
Cisco IPSEC Site-to-Site VPN Using CA (Certificate Authority)

IPSEC Site-to-Site VPN Using Certificate

Cisco IOS PKI – Public Key Infrastructure

Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols such as IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL).

A PKI is composed of the following entities:
·       Peers communicating on a secure network.
·       At least one certification authority (CA) that grants and maintains certificates.
·       Digital certificates, which contain information such as the certificate validity period, peer identity information, encryption keys that are used for secure communications, and the signature of the issuing CA.
·       An optional registration authority (RA) to offload the CA by processing enrollment requests.
·       A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate revocation lists (CRLs).

PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Every entity (a person or a device) participating in the secured communication is enrolled in the PKI in a process where the entity generates a Rivest, Shamir, and Adleman (RSA) key pair (one private key and one public key) and has its identity validated by a trusted entity (also known as a CA or trustpoint).

RSA Keys Overview

An RSA key pair consists of a public key and a private key. When setting up your PKI, you must include the public key in the certificate enrollment request. After the certificate has been granted, the public key will be included in the certificate so that peers can use it to encrypt data that is sent to the router. The private key is kept on the router and used both to decrypt the data sent by peers and to digitally sign transactions when negotiating with peers.

What Are CAs

A CA, also known as a trustpoint, manages certificate requests and issues certificates to participating network devices. These services (managing certificate requests and issuing certificates) provide centralized key management for the participating devices and are explicitly trusted by the receiver to validate identities and to create digital certificates. Before any PKI operations can begin, the CA generates its own public key pair and creates a self-signed CA certificate; thereafter, the CA can sign certificate requests and begin peer enrollment for the PKI.

Certificate Enrollment How It Works

Certificate enrollment is the process of obtaining a certificate from a CA. Each end host that wants to participate in the PKI must obtain a certificate. Certificate enrollment occurs between the end host requesting the certificate and the CA.

Glossary

CDP—certificate distribution point. Field within a digital certificate containing information that describes how to retrieve the CRL for the certificate. The most common CDPs are HTTP and LDAP URLs. A CDP may also contain other types of URLs or an LDAP directory specification. Each CDP contains one URL or directory specification.
certificates—Electronic documents that bind a user’s or device’s name to its public key. Certificates are commonly used to validate a digital signature.
CRL—certificate revocation list. Electronic document that contains a list of revoked certificates. The CRL is created and digitally signed by the CA that originally issued the certificates. The CRL contains dates for when the certificate was issued and when it expires. A new CRL is issued when the current CRL expires.
CA—certification authority. Service responsible for managing certificate requests and issuing certificates to participating IPSec network devices. This service provides centralized key management for the participating devices and is explicitly trusted by the receiver to validate identities and to create digital certificates.
peer certificate—Certificate presented by a peer, which contains the peer’s public key and is signed by the trustpoint CA.
PKI—public key infrastructure. System that manages encryption keys and identity information for components of a network that participate in secured communications.
RA—registration authority. Server that acts as a proxy for the CA so that CA functions can continue when the CA is offline. Although the RA is often part of the CA server, the RA could also be an additional application, requiring an additional device to run it.
RSA keys—Public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. An RSA key pair (a public and a private key) is required before you can obtain a certificate for your router.
Steps for PKI Setup:

1. Generate my public key and private key.
2. Download the CA root certificate.
3. Send/enroll your public key with the CA.
4. Download the ID certificate from the CA, which contains the following:

The entity's public key
Info about the entity
CA information
Digital signature of the CA server


Configuration Example

Task-1: Configure R1 as the CA server and R2 & R3 as its clients, which download their certificates from the CA.

Task-2: Configure an IPSEC site-to-site VPN between R2 & R3 to encrypt traffic from 10.1.1.0/24 to 10.2.2.0/24, using RSA signatures (rsa-sig) with each router's RSA key pair as the authentication method to establish Phase I.

Initial Configuration:

R1 [CA-Server]:

interface FastEthernet0/0
 ip address 192.1.12.1 255.255.255.0
 duplex auto
 speed auto
end

interface FastEthernet0/1
 ip address 192.1.13.1 255.255.255.0
 duplex auto
 speed auto
end


R2:

interface FastEthernet0/0
 ip address 192.1.12.2 255.255.255.0
 duplex auto
 speed auto
end

ip route 0.0.0.0 0.0.0.0 192.1.12.1

R3:

interface FastEthernet0/0
 ip address 192.1.13.3 255.255.255.0
 duplex auto
 speed auto
end


ip route 0.0.0.0 0.0.0.0 192.1.13.1


Task-1: Configure R1 as the CA server and R2 & R3 as its clients, which download their certificates from the CA.

Solution:

R1 [CA-Server]:

Step-1: Sync Time Settings:

clock timezone IST 5 30
clock set 17:00:00 4 March 2018

Step-2: Generate a RSA Key Pair for the CA Server:

CA-SERVER(config)#crypto key generate rsa modulus 1025 label MYCA
The name for the keys will be: MYCA

% The key modulus size is 1025 bits
% Generating 1025 bit RSA keys, keys will be non-exportable...[OK]

CA-SERVER(config)#

Step-3: Configure Router as HTTP Server

ip http server

Step-4: Configure CA Server Parameters

CA-SERVER(config)#crypto pki server MYCA
CA-SERVER(cs-server)#database url flash:
% Server database url was changed. You need to move the
% existing database to the new location.
CA-SERVER(cs-server)#issuer-name CN=Cisco,O=ABC,OU=Training,L=INDIA
CA-SERVER(cs-server)#grant auto
CA-SERVER(cs-server)#
Mar  4 11:33:47.751: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
CA-SERVER(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: 

Re-enter password: 

CA-SERVER(cs-server)#exit
Mar  4 11:35:01.259: %PKI-6-CS_ENABLED: Certificate server now enabled.
CA-SERVER(config)#


R2:

Step-1: Sync Time:

clock timezone IST 5 30
clock set 17:00:00 4 March 2018

Step-2: Generate an RSA key pair on R2 (the CA client):

R2(config)#ip domain-name ABC.com
R2(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R2.ABC.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
Mar  4 17:08:00.675: %SYS-3-CPUHOG: Task is running for (2024)msecs, more than (2000)msecs (0/0),process = crypto sw pk proc.
-Traceback= 0x62B26498 0x62F8AAA4 0x62FB71A0 0x62FB7CBC 0x62FB548C 0x62FB686C 0x62B1E28C 0x62B1E270 [OK]

R2(config)#
Mar  4 17:08:03.315: %SSH-5-ENABLED: SSH 1.99 has been enabled
R2(config)#

Step-3: Create a Pointer towards CA Server:

crypto pki trustpoint CISCO
 enrollment url http://192.1.12.1:80
 serial-number
 revocation-check none

Step-4: Download the root Certificate from CA.

R2(config)#crypto ca authenticate CISCO
Certificate has the following attributes:
       Fingerprint MD5: 50FA82E1 07B21960 4ECC4CCF 1BE4F0F9 
      Fingerprint SHA1: 46B1D503 D18E230A D55A8923 478C60F9 F0449A36 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R2(config)#

Step-5: Enroll Your Public Key with the CA Server and get a certificate issued 


R2(config)#crypto ca enroll CISCO
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: 
Re-enter password: 

% The subject name in the certificate will include: R2.ABC.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX0945W0MY
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CISCO verbose' commandwill show the fingerprint.

R2(config)#
Mar  4 17:14:18.735: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 7CD183E7 A91D598D CCC2FFE1 BC7D98B5 
Mar  4 17:14:18.743: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 2F683DCC 11AF6AEF 09C0E27F D686E48F A22CD77C 
R2(config)#
Mar  4 17:14:21.183: %PKI-6-CERTRET: Certificate received from Certificate Authority
R2(config)#

R3:

Step-1: Sync Time:

clock timezone IST 5 30
clock set 17:00:00 4 March 2018

Step-2: Generate an RSA key pair on R3 (the CA client):

R3(config)#ip domain-name ABC.com
R3(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R3.ABC.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R3(config)#

Step-3: Create a Pointer towards CA Server:

crypto pki trustpoint CISCO
 enrollment url http://192.1.13.1:80
 serial-number
 revocation-check none

Step-4: Download the root Certificate from CA.

R3(config)#crypto ca authenticate CISCO
Certificate has the following attributes:
       Fingerprint MD5: 50FA82E1 07B21960 4ECC4CCF 1BE4F0F9 
      Fingerprint SHA1: 46B1D503 D18E230A D55A8923 478C60F9 F0449A36 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R3(config)#

Step-5: Enroll Your Public Key with the CA Server and get a certificate issued 


R3(config)#crypto ca enroll CISCO
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: 
Re-enter password: 

% The subject name in the certificate will include: R3.ABC.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX0945W0MY
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CISCO verbose' commandwill show the fingerprint.

R3(config)#
Mar  4 17:14:18.735: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 7CD183E7 A91D598D CCC2FFE1 BC7D98B5 
Mar  4 17:14:18.743: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 2F683DCC 11AF6AEF 09C0E27F D686E48F A22CD77C 
R3(config)#
Mar  4 17:14:21.183: %PKI-6-CERTRET: Certificate received from Certificate Authority
R3(config)#

Task-2: Configure an IPSEC site-to-site VPN between R2 & R3 to encrypt traffic from 10.1.1.0/24 to 10.2.2.0/24, using RSA signatures (rsa-sig) with each router's RSA key pair as the authentication method to establish Phase I.

Solution:

R2:

Step-1: Configure Phase I

crypto isakmp policy 1
encryption 3des
authentication rsa-sig
hash md5
group 2

Step-2: Configure Phase II

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

Step-3: Configure Interested Traffic:

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

Step-4: Configure Crypto map:

crypto map CMAP 1 ipsec-isakmp
 set peer 192.1.13.3
 set transform-set TSET
 match address 101

Step-5: Apply Crypto Map to Interface (the WAN interface is FastEthernet0/0 in the initial configuration):

interface FastEthernet0/0
 crypto map CMAP
end


R3:

Step-1: Configure Phase I

crypto isakmp policy 1
encryption 3des
authentication rsa-sig
hash md5
group 2

Step-2: Configure Phase II

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

Step-3: Configure Interested Traffic:

access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Step-4: Configure Crypto map:

crypto map CMAP 1 ipsec-isakmp
 set peer 192.1.12.2
 set transform-set TSET
 match address 101

Step-5: Apply Crypto Map to Interface (the WAN interface is FastEthernet0/0 in the initial configuration):

interface FastEthernet0/0
 crypto map CMAP
end
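Hardened variant of the lab above, added here as an example and not part of the original post. It keeps the same topology and names but replaces the settings a security review would flag: the CA publishes a CRL so the clients can use revocation-check crl instead of none, the clients pin the CA fingerprint printed in Step-4 instead of accepting it interactively, RSA-1024 becomes 2048, and 3DES/MD5/DH group 2 become AES-256/SHA-256/DH group 14. The key label R2-KEY, the CDP URL, the lifetimes, and an IOS release that supports these keywords are assumptions.

```cisco
! Added example, not the original post's configuration. Assumes an IOS release
! that supports these keywords; R2-KEY, the CDP URL and lifetimes are chosen here.

! --- R1 (CA server): issue a CRL that clients fetch over the existing ip http server ---
crypto pki server MYCA
 database url flash:
 issuer-name CN=Cisco,O=ABC,OU=Training,L=INDIA
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://192.1.12.1/MYCA.crl
 ! grant auto (as on the page) issues a certificate to anyone who can reach the CA.
 ! Outside a lab keep the default manual grant and approve each request with
 ! "crypto pki server MYCA grant <request-id>" after checking its fingerprint.
 grant auto
 no shutdown

! --- R2 (client): 2048-bit key, pinned CA fingerprint, CRL checking ---
! R3 is identical except for enrollment url http://192.1.13.1:80 and its own key label.
crypto key generate rsa modulus 2048 label R2-KEY
crypto pki trustpoint CISCO
 enrollment url http://192.1.12.1:80
 rsakeypair R2-KEY
 serial-number
 ! CA certificate fingerprint obtained out of band from the CA administrator
 ! (the MD5 value printed in Step-4 above). "crypto ca authenticate CISCO" now
 ! fails instead of prompting if the downloaded CA certificate does not match.
 ! Prefer the SHA1 fingerprint where the release accepts it.
 fingerprint 50FA82E107B219604ECC4CCF1BE4F0F9
 revocation-check crl

! --- R2 and R3: Phase I / Phase II without 3DES, MD5 or DH group 2 ---
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
```

With revocation-check crl the peer's certificate is rejected if R2 cannot fetch a current CRL from the CDP URL, so confirm with show crypto pki crls that the CRL download works before relying on it.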


Verification:

R2#ping 10.2.2.2 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/64/88 ms
R2#

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.1.13.3      192.1.12.2      QM_IDLE           1001    0 ACTIVE

R2#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.1.12.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 192.1.13.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 8, #recv errors 0

     local crypto endpt.: 192.1.12.2, remote crypto endpt.: 192.1.13.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x6B02CDA0(1795345824)

     inbound esp sas:
      spi: 0x888055FA(2290111994)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4478705/3545)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6B02CDA0(1795345824)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4478705/3545)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE



Thank You !!!
