Cisco Systems OL-24124-01 manual 17-10

Page 10

Chapter 17 Configuring Virtual Private Networks

Configuring ASA for VPN client on IP phone

CallManager - Authenticating the Cisco UCM during TLS handshake (Only required for mixed-mode clusters)

Cisco_Manufacturing_CA - Authenticating IP phones with a Manufacturer Installed Certificate (MIC).

CAPF - Authenticating IP phones with an LSC.

To import these Cisco Unified Communications Manager certificates

a.From the Cisco Unified Communications Manager OS Administration web page.

b.Choose Security > Certificate Management. (Note: This location may change based on the UCM version)

c.Find the certificates Cisco_Manufacturing_CA and CAPF. Download the .pem file and save as .txt file

d.Create trustpoint on the IOS

Example:

hostname(config)# crypto pki trustpoint trustpoint_name

hostname(config-ca-trustpoint)# enrollment terminal

hostname(config)# crypto pki authenticate trustpoint

When prompted for base 64 encoded CA Certificate, copy-paste the text in the downloaded

.pem file along with the BEGIN and END lines. Repeat the procedure for the other certificates

e.You should generate the following IOS self-signed certificates and register them with Cisco Unified Communications Manager, or replace with a certificate that you import from a CA.

Generate a self-signed certificate.

Example:

Router> enable

Router# configure terminal

Router(config)# crypto key generate rsa general-keys label <name> <exportable

-optional>

Router(config)# crypto pki trustpoint <name>

Router(ca-trustpoint)# enrollment selfsigned

Router(ca-trustpoint)#rsakeypair <name> 1024 1024

Router(ca-trustpoint)#authorization username subjectname commonname

Router(ca-trustpoint)#crypto pki enroll <name>

Router(ca-trustpoint)# end

Generate a self-signed certificate with Host-id check enabled on the VPN profile in Cisco Unified Communications Manager.

Example:

Router> enable

Router# configure terminal

Router(config)# crypto key generate rsa general-keys label <name> <exportable -optional>

Router(config)# crypto pki trustpoint <name>

Router(ca-trustpoint)# enrollment selfsigned

Router(config-ca-trustpoint)# fqdn <full domain name>

Router(config-ca-trustpoint)# subject-nameCN=<full domain name>, CN=<IP>

Router(ca-trustpoint)#authorization username subjectname commonname

Router(ca-trustpoint)#crypto pki enroll <name>

Router(ca-trustpoint)# end

Register the generated certificate with Cisco Unified Communications Manager.

Example:

Router(config)# crypto pki export <name> pem terminal

 

Cisco Unified Communications Manager Security Guide

17-10

OL-24124-01

Page 9 Page 11
Image 10
Page 9 Page 11
Contents Supported Devices Configuring the VPN Feature17-1 Configuration Steps 17-2Configuring IOS for VPN client on IP phone IOS configuration requirements17-3 Routerconfig# ip route destip mask gatewayip 17-4Sample IOS configuration summary 17-517-6 Aaa new-model17-7 Hidekeys17-8 Configuring ASA for VPN client on IP phone ASA configuration requirements17-9 17-10 Sample ASA configuration summary 17-1117-12 Same-security-traffic permit inter-interface17-13 17-14 Svc rekey time17-15 17-16
Top Page Image Contents