Scaling Cisco VPNs with MCS
One of the preferred ways to handle authentication of a large number of VPN tunnels is by using a Certificate Authority or CA. While some organizations prefer to use an external company like Entrust for CA services, others prefer to setup their own CA, which can be very cost effective. The trade-off of course, is that they have to maintain the server and software.
Naturally, Microsoft's Certificate Services is a popular choice for many companies, but it does have a quirk, I mean "feature", that can cause problems in Cisco routers that don't have a lot of memory. This feature revolves around Microsoft's use of Registration Authorities, which act much like a proxy server for the CA. They require both IPSec peers to have the CA and RA public keys. This in turn means that the Cisco router must store it's own certificate, the CA's certificate and two Registration Authority certificates, along with multiple Certificate Revocation Lists. Because these certificates, CRLs and other VPN related information are all stored in a router's NVRAM, which is typically quite small, they can become problematic if they grow too large.
One solution to this problem is to have the router request certificates and CRLs from an external device instead of storing them locally. While this allows you to scale and ensures you won't be constrained by an old router's memory, it also means you need to make sure your CA and RA are as available and reliable as your VPN.
To configure a Cisco router to request this information from a CA or RA, use the command
crypto ca certificate querry
If you want a really elegant solution, you can use an LDAP server (e.g. Active Directory) instead. To tell the Cisco router to request the information from an LDAP server, use the CA-config command
querry url <url>
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.