© 1999, Cisco Systems, Inc. 13-1 Scaling Cisco IOS IPSec Networks Chapter 13.

Transcript:

Chapter 13: Scaling Cisco IOS IPSec Networks

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
– Configure IPSec between Cisco routers for Certificate Authority support to create a secure communication environment based on a case study network design
– Manage multiple IKE/IPSec peers with crypto map sets
– Create dynamic crypto maps

[Figure: XYZ Company's CA IPSec plan. Network diagram showing the CA server, PIX Firewall, perimeter router R1, campus router R2, NAS with dialup client, bastion hosts, protected DMZ and dirty DMZ, NetRanger sensor and director, NetSonar, SMTP, DNS and Web servers, and an NT server running CiscoSecure, Web, FTP, TFTP and Syslog services.]

Configuring CA Support in Cisco IOS IPSec

CA Server Fulfilling Requests from Routers
Each router individually makes requests of the CA server.

Overview of Cisco IOS Certificate Authority Support

Cisco IOS Certificate Authority Support
Cisco IOS supports the following CA components:
– Internet Key Exchange
– Public-Key Cryptography Standard #7 (PKCS #7)
– Public-Key Cryptography Standard #10 (PKCS #10)
– RSA keys
– X.509v3 certificates
– CA interoperability

Overview of CA Support Configuration Procedure

Cisco IOS CA Configuration Procedure
Use the following procedure to configure a CA for Cisco IOS:
1. Manage NVRAM memory usage
2. Configure the router's host name and domain name
3. Generate an RSA key pair
4. Declare a CA
5. Authenticate the CA
6. Request your own certificate(s)
7. Save your configuration
8. Monitor and maintain CA interoperability

Certificate Storage on a Router
What type of certificates are stored on a router?
– Its own certificate
– The CA's certificate
– Two Registration Authority (RA) certificates (only if the CA supports RA)
The number of CRLs stored on a router:
– One if the CA does not support an RA
– Multiple CRLs if the CA supports an RA

Configure the Router's Hostname and Domain Name
routerA(config)# hostname name
Specifies a unique name for the router
routerA(config)# ip domain-name name
Specifies a unique domain name for the router
Example:
hostname routerA
ip domain-name Engineering

Generate an RSA Key Pair
routerA(config)# crypto key generate rsa [usage-keys]
Using the keyword usage-keys generates two sets of RSA keys:
– Use one key set with any IKE policy that uses RSA signatures
– Use one key set with any IKE policy that uses RSA encrypted nonces
Using the command without the keyword generates a general-purpose key set that can be used with either RSA key type

Declare a Certification Authority
routerA(config)# crypto ca identity name
Specifies the desired CA server name
routerA(config)# enrollment url url
Specifies the URL for the CA server
This is the minimum configuration to declare a CA:
routerA(config)# crypto ca identity ca_server
routerA(config)# enrollment url

Authenticate the CA
routerA(config)# crypto ca authenticate name
Use the same name as specified in the crypto ca identity command
If you are using Registration Authority (RA) mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then RA signing and encryption certificates will be returned from the CA as well as the CA certificate
An RA acts as a proxy for a CA
Example: crypto ca authenticate ca_server

Request Your Own Certificates
routerA(config)# crypto ca enroll name
Use the same name as specified in the crypto ca identity command
This command is not saved in the router configuration
Example: crypto ca enroll ca_server

Monitor and Maintain CA Interoperability
The following tasks are optional, depending on your particular requirements:
– Request a Certificate Revocation List
– Delete your router's RSA keys
– Delete peers' public keys
– Delete certificates from the configuration
– View keys and certificates

Lab Exercise: Scaling Cisco IOS IPSec Networks

Lab Exercise Objectives
Upon completion of this lab you will be able to perform the following tasks:
– Create crypto map entries
– Create crypto map sets
– Create dynamic crypto maps
– Apply crypto maps (dynamic and static) to interfaces

[Figure: XYZ Company's CA IPSec plan network diagram, repeated for the lab exercise.]

Lesson Summary and Review Questions

Summary
Cisco IOS IPSec allows the user to:
– Configure CA support
– Manage multiple IKE/IPSec peers with crypto map sets
– Configure dynamic crypto maps
– Apply crypto maps to interfaces

Review Questions
1. What is the purpose of a CA server?
– To certify the correctness and ownership of the public IPSec encryption keys of a remote peer
– Maintain and distribute accurate CRLs in a timely manner
– Provide non-repudiation services to prove that a transaction actually occurred
2. Which CA components does IOS support?
– IKE
– PKCS #7
– PKCS #10
– RSA keys
– X.509v3 certificates

Review Questions (cont.)
3. What types of certificates are stored on a router?
– Its own certificate
– The CA's certificate
– Two Registration Authority (RA) certificates (if the CA supports RA)
– Apply crypto maps to interfaces
4. How many CRLs are stored on a router?
– One if the CA does not support RA
– Multiple CRLs if the CA supports RA

Review Questions (cont.)
5. What is the common element in every crypto map entry?
– A sequence number
6. Can a single crypto map entry support flows to multiple IPSec peers?
– Yes

Lesson Addendum A: Managing Multiple ISAKMP/IPSec Peers with Crypto Map Sets

Creating Crypto Map Entries
Every crypto map entry has a sequence number
Crypto maps with the same name become crypto map sets
– They are evaluated (address match) according to the sequence number

Verifying Crypto Map Set Configuration
To verify the configuration:
routerA# show crypto map
Crypto Map: s1first idb: Serial1/0 local address:
Crypto Map s1first 1 ipsec-isakmp
  Peer =
  Extended IP access list 101
    access-list 101 permit gre source: addr = / dest: addr = /
  Current peer:
  Security-association lifetime: kilobytes/3600 seconds
  PFS (Y/N): N
  Transform sets = {proposal1,}

Applying Crypto Maps to Interfaces
There are seven steps to apply a crypto map to an interface:
1. Specify the interface
2. Apply the crypto map to the interface
3. Exit to global configuration mode
4. Apply the crypto map to the tunnel interface
5. Exit to global configuration mode
6. In privileged EXEC mode, clear the existing IPSec SA

Lesson Addendum B: Creating Dynamic Crypto Maps

Dynamic Crypto Map Operation
[Figure: dialup client connects through the Internet and a NAS to the corporate intranet; IKE negotiation and dynamic crypto map on the intranet router; DHCP server inside.]
The dialup user is authenticated using IKE, then processed using a dynamic crypto map:
– Authentication is against a Fully Qualified Domain Name (FQDN)
– The SA request is processed against the dynamic crypto map
– The DHCP server then issues an IP address to the dialup client

Creating a Dynamic Crypto Map
Use the following commands to create a dynamic crypto map:
– crypto dynamic-map
– set transform-set
– match address
– set peer
– set security-association lifetime seconds and/or set security-association lifetime kilobytes
– set pfs
– exit

Add the Dynamic Crypto Map Set into a Regular (Static) Crypto Map Set
routerA(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
Example: crypto map remote peer map 10 ipsec-isakmp dynamic last-chance map
Used to create or modify a crypto map entry
– Once a crypto map entry has been created, you cannot change the parameters specified at the global config level, since these parameters determine which of the config commands are valid at the crypto map level
After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface configuration) command
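As an added example that is not part of the Cisco course material, the following Python model shows how a crypto map set (the "Creating Crypto Map Entries" slide) selects an entry by sequence number and why a dynamic entry (this slide) is placed last: the map name, peers, networks and sequence numbers are constructed samples, and the dynamic entry is usable only once IKE has already identified the remote peer.

```python
# Model of crypto map set evaluation (added example, not IOS code).
# Entries sharing a map name form a set tried in ascending sequence order;
# the first entry whose access list permits the flow protects it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class CryptoMapEntry:
    seq: int                           # sequence number inside the set
    acl: List[Tuple[str, str]]         # permit statements as (src_net, dst_net)
    transform_set: str
    peer: Optional[str] = None         # static entry: explicit 'set peer'
    dynamic: bool = False              # dynamic entry: peer learned from IKE

def build_map_set(entries: List[CryptoMapEntry]) -> List[CryptoMapEntry]:
    """Entries with the same map name are evaluated by sequence number."""
    return sorted(entries, key=lambda e: e.seq)

def acl_permits(entry: CryptoMapEntry, src: str, dst: str) -> bool:
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in entry.acl)

def select_entry(map_set, src, dst, ike_peer=None):
    """First entry protecting src->dst, or None (traffic goes in the clear).
    ike_peer is a remote peer already authenticated by IKE; without one a
    dynamic entry is skipped, since the router cannot initiate to an
    unknown peer. That is why dynamic entries get the highest sequence
    number and act as the 'last chance' after all static entries."""
    for e in map_set:
        if not acl_permits(e, src, dst):
            continue
        if e.dynamic and ike_peer is None:
            continue
        return e
    return None

# Constructed sample set: two static entries plus one last-chance dynamic entry.
REMOTE_PEER_MAP = build_map_set([
    CryptoMapEntry(65535, [("10.1.1.0/24", "0.0.0.0/0")], "proposal1", dynamic=True),
    CryptoMapEntry(10, [("10.1.1.0/24", "10.2.2.0/24")], "proposal1", peer="192.0.2.1"),
    CryptoMapEntry(20, [("10.1.1.0/24", "10.0.0.0/8")], "proposal2", peer="192.0.2.2"),
])

if __name__ == "__main__":
    for flow in [("10.1.1.5", "10.2.2.9"), ("10.1.1.5", "10.3.3.3"),
                 ("10.1.1.5", "203.0.113.7")]:
        e = select_entry(REMOTE_PEER_MAP, *flow)
        print(flow, "->", "clear" if e is None else f"seq {e.seq} peer {e.peer}")
```

Note that the flow to 10.2.2.9 matches sequence 10 even though sequence 20's broader access list would also permit it, which is the ordering behaviour the show crypto map output lets you verify.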

Apply a Dynamic Crypto Map Set to an Interface
routerA(config-if)# crypto map map-name
Example: crypto map primary crypto map
This command applies a dynamic crypto map set to an interface
routerA(config)# crypto map map-name local-address interface-id
Example: crypto map primary crypto map local-address s0
This command specifies a redundant interface and names an identifying interface
