Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS Release 15.1M&T
Distinguished Name Based Crypto Maps
Downloads: This chapterpdf (PDF - 129.0KB) | Feedback

Distinguished Name Based Crypto Maps

Table Of Contents

Distinguished Name Based Crypto Maps

Feature Overview

Benefits

Restrictions

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuring DN Based Crypto Maps (authenticated by DN)

Configuring DN Based Crypto Maps (authenticated by hostname)

Applying Identity to DN Based Crypto Maps

Verifying DN Based Crypto Maps

Troubleshooting Tips

Configuration Examples

DN Based Crypto Map Configuration Example

Command Reference


Distinguished Name Based Crypto Maps


Feature History

Release
Modification

12.2(4)T

This feature was introduced.


This feature module describes the Distinguished Name Based Crypto Map feature in Cisco IOS Release 12.2(4)T. It includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuration Examples

Command Reference

Feature Overview

The Distinguished Name Based Crypto Maps feature allows you to configure the router to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular Distinguished Names (DNs).

Previously, if the router accepted a certificate or a shared secret from the encrypting peer, Cisco IOS did not have a method of preventing the peer from communicating with any encrypted interface other than the restrictions on the IP address of the encrypting peer. This feature allows you to configure which crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, thereby, enabling you to control which encrypted interfaces a peer with a specified DN can access.

Benefits

The Distinguished Name Based Crypto Maps feature allows you to set restrictions in the router configuration that prevent peers with specific certificates—especially certificates with particular DNs— from having access to selected encrypted interfaces.

Restrictions

System Requirements

To configure this feature, your router must support IP Security.

Performance Impact

If you restrict access to a large number of DNs, it is recommended that you specify a few number of crypto maps referring to large identity sections instead of specifying a large number of crypto maps referring to small identity sections.

Related Documents

The following documents provide information related to the Distinguished Name Based Crypto Maps feature:

Cisco IOS Security Command Reference

Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T

Supported Platforms

This feature is supported on the following platforms:

Cisco 1700 series

Cisco 2600 series

Cisco 3620

Cisco 3640

Cisco 3660

Cisco 7100 series

Cisco 7200 series

Cisco uBR905 Cable Access Router

Cisco uBR925 Cable Access Router

Determining Platform Support Through Feature Navigator

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

None

Prerequisites

Before configuring a DN based crypto map, you must perform the following tasks:

Create an Internet Key Exchange (IKE) policy at each peer.

For more information on creating IKE policies, refer to the "Configuring Internet Key Exchange for IPsec VPNs" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity..

Create crypto map entries for IPSec.

For more information on creating crypto map entries, refer to the "Configuring Security for VPNs with IPsec" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity.

Configuration Tasks

See the following sections for configuration tasks for the Distinguished Name Based Crypto Maps feature. Each task in the list is identified as either required or optional.

Configuring DN Based Crypto Maps (authenticated by DN) (required)

Configuring DN Based Crypto Maps (authenticated by hostname) (required)

Applying Identity to DN Based Crypto Maps (required)

Verifying DN Based Crypto Maps (optional)

Configuring DN Based Crypto Maps (authenticated by DN)

To configure a DN based crypto map that can be used only by peers that have been authenticated by a DN, use the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto identity name

Configures the identity of a router with the given list of DNs in the certificate of the router and enters crypto identity configuration mode.

Step 2 

Router(crypto-identity)# dn name=string [,name=string]

Associates the identity of the router with the DN in the certificate of the router.

Note The identity of the peer must match the identity in the exchanged certificate.

Configuring DN Based Crypto Maps (authenticated by hostname)

To configure a DN based crypto map that can be used only by peers that have been authenticated by a hostname, use the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto identity name

Configures the identity of a router with the given list of DNs in the certificate of the router and enters crypto identity configuration mode.

Step 2 

Router(crypto-identity)# fqdn name

Associates the identity of the router with the hostname that the peer used to authenticate itself.

Note The identity of the peer must match the identity in the exchanged certificate.

Applying Identity to DN Based Crypto Maps

To apply the identity (within the crypto map context), use the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto map map-name seq-num ipsec-isakmp

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

Step 2 

Router(config-crypto-map)# identity name

Applies the identity to the crypto map.

When this command is applied, only the hosts that match a configuration listed within the identity name can use the specified crypto map.

Note If the identity command does not appear within the crypto map, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.

Verifying DN Based Crypto Maps

To verify that this functionality is properly configured, use the following command in EXEC mode:

Command
Purpose

Router# show crypto identity

Displays the configured identities.


Troubleshooting Tips

If an encrypting peer attempts to establish a connection that is blocked by the DN based crypto map configuration, the following error message will be logged:

<time>: %CRYPTO-4-IKE_QUICKMODE_BAD_CERT: encrypted connection attempted with a peer 
without the configured certificate attributes.

Configuration Examples

This section provides the following configuration example:

DN Based Crypto Map Configuration Example

DN Based Crypto Map Configuration Example

The following example shows how to configure DN based crypto maps that have been authenticated by DN and hostname. Comments are included inline to explain various commands.

! DN based crypto maps require you to configure an IKE policy at each peer.
crypto isakmp policy 15
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 171.69.224.33
!
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only 
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset 
 match address 124
 identity to-bigbiz
!
crypto identity to-bigbiz
 dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset 
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn little.com
!

Command Reference

The following new commands are pertinent to this feature. To see the command pages for these commands and other commands used with this feature, go to the Cisco IOS Master Commands List at http://www.cisco.com/en/US/products/ps6441/products_product_indices_list.html.

crypto identity

dn

fqdn

identity

For information about these commands, see the Cisco IOS Security Command Reference at

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.

For information about all Cisco IOS commands, see the Command Lookup Tool at

http://tools.cisco.com/Support/CLILookup or the Master Command List.