06-24-2008 07:11 AM
Hi,
I am trying to set up a VPN from a Cisco 877 to an OpenSWAN. I have it working with pre-shared keys, but would like to change over to using certificates instead.
My "CA" is openssl, and is *not* accessible via the network from the Cisco
box. However, I do have all the details it should require - an encrypted key
file, a password for that key, a certificate file for that key, and a file
containing the CA self-signed certificate.
The far end also has a working certificate based VPN with another device - so
I know that's right.
I am having difficulty setting up the Cisco. I *think* I am getting most of
the way there, with the following (starting from a working pre-shared-key VPN):
crypto key import rsa mykey pem terminal password
... paste key PEM ...
quit
... paste cert for that key PEM ...
quit
crypto pki trustpoint myca
subject C=GB, O=MyCompany, L=Here, OU=Unit, CN=Certificate Authority
revocation-check none
exit
crypto pki certificate chain myca
certificate ca (serial from cert)
... paste the output of openssl x509 -in cacert.pem ...
... from the XXX_certificate section ...
... removing commas and "0x" ...
quit
exit
crypto key pubkey-chain rsa
named-key myca encryption
key-string
... paste the output of openssl x509 -in cacert.pem ...
... from the XXX_public_key section ...
... removing commas and "0x" ...
quit
exit
exit
crypto isakmp policy 1
authentication rsa-sig
exit
no crypto isakmp key (PSK) address 1.1.1.1
crypto isakmp identity dn
exit
I use "debug crypto isakmp" and force the VPN up. I get a few interesting
lines:
*May 22 09:49:55.926: ISAKMP:(2006):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*May 22 09:49:55.926: ISAKMP(0:2006): Unable to get our DN from cert, using my FQDN as identity
*May 22 09:49:55.930: ISAKMP (0:2006): no cert chain to send to peer
*May 22 09:49:55.930: ISAKMP (0:2006): peer did not specify issuer and no suitable profile found
What am I missing?
07-01-2008 09:59 AM
The Cisco 850 and Cisco 870 series routers support the creation of virtual private networks (VPNs). Two types of VPNs are supported: site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.
Refer to the following URL for more info on configuring VPN on the Cisco 877:
07-02-2008 02:01 AM
Thank you for your response, however that example, like almost all the others I have found, uses pre-share authentication. I can have a working VPN with pre-share security.
However, I will have far too many remote points for pre-share to be viable, so I am trying to get certificated VPNs working.
I have made some progress since the last email - I needed to define a trustpoint with "enrollment terminal pem" to get manual installation of certificates.
But, it still doesn't quite work - I am obviously missing the step which informs the 877 to *use* the cert/key pair I have added for that trustpoint to talk to a particular VPN.
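As an added example (not from the thread, and not Cisco's or OpenSWAN's own documentation), this is the IOS configuration shape that addresses the two things the debug output above points at: the router certificate has to be tied to a trustpoint through its key pair before IKE can read a DN out of it, and an ISAKMP profile has to say which trustpoint applies to a peer that identifies itself by DN. The trustpoint name OPENSWAN-CA, key label MYKEY, crypto map name VPNMAP, peer address 1.1.1.1, the CA common name and the passphrase KEYPASS are all assumed placeholders; the existing ISAKMP policy and transform set from the pre-shared-key setup are left as they were.

```cisco
! Added example, not from the thread. Assumed names: trustpoint OPENSWAN-CA,
! key label MYKEY, crypto map VPNMAP, peer 1.1.1.1, passphrase KEYPASS.
!
! 1. A trustpoint that accepts pasted PEM material and owns the key pair.
!    "rsakeypair" is what links the imported key (and so the router cert) to
!    this trustpoint; without it IKE reports "unable to get router cert".
crypto pki trustpoint OPENSWAN-CA
 enrollment terminal pem
 revocation-check none
 rsakeypair MYKEY
exit
!
! 2. Import the CA certificate, the encrypted private key and the router
!    certificate in one operation. IOS prompts for each PEM blob in turn
!    (CA cert, then private key, then router cert); terminate each paste
!    with a line containing only "quit".
crypto pki import OPENSWAN-CA pem terminal KEYPASS
!   <paste cacert.pem>               quit
!   <paste encrypted router key.pem> quit
!   <paste router cert.pem>          quit
!
! 3. IKE authentication by signature, identifying ourselves by certificate DN
!    (the OpenSWAN side must use a DN as its leftid/rightid too).
crypto isakmp policy 1
 authentication rsa-sig
exit
crypto isakmp identity dn
!
! 4. Classify peers by the issuer of the certificate they present, and give
!    that class a profile bound to the trustpoint. This is the "suitable
!    profile" the debug output says it cannot find.
crypto pki certificate map OPENSWAN-PEERS 10
 issuer-name co cn=certificate authority
exit
crypto isakmp profile OPENSWAN
 ca trust-point OPENSWAN-CA
 match certificate OPENSWAN-PEERS
exit
!
! 5. Attach the profile to the crypto map entry already used for this peer.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set isakmp-profile OPENSWAN
exit
```

After this, "show crypto pki certificates" should list both the CA certificate and the router certificate under OPENSWAN-CA, and "show crypto isakmp sa" should show the tunnel established once the peer is brought up; a certificate that appears under the trustpoint but whose key label does not match the rsakeypair line will still produce the "no cert chain to send to peer" message.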
07-09-2008 02:40 PM
You can set them to auto regenerate and auto reenroll...
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946c0.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801405ac.shtml