Cisco ISR 4000 Family Routers Administrator Guidance    Page 36 of 66
4. Configure an enrollment method:
   enrollment [terminal, url url]
   Device (ca-trustpoint)# enrollment url http://192.168.2.137:80

5. Configure subject-name settings for the certificate:
   subject-name CN=hostname.domain.com,OU=OU-name
   Device (ca-trustpoint)# subject-name CN=asrTOE.cisco.com,OU=TAC

6. Set revocation check method:
   revocation-check crl
   Device (ca-trustpoint)# revocation-check crl
   Device (ca-trustpoint)# exit

7. Create the certificate signing request:
   crypto pki enroll trustpoint-name
   Device (config)# crypto pki enroll ciscotest
4.6.4.2 Securely Connecting to a Certificate Authority for Certificate Signing
The TOE must communicate with the CA for certificate signing over IPsec; IKE authentication for this tunnel uses pre-shared keys.
Following are sample instructions to configure the TOE to support an IPsec tunnel with AES encryption, with 10.10.10.102 as the IPsec peer IP on the CA and 10.10.10.110 as the local TOE IP.
TOE-common-criteria# configure terminal
TOE-common-criteria(config)# crypto isakmp policy 1
TOE-common-criteria(config-isakmp)# encryption aes
TOE-common-criteria(config-isakmp)# authentication pre-share
TOE-common-criteria(config-isakmp)# group 14
TOE-common-criteria(config-isakmp)# lifetime 86400
TOE-common-criteria(config)# crypto isakmp key [insert 22 character preshared key] address 10.10.10.101
TOE-common-criteria(config)# crypto ipsec transform-set sampleset esp-aes esp-sha-hmac
TOE-common-criteria(cfg-crypto-trans)# mode tunnel
TOE-common-criteria(config)# crypto map sample 19 ipsec-isakmp
TOE-common-criteria(config-crypto-map)# set peer 10.10.10.102
TOE-common-criteria(config-crypto-map)# set transform-set sampleset
TOE-common-criteria(config-crypto-map)# set pfs group14
TOE-common-criteria(config-crypto-map)# match address 170
TOE-common-criteria(config-crypto-map)# exit
TOE-common-criteria(config)# interface g0/0
TOE-common-criteria(config-if)# ip address 10.10.10.110 255.255.255.0
TOE-common-criteria(config-if)# crypto map sample
TOE-common-criteria(config-if)# exit
TOE-common-criteria(config)# access-list 170 permit ip 10.10.10.0 0.255.255.255 10.10.10.0 0.255.255.255
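As an added defender-side example that is not part of the Cisco guide, the following Python checker parses an IOS crypto configuration modelled on the sample above (a constructed copy, with the pre-shared key address left at 10.10.10.101 while the crypto map peer is 10.10.10.102) and flags a peer with no matching pre-shared key address, a pre-shared key shorter than the 22 characters the placeholder calls for, and an access-list wildcard that does not agree with its network address.

```python
import ipaddress
import re

# Constructed sample modelled on the guide's IPsec-to-CA configuration.
# The key address and the crypto map peer deliberately differ, and the
# access-list wildcard 0.255.255.255 does not fit the network 10.10.10.0.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key 0123456789abcdefghijkl address 10.10.10.101
crypto ipsec transform-set sampleset esp-aes esp-sha-hmac
 mode tunnel
crypto map sample 19 ipsec-isakmp
 set peer 10.10.10.102
 set transform-set sampleset
 set pfs group14
 match address 170
access-list 170 permit ip 10.10.10.0 0.255.255.255 10.10.10.0 0.255.255.255
"""


def check_ipsec_config(config: str) -> list:
    """Return a list of findings for an IOS IKEv1/IPsec configuration."""
    findings = []
    keys = re.findall(r"^crypto isakmp key (\S+) address (\S+)", config, re.M)
    key_addrs = {addr for _, addr in keys}
    # Every crypto map peer needs a pre-shared key bound to that address.
    for peer in re.findall(r"^\s*set peer (\S+)", config, re.M):
        if peer not in key_addrs:
            findings.append(f"peer {peer} has no matching 'crypto isakmp key ... address' entry")
    # The guide's placeholder asks for a 22-character pre-shared key.
    for key, addr in keys:
        if len(key) < 22:
            findings.append(f"pre-shared key for {addr} is shorter than 22 characters")
    # ACL sanity: a set bit in the address under a wildcard "don't care" bit
    # means address and mask disagree (10.10.10.0 with 0.255.255.255).
    # Only the address/wildcard form is parsed; 'any' and 'host' are skipped.
    acl_re = r"^access-list (\d+) permit ip (\d+\.\S+) (\S+) (\d+\.\S+) (\S+)"
    for acl, src, smask, dst, dmask in re.findall(acl_re, config, re.M):
        for addr, wild in ((src, smask), (dst, dmask)):
            a = int(ipaddress.IPv4Address(addr))
            w = int(ipaddress.IPv4Address(wild))
            if a & w:
                findings.append(f"access-list {acl}: {addr} has bits set inside wildcard {wild}")
    return findings


if __name__ == "__main__":
    for finding in check_ipsec_config(SAMPLE_CONFIG):
        print(finding)
```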