XSR User's Guide (page 238)
Chapter 11: Configuring the Virtual Private Network
Describing Public-Key Infrastructure (PKI)
The XSR automatically verifies the certificate chain structure associated
with any IPSec client certificate once you have manually collected the
certificates for all CAs in the chain. This applies both to the chain for the
certificate enrolled by the XSR and to the chains for any IPSec peers that will
establish tunnels with the router. The CA certificates must be collected
manually, but they are chained together automatically using the information
carried in the CA and client certificates; you do not have to create these
chains yourself.
CA certificates are collected using the SCEP authentication mechanism and
stored in a local certificate database. The XSR's own IPSec client certificate
is enrolled with a CA using the SCEP enroll command and is also stored in the
local certificate database. Certificates for peer IPSec clients are passed to
the XSR by IKE, used to authenticate the peer, and then discarded.
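The chaining behaviour described above, as an added example that is not part of the XSR guide or its software: a peer's client certificate is linked issuer-by-issuer to the CA certificates held in a local store, and the resulting chain is then verified (CA flag, signatures, trusted self-signed root). It uses the third-party `cryptography` package; the CA names and certificates are constructed in-memory for the demonstration, so it runs offline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, is_ca, issuer=None, issuer_key=None):
    """Constructed test certificate (ECDSA P-256); self-signed when no issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def build_chain(leaf, ca_store, max_depth=8):
    """Walk issuer-name links from the peer cert up to a self-signed root, using only the store."""
    by_subject = {c.subject.rfc4514_string(): c for c in ca_store}
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject:
        if len(chain) > max_depth:
            raise ValueError("certificate chain too long")
        parent = by_subject.get(chain[-1].issuer.rfc4514_string())
        if parent is None:
            raise ValueError("no CA certificate collected for " + chain[-1].issuer.rfc4514_string())
        chain.append(parent)
    # The self-signed root reached must itself be a collected CA certificate,
    # so a self-signed peer certificate or an unknown root is rejected.
    trusted = {c.public_bytes(serialization.Encoding.DER) for c in ca_store}
    if chain[-1].public_bytes(serialization.Encoding.DER) not in trusted:
        raise ValueError("chain does not end at a collected root CA")
    return chain

def verify_chain(chain):
    """Name links alone prove nothing: each issuer must be a CA that really signed its child."""
    for child, parent in zip(chain, chain[1:] + [chain[-1]]):  # last pair checks the root's self-signature
        if not parent.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            raise ValueError(parent.subject.rfc4514_string() + " is not a CA certificate")
        parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   ec.ECDSA(child.signature_hash_algorithm))
    return len(chain)

def peer_is_trusted(leaf, ca_store):
    try:
        return verify_chain(build_chain(leaf, ca_store)) > 0
    except (ValueError, InvalidSignature):
        return False
```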
RA Mode
Some CA implementations delegate the CA's operation and authentication of
clients to Registration Authority (RA) agents; the Microsoft CA is implemented
in this fashion. The XSR automatically adjusts to the CA's mode of operation,
so you need not specify whether your CA uses RA mode. If your CA does use RA
mode, you will notice more than one certificate for the CA after you
authenticate against it.
Pending Mode
Once you have authenticated against the CA that will be the parent CA in your
XSR certificate chain, enroll the XSR's IPSec client certificate with that CA
using the SCEP enroll command. Depending on how your CA administrator has
configured the CA, you may or may not receive your IPSec client certificate
immediately when you first enroll. If the CA has been configured to use
pending mode, the CA administrator must manually issue or deny your request,
and may take steps to verify that the enrollment request is valid, such as
calling the system administrator. In that case the process may take a number
of hours or days.
When pending mode is configured, the XSR logs that the operation is pending
and automatically polls for the certificate three times at five-minute
intervals. The number of polls and the interval between them are adjustable
using CLI commands in Crypto Identity Configuration mode. The default assumes
that the CA administrator will issue or deny the XSR's enrollment request
within a 15-minute window.