Cisco Support Community

ovt (Bronze)

Certificates and "no-xauth" kludge

Hi!

Our router terminates several site-to-site IPSec tunnels (with certificate-based auth) as well as remote VPN 3.x clients (certs + XAUTH) on the same interface.

How can I tell the router not to challenge remote site routers for XAUTH?

"crypto isakmp key ... address ... no-xauth" works surprisingly well for certificates, but does anybody know a more elegant way?

Oleg Tipisov,
REDCENTER,
Moscow

Accepted Solution
Cisco Employee

Re: Certificates and "no-xauth" kludge

This is detailed in bug ID CSCdx48695, and as you found out, one of the workarounds (although it's not listed in this bug) is to add dummy "crypto isakmp key .... no-xauth" commands for each of the IPSec peers.

The bug workaround is as follows:

-----------------------------------------------------------------
Workaround:

When using PRE-SHARED Key, use the no-xauth extension to the crypto isakmp key command, e.g.:

    crypto isakmp key ... address ... no-xauth

For Certificates or Encrypted nonces, you must use a crypto map for LAN to LAN and another for Remote Access (xauth enabled). If physical interfaces are limited, sub-interfaces can be used.
-----------------------------------------------------------------

So, I guess a "more elegant" way would be to create two different crypto maps, two sub-interfaces and use one for the client connections with Xauth, and one for the L2L connections with certs. If it were me, I'd stick with the kludge.
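The two-crypto-map, two-sub-interface layout from the bug workaround, written out as an added IOS configuration sketch. This is not configuration from the thread, from the bug, or from Cisco; every name and number in it is a constructed placeholder (interface FastEthernet0/0, VLAN IDs 10 and 20, the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, the map, ACL, pool, group and user names), and it assumes a certificate trustpoint has already been enrolled for the RSA-signature peers.

```cisco
! Added example, not from the thread. All values are placeholders.
! Assumes a trustpoint is already enrolled for the RSA-sig L2L peers.
!
! --- Phase 1: one policy for certificate peers, one for the clients ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
crypto isakmp policy 20
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! --- Remote-access client group (group key + XAUTH user list) ---
aaa new-model
aaa authentication login VPNUSERS local
aaa authorization network VPNGROUP local
username alice secret CHANGE-ME-PLACEHOLDER
ip local pool VPNPOOL 10.10.10.1 10.10.10.50
crypto isakmp client configuration group VPNCLIENTS
 key GROUP-KEY-PLACEHOLDER
 pool VPNPOOL
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! --- Map A: LAN-to-LAN with certificates. No client authentication
!     list is attached, so peers hitting this map are never XAUTH-challenged.
ip access-list extended L2L-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address L2L-TRAFFIC
!
! --- Map B: remote access. XAUTH, group authorization and address
!     assignment are bound to this map only.
crypto dynamic-map RA-DYN 10
 set transform-set TS
 reverse-route
crypto map RA-MAP client authentication list VPNUSERS
crypto map RA-MAP isakmp authorization list VPNGROUP
crypto map RA-MAP client configuration address respond
crypto map RA-MAP 10 ipsec-isakmp dynamic RA-DYN
!
! --- One sub-interface per map; each peer type is given the address
!     of the sub-interface that carries its map.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description L2L peers (certificates, no XAUTH)
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 crypto map L2L-MAP
!
interface FastEthernet0/0.20
 description Remote-access clients (XAUTH)
 encapsulation dot1Q 20
 ip address 192.0.2.129 255.255.255.128
 crypto map RA-MAP
```

The separation works because XAUTH is enabled per crypto map (the `client authentication list` line), and a crypto map is bound per interface, so a site-to-site peer that terminates on the L2L sub-interface's address never sees the challenge. Two things to check when deploying this shape: the L2L map should carry no dynamic entry, so that a host that only holds the client group key cannot negotiate on the certificate-only interface without XAUTH, and the remote-site peers must be pointed at the L2L sub-interface address rather than the client one.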
