SafeNet IPsec VPN Client Support
The SafeNet IPsec VPN Client Support feature allows you to limit the scope of an Internet Security Association and Key Management Protocol (ISAKMP) profile or ISAKMP keyring configuration to a local termination address or interface. The benefit of this feature is that different customers can use the same peer identities and ISAKMP keys by using different local termination addresses.
History for the SafeNet IPsec VPN Client Support Feature
|
|
12.3(14)T |
This feature was introduced. |
12.2(18)SXE |
This feature was integrated into Cisco IOS Release 12.2(18)SXE. |
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•Prerequisites for SafeNet IPsec VPN Client Support
•Restrictions for SafeNet IPsec VPN Client Support
•Information About SafeNet IPsec VPN Client Support
•How to Configure SafeNet IPsec VPN Client Support
•Configuration Examples for SafeNet IPsec VPN Client Support
•Additional References
•Command Reference
Prerequisites for SafeNet IPsec VPN Client Support
•You must understand how to configure ISAKMP profiles and ISAKMP keyrings.
Restrictions for SafeNet IPsec VPN Client Support
•The local address option works only for the primary address of an interface.
•If an IP address is provided, the administrator has to ensure that the connection of the peer terminates to the address that is provided.
•If the IP address does not exist on the device, or if the interface does not have an IP address, the ISAKMP profile or ISAKMP keyring will be effectively disabled.
Information About SafeNet IPsec VPN Client Support
Before configuring SafeNet IPsec VPN Client Support, you should understand the following concepts:
•ISAKMP Profile and ISAKMP Keyring Configurations: Background
•Local Termination Address or Interface
ISAKMP Profile and ISAKMP Keyring Configurations: Background
Prior to Cisco IOS Release 12.3(14)T, ISAKMP-profile and ISAKMP-keyring configurations could be only global, meaning that the scope of these configurations could not be limited by any locally defined parameters (VRF instances were an exception). For example, if an ISAKMP keyring contained a preshared key for address 10.11.12.13, the same key would be used if the peer had the address 10.11.12.13, irrespective of the interface or local address to which the peer was connected. There are situations, however, in which users prefer that associate keyrings be bound not only with virtual route forwarding (VRF) instances but also to a particular interface. For example, if instead of VRF instances, there are virtual LANS, and the Internet Key Exchange (IKE) is negotiated with a group of peers using one fixed virtual LAN (VLAN) interface. Such a group of peers uses a single preshared key, so if keyrings could be bound to an interface, it would be easy to define a wildcard key without risking that the keys would also be used for other customers.
Sometimes the identities of the peer are not in the control of the administrator, and even if the same peer negotiates for different customers, the local termination address is the only way to distinguish the peer. After such a distinction is made, if the traffic is sent to different VRF instances, configuring an ISAKMP profile is the only way to distinguish the peer. Unfortunately, when the peer uses an identical identity for all such situations, the ISAKMP profile cannot distinguish among the negotiations. For such scenarios, it would be beneficial to bind ISAKMP profiles to a local termination address. If a local termination address could be assigned, identical identities from the peer would not be a problem.
Local Termination Address or Interface
Effective with Cisco IOS Release 12.3(14)T, the SafeNet IPsec VPN Client Support feature allows you to limit the scope of ISAKMP profiles and ISAKMP keyrings to a local termination address or interface.
Benefit of SafeNet IPsec VPN Client Support
The benefit of this feature is that different customers can use the same peer identities and ISAKMP keys by using different local termination addresses.
How to Configure SafeNet IPsec VPN Client Support
This section contains the following procedures. The first two configurations are independent of each other.
•Limiting an ISAKMP Profile to a Local Termination Address or Interface (required)
•Limiting a Keyring to a Local Termination Address or Interface (required)
•Monitoring and Maintaining SafeNet IPsec VPN Client Support (optional)
•Examples (optional)
Limiting an ISAKMP Profile to a Local Termination Address or Interface
To configure an ISAKMP profile and limit it to a local termination address or interface, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto isakmp profile profile-name
4. keyring keyring-name
5. match identity address address
6. local-address {interface-name | ip-address [vrf-tag]}
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
crypto isakmp profile profile-name
Router (config)# crypto isakmp profile profile1 |
Defines an ISAKMP profile and enters ISAKMP profile configuration mode. |
Step 4 |
keyring keyring-name
Router (conf-isa-profile)# keyring keyring1 |
(Optional) Configures a keyring with an ISAKMP profile. •A keyring is not needed inside an ISAKMP profile for local termination to work. Local termination works even if Rivest, Shamir, and Adelman (RSA) certificates are used. |
Step 5 |
match identity address address
Router (conf-isa-profile)# match identity address 10.0.0.0 255.0.0.0 |
Matches an identity from a peer in an ISAKMP profile. |
Step 6 |
local-address {interface-name | ip-address [vrf-tag]}
Router (conf-isa-profile)# local-address serial2/0 |
Limits the scope of an ISAKMP profile or an ISAKMP keyring configuration to a local termination address or interface. |
Limiting a Keyring to a Local Termination Address or Interface
To configure an ISAKMP keyring and limit its scope to a local termination address or interface, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto keyring keyring-name
4. local-address {interface-name | ip-address [vrf-tag]}
5. pre-shared-key address address
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
crypto keyring keyring-name
Router (config)# crypto keyring keyring1 |
Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode. |
Step 4 |
local-address {interface-name | ip-address [vrf-tag]}
Router (conf-keyring)# local-address serial2/0 |
Limits the scope of an ISAKMP profile or an ISAKMP keyring configuration to a local termination address or interface. |
Step 5 |
pre-shared-key address address
Router (conf-keyring)# pre-shared-key address 10.0.0.1 |
Defines a preshared key to be used for IKE authentication. |
Monitoring and Maintaining SafeNet IPsec VPN Client Support
The following debug and show commands may be used to monitor and maintain the configuration in which you limited the scope of an ISAKMP profile or ISAKMP keyring to a local termination address or interface.
SUMMARY STEPS
1. enable
2. debug crypto isakmp
3. show crypto isakmp profile
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
debug crypto isakmp
Router# debug crypto isakmp |
Displays messages about IKE events. |
Step 3 |
show crypto isakmp profile
Router# show crypto isakmp profile |
Lists all the ISAKMP profiles that are defined on a router. |
Examples
debug crypto isakmp Command Output for an ISAKMP Keyring That Is
Bound to Local Termination Addresses: Example
You have an ISAKMP configuration as follows (the address of serial2/0 is 10.0.0.1, and the address of serial2/1 is 10.0.0.2),
! Scope of the keyring is limited to interface serial2/0.
! The following is the key string used by the peer.
pre-shared-key address 10.0.0.3 key somerandomkeystring
! The following is the keystring used by the peer coming into serial2/1.
pre-shared-key address 10.0.0.3 key someotherkeystring
and if the connection is coming into serial2/0, keyring1 is chosen as the source of the preshared key (and keyring2 is ignored because it is bound to serial2/1), you would see the following output:
Router# debug crypto isakmp
*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):Keyring keyring2 is bound to
*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):Looking for a matching key for
*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0): : success
*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):found peer pre-shared key
*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0): local preshared key found
debug crypto isakmp Command Output for an ISAKMP ProfileThat Is Bound
to a Local Termination Address: Example
If you have the following configuration,
crypto isakmp profile profile1
match identity address 10.0.0.0 255.0.0.0
crypto isakmp profile profile2
match identity address 10.0.0.1 255.255.255.255
and the connection is coming through the local terminal address serial2/0, you will see the following output:
Router# debug crypto isakmp
*Feb 11 15:01:29.935: ISAKMP:(0:0:N/A:0):
Profile profile2 bound to 10.0.0.0 skipped
*Feb 11 15:01:29.935: ISAKMP:(0:1:SW:1):: peer matches profile1 profile
show crypto isakmp profile Command Output: Example
The following is an example of typical show command output for an ISAKMP profile that is bound to serial2/0:
Router# show crypto isakmp profile
ip-address 10.0.0.0 255.0.0.0
Certificate maps matched are:
Interface binding: serial2/0 (10.20.0.1:global)
Troubleshooting SafeNet IPsec VPN Client Support
If an ISAKMP profile or ISAKMP keyring fails to be selected, you should double-check the local-address binding in the ISAKMP profile or ISAKMP keyring configuration and follow the output of the IKE debugs to determine whether the peer is correctly terminating on the address. You may remove the local-address binding (to make the scope of the profile or keyring global) and check to determine whether the profile or keyring is selected to confirm the situation.
Configuration Examples for SafeNet IPsec VPN Client Support
This section contains the following configuration, debug command, and show command examples.
•ISAKMP Profile Bound to a Local Interface: Example
•ISAKMP Keyring Bound to a Local Interface: Example
•ISAKMP Keyring Bound to a Local IP Address: Example
•ISAKMP Keyring Bound to an IP Address and Limited to a VRF: Example
ISAKMP Profile Bound to a Local Interface: Example
The following example shows that the ISAKMP profile is bound to a local interface:
crypto isakmp profile profile1
match identity address 10.0.0.0 255.0.0.0
local-address serial2/0
ISAKMP Keyring Bound to a Local Interface: Example
The following example shows that the ISAKMP keyring is bound only to interface serial2/0:
pre-shared-key address 10.0.0.1
ISAKMP Keyring Bound to a Local IP Address: Example
The following example shows that the ISAKMP keyring is bound only to IP address 10.0.0.2:
pre-shared-key address 10.0.0.2 key
ISAKMP Keyring Bound to an IP Address and Limited to a VRF: Example
The following example shows that an ISAKMP keyring is bound to IP address 10.34.35.36 and that the scope is limited to VRF examplevrf1:
local-address 10.34.35.36 examplevrf1
ip vrf forwarding examplevrf1
ip address 10.34.35.36 255.255.0.0
Additional References
The following sections provide references related to SafeNet IPsec VPN Client Support.
Related Documents
Standards
|
|
No new or modified standards are supported by this feature. |
— |
MIBs
|
|
No new or modified MIBs are supported by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
|
|
No new or modified RFCs are supported by this feature. |
— |
Technical Assistance
|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
http://www.cisco.com/techsupport |
Command Reference
The following commands are introduced or modified in the feature or features
•local-address
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007-2010 Cisco Systems, Inc. All rights reserved.