This post describes the steps to configure certificate authentication for a VPN on a Cisco IOS-XE router.
Configuration
The certificates in this FlexVPN lab are signed by a CA called lab-PKI-CA.
- Run the command show crypto pki certificates on the router to identify the issuer of the router's certificate; in this instance it is lab-PKI-CA.
- Create a certificate map that matches the issuer-name of the peer's certificate, i.e. the CA that signed it. The co keyword means "contains", so the map matches any issuer DN containing the string; the comparison is case-insensitive, which is why the lowercase lab-pki-ca below matches lab-PKI-CA.
crypto pki certificate map CERT_MAP 5
 issuer-name co lab-pki-ca
- Configure the IKEv2 profile: match peers whose certificate was issued by the CA defined in the certificate map, set both local and remote authentication to rsa-sig, use the local router's certificate DN as the local IKE identity, and reference the trustpoint that holds the router's certificate and the CA certificate used to validate the peer.
crypto ikev2 profile IKEV2_PROFILE
 match certificate CERT_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint LAB_PKI
- If a tunnel is already up using PSK authentication, bounce it so the peers renegotiate with the new profile, either by clearing the IKEv2 SA (clear crypto ikev2 sa) or by shutting and re-enabling the tunnel interface.
- Run the command show crypto ikev2 sa detailed to confirm the IKEv2 SA has been established and authenticated with certificates: the output should report "Auth sign: RSA" and "Auth verify: RSA" rather than PSK.
Full Configuration
IKEv2 smart defaults are in use, which is why no IKEv2 proposal or policy appears in the running configuration. Refer to this post for information about IKEv2 smart defaults. Two points to note in the configuration below: the trustpoint uses revocation-check none, which disables CRL/OCSP checking and means a revoked peer certificate would still authenticate (acceptable in a lab, but production trustpoints should use revocation-check crl or revocation-check ocsp); and the IKEv2 profile still lists authentication remote pre-share alongside rsa-sig, so a peer can still authenticate with a pre-shared key unless that line is removed.
crypto pki trustpoint LAB_PKI
 enrollment terminal
 serial-number none
 fqdn CSR2.lab.net
 ip-address none
 subject-name OU=IT,O=LAB,ST=London,C=GB
 revocation-check none
 rsakeypair VPN_KEY
 auto-enroll 30 regenerate
!
crypto pki certificate map CERT_MAP 5
 issuer-name co lab-pki-ca
!
crypto ikev2 profile IKEV2_PROFILE
 match certificate CERT_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote pre-share
 authentication remote rsa-sig
 pki trustpoint LAB_PKI
 lifetime 12800
 dpd 10 3 periodic
!
crypto ipsec profile IPSEC_PROFILE
 set ikev2-profile IKEV2_PROFILE
!
interface Loopback0
 ip address 172.21.0.2 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet1
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC_PROFILE
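The following is an added example, not part of the original post or of any Cisco tooling. It reproduces off-box, with OpenSSL, the two checks the router applies to a peer certificate in the configuration above: the chain validation against the CA loaded into the LAB_PKI trustpoint, and the CERT_MAP test "issuer-name co lab-pki-ca". It assumes a lab CA named lab-PKI-CA, a router certificate with the subject-name and fqdn from the trustpoint block, and a local openssl binary; all keys are throwaway and generated in a temporary directory. To make the security point concrete it also issues a certificate from a second, unrelated CA whose name happens to contain the same string: the certificate map matches it, but chain validation rejects it, which is why the map only selects the profile and the trustpoint is what actually decides trust.

```shell
# Added example (not from the original post): off-box equivalents of the
# router's trustpoint chain check and its CERT_MAP issuer-name match.
# Assumptions (mine): CA "lab-PKI-CA", router FQDN CSR2.lab.net, OpenSSL present.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed CA with CN=$2 and a router certificate signed by it,
# using $1 as the file prefix.
issue_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
    -subj "/CN=$2" >/dev/null 2>&1
  # Subject mirrors "subject-name OU=IT,O=LAB,ST=London,C=GB"; the trustpoint's
  # "fqdn CSR2.lab.net" becomes a DNS SAN, and "serial-number none" /
  # "ip-address none" mean nothing else is added to the request.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1-rtr.key" -out "$WORK/$1-rtr.csr" \
    -subj "/C=GB/ST=London/O=LAB/OU=IT" >/dev/null 2>&1
  printf 'subjectAltName=DNS:CSR2.lab.net\n' > "$WORK/$1-ext.cnf"
  openssl x509 -req -in "$WORK/$1-rtr.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/$1-ext.cnf" -out "$WORK/$1-rtr.pem" >/dev/null 2>&1
}

# Trustpoint check: does the peer certificate chain to the CA in LAB_PKI?
# Returns 0 on a valid chain, non-zero otherwise.
chains_to_lab_ca() {
  openssl verify -CAfile "$WORK/lab-ca.pem" "$WORK/$1-rtr.pem" >/dev/null 2>&1
}

# Certificate-map check "issuer-name co $2": case-insensitive substring test on
# the issuer DN (Cisco certificate-map name matching is case-insensitive).
issuer_contains() {
  issuer=$(openssl x509 -in "$WORK/$1-rtr.pem" -noout -issuer | tr 'A-Z' 'a-z')
  needle=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$issuer" in *"$needle"*) return 0 ;; *) return 1 ;; esac
}

issue_pair lab   lab-PKI-CA         # the real lab CA from the post
issue_pair other lab-PKI-CA-clone   # constructed: unrelated CA, similar name

for peer in lab other; do
  if issuer_contains "$peer" lab-pki-ca; then map=match; else map=no-match; fi
  if chains_to_lab_ca "$peer"; then chain=valid; else chain=INVALID; fi
  printf '%-6s CERT_MAP=%-8s trustpoint=%s\n' "$peer" "$map" "$chain"
done
```

Both certificates satisfy the map, but only the one signed by lab-PKI-CA passes chain validation; the second is rejected exactly as the router would reject a peer whose certificate does not chain to the LAB_PKI trustpoint, regardless of what its issuer DN says.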