Q: How to use custom certificate on RAP ?
A: From 6.3, the RAP supports a custom certificate, either RSA or ECDSA, for forming the IPsec tunnel with the controller.
Use the RAP console page to generate the CSR and upload the certificate and root CA. If you have an intermediate CA, bundle the intermediate CA certificates in PEM format and upload the bundle.
Similarly, on the controller side, generate the CSR and upload the certificates, then map the uploaded server certificate and CA certificate to the VPN service:
(Host) (config) #crypto-local isakmp server-certificate <server_certificate_name>
To add the CA certificate to verify the RAP certificate:
(Host) (config) #crypto-local isakmp ca-certificate <trusted CA>
Use the following commands to verify that the RAP is using the custom certificate; in the `show crypto isakmp sa` output, the Ru flag marks a custom certificate RAP:
(Host) #show crypto ipsec sa
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
------------ ------------ ---------------- ----- --------------- --------
10.1.1.250 10.1.1.2 b9dd7900/79f0dc00 UT2 Jul 27 10:15:48 8.1.1.6
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
Total IPSEC SAs: 1
(Host) #show crypto isakmp sa
ISAKMP SA Active Session Information
------------------------------------
Initiator IP Responder IP Flags Start Time Private IP
------------ ------------ ----- --------------- ----------
10.1.1.250 10.1.1.2 r-v2-e-Ru Jul 27 10:15:48 8.1.1.6
Flags: i = Initiator; r = Responder
m = Main Mode; a = Agressive Mode v2 = IKEv2
p = Pre-shared key; c = Certificate/RSA Signature; e = ECDSA Signature
x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
3 = 3rd party AP; C = Campus AP; R = RAP; Ru = Custom Certificate RAP; I = IAP
V = VIA; S = VIA over TCP
Total ISAKMP SAs: 1
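As an added example (not part of the original answer), a small Python parser for the `show crypto isakmp sa` table above that decodes the flag column using the legend and lists RAP tunnels that are not on a custom certificate. The sample output below is constructed, and the hyphen-separated flag format is assumed from the `r-v2-e-Ru` row shown above.

```python
import re

# Flag meanings taken from the legend printed by `show crypto isakmp sa`.
FLAG_MEANINGS = {
    "i": "initiator", "r": "responder",
    "m": "main mode", "a": "aggressive mode", "v2": "IKEv2",
    "p": "pre-shared key", "c": "certificate/RSA signature", "e": "ECDSA signature",
    "x": "XAuth enabled", "y": "mode-config enabled", "E": "EAP enabled",
    "3": "3rd party AP", "C": "campus AP", "R": "RAP",
    "Ru": "custom certificate RAP", "I": "IAP", "V": "VIA", "S": "VIA over TCP",
}

# Constructed sample output (not a capture from the page): one RAP on the custom
# certificate, one on the factory certificate, one on a pre-shared key.
SAMPLE_OUTPUT = """\
ISAKMP SA Active Session Information
------------------------------------
Initiator IP    Responder IP   Flags        Start Time       Private IP
------------    ------------   -----        ---------------  ----------
10.1.1.250      10.1.1.2       r-v2-e-Ru    Jul 27 10:15:48  8.1.1.6
10.1.1.251      10.1.1.2       r-v2-c-R     Jul 27 10:16:02  8.1.1.7
10.1.1.252      10.1.1.2       r-v2-p-R     Jul 27 10:16:30  8.1.1.8
Total ISAKMP SAs: 3
"""

# Only the first three columns are needed; the start time contains spaces.
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+")

def parse_isakmp_sa(text):
    """Return one dict per SA row, with the flag string split into its tokens."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # title, headers, separators, legend and totals
        flags = m.group(3).split("-")  # assumption: tokens are hyphen-separated
        sas.append({"peer": m.group(1), "responder": m.group(2), "flags": flags,
                    "decoded": [FLAG_MEANINGS.get(f, "unknown:" + f) for f in flags]})
    return sas

def raps_not_on_custom_cert(sas):
    """Peers flagged as plain RAP (R) rather than custom certificate RAP (Ru)."""
    return [sa["peer"] for sa in sas
            if "R" in sa["flags"] and "Ru" not in sa["flags"]]

def auth_method(sa):
    """Authentication flag of one SA: 'p', 'c' or 'e' (None if not present)."""
    return next((f for f in ("p", "c", "e") if f in sa["flags"]), None)
```

Run the parser over the real command output to get an inventory of RAPs still authenticating with the default certificate or a pre-shared key.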
(Host) #show crypto isakmp sa peer 10.1.1.250
Initiator IP: 10.1.1.250
Responder IP: 10.1.1.2
Initiator: No
Initiator cookie:b062da0c64289dda Responder cookie:c651d1e3dd23c0ab
SA Creation Date: Mon Jul 27 10:15:48 2015
Life secs: 28800
Initiator Phase1 ID: C=US S=CA L=sunneyvale O=Aruba OU=IT CN=00:0b:86:9e:08:45 E=test5@arubanetworks.com
Responder Phase1 ID: C=US S=CA L=Sunneyvale O=Aruba OU=IT CN=Controller E=test2@arubanetworks.com
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA2_384_192 DHGroup:20
Authentication Method: ECDSA with SHA-384 on the P-384 curve
CFG Inner-IP 8.1.1.6
IPSEC SA Rekey Number: 0
Aruba AP
(Host) #show crypto ipsec sa peer 10.1.1.250
Initiator IP: 10.1.1.250
Responder IP: 10.1.1.2
Initiator: No
SA Creation Date: Mon Jul 27 10:15:48 2015
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES-GCM 256 Authentication Alg:
Encapsulation Mode Tunnel
IP Compression Disabled
PFS: no
IN SPI: B9DD7900, OUT SPI: 79F0DC00
CFG Inner-IP 8.1.1.6
Responder IP: 10.1.1.2
Please note that the certificate uploaded on the RAP is stored in flash memory; once the RAP is reset, it is removed and the RAP starts using the default certificate again.