© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.04-1 Secured Connectivity: Implementing IPSec VPNs Using PKI.

Transcript:


Implementing PKI

To add a new IPsec router to the network, you need only configure that new router to request a certificate from the CA, instead of making multiple key configurations with all the other existing IPsec routers.
(Diagram: the CA issues a certificate to the new router.)

Digital Signatures

(Diagram: the message is run through a hash function; the resulting hash is signed with the private key belonging to Alice, and the message with the appended signature is sent to the recipient.)

Digital Signatures (Cont.)

(Diagram: the recipient decrypts the received signature with Alice's public key to recover the hash, hashes the received message with the same hash function, and compares the two hashes; they must match.)

X.509v3 Digital Certificate

Example certificate fields, with the role each one plays:
Version: V3 (digital ID certificate version)
Serial Number: 5B74 F440 66CC 70CD B972 4C5B 7E20 68D1 (certificate ID)
Signature Algorithm: md5RSA (encryption algorithm)
Issuer: CN = VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, OU = Incorp. By Ref.,LIAB.LTD(c)98, OU = VeriSign Trust Network, O = VeriSign, Inc. (certificate authority)
Valid From: Thursday, June 22, :00:00 PM; Valid To: Saturday, June 23, :59:59 PM (certificate lifetime)
Subject: E = , CN = David Lazarte, OU = Digital ID Class 1 - Microsoft Full Service, OU = Persona Not Validated, OU = Incorp. by Ref.,LIAB.LTD(c)98, OU = VeriSign Trust Network, O = VeriSign, Inc. (certificate user ID)
Public Key: 3481 8B AC AF8B… (RSA 1024-bit public key)
Thumbprint: 7A52 28D0 1A0C FFD6 859A… (digital signature)

CA vs. RA

(Diagram: Alice and Bob each reach the RA across the Internet; the RA sits in front of the root CA.)
Alice gets the signed public key for Bob from the RA. Bob gets the signed public key for Alice from the RA.

Certificate Enrollment

(Diagram: end host and CA.)
Step 1: The end host generates an RSA key pair.
Step 2: The end host sends a certificate request to the CA.
Step 3: The CA receives the request.
Step 4: The CA signs the certificate with its private key and returns it.
Step 5: The end host writes the certificate to storage.

Simple Certificate Enrollment Protocol

(Diagram: end host and CA server across the Internet.)
Get CA certificate: HTTP GET message from the end host to the CA server.
CA certificate download: HTTP response message from the CA server.
The end host computes the fingerprint of the downloaded CA certificate and calls the CA operator; the operator receives the call and verifies the fingerprint.

SCEP Enrollment

(Diagram: end host and CA server across the Internet.)
The end host sends a certificate request to the CA server; the CA server returns the end host's certificate; the end host receives the issued certificate.

SCEP Cert Query

(Diagram: end host and CA server across the Internet.)
The end host requests a stored certificate; the CA server sends the certificate back; the end host receives the stored certificate.

Configuring a Site-to-Site VPN Using PKI: Tasks

Prepare for ISAKMP and IPsec
Configure CA support
Configure ISAKMP for IPsec
– rsa-sig authentication
Configure IPsec transforms
Create ACLs for encryption traffic (crypto ACLs)
Configure crypto map
Apply crypto map to an interface
Test and verify IPsec

Preparing for IPsec

(Diagram: Site 1 (host A behind R1) and the peer site (host B behind R6), connected across the Internet.)

R1# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1# show crypto ipsec policy
R1# show crypto isakmp policy
Global IKE policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
R1# show crypto map
No crypto maps found.
R1# show crypto ipsec transform-set
R1#

Ensure ACLs Are Compatible with IPsec

(Diagram: Site 1 (host A behind R1) and the peer site (host B behind R6), connected across the Internet.)
Protocols that interface ACLs must permit between the peers: IKE (UDP 500), AH (IP protocol 51), ESP (IP protocol 50), NAT-T (UDP, the non500-isakmp port).

R1# show ip access-lists
Extended IP access list
    permit ahp host  host
    permit esp host  host
    permit udp host  host  eq isakmp
    40 permit udp host  host  eq non500-isakmp

Cisco IOS CA Configuration Procedure

Prepare for CA support
– Set the router time and date
– Configure DNS parameters: hostname, domain name
– Add CA server to router host table
– Generate an RSA key pair or use a self-signed certificate
Declare a CA

Cisco IOS CA Configuration Procedure (Cont.)

Authenticate the CA
Request your own certificate
Verify the CA support configuration
Save the configuration
(Optional) Monitor and maintain CA interoperability

Prepare for CA Support

Planning includes the following steps:
Determine the type of CA server used and the requirements of the CA server
Identify the CA server IP address, hostname, and URL
Identify the CA server administrator contact information

Plan for CA Support (Determine CA Server Details)

(Diagram: CA server VPNCA reachable from R1 and R6 across the Internet.)
Parameter: CA Server
Type of CA server: Cisco router
Hostname: vpnca
IP address:
URL: vpnca.cisco.com
Administrator contact:

Set the Router Time and Date

R1(config)# clock timezone cst -6
R1# clock set 23:21:00 08 September 2006
R1# show clock
*23:21: CST Fri Sept

Configuring a Hostname and Domain Name

router(config)# hostname R1
R1(config)# ip domain-name cisco.com

Add a CA Server Entry to the Router Host Table

R1(config)# ip host vpnca

Generate an RSA Key Pair

R1(config)# crypto key generate rsa

Generating RSA Keys

R1(config)# crypto key generate rsa
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Jul 24 16:46:09.839: %SSH-5-ENABLED: SSH 1.99 has been enabled

Declaring a CA

R1(config)# crypto pki trustpoint vpnca
R1(ca-trustpoint)# enrollment url

Commands Used to Declare a CA

R1(config)# crypto pki trustpoint vpnca
R1(ca-trustpoint)# ?
ca trustpoint configuration commands:
  crl         CRL option
  default     Set a command to its defaults
  enrollment  Enrollment parameters
  exit        Exit from certificate authority identity entry mode
  no          Negate a command or set its defaults
  query       Query parameters
R1(ca-trustpoint)# enrollment ?
  http-proxy  HTTP proxy server for enrollment
  mode        Mode supported by the Certificate Authority
  retry       Polling parameters
  url         CA server enrollment URL

Authenticate the CA

(Diagram: R1 downloads the CA certificate from VPNCA and compares the CA fingerprint it displays with the CA fingerprint obtained out of band from the CA.)
R1(config)# crypto pki authenticate VPNCA
Certificate has the following attributes:
Fingerprint MD5: 02DA1AB0 4FC8EFDE 3FB2ED92 5C96B72E
Fingerprint SHA1: FFDE44F8 FA712C7B FA66F08C 08D548B7 5F05933D

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Request Your Own Certificate

R1(config)# crypto pki enroll VPNCA
%
% Start certificate enrollment..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: cisco123
Re-enter password: cisco123

% The subject name in the certificate will include: router1.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate vpnca verbose' command will show the fingerprint.

*Jul 24 17:07:15.403: CRYPTO_PKI:  Certificate Request Fingerprint MD5: D35C6688 E6EBADEF 504EE6F2 BEC8FA13
*Jul 24 17:07:15.407: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 1A45EA0A 6725B055 E84018FB 9DE5DD88 4E1C2CF5
*Jul 24 17:07:19.915: %PKI-6-CERTRET: Certificate received from Certificate Authority
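The fingerprint comparison behind both the CA authentication step (the router operator checks the CA fingerprint shown by crypto pki authenticate against the CA operator's copy) and the enrollment step (the CA administrator checks the certificate request fingerprint before granting it) is a plain hash of the DER bytes. The following script is an added example, not Cisco course material: it reproduces the IOS fingerprint format from a DER blob and accepts a fingerprint read back in any common spelling (spaces, colons, lower case), rejecting anything that is not an exact full-length match. The DER bytes in the demo are constructed placeholders, not a real certificate.

```python
import hashlib
import re
from typing import Optional


def ios_fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Hash a DER-encoded certificate (or certificate request) and format the
    digest the way IOS prints it: uppercase hex in space-separated groups of eight."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fingerprint: str) -> str:
    """Drop spaces, colons and case so a value read over the phone or copied from
    a browser (which separates bytes with colons) compares with IOS output.
    Pass only the fingerprint value, not the 'Fingerprint MD5:' label."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def verify_fingerprint(cert_der: bytes, shown: str) -> Optional[str]:
    """Return 'sha1' or 'md5' if the fingerprint shown by the router is exactly the
    fingerprint of cert_der (the DER the CA operator holds), otherwise None.
    A prefix or partial match is not accepted: the whole digest must agree."""
    candidate = normalize(shown)
    for algorithm in ("sha1", "md5"):
        if candidate == normalize(ios_fingerprint(cert_der, algorithm)):
            return algorithm
    return None


if __name__ == "__main__":
    # Constructed stand-in for the CA certificate's DER bytes (not a real certificate);
    # in practice the CA operator reads the certificate file the CA exported.
    ca_cert_der = b"constructed placeholder bytes standing in for vpnca's DER certificate"
    print("MD5 :", ios_fingerprint(ca_cert_der, "md5"))
    print("SHA1:", ios_fingerprint(ca_cert_der, "sha1"))
    # What the router operator reads aloud from the 'crypto pki authenticate' prompt
    spoken = ios_fingerprint(ca_cert_der, "sha1").lower()
    print("match:", verify_fingerprint(ca_cert_der, spoken))
```

Accepting the certificate at the [yes/no] prompt should follow only when this comparison succeeds on the full SHA1 (or MD5) value.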

Save the Configuration

R1# copy system:running-config nvram:startup-config

Verify the CA Support Configuration

R1# show crypto pki certificates
R1# show crypto pki trustpoints
R1# show crypto key mypubkey rsa

Displaying Your Certificates

Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Issuer:
    cn=vpnca
  Subject:
    Name: router1.cisco.com
    hostname=router1.cisco.com
  Validity Date:
    start date: 10:06:21 CST Jul
    end date: 10:06:21 CST Jul
  Associated Trustpoints: vpnca
  Storage: nvram:vpnca#6102.cer

Displaying Your Certificates (Cont.)

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=vpnca
  Subject:
    cn=vpnca
  Validity Date:
    start date: 09:33:21 CST Jul
    end date: 09:33:21 CST Jul
  Associated Trustpoints: vpnca
  Storage: nvram:vpnca#6101CA.cer

Displaying Trustpoints

R1# show crypto pki trustpoints
Trustpoint vpnca:
    Subject Name:
    cn=vpnca
          Serial Number: 01
    Certificate configured.
    SCEP URL:

Viewing RSA Keys

R1# show crypto key mypubkey rsa
% Key pair was generated at: 10:46:09 CST Jul
Key name: R1.cisco.com
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A F70D B D2C93F 02B5AB67 731B1B22 B41AE80D 1CE799C F20 C06D82FC 1D695DEB 4C00C606 E E55DB 0454D045 5DF6D8B1 D92A5D51 D7375C88 DAB2EC
% Key pair was generated at: 10:46:10 CST Jul
Key name: R1.cisco.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A F70D B C5A97B 6D7BABE0 6CD2A B0CBC 27E7C54C 6BFDB A0 1A0C34C1 CB D8F888 79A236B6 BF327F69 F0E81837 FDA009F7 6AF5C3DE 022FF18B 253B A A777 29D99643 D36EEDE7 6E DA821A 3F B

debug CA Commands

R1# debug crypto pki messages
R1# debug crypto pki transactions

Configuring ISAKMP

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication rsa-sig

Configuring IPsec

Configure transform sets
Configure global IPsec SA lifetimes

Creating Crypto ACLs

Create an extended ACL to define what traffic will be protected. It must be a mirror image of the peer's crypto ACL.
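A mirror-image mismatch between the two crypto ACLs is a common reason a site-to-site tunnel never comes up, or passes traffic in one direction only. The script below is an added example, not part of the course: it parses numbered extended ACL permit lines as IOS writes them (host, any, and address plus wildcard mask) and reports every entry that has no mirror (source and destination swapped) on the other router. The addresses in R1_ACL and R6_ACL are constructed, and the wildcard conversion assumes contiguous masks such as 0.0.0.255.

```python
from typing import List, Tuple

# One crypto ACL permit entry: (protocol, source prefix, destination prefix)
Entry = Tuple[str, str, str]


def _parse_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD')
    and return it as prefix text plus the unconsumed tokens."""
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Wildcard bits are the inverse of a netmask; assumes a contiguous wildcard
    # (0.0.0.255 -> /24), which is what a crypto ACL normally uses.
    wild_int = sum(int(o) << (8 * (3 - i)) for i, o in enumerate(wildcard.split(".")))
    return f"{addr}/{32 - wild_int.bit_length()}", tokens[2:]


def parse_crypto_acl(config_lines: List[str]) -> List[Entry]:
    """Return (protocol, src, dst) for every permit line of a numbered extended ACL.
    remark and deny lines (traffic that is not encrypted) are ignored."""
    entries: List[Entry] = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((tokens[3], src, dst))
    return entries


def mirror_mismatches(local_acl: List[str], peer_acl: List[str]) -> Tuple[List[Entry], List[Entry]]:
    """Entries on each side whose mirror image (src and dst swapped) is missing on the other.
    Two empty lists mean the crypto ACLs are mirror images of each other."""
    local, peer = set(parse_crypto_acl(local_acl)), set(parse_crypto_acl(peer_acl))
    unmatched_local = sorted(e for e in local if (e[0], e[2], e[1]) not in peer)
    unmatched_peer = sorted(e for e in peer if (e[0], e[2], e[1]) not in local)
    return unmatched_local, unmatched_peer


# Constructed sample ACLs; the addresses are made up, not taken from the course.
R1_ACL = [
    "access-list 110 remark site 1 LAN to peer site LAN",
    "access-list 110 permit ip 10.1.1.0 0.0.0.255 10.6.6.0 0.0.0.255",
    "access-list 110 permit ip host 10.1.1.10 host 10.6.6.20",
]
R6_ACL = [
    "access-list 110 permit ip 10.6.6.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 110 permit ip 10.6.6.0 0.0.0.255 10.1.2.0 0.0.0.255",  # typo: wrong remote subnet
]

if __name__ == "__main__":
    for side, missing in zip(("R1", "R6"), mirror_mismatches(R1_ACL, R6_ACL)):
        for entry in missing:
            print(f"{side} entry {entry} has no mirror image on the peer")
```

Run the check against the access-list lines from show running-config on both peers before applying the crypto map.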

Configuring Crypto Maps

R1(config)# crypto map MYMAP 110 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer
R1(config-crypto-map)# set transform-set SNRS
R1(config-crypto-map)# set security-association lifetime seconds

Applying Crypto Maps to Interfaces

R1(config)# interface fastEthernet 0/1
R1(config-if)# crypto map SNRS-MAP
(Diagram: SNRS-MAP applied to the outside interface of R1, the one facing the Internet.)

Test and Verify IPsec

Display your configured ISAKMP policies: show crypto isakmp policy
Display your configured transform sets: show crypto ipsec transform-set
Display the current state of your IPsec SAs: show crypto ipsec sa

Test and Verify IPsec (Cont.)

Display your configured crypto maps: show crypto map
Enable debug output for IPsec events: debug crypto ipsec
Enable debug output for ISAKMP events: debug crypto isakmp

Summary

Cisco IOS PKI provides certificate management.
Digital signatures provide a means of digitally authenticating devices and individual users.
Cisco IOS Software uses SCEP to communicate with a PKI.
The configuration process for a site-to-site VPN using digital signatures is exactly the same as with pre-shared keys, except that the ISAKMP authentication configuration is changed to RSA signatures.
There are several commands available to test and verify IPsec site-to-site configurations.
