IPsec deprecated commands

These commands are deprecated. You can still use them to generate certificates, but they are not supported any longer and may be removed without prior notice.

Defining identity parameters

Using X509 certificates requires defining a Turbo IPsec identity. Using pre-shared keys does not require an identity. Several identities may be defined on a single Turbo IPsec, each one identified by a name. The configuration commands for defining identity parameters have to be entered in the root context.

To set up an identity or enter an existing identity context, use the following command:

router{}id idname

Once the id command is entered, the CLI enters an interactive mode to define the different parameters of the identity. Another way to define an identity is to enter an id command with all parameters on a single line.

The parameters to be configured are:

idname
Name for the identity parameters.
fqdn
(Fully Qualified Domain Name) is the DNS name that will be used as IKE FQDN identifier and defined as DNS SubjectAltName extension in certificates.
user-fqdn
(User Fully Qualified Domain Name) is the email address that will be used as IKE user-fqdn identifier and defined as email SubjectAltName extension in certificates.
country, state, locality, organization, unit, commonname, and email
are respectively the C, ST, L, O, OU, CN and E sub-fields of the ASN.1 Distinguished Name that will be used as IKE Distinguished Name identifier and defined as the Subject field in certificates. It is mandatory to define at least one of these fields to use certificates (typically the commonname should be defined). There is no need to define the Distinguished Name when using only pre-shared-key based VPNs.

If the parameter value includes blank characters, it has to be entered between quotes. You can assign a parameter value or leave the parameter undefined using the none value. The none value is the default.

It is mandatory to define the Distinguished Name to create certificates, and highly recommended to define at least fqdn for use with pre-shared keys.

The list of available identities can be displayed using the following command:

router{}display id

Example

The following example shows how it can be done using the interactive and non-interactive methods.

router{}id myidentity 6OS.6wind.net admin.6OS@6wind.fr FR none Paris "6WIND SA" "Test unit" "Technical Team" test_unit.6OS@6wind.fr

router{}id myidentity
enter exit to abort the command
enter fqdn (a string or 'none')[none]: 6OS.6wind.net
enter user-fqdn ( a string or 'none')[none]: admin.6OS@6wind.fr
enter country ( a string or 'none')[none]: FR
enter state ( a string or 'none')[none]:
enter locality ( a string or 'none')[none]: Paris
enter organization ( a string or 'none')[none]: "6WIND SA"
enter unit ( a string or 'none')[none]: "Test unit"
enter commonname ( a string or 'none')[none]: "Technical Team"
enter email ( a string or 'none')[none]: test_unit.6OS@6wind.fr
router{}

Generating and importing certificates

To configure a certificate, Turbo IPsec must interface to a third party PKI. Turbo IPsec uses standard file transfer protocols to send certificate requests and import certificates from the third party certificate generator tool.

Transferring, installing and uninstalling certificates on a device are done at the root level. As Turbo IPsec instances may belong to different communities, several certificates can be installed. Conversely, different configurations may use the same certificate.

At the configuration level, the identity to be used and the CAs to be trusted are defined. The vpn command specifies the right certificate to be used by indicating which CA the VPN depends on.

Caution

When using certificates, the user has to pay attention to the validity date of the certificate and the current Turbo IPsec date and time configuration.

Installing and uninstalling CA certificates and certificates

Turbo IPsec needs identity information to be recognized by the CA and other IPsec devices.

Three identifier types are supported:

a DNS name (also called FQDN in IKE protocol)

an email address (also called user-fqdn in IKE protocol)

an ASN.1 Distinguished Name

The configuration of a new certificate proceeds as follows:

  1. First of all, a CA (Certification Authority) must be defined using the following command:
router{}ca CANAME CAURL
CANAME
Identifies the Certification Authority name.
CAURL
Defines the Certification Authority URL.
  2. Installing a CA certificate is done using the following command:
router{}import ca-cert (all|CANAME) [FILENAME]

The CA certificate will be loaded using the URL mentioned in the ca CANAME command. CANAME selects the CA whose certificate is imported (all imports the certificates of every defined CA); FILENAME is the remote CA certificate file to be imported. If the remote file name is omitted, Turbo IPsec imports the CANAME.cer file.

When the command has been successfully executed, a new CA certificate appears in the certificate list managed by Turbo IPsec. This can be verified using the following command:

router{}display ca-cert
  3. To get a certificate, Turbo IPsec has to generate a key pair and a certificate request to the CA.
router{}cert-req idname caname

This command generates two files, one containing the private key and the other the certificate request. The certificate request file is named idname@caname.req.

The request file must then be transferred to the appropriate CA remote host using the export command.

router{}export cert-req idname caname [certreqremotename]

export cert-req sends a certificate request file to the certification authority previously defined with the ca command. If the remote certificate file name is not specified, the request is exported under the name idname.cer.

The list of available certificate requests can be displayed using the following command:

router{}display cert-req
  4. Once the certificate tool has received the Turbo IPsec request, it has all the information needed to generate the certificate. See the documentation of the tool you are using to generate a certificate in PEM format.
  5. Then, the generated certificate must be loaded on Turbo IPsec using the command:
router{}import cert idname caname [certremotename]

idname defines the identity name.

caname identifies the CA name.

certremotename is the certificate file to be imported.

When the command has been successfully executed, a new certificate appears in the certificate list managed in Turbo IPsec. This can be verified using the following command:

router{}display cert
  6. To make the certificate usable by a configuration, an identity and a trusted CA have to be chosen using the following two commands, entered in the sec context of a configuration.
router{conf:myconfig-sec}ike_id idname
router{conf:myconfig-sec}trust caname

Note

Be sure that the CA certificate corresponding to the trusted CA name has been imported (cf. the import ca-cert command above).
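The steps above leave the certificate itself to a third-party PKI tool. The following added example, which is not part of the 6WIND documentation or product, plays that PKI role with the openssl command line: it creates a demo CA, builds a request carrying the same Distinguished Name and DNS/email SubjectAltName values as the myidentity example, signs it in PEM format, and runs the checks an operator wants before importing the result, including the validity-window check behind the Caution above. All file names, the CA name and the 30-day lifetime are constructed for the demo; it assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example (not 6WIND's code): act as the third-party PKI with openssl.
# Assumption: the openssl CLI is available; every file name below is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed demo CA, the counterpart of the `ca CANAME CAURL` definition.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=FR/O=Example CA/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cer" >/dev/null 2>&1
}

# Request carrying the identity fields of the page's example: DN sub-fields
# C, L, O, OU, CN, E plus the fqdn (DNS) and user-fqdn (email) SANs.
make_request() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C  = FR
L  = Paris
O  = 6WIND SA
OU = Test unit
CN = Technical Team
emailAddress = test_unit.6OS@6wind.fr
[ext]
subjectAltName = DNS:6OS.6wind.net,email:admin.6OS@6wind.fr
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/myidentity.key" -out "$WORK/myidentity@myca.req" >/dev/null 2>&1
}

# Sign the request with the CA (PEM output), copying the SAN extension
# from the request configuration into the issued certificate.
sign_request() {
  openssl x509 -req -in "$WORK/myidentity@myca.req" \
    -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/req.cnf" -extensions ext \
    -out "$WORK/myidentity.cer" >/dev/null 2>&1
}

# Pre-import checks: the certificate chains to the trusted CA ...
verify_chain() {
  openssl verify -CAfile "$WORK/ca.cer" "$WORK/myidentity.cer" >/dev/null 2>&1
}
# ... the IKE identifier (DNS or email SAN) given as $1 is really present ...
cert_has_san() {
  openssl x509 -in "$WORK/myidentity.cer" -noout -ext subjectAltName | grep -q "$1"
}
# ... and the validity window still covers "now" plus $1 days of margin
# (-checkend exits 0 only if the certificate is still valid after N seconds).
cert_valid_for_days() {
  openssl x509 -in "$WORK/myidentity.cer" -noout -checkend $(( $1 * 86400 )) >/dev/null
}
```

Run make_ca, make_request and sign_request in that order, then the three check functions; cert_valid_for_days fails for any margin longer than the remaining lifetime, which is the condition the Caution warns about when the device clock or the certificate dates are wrong.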