IPSec: ISAKMP RSA-SIG authentication Question

victor.lyapunov · ‎12-02-2008

Hello

I need some help with the usage of RSA certificates in IPSec. The is question what fields are checked during ISAKMP rsa authentication (e.g. certificate subject and peer identity?)

I use very simple topology:

R1(10.0.12.1)<------>(10.0.12.2)R2(10.0.23.2)<--------->(10.0.23.3)R3

I try to establish an IPSec tunnel between R1 and R3 using for isakmp authentication with RSA-signatures (default method). The certificates are issued by a forth router acting

as a pki server and are manually inserted in R1 and R3.

IPSec Communication is established correctly between R1 and R3. What I cannot understand is that even when I change the R3 IP address from 10.0.23.3 -> 10.0.23.33 and the hostname from R3 -> R33 (without getting a new certificate) still IPSec is still

correctly established!!!

-What does ISAKMP authentication when Certificates are used???

-What are the fields that each peer checks?

I would assume that the router extracts from the subject of his peer's certificate the IP address or the fqdn. Then proceeds by checking to see if these values are indeed equal with the identity supplied by the Peer.

(unfortunately it did not work as I expected in my case)

The crypto related config for the routers is:

R1

=========================

ip domain name ssl.com

ip host R3.ssl.com 10.0.23.3

crypto pki trustpoint CA_ROOT

enrollment terminal

usage ike

serial-number none

ip-address 10.0.12.1

subject-name C=US, O=ssl.com, OU=bull

revocation-check none

crypto isakmp policy 10

hash md5

crypto ipsec transform-set myset esp-null esp-md5-hmac

!

crypto map vpn 10 ipsec-isakmp

set transform-set myset

match address 102

set peer 10.0.23.33 (after the change)

R3

===========================

ip domain name ssl.com

ip host R1.ssl.com 10.0.12.1

crypto pki trustpoint CA_ROOT

enrollment terminal

usage ike

serial-number none

ip-address 10.0.23.3

subject-name C=US, O=ssl.com, OU=bull

revocation-check none

crypto isakmp policy 10

hash md5

crypto ipsec transform-set myset esp-null esp-md5-hmac

!

crypto map vpn 10 ipsec-isakmp

set peer 10.0.12.1

set transform-set myset

match address 102

The certificate in R3 remains the same with subject:

Subject:

Name: R3.ssl.com

IP Address: 10.0.23.3

ipaddress=10.0.23.3+hostname=R3.ssl.com

c=US

o=ssl.com

ou=bull

P.S.

The only way I managed to make the previous setup work as I was expected (Successfull IPsec connectity initialy - Loss of connectivity when the IP or the hostname of R3 changed - without getting a new certificate)

was by using a certificate map in R1. That map defined the expected subject of the peer's certificate.

Is this the way that certificate based authentication is supposed to work?

When ISAKMP used rsa-signatures for authentication should both peers employ certificate maps

to verify that indeed the identity described in subject of the supplied certificates matches the identities

of the peers??

Report Inappropriate Content · ‎12-08-2008

To configure ISAKMP policies, in global configuration mode, use the crypto isakmp policy command with its various arguments. The syntax for ISAKMP policy commands is as follows:

crypto isakmp policy priority attribute_name [attribute_value | integer]

You must include the priority in each of the ISAKMP commands. The priority number uniquely identifies the policy, and determines the priority of the policy in ISAKMP negotiations.

To enable and configure ISAKMP, complete the steps in the below URL:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1042302

roeeshimrit · ‎09-10-2013

Hi

I am trying a similiar scenario,

I am trying to create ipsec tunnel between 2 routers and third router is the CA server .

After I receive the certificates ping fail betweenn 2 routers .

Can you send me working configuration ?

tx

Roee