Easy VPN Remote RSA Signature Support

Last Updated: November 23, 2011

The Easy VPN Remote RSA Signature Support feature provides support for the Rivest, Shamir, and Adleman (RSA) signatures on Easy VPN remote devices. The support is provided through RSA certificates that can be stored on or off the remote devices.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Easy VPN Remote RSA Signature Support

  • You must have a Cisco Virtual Private Network (VPN) remote device and be familiar with configuring the device.
  • You must have a certification authority (CA) available to your network before you configure this interoperability feature. The CA must support the public key infrastructure (PKI) protocol of Cisco Systems, which is the Simple Certificate Enrollment Protocol (SCEP) (formerly called certificate enrollment protocol [CEP]).
  • You should be familiar with IP Security (IPsec) and PKI and with configuring RSA key pairs and CAs.

Restrictions for Easy VPN Remote RSA Signature Support

  • This feature should be configured only when you configure both IPsec and Internet Key Exchange (IKE) on your network.
  • Easy VPN does not support RSA signature and preshared key authentication at the same time. A router can have one or more RSA signature-authenticated Easy VPN tunnels or preshared key-authenticated Easy VPN tunnels. However, only tunnels with the same authentication method are up at any time.
  • Cisco IOS software does not support CA server public keys that are greater than 2048 bits.

Information About Easy VPN Remote RSA Signature Support

Easy VPN Remote RSA Signature Support Overview

The Easy VPN Remote RSA Signature Support feature allows you to configure RSA signatures on your Easy VPN remote device. The signatures can be stored on or off your remote device.

How to Configure Easy VPN Remote RSA Signature Support

Configuring Easy VPN Remote RSA Signature Support

To enable the RSA signatures, when you are configuring the Easy VPN remote and assigning the configuration to the outgoing interface, you must omit the group command. The content of the first Organizational Unit (OU) field will be used as the group. For information about configuring Cisco Easy VPN remote devices, refer to the Cisco Easy VPN Remote module.

Troubleshooting Easy VPN RSA Signature Support

To troubleshoot your Easy VPN remote RSA signature configuration, you can use the following debug commands. The debug commands can be used in any order or individually.

SUMMARY STEPS

1.    enable

2.    debug crypto ipsec client ezvpn

3.    debug crypto isakmp


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
debug crypto ipsec client ezvpn


Example:

Router# debug crypto ipsec client ezvpn

 

Displays information about the VPN tunnel as it relates to the Easy VPN remote configuration.

 
Step 3
debug crypto isakmp


Example:

Router# debug crypto isakmp

 

Displays messages about IKE events.

 

Additional References

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Security commands

Cisco IOS Security Command Reference

Configuring Internet Key Exchange for IPsec VPNs

Configuring Internet Key Exchange for IPsec VPNs

Deploying RSA keys

Deploying RSA Keys Within a PKI

Certificate Authorities

  • Easy VPN Server
  • Cisco IOS PKI Overview: Understanding and Planning a PKI
  • Deploying RSA Keys Within a PKI
  • Configuring Certificate Enrollment for a PKI

Configuring a Cisco Easy VPN remote device

Cisco Easy VPN Remote

Standards

Standard

Title

None

--

MIBs

MIB

MIBs Link

None

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

None

--

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Easy VPN Remote RSA Signature Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Easy VPN Remote RSA Signature Support

Feature Name

Releases

Feature Information

Easy VPN Remote RSA Signature Support

12.3(7)T1 12.2(33)SRA 12.2(33)SXH

The Easy VPN Remote RSA Signature Support feature provides for the support of Rivest, Shamir, and Adleman (RSA) signatures on Easy VPN remote devices. The support is provided through RSA certificates that can be stored on or off the remote device.

The following sections provide information about this feature:

The following commands were introduced or modified: debug crypto ipsec client ezvpn, debug crypto isakmp.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2011 Cisco Systems, Inc. All rights reserved.