Distinguished Name Based Crypto Maps
|
|||||||||||||||||||||||||
Contents
Distinguished Name Based Crypto MapsLast Updated: July 16, 2012
Feature History
This feature module describes the Distinguished Name Based Crypto Map feature in Cisco IOS Release 12.2(4)T. It includes the following sections: Finding Feature InformationYour software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Feature OverviewThe Distinguished Name Based Crypto Maps feature allows you to configure the router to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular Distinguished Names (DNs). Previously, if the router accepted a certificate or a shared secret from the encrypting peer, Cisco IOS did not have a method of preventing the peer from communicating with any encrypted interface other than the restrictions on the IP address of the encrypting peer. This feature allows you to configure which crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, thereby, enabling you to control which encrypted interfaces a peer with a specified DN can access. BenefitsThe Distinguished Name Based Crypto Maps feature allows you to set restrictions in the router configuration that prevent peers with specific certificates--especially certificates with particular DNs-- from having access to selected encrypted interfaces. Related DocumentsThe following documents provide information related to the Distinguished Name Based Crypto Maps feature:
Supported PlatformsThis feature is supported on the following platforms:
Determining Platform Support Through Feature NavigatorUse Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Supported Standards MIBs and RFCsPrerequisitesBefore configuring a DN based crypto map, you must perform the following tasks: For more information on creating IKE policies, refer to the " Configuring Internet Key Exchange for IPsec VPNs " chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity .. For more information on creating crypto map entries, refer to the " Configuring Security for VPNs with IPsec " chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity Configuration TasksSee the following sections for configuration tasks for the Distinguished Name Based Crypto Maps feature. Each task in the list is identified as either required or optional.
Configuring DN Based Crypto Maps (authenticated by DN)To configure a DN based crypto map that can be used only by peers that have been authenticated by a DN, use the following commands beginning in global configuration mode: DETAILED STEPS Configuring DN Based Crypto Maps (authenticated by hostname)To configure a DN based crypto map that can be used only by peers that have been authenticated by a hostname, use the following commands beginning in global configuration mode: DETAILED STEPS
Applying Identity to DN Based Crypto MapsTo apply the identity (within the crypto map context), use the following commands beginning in global configuration mode: DETAILED STEPS
Verifying DN Based Crypto MapsTo verify that this functionality is properly configured, use the following command in EXEC mode: Troubleshooting TipsIf an encrypting peer attempts to establish a connection that is blocked by the DN based crypto map configuration, the following error message will be logged: <time>: %CRYPTO-4-IKE_QUICKMODE_BAD_CERT: encrypted connection attempted with a peer without the configured certificate attributes. Configuration ExamplesDN Based Crypto Map Configuration ExampleThe following example shows how to configure DN based crypto maps that have been authenticated by DN and hostname. Comments are included inline to explain various commands. ! DN based crypto maps require you to configure an IKE policy at each peer. crypto isakmp policy 15 encryption aes hash sha authentication rsa-sig group 14 lifetime 5000 crypto isakmp policy 20 encryption aes hash sha authentication pre-share group 14 lifetime 10000 crypto isakmp key 1234567890 address 171.69.224.33 ! ! The following is an IPSec crypto map (part of IPSec configuration). It can be used only ! by peers that have been authenticated by DN and if the certificate belongs to BigBiz. crypto map map-to-bigbiz 10 ipsec-isakmp set peer 172.21.114.196 set transform-set my-transformset match address 124 identity to-bigbiz ! crypto identity to-bigbiz dn ou=BigBiz ! ! ! This crypto map can be used only by peers that have been authenticated by hostname ! and if the certificate belongs to little.com. crypto map map-to-little-com 10 ipsec-isakmp set peer 172.21.115.119 set transform-set my-transformset match address 125 identity to-little-com ! crypto identity to-little-com fqdn little.com ! © 2012 Cisco Systems, Inc. All rights reserved.
|
|||||||||||||||||||||||||