Cisco ISR 4000 Family Routers Administrator Guidance
Page 35 of 66
Additional information regarding configuration of IPsec can be found in [8]. The IPsec
commands are dispersed within the Security Command References.
This functionality is available only to the Privileged Administrator: configuration of
VPN settings is restricted to that role.
4.6.3 NAT Traversal
For an IPsec connection between two IOS-XE peers to traverse an IOS-XE NAT device successfully,
the following configuration must be used (also refer to Chapter 7 of [18]):
On an IOS NAT device (router between the IPsec endpoints):
config terminal
ip nat service list <ACL-number> ESP spi-match
access-list <ACL-number> permit <protocol> <local-range> <remote-range>
end
On each IOS peer (IPsec router endpoints):
config terminal
crypto ipsec nat-transparency spi-matching
end
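To show why both parts of the configuration above are needed (SPI matching on the NAT device and SPI matching on the endpoints), the following Python script is an added example for this page; it is not Cisco code and not part of the guidance. It models a NAT device that keys ESP translations on the SPI, as the ip nat service list ... ESP spi-match command does, and two IPsec endpoints behind it that either do or do not negotiate matching inbound/outbound SPIs. The addresses, SPI values, the ACL model and the class and function names (EspNat, negotiate_spis, run_scenario) are all constructed for this illustration, and the NAT behaviour is deliberately simplified relative to real IOS-XE NAT.

```python
"""Toy model of ESP-aware NAT, with and without IPsec SPI matching.

Constructed illustration, not Cisco IOS-XE code.  ESP (IP protocol 50) has no
port numbers, so a NAT device cannot tell two inside hosts apart by the usual
5-tuple once their packets share one public address.  With
'ip nat service list <acl> ESP spi-match' the NAT keys the translation on the
ESP SPI instead; return traffic can then only be matched when both peers use
the same SPI value in each direction, which is what
'crypto ipsec nat-transparency spi-matching' negotiates on the endpoints.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ESP = 50  # IP protocol number carried in the outer IP header


@dataclass(frozen=True)
class EspPacket:
    src: str
    dst: str
    spi: int
    proto: int = ESP


class EspNat:
    """NAT device with one public address that translates ESP by SPI."""

    def __init__(self, public_ip: str, acl: set[tuple[str, str]]) -> None:
        self.public_ip = public_ip
        self.acl = acl  # (inside host, outside peer) pairs the service-list ACL permits
        self.table: dict[tuple[int, str], str] = {}  # (spi, peer) -> inside host

    def outbound(self, pkt: EspPacket) -> Optional[EspPacket]:
        """Inside -> outside: create a translation keyed on (SPI, peer)."""
        if pkt.proto != ESP or (pkt.src, pkt.dst) not in self.acl:
            return None  # not ESP, or not permitted by the ACL: no translation
        self.table[(pkt.spi, pkt.dst)] = pkt.src
        return EspPacket(self.public_ip, pkt.dst, pkt.spi)

    def inbound(self, pkt: EspPacket) -> Optional[EspPacket]:
        """Outside -> inside: deliver only if the SPI matches a known translation."""
        if pkt.proto != ESP or pkt.dst != self.public_ip:
            return None
        inside = self.table.get((pkt.spi, pkt.src))
        if inside is None:
            return None  # unknown SPI from this peer: dropped
        return EspPacket(pkt.src, inside, pkt.spi)


def negotiate_spis(host: str, spi_matching: bool) -> tuple[int, int]:
    """Return (outbound_spi, inbound_spi) for one inside host's SA pair.

    Deterministic stand-in for IKE's SPI selection (constructed values).  With
    SPI matching both peers agree on one SPI value for both directions; without
    it each peer chooses its own inbound SPI, so the two generally differ.
    """
    out_spi = 0x1000 + int(host.rsplit(".", 1)[1])
    in_spi = out_spi if spi_matching else out_spi ^ 0xABCD
    return out_spi, in_spi


def run_scenario(spi_matching: bool) -> dict[str, bool]:
    """Two inside hosts reach the same remote peer through one NAT address.

    Returns, per inside host, whether the peer's ESP reply was delivered.
    """
    peer = "192.0.2.5"
    hosts = ["10.1.1.10", "10.1.1.11"]
    nat = EspNat("203.0.113.1", acl={(h, peer) for h in hosts})
    delivered: dict[str, bool] = {}
    for host in hosts:
        out_spi, in_spi = negotiate_spis(host, spi_matching)
        translated = nat.outbound(EspPacket(host, peer, out_spi))
        assert translated is not None and translated.src == nat.public_ip
        # The peer replies on the SA it sends on, i.e. with our inbound SPI.
        reply = nat.inbound(EspPacket(peer, nat.public_ip, in_spi))
        delivered[host] = reply is not None and reply.dst == host
    return delivered


if __name__ == "__main__":
    print("with spi-matching:   ", run_scenario(True))
    print("without spi-matching:", run_scenario(False))
```

With SPI matching, both inside hosts receive their peer's replies; without it, the NAT holds translations only for the outbound SPIs and the replies are dropped. The practical checks this points at are that the ACL referenced by ip nat service list must permit the ESP traffic between the actual peer addresses, and that crypto ipsec nat-transparency spi-matching must be present on both IPsec endpoints, not just one.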
4.6.4 X.509 Certificates
The TOE may be configured by the privileged administrators to use X.509v3 certificates to
authenticate IPsec peers. RSA certificates are supported.
Creation of these certificates and loading them on the TOE are covered in [9]; a portion of the
TOE configuration for use of these certificates follows below.
4.6.4.1 Creation of the Certificate Signing Request
The certificate signing request for the TOE will be created using the RSA or ECDSA key pair
and the domain name configured in Section 3.3.1 above.
In order for a certificate signing request to be generated, the TOE must be configured with a
hostname and a trustpoint.
1. Enter configure terminal mode:
Device# configure terminal
2. Specify the hostname: hostname name
Device(config)# hostname asrTOE
3. Configure the trustpoint: crypto pki trustpoint trustpoint-name
Device(config)# crypto pki trustpoint ciscotest