Distinguished Name Based Crypto Maps


First Published: May 5, 2008
Last Updated: July 31, 2009

The Distinguished Name Based Crypto Maps feature allows you to set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.

Finding Feature Information

For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Distinguished Name Based Crypto Maps" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.

Contents

Prerequisites for Distinguished Name Based Crypto Maps

Restrictions for Distinguished Name Based Crypto Maps

Information About Distinguished Name Based Crypto Maps

How to Configure Distinguished Name Based Crypto Maps

Configuration Examples for Distinguished Name Based Crypto Maps

Additional References

Feature Information for Distinguished Name Based Crypto Maps

Prerequisites for Distinguished Name Based Crypto Maps

Before configuring a distinguished name (DN) based crypto map, you must perform the following tasks:

Create an Internet Key Exchange (IKE) policy at each peer.

For more information on creating IKE policies and crypto map entries, refer to Configuring Internet Key Exchange for IPsec VPNs.

Restrictions for Distinguished Name Based Crypto Maps

System Requirements

To configure this feature, your router must support IP Security (IPsec).

Performance Impact

If you restrict access to a large number of DNs, it is recommended that you specify a small number of crypto maps that refer to large identity sections instead of a large number of crypto maps that refer to small identity sections.

Information About Distinguished Name Based Crypto Maps

To configure the Distinguished Name Based Crypto Maps feature, you should understand the following concepts:

Feature Overview

Feature Overview

The Distinguished Name Based Crypto Maps feature allows you to configure the router to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular Distinguished Names (DNs).

This feature allows you to configure which crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, thereby enabling you to control which encrypted interfaces a peer with a specified DN can access.

How to Configure Distinguished Name Based Crypto Maps

This section contains the following tasks. Each task in the list is identified as either required or optional.

Configuring DN Based Crypto Maps (authenticated by DN) (required)

Configuring DN Based Crypto Maps (authenticated by hostname) (required)

Applying Identity to DN Based Crypto Maps (required)

Verifying DN Based Crypto Maps (optional)

Configuring DN Based Crypto Maps (authenticated by DN)

To configure a DN based crypto map that can be used only by peers that have been authenticated by a DN, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto identity name

4. dn name=string [,name=string]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto identity name

Example:

Router(config)# crypto identity sample-com

Configures the identity of a router with the given list of DNs in the certificate of the router and enters crypto identity configuration mode.

Step 4 

dn name=string [,name=string]

Example:

Router(crypto-identity)# dn ou=mystring

Associates the identity of the router with the DN in the certificate of the router.

The identity of the peer must match the identity in the exchanged certificate.

Configuring DN Based Crypto Maps (authenticated by hostname)

To configure a DN based crypto map that can be used only by peers that have been authenticated by a hostname, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto identity name

4. fqdn name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto identity name

Example:

Router(config)# crypto identity sample-com

Configures the identity of a router with the given list of DNs in the certificate of the router and enters crypto identity configuration mode.

Step 4 

fqdn name

Example:

Router(crypto-identity)# fqdn sample.com

Associates the identity of the router with the hostname that the peer used to authenticate itself.

Note: The identity of the peer must match the identity in the exchanged certificate.

Applying Identity to DN Based Crypto Maps

To apply the identity (within the crypto map context), perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto map map-name seq-num ipsec-isakmp

4. set identity name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto map map-name seq-num ipsec-isakmp

Example:

Router(config)# crypto map mymap 10 ipsec-isakmp

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

Step 4 

set identity name

Example:

Router(config-crypto-map)# set identity sample-com

Applies the identity to the crypto map.

When this command is applied, only the hosts that match a configuration listed within the set identity name can use the specified crypto map.

If the set identity command does not appear within the crypto map, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.
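
The consequence stated above (an entry without set identity is restricted only by the IP address of the peer) can be checked offline against a saved configuration. The Python script below is an added example, not Cisco code; the sample configuration (including the map-to-partner and map-to-lab entries and the 172.21.116.10 address) is constructed, and audit_crypto_maps is a hypothetical helper name.

```python
import re

# Constructed sample config modeled on this page's example: map-to-partner has
# no "set identity"; map-to-lab names an identity that is never defined.
SAMPLE_CONFIG = """\
crypto map map-to-bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset
 set identity to-bigbiz
 match address 124
!
crypto identity to-bigbiz
 dn ou=BigBiz
!
crypto map map-to-partner 20 ipsec-isakmp
 set peer 172.21.115.119
 match address 125
!
crypto map map-to-lab 30 ipsec-isakmp
 set peer 172.21.116.10
 set identity to-lab
!
"""
MAP_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp\b")
IDENT_RE = re.compile(r"crypto identity (\S+)")

def audit_crypto_maps(config_text):
    """Return {(map_name, seq): finding} for entries not restricted by DN/FQDN."""
    maps, identities, current = {}, {}, None
    for line in config_text.splitlines():
        if not line.startswith(" "):        # a top-level line closes the open block
            current = None
            if m := MAP_RE.match(line):
                current = maps.setdefault((m.group(1), int(m.group(2))), [])
            elif m := IDENT_RE.match(line):
                current = identities.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line.strip())    # sub-command of the open block
    findings = {}
    for key, body in maps.items():
        names = [m.group(1) for c in body if (m := re.fullmatch(r"set identity (\S+)", c))]
        if not names:
            findings[key] = "no set identity: only the peer IP address restricts this entry"
        elif not any(r.startswith(("dn ", "fqdn ")) for r in identities.get(names[-1], [])):
            findings[key] = f"identity {names[-1]} has no dn or fqdn entries"
    return findings

if __name__ == "__main__":
    for entry, finding in audit_crypto_maps(SAMPLE_CONFIG).items():
        print(entry, finding)
```

A sub-command typed as identity name instead of set identity name is also reported as missing, because only the set identity form is matched.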


Verifying DN Based Crypto Maps

To verify that this functionality is properly configured, perform the following steps.

SUMMARY STEPS

1. enable

2. show crypto identity

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show crypto identity

Example:

Router# show crypto identity

Displays the configured identities.

Troubleshooting Tips

If an encrypting peer attempts to establish a connection that is blocked by the DN based crypto map configuration, the following error message will be logged:

<time>: %CRYPTO-4-IKE_QUICKMODE_BAD_CERT: encrypted connection attempted with a peer without the configured certificate attributes.

Configuration Examples for Distinguished Name Based Crypto Maps

This section provides the following configuration example:

DN Based Crypto Map Configuration: Example

DN Based Crypto Map Configuration: Example

The following example shows how to configure DN based crypto maps that have been authenticated by DN and hostname. Comments are included inline to explain various commands.

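! DN based crypto maps require you to configure an IKE policy at each peer.
! 3des, md5, and DH group 2 are legacy algorithms; prefer the strongest options your release supports.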
crypto isakmp policy 15
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 172.31.224.33
!
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only 
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset
 set identity to-bigbiz
 match address 124
!
crypto identity to-bigbiz
 dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset
 match address 125
 set identity to-little-com
!
crypto identity to-little-com
 fqdn little.com
!

Additional References

Related Documents

Related Topic
Document Title

Internet Key Exchange and IPsec

Configuring Internet Key Exchange for IPsec VPNs

Security commands

Cisco IOS Security Command Reference


Standards

Standard
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIB
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.



Feature Information for Distinguished Name Based Crypto Maps

Table 1 lists the release history for this feature.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.


Note: Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.


Table 1 Feature Information for Distinguished Name Based Crypto Maps

Feature Name
Releases
Feature Information

Distinguished Name Based Crypto Maps

Cisco IOS XE Release 2.1

This feature allows you to configure the router to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular Distinguished Names (DNs).

The following commands were introduced or modified: crypto identity, dn, fqdn, and identity.