Certificate-based VPNs with pre-calculated keys and certs

jarrod
Level 1

Hi,

I am trying to set up a VPN from a Cisco 877 to an OpenSWAN. I have it working with pre-shared keys, but would like to change over to using certificates instead.

My "CA" is openssl, and is *not* accessible via the network from the Cisco box. However, I do have all the details it should require - an encrypted key file, a password for that key, a certificate file for that key, and a file containing the CA self-signed certificate.

The far end also has a working certificate-based VPN with another device - so I know that's right.

I am having difficulty setting up the Cisco. I *think* I am getting most of the way there, with the following (starting from a working pre-shared-key VPN):

crypto key import rsa mykey pem terminal password
... paste key PEM ...
quit
... paste cert for that key PEM ...
quit
crypto pki trustpoint myca
subject C=GB, O=MyCompany, L=Here, OU=Unit, CN=Certificate Authority
revocation-check none
exit
crypto pki certificate chain myca
certificate ca (serial from cert)
... paste the output of openssl x509 -in cacert.pem ...
... from the XXX_certificate section ...
... removing commas and "0x" ...
quit
exit
crypto key pubkey-chain rsa
named-key myca encryption
key-string
... paste the output of openssl x509 -in cacert.pem ...
... from the XXX_public_key section ...
... removing commas and "0x" ...
quit
exit
exit
crypto isakmp policy 1
authentication rsa-sig
exit
no crypto isakmp key (PSK) address 1.1.1.1
crypto isakmp identity dn
exit

I use "debug crypto isakmp" and force the VPN up. I get a few interesting lines:

*May 22 09:49:55.926: ISAKMP:(2006):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*May 22 09:49:55.926: ISAKMP(0:2006): Unable to get our DN from cert, using my FQDN as identity
*May 22 09:49:55.930: ISAKMP (0:2006): no cert chain to send to peer
*May 22 09:49:55.930: ISAKMP (0:2006): peer did not specify issuer and no suitable profile found

What am I missing?

3 Replies

hadbou
Level 5

The Cisco 850 and Cisco 870 series routers support the creation of virtual private networks (VPNs). Two types of VPNs are supported: site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

Refer to the following URL for more information on configuring a VPN on the Cisco 877:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/vpngre.html#wp999287

Thank you for your response; however, that example, like almost all the others I have found, uses pre-share authentication. I can have a working VPN with pre-share security.

However, I will have far too many remote points for pre-share to be viable, so I am trying to get certificated VPNs working.

I have made some progress since the last email - I needed to define a trustpoint with "enrollment terminal pem" to get manual installation of certificates.

But, it still doesn't quite work - I am obviously missing the step which informs the 877 to *use* the cert/key pair I have added for that trustpoint to talk to a particular VPN.
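As an added example (not configuration from this thread or from Cisco's documentation), here is how the manual PEM import described above is usually combined with an ISAKMP profile that names the trustpoint for a given peer, which is the binding the follow-up post says is missing. The trustpoint name, profile name, transform set, crypto map, ACL number, peer address 1.1.1.1 and the passphrase are placeholders, and the OpenSWAN side is assumed to already present a certificate issued by the same CA.

```cisco
! Added example, not from the thread. All names, 1.1.1.1 and the
! passphrase are placeholders; substitute your own values.
!
! 1. Trustpoint for the offline openssl CA. "enrollment terminal pem"
!    makes the router accept every object pasted in PEM form.
crypto pki trustpoint myca
 enrollment terminal pem
 revocation-check none
 exit
!
! 2. One import covers all three objects. The router prompts, in order,
!    for the CA certificate, the encrypted private key (PEM, protected
!    by the passphrase given here) and the router certificate; end each
!    paste with "quit". The key is stored under the trustpoint's name, so
!    the separate "crypto key import", "certificate chain" and
!    "crypto key pubkey-chain rsa" steps are not needed for rsa-sig.
crypto pki import myca pem terminal MyKeyPassphrase
!
! 3. IKE phase 1 with certificate authentication and DN identity.
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
 exit
crypto isakmp identity dn
!
! 4. The binding step: the ISAKMP profile tells IKE which trustpoint's
!    certificate to present to, and accept from, this peer.
crypto isakmp profile OPENSWAN
 ca trust-point myca
 match identity address 1.1.1.1 255.255.255.255
 exit
!
! 5. Attach the profile to the crypto map entry already used for the
!    peer (only "set isakmp-profile" is new relative to a PSK setup).
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS
 set isakmp-profile OPENSWAN
 match address 100
 exit
!
! 6. Check before bringing the tunnel up: both the CA certificate and
!    the router certificate must be listed under the trustpoint.
! show crypto pki certificates myca
! show crypto isakmp profile
```

If "show crypto pki certificates" lists only the CA certificate, the router certificate did not import and IKE will again report that it has no certificate chain to send.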
