Chapter 37
Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com
Figure 37-4 Certificate authority
To add a new IPsec switch to the network, you need only configure that new switch to request a
certificate from the CA, instead of making multiple key configurations with all the other existing IPsec
switches.
How CA Certificates Are Used by IPsec Devices
When two IPsec switches want to exchange IPsec-protected traffic passing between them, they must first
authenticate each other—otherwise, IPsec protection cannot occur. The authentication is done with IKE.
IKE can use two methods to authenticate the switches: preshared keys without a CA, or RSA key pairs
with a CA. Both methods require that keys be preconfigured between the two switches.
Without a CA, a switch authenticates itself to the remote switch using RSA-encrypted preshared
keys.
With a CA, a switch authenticates itself to the remote switch by sending a certificate to the remote switch
and performing some public key cryptography. Each switch must send its own unique certificate that was
issued and validated by the CA. This process works because the certificate of each switch encapsulates
the public key of the switch, each certificate is authenticated by the CA, and all participating switches
recognize the CA as an authenticating authority. This scheme is called IKE with an RSA signature.
Your switch can continue sending its own certificate for multiple IPsec sessions, and to multiple IPsec
peers until the certificate expires. When the certificate expires, the switch administrator must obtain a
new one from the CA.
CAs can also revoke certificates for devices that will no longer participate in IPsec. Revoked certificates
are not recognized as valid by other IPsec devices. Revoked certificates are listed in a certificate
revocation list (CRL), which each peer may check before accepting a certificate from another peer.
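As an added illustration that is not part of this guide, the peer-side checks just described, modeled with the Python cryptography library on a constructed sample PKI: the CA issues each switch a certificate over that switch's public key and publishes a CRL, and a peer accepts a certificate only if the CA's signature verifies, the certificate is inside its validity window, and its serial number is absent from a CRL that the CA itself signed. Names such as example-ca and switch-a.example.net are made up for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(issuer_cn, issuer_key, subject_cn, subject_key, serial, is_ca=False):
    # The issuer signs a certificate binding subject_cn to subject_key's public key (valid 1 year).
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
               .public_key(subject_key.public_key()).serial_number(serial)
               .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

def make_crl(ca_cn, ca_key, revoked_serials):
    # The CA publishes a CRL listing the serial numbers of the certificates it has revoked.
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(_name(ca_cn))
               .last_update(now).next_update(now + timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())

def validity_window(cert):  # the *_utc properties exist only in newer cryptography releases
    try: return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError: return (cert.not_valid_before.replace(tzinfo=timezone.utc), cert.not_valid_after.replace(tzinfo=timezone.utc))

def peer_accepts(ca_cert, crl, peer_cert, now=None):
    # What the receiving peer checks before trusting a certificate it was sent: the recognized CA's
    # signature verifies, the certificate is unexpired, and its serial is not on the CA-signed CRL.
    now = now or datetime.now(timezone.utc)
    try:
        ca_cert.public_key().verify(peer_cert.signature, peer_cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), peer_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False  # not issued by the CA this peer recognizes
    not_before, not_after = validity_window(peer_cert)
    if not (not_before <= now <= not_after):
        return False  # expired (or not yet valid): the administrator must obtain a new one
    return (crl.is_signature_valid(ca_cert.public_key())
            and crl.get_revoked_certificate_by_serial_number(peer_cert.serial_number) is None)

# Constructed sample PKI: one CA, two switches; switch-b's certificate is then revoked.
CA_KEY, SWITCH_A_KEY, SWITCH_B_KEY = (rsa.generate_private_key(65537, 2048) for _ in range(3))
CA_CERT = issue("example-ca", CA_KEY, "example-ca", CA_KEY, 1, is_ca=True)
SWITCH_A_CERT = issue("example-ca", CA_KEY, "switch-a.example.net", SWITCH_A_KEY, 1001)
SWITCH_B_CERT = issue("example-ca", CA_KEY, "switch-b.example.net", SWITCH_B_KEY, 1002)
CRL = make_crl("example-ca", CA_KEY, [1002])
```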
Certificate support for IKE has the following considerations:
• The switch FQDN (host name and domain name) must be configured before installing certificates for IKE.
• Only those certificates that are configured for IKE or general usage are used by IKE.
• The first IKE or general usage certificate configured on the switch is used as the default certificate by IKE.
• The default certificate is for all IKE peers unless the peer specifies another certificate.
OL-18084-01, Cisco MDS NX-OS Release 4.x
Dynamically Authenticating Devices with a CA
IPsec Digital Certificate Support
Cisco MDS 9000 Family CLI Configuration Guide
37-9