FlexVPN with certificate issued by 2 different internal PKI

Dyl8n
Level 1

Hi,

We are in a transition period migrating from one internal PKI to a new internal PKI.  Existing FlexVPNs are set up with certificates from the old PKI CA for the IKEv2 tunnel protocol.  We're bringing online a new FlexVPN that has a certificate issued by the new PKI.  Is there a way to add the CA chains from both PKIs to the FlexVPNs so both certificates are trusted to establish IPsec?

Thanks in advance

D

7 Replies

Under the same profile using two trustpoints, I don't think it works.

But

Two different profiles, each one matching a remote specific DN/CN or issuer, and each profile using its own trustpoint.

This I think works.

MHM

Dyl8n
Level 1

Do you mean creating two profiles on each FlexVPN?  Do you have an example config I can reference?

Hello,

I think you can configure your Cisco FlexVPN to trust certificates from multiple Certificate Authorities (CAs), allowing it to establish IPSec tunnels using certificates issued by either the old or new PKI, following the procedure below:

1. **Import CA Certificates**: First, you need to import the root CA certificates from both the old and new PKI into your Cisco FlexVPN device. You can usually do this by uploading the CA certificates to the device's certificate store.

2. **Configure Trustpoints**: Next, you'll need to configure trustpoints on your Cisco FlexVPN device for each CA certificate. This involves creating a trustpoint for each CA certificate and specifying the CA certificate's parameters.

crypto pki trustpoint OLD_PKI_CA
 enrollment terminal
 ! "none" skips CRL/OCSP checking; use "crl" or "ocsp" where the CA publishes revocation data
 revocation-check none
 hash sha256
 ! one keypair per trustpoint; the stray TP-self-signed keypair line was removed
 rsakeypair MY_KEYPAIR
!
crypto pki certificate chain OLD_PKI_CA
 certificate ca 01
  <old_PKI_CA_certificate>
  quit
!
crypto pki trustpoint NEW_PKI_CA
 enrollment terminal
 revocation-check none
 hash sha256
 rsakeypair MY_KEYPAIR
!
crypto pki certificate chain NEW_PKI_CA
 certificate ca 01
  <new_PKI_CA_certificate>
  quit

3. **Associate Trustpoints with IKEv2 Profiles**: After configuring trustpoints for both CA certificates, you'll associate each trustpoint with the IKEv2 profiles used for your FlexVPN configurations. This tells the FlexVPN device to trust certificates issued by either CA when establishing IPSec tunnels.


! The two profiles must not share identical match criteria, or IOS cannot tell them apart
crypto ikev2 profile IKEV2_PROFILE_OLD_PKI
 match identity remote address <old_pki_peer_address>
 identity local fqdn <local_FQDN>
 authentication local rsa-sig
 authentication remote rsa-sig
 ! the trustpoint is bound with "pki trustpoint"; it signs with the local cert and verifies the peer's
 pki trustpoint OLD_PKI_CA
 ! rsa-sig authentication is authorized with the "cert" list, not "psk"
 aaa authorization group cert list <aaa_list> <authorization_policy>
 virtual-template 1
!
crypto ikev2 profile IKEV2_PROFILE_NEW_PKI
 match identity remote address <new_pki_peer_address>
 identity local fqdn <local_FQDN>
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint NEW_PKI_CA
 aaa authorization group cert list <aaa_list> <authorization_policy>
 virtual-template 1

By configuring trustpoints for both CA certificates and associating them with the appropriate IKEv2 profiles, your Cisco FlexVPN device will trust certificates issued by either the old or new PKI, allowing IPSec tunnels to be established using certificates from both PKIs during the migration period.

crypto pki certificate map CERT_MAP1 5
 issuer-name co <name of issuer>

match certificate CERT_MAP1

under crypto ikev2 profile CA1.

Repeat this for the second profile.

Hope this helps you.

Good luck

MHM
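A fuller spoke-side layout of the two-profile approach described above, added here as an illustration; it is not configuration from this thread or from Cisco documentation. It assumes a spoke that holds an identity certificate from each PKI, one IKEv2 profile per hub that signs with that PKI's certificate and verifies the hub against that PKI's CA, a certificate map per issuer so the profile is selected by the issuing CA, and a separate IPsec profile and static tunnel per hub. All names, addresses, issuer strings and the AAA list/policy names are placeholders, and the default IKEv2 proposal and policy are assumed.

```cisco
! Constructed example (not from the thread): spoke with one identity certificate
! from OLD_PKI_CA (old hub) and one from NEW_PKI_CA (new hub).
! Everything in <angle brackets> is a placeholder.
!
crypto pki trustpoint OLD_PKI_CA
 enrollment terminal
 ! revocation checking is disabled here only to mirror the thread; prefer "crl" or "ocsp"
 revocation-check none
 hash sha256
 rsakeypair OLD_PKI_KEY
!
crypto pki trustpoint NEW_PKI_CA
 enrollment terminal
 revocation-check none
 hash sha256
 rsakeypair NEW_PKI_KEY
!
! Certificate maps classify the peer's certificate by its issuer, so a hub
! certificate from the other PKI lands in the wrong profile and is rejected
crypto pki certificate map OLD_PKI_MAP 10
 issuer-name co <old_ca_issuer_cn>
!
crypto pki certificate map NEW_PKI_MAP 10
 issuer-name co <new_ca_issuer_cn>
!
! Profile towards the old hub: sign with the old cert, verify against the old CA
crypto ikev2 profile IKEV2_PROFILE_OLD_PKI
 match certificate OLD_PKI_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint OLD_PKI_CA
 aaa authorization group cert list <aaa_list> <ikev2_authorization_policy>
!
! Profile towards the new hub: sign with the new cert, verify against the new CA
crypto ikev2 profile IKEV2_PROFILE_NEW_PKI
 match certificate NEW_PKI_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint NEW_PKI_CA
 aaa authorization group cert list <aaa_list> <ikev2_authorization_policy>
!
crypto ipsec transform-set TS_AES256_SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "set ikev2-profile" takes a single profile, hence one IPsec profile per IKEv2 profile
crypto ipsec profile IPSEC_PROFILE_OLD_PKI
 set transform-set TS_AES256_SHA256
 set ikev2-profile IKEV2_PROFILE_OLD_PKI
!
crypto ipsec profile IPSEC_PROFILE_NEW_PKI
 set transform-set TS_AES256_SHA256
 set ikev2-profile IKEV2_PROFILE_NEW_PKI
!
! Static tunnel to the old hub
interface Tunnel1
 ip address <tunnel1_ip> <tunnel1_mask>
 tunnel source <wan_interface>
 tunnel destination <old_hub_address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_OLD_PKI
!
! Static tunnel to the new hub
interface Tunnel2
 ip address <tunnel2_ip> <tunnel2_mask>
 tunnel source <wan_interface>
 tunnel destination <new_hub_address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_NEW_PKI
```

Only the certificate map is used as the match criterion in each profile, so profile selection is driven by the issuing CA rather than by peer address. Each trustpoint is bound with a plain "pki trustpoint" line, which makes it serve both to sign with the local certificate and to verify the hub's certificate, so neither profile ever accepts a certificate chaining to the other PKI. The hub side, where both profiles would have to share a dynamic virtual-template, is not shown here.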


Dyl8n
Level 1

Thank you both.  We'll give the profiles a try.

Dyl8n
Level 1

Can you provide guidance on the IPsec profile? The IPsec profile is applied to the static tunnels and the virtual template, and it can only associate with one IKEv2 profile. Is the suggested method for the spoke router configuration, i.e. create two different IKEv2 profiles, associate old & new certs with them, tie the IKEv2 profiles to two different IPsec profiles and then apply the respective IPsec profile to two different static tunnels? If that is the case, we can't do it on the hub routers because they use a virtual template, which is the dynamic tunnel for all incoming spoke connections.

We define the router identity cert as the trustpoint in the IKEv2 profile; it is used for certificate authentication. I've tried adding the new or old root CA as an additional trustpoint in the IKEv2 profile on both the spoke (AMD) and MND (hub), and it had no effect. We cannot remove the router identity trustpoint and leave the root CA trustpoint there because the router identity trustpoint is configured on all spokes and other hubs; removing it will break all connections. Using the root CA as the trustpoint also defeats the purpose of using the router identity cert for cert authentication...

Hello,

Post the current running configs of your hub routers and one spoke router.