Scaling Cisco VPNs with MCS

Scaling Cisco VPNs with MCS

Scaling Cisco VPNs with MCS
Tom Lancaster

One of the preferred ways to handle authentication of a large number of VPN tunnels is by using a Certificate Authority or CA. While some organizations prefer to use an external company like Entrust for CA services, others prefer to setup their own CA, which can be very cost effective. The trade-off of course, is that they have to maintain the server and software.

Naturally, Microsoft's Certificate Services is a popular choice for many companies, but it does have a quirk, I mean "feature", that can cause problems in Cisco routers that don't have a lot of memory. This feature revolves around Microsoft's use of Registration Authorities, which act much like a proxy server for the CA. They require both IPSec peers to have the CA and RA public keys. This in turn means that the Cisco router must store it's own certificate, the CA's certificate and two Registration Authority certificates, along with multiple Certificate Revocation Lists. Because these certificates, CRLs and other VPN related information are all stored in a router's NVRAM, which is typically quite small, they can become problematic if they grow too large.

One solution to this problem is to have the router request certificates and CRLs from an external device instead of storing them locally. While this allows you to scale and ensures you won't be constrained by an old router's memory, it also means you need to make sure your

    Requires Free Membership to View

    Login

    By submitting your registration information to SearchNetworking.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchNetworking.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

CA and RA are as available and reliable as your VPN.

To configure a Cisco router to request this information from a CA or RA, use the command

crypto ca certificate querry

If you want a really elegant solution, you can use an LDAP server (e.g. Active Directory) instead. To tell the Cisco router to request the information from an LDAP server, use the CA-config command

querry url <url>

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in May 2002

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top