Feature |
Product |
Release introduced |
---|---|---|
Digital Certificates for IPsec Authentication |
5320 Series |
Not Supported |
5420 Series |
Not Supported |
|
5520 Series |
Not Supported |
|
5720 Series |
Fabric Engine 8.7 Supported on 5720-24MXW and 5720-48MXW For Fabric Extend over IPsec |
|
7520 Series |
Fabric Engine 8.10 For Fabric Extend over IPsec |
|
7720 Series |
Fabric Engine 8.10 For Fabric Extend over IPsec |
|
VSP 4900 Series |
VOSS 8.3 Supported on VSP4900-12MXU-12XE and VSP4900-24XE For Fabric Extend over IPsec |
|
VSP 7400 Series |
VOSS 8.3 For Fabric Extend over IPsec |
Fabric IPsec Gateway supports digital certificates for IPsec authentication of Fabric Extend tunnels. To support different certificates for different IPsec tunnels, you can configure multiple certificate authority (CA) trustpoints and identity subject certificates.
If you are not familiar with digital certificates, see Digital Certificate/PKI for additional background information like digital certificate terminology.
Fabric IPsec Gateway supports multiple CA trustpoints and multiple identity subject certificates. You can use different certificates for different IPsec tunnels. Fabric IPsec Gateway acts like a hub to isolate IPsec domains. To use Public Key Infrastructure (PKI) with IPsec Fabric Extend technology, all devices must acquire the digital-signed certificates. The CA server can be accessed from the devices, a public network, or an internal network. Each device must configure a profile for the CA server. The switch uses Simple Certificate Enrollment Protocol (SCEP) to obtain the trusted, signed certificates.
To use IPsec with Digital Certificates:
Configure the Fabric Extend tunnels.
Configure the authentication method as RSA-signature. For more information, see Configure Public Key Infrastructure for IPsec Tunnels.
Configure certificate information in Fabric IPsec Gateway.
Fabric IPsec Gateway supports both online and offline certificate management simultaneously.
The switch uses IPsec Simple Certificate Enrollment Protocol (SCEP) to obtain the CA certificate, and then validates the CA certificate against the certificate chain.
Note
Extreme validated the Fabric IPsec Gateway SCEP implementation with EJBCA CA Server only. Fabric IPsec Gateway SCEP cannot currently use Win CA like digital certificate support in VOSS.
Use trustpoints to manage and track CAs and certificates. The switch can enroll with a trustpoint to obtain an identity certificate. You must configure the CA URL, the CA common name, and select the HTTP request type to configure the CA server trustpoint.
Configure the certificate subject parameters to provide the device distinguished name (DN) and key name for the generated key pair (the private key). If you do not configure a private key, the switch generates one. The switch validates the returned certificate against the trustpoint's CA certificate.
You can remove subject certificates from the CA trustpoint or clean the CA trustpoint only if the subject-label is not configured on an IPsec tunnel.
Offline certificate management supports switches that cannot communicate with the CA to obtain the identity certificate online by certificate enrollment operation.
The switch generates the certificate signing request (CSR) using the subject DN and the private key that you configure in the CLI. If you do not configure a private key, the switch generates one.
Transfer the CSR to the offline CA to be signed. Retrieve the signed certificate to validate against the original CSR. You must manually transfer all certificates in the certificate chain to the switch. The signed certificate must include the subject-label to map it to a locally-generated CSR for validation.
You must manually download Certificate Revocation List (CRL) files. You can remove offline subject certificates only if the subject-label is not configured on an IPsec tunnel.