Table Of Contents
Distinguished Name Based Crypto Maps
This feature module describes the Distinguished Name Based Crypto Map feature in Cisco IOS Release 12.2(4)T. It includes the following sections:
The Distinguished Name Based Crypto Maps feature allows you to configure the router to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular Distinguished Names (DNs).
Previously, if the router accepted a certificate or a shared secret from the encrypting peer, Cisco IOS did not have a method of preventing the peer from communicating with any encrypted interface other than the restrictions on the IP address of the encrypting peer. This feature allows you to configure which crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, thereby, enabling you to control which encrypted interfaces a peer with a specified DN can access.
The Distinguished Name Based Crypto Maps feature allows you to set restrictions in the router configuration that prevent peers with specific certificates—especially certificates with particular DNs— from having access to selected encrypted interfaces.
To configure this feature, your router must support IP Security.
If you restrict access to a large number of DNs, it is recommended that you specify a few number of crypto maps referring to large identity sections instead of specifying a large number of crypto maps referring to small identity sections.
The following documents provide information related to the Distinguished Name Based Crypto Maps feature:
This feature is supported on the following platforms:
•Cisco 1700 series
•Cisco 2600 series
•Cisco 7100 series
•Cisco 7200 series
•Cisco uBR905 Cable Access Router
•Cisco uBR925 Cable Access Router
Determining Platform Support Through Feature Navigator
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Supported Standards, MIBs, and RFCs
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
Before configuring a DN based crypto map, you must perform the following tasks:
•Create an Internet Key Exchange (IKE) policy at each peer.
For more information on creating IKE policies, refer to the "Configuring Internet Key Exchange for IPsec VPNs" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity..
•Create crypto map entries for IPSec.
For more information on creating crypto map entries, refer to the "Configuring Security for VPNs with IPsec" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity.
See the following sections for configuration tasks for the Distinguished Name Based Crypto Maps feature. Each task in the list is identified as either required or optional.
•Applying Identity to DN Based Crypto Maps (required)
•Verifying DN Based Crypto Maps (optional)
Configuring DN Based Crypto Maps (authenticated by DN)
To configure a DN based crypto map that can be used only by peers that have been authenticated by a DN, use the following commands beginning in global configuration mode:
Configuring DN Based Crypto Maps (authenticated by hostname)
To configure a DN based crypto map that can be used only by peers that have been authenticated by a hostname, use the following commands beginning in global configuration mode:
Applying Identity to DN Based Crypto Maps
To apply the identity (within the crypto map context), use the following commands beginning in global configuration mode:
Verifying DN Based Crypto Maps
To verify that this functionality is properly configured, use the following command in EXEC mode:
If an encrypting peer attempts to establish a connection that is blocked by the DN based crypto map configuration, the following error message will be logged:<time>: %CRYPTO-4-IKE_QUICKMODE_BAD_CERT: encrypted connection attempted with a peer without the configured certificate attributes.
This section provides the following configuration example:
DN Based Crypto Map Configuration Example
The following example shows how to configure DN based crypto maps that have been authenticated by DN and hostname. Comments are included inline to explain various commands.! DN based crypto maps require you to configure an IKE policy at each peer.crypto isakmp policy 15encryption 3deshash md5authentication rsa-siggroup 2lifetime 5000crypto isakmp policy 20authentication pre-sharelifetime 10000crypto isakmp key 1234567890 address 220.127.116.11!! The following is an IPSec crypto map (part of IPSec configuration). It can be used only! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.crypto map map-to-bigbiz 10 ipsec-isakmpset peer 172.21.114.196set transform-set my-transformsetmatch address 124identity to-bigbiz!crypto identity to-bigbizdn ou=BigBiz!!! This crypto map can be used only by peers that have been authenticated by hostname! and if the certificate belongs to little.com.crypto map map-to-little-com 10 ipsec-isakmpset peer 172.21.115.119set transform-set my-transformsetmatch address 125identity to-little-com!crypto identity to-little-comfqdn little.com!
The following new commands are pertinent to this feature. To see the command pages for these commands and other commands used with this feature, go to the Cisco IOS Master Commands List at http://www.cisco.com/en/US/products/ps6441/products_product_indices_list.html.
For information about these commands, see the Cisco IOS Security Command Reference at
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009-2010 Cisco Systems, Inc. All rights reserved.