- Overview of Secure Connectivity
-
- Implementing and Managing PKI Features Roadmap
- Overview of PKI
- Deploying RSA Keys Within a PKI
- Configuring Authorization and Revocation of Certificates in a PKI
- Configuring Certificate Enrollment for a PKI
- Storing PKI Credentials
- Source Interface Selection for Outgoing Traffic with Certificate Authority
- Cisco Group Encrypted Transport VPN
Cisco IOS XE Security Configuration Guide: Secure Connectivity, Release 2
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- May 5, 2009
Chapter: Distinguished Name Based Crypto Maps
- Finding Feature Information
- Contents
- Prerequisites for Distinguished Name Based Crypto Maps
- Restrictions for Distinguished Name Based Crypto Maps
- Information About Distinguished Name Based Crypto Maps
- How to Configure Distinguished Name Based Crypto Maps
- Configuration Examples for Distinguished Name Based Crypto Maps
- Additional References
- Feature Information for Distinguished Name Based Crypto Maps
Distinguished Name Based Crypto Maps
The Distinguished Name Based Crypto Maps feature allows you to set restrictions in the router configuration that prevent peers with specific certificates—especially certificates with particular DNs— from having access to selected encrypted interfaces.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Distinguished Name Based Crypto Maps" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•
Prerequisites for Distinguished Name Based Crypto Maps
•Restrictions for Distinguished Name Based Crypto Maps
•Information About Distinguished Name Based Crypto Maps
•How to Configure Distinguished Name Based Crypto Maps
•Configuration Examples for Distinguished Name Based Crypto Maps
•Feature Information for Distinguished Name Based Crypto Maps
Prerequisites for Distinguished Name Based Crypto Maps
Before configuring a distinguished name (DN) based crypto map, you must perform the following tasks:
•Create an Internet Key Exchange (IKE) policy at each peer.
For more information on creating IKE policies and crypto map entries, refer to Configuring Internet Key Exchange for IPsec VPNs.
Restrictions for Distinguished Name Based Crypto Maps
System Requirements
To configure this feature, your router must support IP Security (IPsec).
Performance Impact
If you restrict access to a large number of DNs, it is recommended that you specify a few number of crypto maps referring to large identity sections instead of specifying a large number of crypto maps referring to small identity sections.
Information About Distinguished Name Based Crypto Maps
To configure the Distinguished Name Based Crypto Maps feature, you should understand the following concepts:
Feature Overview
The Distinguished Name Based Crypto Maps feature allows you to configure the router to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular Distinguished Names (DNs).
This feature allows you to configure which crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, thereby enabling you to control which encrypted interfaces a peer with a specified DN can access.
How to Configure Distinguished Name Based Crypto Maps
This section contains the following tasks. Each task in the list is identified as either required or optional.
•Configuring DN Based Crypto Maps (authenticated by DN) (required)
•Configuring DN Based Crypto Maps (authenticated by hostname) (required)
•Applying Identity to DN Based Crypto Maps (required)
•Verifying DN Based Crypto Maps (optional)
Configuring DN Based Crypto Maps (authenticated by DN)
To configure a DN based crypto map that can be used only by peers that have been authenticated by a DN, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto identity name
4. dn name=string [,name=string]
DETAILED STEPS
Configuring DN Based Crypto Maps (authenticated by hostname)
To configure a DN based crypto map that can be used only by peers that have been authenticated by a hostname, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto identity name
4. fqdn name
DETAILED STEPS
Applying Identity to DN Based Crypto Maps
To apply the identity (within the crypto map context), perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto map map-name seq-num ipsec-isakmp
4. set identity name
DETAILED STEPS
]
Verifying DN Based Crypto Maps
To verify that this functionality is properly configured, perform the following steps.
SUMMARY STEPS
1. enable
2. show crypto identity
DETAILED STEPS
Troubleshooting Tips
If an encrypting peer attempts to establish a connection that is blocked by the DN based crypto map configuration, the following error message will be logged:
<time>: %CRYPTO-4-IKE_QUICKMODE_BAD_CERT: encrypted connection attempted with a peer without the configured certificate attributes.
Configuration Examples for Distinguished Name Based Crypto Maps
This section provides the following configuration example:
•DN Based Crypto Map Configuration: Example
DN Based Crypto Map Configuration: Example
The following example shows how to configure DN based crypto maps that have been authenticated by DN and hostname. Comments are included inline to explain various commands.
! DN based crypto maps require you to configure an IKE policy at each peer.
crypto isakmp policy 15
encryption 3des
hash md5
authentication rsa-sig
group 2
lifetime 5000
crypto isakmp policy 20
authentication pre-share
lifetime 10000
crypto isakmp key 1234567890 address 172.31.224.33
!
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
set peer 172.21.114.196
set transform-set my-transformset
set identity to-bigbiz
match address 124
!
crypto identity to-bigbiz
dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
set peer 172.21.115.119
set transform-set my-transformset
match address 125
identity to-little-com
!
crypto identity to-little-com
fqdn little.com
!
Additional References
Related Documents
|
|
|
|---|---|
Internet Key Exchange and IPsec |
|
Security commands |
Standards
|
|
|
|---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
MIBs
RFCs
|
|
|
|---|---|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. |
— |
Technical Assistance
Feature Information for Distinguished Name Based Crypto Maps
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
Feedback