Page 36 of 72
4.6.3 NAT Traversal
For successful NAT traversal over an IOS-XE NAT device for an IPsec connection between two
IOS-XE peers, the following configuration needs to be used (Also refer to Chapter 7 of [21])–
On an IOS NAT device (router between the IPsec endpoints):
config terminal
ip nat service list <ACL-number> ESP spi-match
access-list <ACL-number> permit <protocol> <local-range> <remote-range>
end
On each IOS peer (IPsec router endpoints):
config terminal
crypto ipsec nat-transparency spi-matching
end
4.6.4 X.509 Certificates
The TOE may be configured by the privileged administrators to use X.509v3 certificates to
authenticate IPsec peers. Both RSA and ECDSA certificates are supported. Creation of these
certificates and loading them on the TOE is covered in the section – “How to Configure
Certificate Enrollment for a PKI” in [22], and a portion of the TOE configuration for use of these
certificates follows below.
4.6.4.1 Creation of the Certificate Signing Request
The certificate signing request for the TOE will be created using the RSA or ECDSA key pair
and the domain name configured in Section 3.3.1 above.
In order for a certificate signing request to be generated, the TOE must be configured with a,
hostname and trustpoint.
1. Enter configure terminal mode:
Device # configure terminal
2. Specify the hostname: hostname name
Device(config)# hostname asrTOE
3. Configure the trustpoint: crypto pki trustpoint trustpoint-name
Device (config)#crypto pki trustpoint ciscotest
4. Configure an enrollment method: enrollment [terminal, url url]
Device (ca-trustpoint)#enrollment url http://192.168.2.137:80
To Next Page
Loading...
Need help?
General
Weight and Dimensions
