Cisco Cisco Packet Data Gateway (PDG)
IPSec Certificates
▀ CA Certificate Chaining
▄ IPSec Reference, StarOS Release 16
112
Deployment Scenarios
StarOS as Responder
Cert. Data in the Payload – Peer Cert. root CA1, StarOS Cert. Intm. CA1_1
1. StarOS sends IKE_SA_INIT to the peer.
2. StarOS sends IKE_SA_INIT to Peer. StarOS includes CERTREQ with Encoding = “X.509 Certificate -
Signature” and Certification Authority = “Concatenated hashes of public key info of CA 1_1 and CA1 in any
order”.
order”.
3. Peer sends IKE_AUTH to StarOS. Peer includes CERT with requested encoding type, and an entity certificate
issued by CA1. Peer includes CERTREQ with Encoding = “X.509 Certificate - Signature” and Certification
Authority = “Hash of public key info of CA1”. StarOS authenticates the peer certificate against CA1.
Authority = “Hash of public key info of CA1”. StarOS authenticates the peer certificate against CA1.
4. StarOS sends IKE_AUTH to Peer. StarOS includes two CERT payloads, with Encoding = “X.509 Certificate -
Signature”, and certificate data of (1) StarOS and (2) CA1_1.
Cert. Data in the Payload – Peer Cert. Intm. CA1_1, StarOS Certificate root CA1
1. StarOS sends IKE_SA_INIT to the peer.
2. StarOS sends IKE_SA_INIT to Peer. StarOS includes CERTREQ with Encoding = “X.509 Certificate -
Signature” and Certification Authority = “Hash of public key info of CA1”.
3. Peer sends IKE_AUTH to StarOS. Peer includes two CERT payloads with requested encoding type, and (1) an
entity certificate issued by CA1_1, and (2) a certificate of CA1_1. Peer includes CERTREQ with Encoding =
“X.509 Certificate - Signature” and Certification Authority = “Hash of public key info of CA1”. StarOS
authenticates CA1_1 certificate against CA1, and peer certificate against CA1_1.
“X.509 Certificate - Signature” and Certification Authority = “Hash of public key info of CA1”. StarOS
authenticates CA1_1 certificate against CA1, and peer certificate against CA1_1.
4. StarOS sends IKE_AUTH to Peer. StarOS includes one CERT payload, all with Encoding = “X.509 Certificate -
Signature”, and certificate data of StarOS.
StarOS as Initiator
Cert. Data in the Payload – Peer Cert. root CA1, StarOS Cert. Intm. CA1_1
1. StarOS sends IKE_SA_INIT to the peer.
2. Peer sends IKE_SA_INIT to StarOS. This message includes CERTREQ with Encoding = “X.509 Certificate -
Signature” and Certification Authority = “Hash of public key info of CA1”.
3. StarOS sends IKE_AUTH to peer. StarOS includes two CERT payloads with requested encoding type, and (1)
an entity certificate issued by CA1_1, and (2) a certificate of CA1_1. StarOS includes CERTREQ with
Encoding = “X.509 Certificate - Signature” and Certification Authority = “Hash of public key info of CA1 and
CA1_1 in any order”.
Encoding = “X.509 Certificate - Signature” and Certification Authority = “Hash of public key info of CA1 and
CA1_1 in any order”.
4. Peer sends IKE_AUTH to StarOS. Peer includes one CERT payload, with Encoding = “X.509 Certificate -
Signature”, and the entity certificate data.