Cisco Unified Communications Manager Security Guide (OL-24124-01), page 17-4
Chapter 17 Configuring Virtual Private Networks

Configuring IOS for VPN client on IP phone

router(config-if)# duplex auto
router(config-if)# speed auto
router(config-if)# no shutdown
router# show ip interface brief (summary of all interfaces; confirm that the VPN-facing interface shows up/up before continuing)

b. Configure static and default routes.

router(config)# ip route <dest_ip> <mask> <gateway_ip>

Example:

router(config)# ip route 10.10.10.0 255.255.255.0 192.168.1.1

Step 2

Generate and register the necessary certificates for Cisco Unified Communications Manager and IOS.

The following certificates must be exported from Cisco Unified Communications Manager and imported into IOS as trusted CA certificates:

CallManager - Authenticates Cisco UCM during the TLS handshake (required only for mixed-mode clusters).

Cisco_Manufacturing_CA - Authenticates IP phones that present a Manufacturer Installed Certificate (MIC).

CAPF - Authenticates IP phones that present a Locally Significant Certificate (LSC).
To import these Cisco Unified Communications Manager certificates:

a. Log in to the Cisco Unified Communications Manager OS Administration web page.

b. Choose Security > Certificate Management. (Note: this menu location may change between UCM versions.)

c. Find the certificates Cisco_Manufacturing_CA and CAPF (and CallManager if the cluster runs in mixed mode). Download each .pem file and save it as a .txt file.

d. Create a trustpoint on the IOS router for each certificate.

Example:

hostname(config)# crypto pki trustpoint trustpoint_name
hostname(ca-trustpoint)# enrollment terminal
hostname(ca-trustpoint)# exit
hostname(config)# crypto pki authenticate trustpoint_name

When prompted for the base-64 encoded CA certificate, paste the text of the downloaded .pem file including the BEGIN and END lines, then finish the input with a blank line or the word quit on a line by itself. IOS prints the certificate's fingerprints and asks whether to accept it; compare them with the fingerprint of the file you downloaded before answering yes, so that a substituted certificate is not added to the router's trust store. Note that crypto pki authenticate is entered in global configuration mode and must name the same trustpoint you just created. Use a separate trustpoint for each certificate and repeat the procedure for the other certificates.

e. Generate the following IOS self-signed certificates and register them with Cisco Unified Communications Manager, or replace them with a certificate that you import from a CA.

Generate a self-signed certificate.

Example:

Router> enable
Router# configure terminal
Router(config)# crypto key generate rsa general-keys label <name> [exportable]
Router(config)# crypto pki trustpoint <name>
Router(ca-trustpoint)# enrollment selfsigned
Router(ca-trustpoint)# rsakeypair <name> 1024 1024
Router(ca-trustpoint)# authorization username subjectname commonname
Router(ca-trustpoint)# exit
Router(config)# crypto pki enroll <name>
Router(config)# end

Note: crypto pki enroll is entered in global configuration mode, not under the trustpoint. The exportable keyword is optional; set it only if the private key must be backed up or moved, because an exportable key can be copied off the router. The 1024-bit modulus shown here is below current key-size recommendations; use a 2048-bit modulus unless an interoperability constraint forces otherwise.
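The whole of Step 2 on the router as one configuration, assembled here by the editor as an added example rather than copied from the guide: it imports the three UCM certificates into separate trustpoints, then generates a 2048-bit key and self-signed certificate in a fourth trustpoint and exports that certificate for upload to Cisco Unified Communications Manager. The trustpoint names (CUCM-CAPF, CUCM-MIC, CUCM-CALLMANAGER, SSLVPN-TP), the key label SSLVPN-KEY, the subject name vpn.example.com and the revocation-check none lines are the editor's assumptions, not values from the guide; replace them with values for your deployment.

```ios
! --- Step 2d: trust the CA certificates downloaded from UCM OS Administration ---
! One trustpoint per certificate. revocation-check none is an editor's assumption:
! these CA certificates publish no CRL the router can fetch, and the default
! revocation-check crl would otherwise make phone certificate validation fail.
crypto pki trustpoint CUCM-CAPF
 enrollment terminal
 revocation-check none
exit
crypto pki authenticate CUCM-CAPF
! paste CAPF.pem (BEGIN/END lines included), finish with a blank line,
! compare the printed fingerprint with the downloaded file, answer yes

crypto pki trustpoint CUCM-MIC
 enrollment terminal
 revocation-check none
exit
crypto pki authenticate CUCM-MIC
! paste Cisco_Manufacturing_CA.pem, verify the fingerprint, answer yes

! Only for a mixed-mode cluster (CallManager certificate)
crypto pki trustpoint CUCM-CALLMANAGER
 enrollment terminal
 revocation-check none
exit
crypto pki authenticate CUCM-CALLMANAGER
! paste CallManager.pem, verify the fingerprint, answer yes

! --- Step 2e: self-signed router certificate presented to the phones ---
! 2048-bit modulus instead of the 1024-bit key shown in the guide.
! No "exportable" keyword: the private key stays on the router.
crypto key generate rsa general-keys label SSLVPN-KEY modulus 2048
crypto pki trustpoint SSLVPN-TP
 enrollment selfsigned
 subject-name CN=vpn.example.com
 rsakeypair SSLVPN-KEY
 authorization username subjectname commonname
exit
crypto pki enroll SSLVPN-TP
! answer the prompts; IOS generates and installs the self-signed certificate

! --- export the router certificate (not the key) for upload to UCM ---
crypto pki export SSLVPN-TP pem terminal
end

! --- verification ---
show crypto pki trustpoints
show crypto pki certificates SSLVPN-TP
show crypto pki certificates CUCM-CAPF
```

The certificate block printed by crypto pki export is what you upload to Cisco Unified Communications Manager; the show crypto pki certificates output for each CA trustpoint should list exactly the subject and validity dates of the file you downloaded from UCM, which is the last point at which a wrong paste is cheap to catch.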

Generate a self-signed certificate with Host-id check enabled on the VPN profile in Cisco Unified
Communications Manager.

Example:

Router> enable

Router# configure terminal
