based Crypto Maps (authenticated by hostname)

To configure a DN based crypto map that can be used only by peers that have been authenticated by a hostname, perform the following steps.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    crypto identity name

4.    fqdn name


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
crypto identity name


Example:

Router (config)# crypto identity sample-com

 

Configures the identity of a router with the given list of DNs in the certificate of the router and enters crypto identity configuration mode.

 
Step 4
fqdn name


Example:

Router (crypto-identity)# fqdn sample.com

 

Associates the identity of the router with the hostname that the peer used to authenticate itself.

Note    The identity of the peer must match the identity in the exchanged certificate.
 

Applying Identity to DN Based Crypto Maps

To apply the identity (within the crypto map context), perform the following steps.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    crypto map map-name seq-num ipsec-isakmp

4.    set identity name


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
crypto map map-name seq-num ipsec-isakmp


Example:

Router (config)# crypto map mymap 10 ipsec-isakmp

 

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

 
Step 4
set identity name


Example:

Router (config-crypto-map)# set identity sample-com

 

Applies the identity to the crypto map.

When this command is applied, only the hosts that match a configuration listed within the set identity name can use the specified crypto map.

If the set identity command does not appear within the crypto map, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.

 

Verifying DN Based Crypto Maps

To verify that this functionality is properly configured, perform the following steps.

SUMMARY STEPS

1.    enable

2.    show crypto identity


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
show crypto identity


Example:

Router# show crypto identity

 

Displays the configured identities.

 

Troubleshooting Tips

If an encrypting peer attempts to establish a connection that is blocked by the DN based crypto map configuration, the following error message will be logged:

<time>: %CRYPTO-4-IKE_QUICKMODE_BAD_CERT: encrypted connection attempted with a peer without the configured certificate attributes.

Configuration Examples for Distinguished Name Based Crypto Maps

DN Based Crypto Map Configuration Example

The following example shows how to configure DN based crypto maps that have been authenticated by DN and hostname. Comments are included inline to explain various commands.

! DN based crypto maps require you to configure an IKE policy at each peer.
crypto isakmp policy 15
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 172.31.224.33
!
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only 
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset
 set identity to-bigbiz
 match address 124
!
crypto identity to-bigbiz
 dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset 
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn little.com
!

Additional References

Related Documents

Related Topic

Document Title

Internet Key Exchange and IPsec

Configuring Internet Key Exchange for IPsec VPNs

Security commands

Cisco IOS Security Command Reference

Standards

Standard

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

--

MIBs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

--

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for Distinguished Name Based Crypto Maps

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Distinguished Name Based Crypto Maps

Feature Name

Releases

Feature Information

Distinguished Name Based Crypto Maps

Cisco IOS XE Release 2.1

This feature allows you to configure the router to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular Distinguished Names (DNs).

The following commands were introduced or modified: crypto identity, dn, fqdn, and identity.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.