Digital Certificates for Fabric IPsec Gateway

Table 1. Digital Certificates for IPsec Authentication product support

Feature

Product

Release introduced

Digital Certificates for IPsec Authentication

5320 Series

Not Supported

5420 Series

Not Supported

5520 Series

Not Supported

5720 Series

Fabric Engine 8.7

Supported on 5720-24MXW and 5720-48MXW

For Fabric Extend over IPsec

7520 Series

Fabric Engine 8.10

For Fabric Extend over IPsec

7720 Series

Fabric Engine 8.10

For Fabric Extend over IPsec

VSP 4900 Series

VOSS 8.3

Supported on VSP4900-12MXU-12XE and VSP4900-24XE

For Fabric Extend over IPsec

VSP 7400 Series

VOSS 8.3

For Fabric Extend over IPsec

Fabric IPsec Gateway supports digital certificates for IPsec authentication of Fabric Extend tunnels. To support different certificates for different IPsec tunnels, you can configure multiple certificate authority (CA) trustpoints and identity subject certificates.

If you are not familiar with digital certificates, see Digital Certificate/PKI for additional background information like digital certificate terminology.

Fabric IPsec Gateway supports multiple CA trustpoints and multiple identity subject certificates. You can use different certificates for different IPsec tunnels. Fabric IPsec Gateway acts like a hub to isolate IPsec domains. To use Public Key Infrastructure (PKI) with IPsec Fabric Extend technology, all devices must acquire the digital-signed certificates. The CA server can be accessed from the devices, a public network, or an internal network. Each device must configure a profile for the CA server. The switch uses Simple Certificate Enrollment Protocol (SCEP) to obtain the trusted, signed certificates.

To use IPsec with Digital Certificates:

Fabric IPsec Gateway supports both online and offline certificate management simultaneously.

Online Certificate Provisioning

The switch uses IPsec Simple Certificate Enrollment Protocol (SCEP) to obtain the CA certificate, and then validates the CA certificate against the certificate chain.

Note

Note

Extreme Networks validated the Fabric IPsec Gateway SCEP implementation with EJBCA CA Server only. Fabric IPsec Gateway SCEP cannot currently use Win CA like digital certificate support in VOSS.

Use trustpoints to manage and track CAs and certificates. The switch can enroll with a trustpoint to obtain an identity certificate. You must configure the CA URL, the CA common name, and select the HTTP request type to configure the CA server trustpoint.

Configure the certificate subject parameters to provide the device distinguished name (DN) and key name for the generated key pair (the private key). If you do not configure a private key, the switch generates one. The switch validates the returned certificate against the trustpoint's CA certificate.

You can remove subject certificates from the CA trustpoint or clean the CA trustpoint only if the subject-label is not configured on an IPsec tunnel.

Offline Certificate Provisioning

Offline certificate management supports switches that cannot communicate with the CA to obtain the identity certificate online by certificate enrollment operation.

The switch generates the certificate signing request (CSR) using the subject DN and the private key that you configure in the CLI. If you do not configure a private key, the switch generates one.

Transfer the CSR to the offline CA to be signed. Retrieve the signed certificate to validate against the original CSR. You must manually transfer all certificates in the certificate chain to the switch. The signed certificate must include the subject-label to map it to a locally-generated CSR for validation.

You must manually download Certificate Revocation List (CRL) files. You can remove offline subject certificates only if the subject-label is not configured on an IPsec tunnel.