IPSec: ISAKMP RSA authentication Question


I need some help with the usage of RSA certificates in IPSec. The question is: what fields are checked during ISAKMP RSA authentication (e.g. certificate subject and peer identity)?


I use a very simple topology:


I try to establish an IPSec tunnel between R1 and R3 using RSA signatures (the default method) for ISAKMP authentication. The certificates are issued by a fourth router acting as a PKI server and are manually inserted in R1 and R3.

IPSec communication is established correctly between R1 and R3. What I cannot understand is that even when I change the R3 IP address from -> and the hostname from R3 -> R33 (without getting a new certificate), IPSec is still correctly established!!!

-What does ISAKMP authentication do when certificates are used???

-What are the fields that each peer checks?

I would assume that the router extracts the IP address or the FQDN from the subject of its peer's certificate, then proceeds to check whether these values are indeed equal to the identity supplied by the peer.
(Unfortunately it did not work as I expected in my case.)

The crypto related config for the routers is:


ip domain name ssl.com
ip host R3.ssl.com

crypto pki trustpoint CA_ROOT
 enrollment terminal
 usage ike
 serial-number none
 subject-name C=US, O=ssl.com, OU=bull
 revocation-check none

crypto isakmp policy 10
 hash md5

crypto ipsec transform-set myset esp-null esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set transform-set myset
 match address 102
 set peer (after the change)


ip domain name ssl.com
ip host R1.ssl.com

crypto pki trustpoint CA_ROOT
 enrollment terminal
 usage ike
 serial-number none
 subject-name C=US, O=ssl.com, OU=bull
 revocation-check none

crypto isakmp policy 10
 hash md5

crypto ipsec transform-set myset esp-null esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer
 set transform-set myset
 match address 102

The certificate in R3 remains the same with subject:

    Name: R3.ssl.com
    IP Address:

Any help is welcomed!!!


  • Hello again


    The only way I managed to make the previous setup work as I expected, namely

    -Successful IPsec connectivity initially

    -Lack of connectivity when the IP or the hostname of R3 changed (without getting a new certificate)

    was by using a certificate map in R1. That map defined the expected subject of the peer's certificate.


    Is this the way that certificate based authentication is supposed to work?


    When ISAKMP uses RSA signatures for authentication, should both peers employ certificate maps to verify that the identity described in the subject of the supplied certificates indeed matches the identities of the peers??




  • If you are using X.509 certs for authentication, then the router will accept any peer with a "trusted" certificate. Here, trusted means:

    1) We can track the certificate trust chain down to a trusted CA

    2) The certificate is not revoked when we check the CRL

    Also, when used with ezVPN, IOS will match the "ou" field (by default) against the configured group names to find the proper configuration.

    If you need more granular control, use certificate-based ACLs (like you did):
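
    The "certificate map" mentioned in the question and the "certificate-based ACL" mentioned in the reply, as an added configuration example for R1 (not taken from any post in this thread). The map name PEER_R3, the profile name R3_ONLY and the peer address 192.0.2.3 are assumptions; the subject attributes come from the certificate shown in the question.

```cisco
! R1: a certificate that chains to CA_ROOT is no longer enough on its own;
! it must also carry the attributes expected for R3. Names are assumed.
crypto pki certificate map PEER_R3 10
 ! "co" is a case-insensitive substring match; every line in sequence 10
 ! must match the same certificate for the map to match.
 subject-name co o = ssl.com
 subject-name co ou = bull
 ! The hostname the router placed in the subject (Name: R3.ssl.com).
 ! A re-enrolled cert for "R33" would fail this line.
 subject-name co r3.ssl.com
!
! Option A (certificate-based ACL): reject, at validation time, any peer
! certificate presented via this trustpoint that does not match the map.
crypto pki trustpoint CA_ROOT
 enrollment terminal
 usage ike
 serial-number none
 subject-name C=US, O=ssl.com, OU=bull
 revocation-check none
 match certificate PEER_R3
!
! Option B: tie the map to an ISAKMP profile and bind the profile to the
! crypto map entry, so only a PEER_R3-matching peer can negotiate it.
crypto isakmp profile R3_ONLY
 ca trust-point CA_ROOT
 match certificate PEER_R3
!
crypto map vpn 10 ipsec-isakmp
 ! 192.0.2.3 is a documentation-range placeholder for R3's address
 set peer 192.0.2.3
 set transform-set myset
 match address 102
 set isakmp-profile R3_ONLY
```

    Either option alone gives the behaviour described in the follow-up (tunnel up with the original certificate, failure after the hostname changes); check with `show crypto isakmp sa` and `show crypto pki certificates`. Note that substring matching on "r3.ssl.com" also accepts a subject containing "xr3.ssl.com", so match on the most specific attribute available.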






  • Sorry for my late reply

    First, thanks for your answer Petr; what you said is consistent with the behaviour I have seen in my setup.

    As this is one of my first attempts to play around with CA signatures in IPSec, I want to make sure that I got it right.

    If a router tries to establish an ISAKMP SA with another peer and the X.509 certificate it receives is trusted, it considers the authentication successful (it does not proceed to check whether the identity provided by the peer matches the subject of the certificate that this peer provides).


    So if we want to establish a VPN only with a specific peer we must employ other mechanisms like identity maps?



    I am asking because I have read in the book "Cisco Press Comparing, Designing, and Deploying VPNs", chapter 6, that if an IP address is included in a certificate and this IP address changes, the authentication will fail. (This was not what I observed in my case; that's why I am writing.)


