on 09-27-2013 10:17 AM
Introduction:
This document provides step-by-step instructions on how to configure a site-to-site VPN between two Cisco IOS routers using an ISAKMP profile and certificates issued by a Cisco IOS CA server. It shows how to configure a Cisco IOS router as a CA server and how the other routers obtain their certificates using auto-enrollment.
This document requires a basic understanding of Site to Site VPN configuration on the Cisco IOS router.
Components Used:
Cisco 2691 Version 12.4(15)T14
I have used the same router as the CA server and as a site-to-site VPN router.
Network Diagram:
Configure Cisco IOS router as a CA server.
1. Make sure the hostname and the time are correct on the CA server.
2. Generate the RSA keys:
crypto key generate rsa general-keys label CA exportable
The name for the keys will be: CA
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
Sep 26 12:18:43.635: %SSH-5-ENABLED: SSH 1.99 has been enabled.
3. Export the keys to NVRAM:
crypto key export rsa CA pem url nvram: 3des cisco123
% Key name: CA
Usage: General Purpose Key
Exporting public key...
Destination filename [CA.pub]?
% File 'CA.pub' already exists.
% Do you really want to overwrite it? [yes/no]: yes
Writing file to nvram:CA.pub
Exporting private key...
Destination filename [CA.prv]?
% File 'CA.prv' already exists.
% Do you really want to overwrite it? [yes/no]: yes
Writing file to nvram:CA.prv
4. Enable the certificate server:
crypto pki server CA
issuer-name CN=CA.mydomain.com L=RTP C=US
grant auto
lifetime crl 24
lifetime certificate 300
lifetime ca-certificate 365
cdp-url http://37.37.37.37/CA.cdp.CA.crl
no shut
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: cisco123
Re-enter password: cisco123
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
%PKI-6-CS_ENABLED: Certificate server now enabled.
Configuration of Site 1:
** Make sure the time, hostname and domain name are correct.
1. Generate the crypto RSA keys:
crypto key generate rsa
The name for the keys will be: india.mydomain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
%SSH-5-ENABLED: SSH 1.99 has been enabled
2. Configure the trustpoint for auto-enrollment:
crypto ca trustpoint l2l
enrollment retry count 5
enrollment retry period 3
enrollment url http://37.37.37.37:80
revocation-check none
exit
3. Authenticate and enroll the router to get the certificate from the CA server:
crypto ca authenticate l2l
Certificate has the following attributes:
Fingerprint MD5: CD66EFFE A22C2FE6 DBE3361B F1A0BFFD
Fingerprint SHA1: 2BC6E500 F0142832 4DC78D77 8976A2FF 2A5F47C0
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
crypto ca enroll l2l
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: cisco123
Re-enter password: cisco123
% The subject name in the certificate will include: india.mydomain.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate l2l verbose' command will show the fingerprint.
Sep 26 11:00:57.729: CRYPTO_PKI: Certificate Request Fingerprint MD5: 92916D78 3D902FEA C82B6BC3 62262801
Sep 26 11:00:57.737: CRYPTO_PKI: Certificate Request Fingerprint SHA1: F9C8C5AD 9BE70B07 9C8DA166 574DE280 03B5B7B0
Sep 26 11:00:59.461: %PKI-6-CERTRET: Certificate received from Certificate Authority
4. Configure the router for the Site to Site VPN:
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
!
!
crypto isakmp profile testvpn
self-identity fqdn
ca trust-point l2l
match identity host london.mydomain.com
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
access-list 110 permit ip 192.168.47.0 0.0.0.255 192.168.57.0 0.0.0.255
!
!
crypto map outside_map 1 ipsec-isakmp
set peer 57.57.57.1
set transform-set myset
set isakmp-profile testvpn
match address 110
!
!
interface FastEthernet0/0
ip address 47.47.47.1 255.255.255.0
crypto map outside_map
!
!
end
Configuration of Site 2:
1. Make sure the hostname and the time are correct on the router.
2. Generate the RSA keys:
crypto key generate rsa
The name for the keys will be: london.mydomain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
%SSH-5-ENABLED: SSH 1.99 has been enabled
3. Configure the trustpoint for auto-enrollment:
crypto ca trustpoint l2l
enrollment retry count 5
enrollment retry period 3
enrollment url http://37.37.37.37:80
revocation-check none
exit
4. Authenticate and enroll the router to get the certificate from the CA server:
crypto ca authenticate l2l
Certificate has the following attributes:
Fingerprint MD5: CD66EFFE A22C2FE6 DBE3361B F1A0BFFD
Fingerprint SHA1: 2BC6E500 F0142832 4DC78D77 8976A2FF 2A5F47C0
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
crypto ca enroll l2l
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: cisco123
Re-enter password: cisco123
% The subject name in the certificate will include: london.mydomain.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate l2l verbose' command will show the fingerprint.
Sep 26 11:07:12.067: CRYPTO_PKI: Certificate Request Fingerprint MD5: A2C865C1 8306C98A E597A3D5 F9C5D13C
Sep 26 11:07:12.075: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 6C7A55D0 91C033F6 B92321C5 8FB837F8 B4CF81E4
Sep 26 11:07:13.751: %PKI-6-CERTRET: Certificate received from Certificate Authority
5. Configure the router for the Site to Site VPN:
hostname london
!
!
ip domain name mydomain.com
!
!
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
crypto isakmp profile testvpn
self-identity fqdn
ca trust-point l2l
match identity host india.mydomain.com
!
!
crypto map outside_map 10 ipsec-isakmp
set peer 47.47.47.1
set transform-set myset
set isakmp-profile testvpn
match address 110
!
!
interface FastEthernet0/0
ip address 57.57.57.1 255.255.255.0
crypto map outside_map
!
!
end
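The configurations above use 3DES, MD5 and DH group 2 in the ISAKMP policy and transform set, turn revocation checking off in the trustpoint, and let the CA sign every request with "grant auto"; these are the settings a reviewer would flag before reusing this setup in production. The following Python checker is an added example, not part of this document or of Cisco IOS: it splits an IOS-style configuration into sections and reports those settings. The sample configuration is constructed from the CA-server and Site 1 lines shown on this page.

```python
# Constructed sample: the CA-server and Site 1 lines from this document,
# trimmed to the settings the checker looks at.
SAMPLE_CONFIG = """\
crypto pki server CA
 grant auto
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
crypto ca trustpoint l2l
 enrollment url http://37.37.37.37:80
 revocation-check none
crypto ipsec transform-set myset esp-3des esp-md5-hmac
"""

# ISAKMP policy values that should be replaced (aes, sha256, group 14 or higher)
WEAK_POLICY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_sections(config):
    """Group an IOS config into (header, [indented child lines]) pairs."""
    sections = []
    for line in config.splitlines():
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif line.strip():
            sections.append((line.strip(), []))
    return sections

def check_config(config):
    """Return (section header, finding) pairs for weak settings in the config."""
    findings = []
    for header, children in parse_sections(config):
        if header.startswith("crypto pki server") and "grant auto" in children:
            findings.append((header, "grant auto: requests are signed without review"))
        elif header.startswith("crypto isakmp policy"):
            for child in children:
                key, _, value = child.partition(" ")
                if value in WEAK_POLICY.get(key, ()):
                    findings.append((header, f"{key} {value} is weak"))
        elif header.startswith(("crypto ca trustpoint", "crypto pki trustpoint")):
            if "revocation-check none" in children:
                findings.append((header, "revocation-check none: revoked certs still accepted"))
        elif header.startswith("crypto ipsec transform-set"):
            for token in header.split()[4:]:   # tokens after the set name
                if token in WEAK_TRANSFORMS:
                    findings.append((header, f"{token} is weak"))
    return findings
```

Run check_config on a "show running-config" capture to get the list of findings; an empty list means none of the checked settings are present.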
Show Outputs:
Site 1:
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
57.57.57.1 47.47.47.1 QM_IDLE 1014 0 ACTIVE
show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: FastEthernet0/0
Profile: testvpn
Session status: UP-IDLE
Peer: 57.57.57.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: london.mydomain.com
Desc: (none)
IKE SA: local 47.47.47.1/500 remote 57.57.57.1/500 Active
Capabilities:(none) connid:1014 lifetime:08:28:00
IPSEC FLOW: permit ip 192.168.47.0/255.255.255.0 192.168.57.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 23 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 23 drop 31 life (KB/Sec) 0/0
Site 2:
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
57.57.57.1 47.47.47.1 QM_IDLE 1014 0 ACTIVE
show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: FastEthernet0/0
Profile: testvpn
Session status: UP-IDLE
Peer: 47.47.47.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: india.mydomain.com
Desc: (none)
IKE SA: local 57.57.57.1/500 remote 47.47.47.1/500 Active
Capabilities:(none) connid:1014 lifetime:08:26:22
IPSEC FLOW: permit ip 192.168.57.0/255.255.255.0 192.168.47.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 23 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 23 drop 1 life (KB/Sec) 0/0
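The show outputs above are what confirms that the tunnel came up with the intended peer and that the peer authenticated with the expected certificate identity (Phase1_id), not just that IKE negotiated. The following Python script is an added example, not part of this document or of Cisco IOS: it parses a "show crypto session detail" block and compares it against what Site 1 should see. The sample output is constructed from the Site 1 output on this page; note that in that output Active SAs is 0 and the outbound counter shows 31 drops, so the checker reports both.

```python
import re

# Constructed sample: the Site 1 'show crypto session detail' output from this
# document, with the code legend lines left out.
SAMPLE_OUTPUT = """\
Interface: FastEthernet0/0
Profile: testvpn
Session status: UP-IDLE
Peer: 57.57.57.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: london.mydomain.com
IKE SA: local 47.47.47.1/500 remote 57.57.57.1/500 Active
Capabilities:(none) connid:1014 lifetime:08:28:00
IPSEC FLOW: permit ip 192.168.47.0/255.255.255.0 192.168.57.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 23 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 23 drop 31 life (KB/Sec) 0/0
"""

FIELDS = {
    "profile": r"^Profile: (\S+)",
    "status": r"^Session status: (\S+)",
    "peer": r"^Peer: (\S+) port",
    "phase1_id": r"^Phase1_id: (\S+)",      # identity from the peer's certificate
    "active_sas": r"^Active SAs: (\d+)",
    "out_drop": r"^Outbound: .* drop (\d+)",
}

def parse_session(output):
    """Extract the FIELDS above from one 'show crypto session detail' block."""
    session = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, output, re.MULTILINE)
        if m:
            session[name] = m.group(1)
    return session

def check_session(session, expected):
    """Compare parsed fields with expected values; return a list of problems."""
    problems = [f"{k}: got {session.get(k)}, expected {v}"
                for k, v in expected.items() if session.get(k) != v]
    if not session.get("status", "").startswith("UP"):
        problems.append(f"session status {session.get('status')}")
    if session.get("active_sas") == "0":
        problems.append("no active IPsec SAs")
    if int(session.get("out_drop", 0)) > 0:
        problems.append(f"{session['out_drop']} outbound packets dropped")
    return problems

# Site 1 expects the london router, authenticated as london.mydomain.com, via profile testvpn.
SITE1_EXPECTED = {"profile": "testvpn", "peer": "57.57.57.1", "phase1_id": "london.mydomain.com"}
```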
Debugs and running configurations are attached.
I hope this document was helpful.
Thanks
Jeet Kumar
Great configuration example with complete illustration + debugs. Much appreciated!
Great document!! It helped a lot!!!
Great document, very helpful.
Top class! This document is to the point, detailed and very helpful. Kudos!