cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
282
Views
0
Helpful
2
Replies
Beginner

Router to Router IKEv2 VPN using Certificates - Auto-enroll

Hi,

 

I have an IKEv2 site to site VPN on real tin and modelled in GNS3.   Router A is the CA and also a peer and Router B is the other peer.  I am using static VTI and manually authenticating and enrolling to obtain the certificates used in the VPN.  By manual I mean it still uses the http/url method but I enter the commands for 'authenticate' and 'enroll' myself  on the cli.   Using this method both on the real routers and in GNS3 it all works fine and the tunnel comes up and data is encrypted.   However, I need to get this working automatically and have been trying to use the auto-enroll regenerate command in the trustpoint configuration.    In GNS3 when I do this it seems to work as far as generating a key pair and then obtaining the certificate but the tunnel will not come up.   The config I am using (in GNS) is shown below.  Any help or ideas would be appreciated. 

 

### Router A  - CA and peer ###

 

cry key gen rsa gen lab CA_SERVER mod 2048
crypto pki server CA_SERVER
issuer-name CN=routerA.dingbats.com
grant auto
no shut
[enter password = cisco123]

 

crypto pki trustpoint RouterA_CA
enrollment url http://10.7.7.1:80
subject-name C=GB, ST=Gloucestershire, O=Dingbats Net, OU=Access Control, CN=RouterA.peer.dingbats.com
revocation-check none
password cisco123
rsakeypair RA_Identity 2048 2048
auto-enroll regenerate
cry pki authenticate RouterA_CA

 

### Router A - crypto / vti stuff ###

 

crypto ikev2 proposal IKEv2_PROPOSAL
encryption aes-cbc-256 aes-cbc-192 3des
integrity sha512 sha256 md5
group 19
!
crypto ikev2 policy IKEv2_POLICY
proposal IKEv2_PROPOSAL

crypto pki certificate map IDENTITY_MAP 10
subject-name co o = Dingbats Net

crypto ikev2 profile IKEv2_PROFILE
match certificate IDENTITY_MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint RouterA_CA

crypto ipsec transform-set IPSEC_TRANSFORM1 esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IPSEC_TRANSFORM1
set ikev2-profile IKEv2_PROFILE

interface Tunnel0
description ===SVTI INTERFACE===
ip address 192.168.12.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Ethernet0/1
tunnel mode ipsec ipv4
tunnel destination 10.8.7.11
tunnel protection ipsec profile IPSEC_PROFILE
no shut

ip route 192.168.2.0 255.255.255.0 tun0

 

### Router B  PKI stuff - peer ###

crypto pki trustpoint RouterB_CA
enrollment url http://10.7.7.1:80
subject-name C=GB, ST=Gloucestershire, O=Dingbats Net, OU=Access Control, CN=RouterB.peer.dingbats.com
revocation-check none
password cisco123
rsakeypair RB_Identity 2048 2048
auto-enroll regenerate
cry pki authenticate RouterB_CA

 

### Router B - crypto / vti stuff ###

 

crypto ikev2 proposal IKEv2_PROPOSAL
encryption aes-cbc-256 aes-cbc-192 3des
integrity sha512 sha256 md5
group 19
!
crypto ikev2 policy IKEv2_POLICY
proposal IKEv2_PROPOSAL

crypto pki certificate map IDENTITY_MAP 10
subject-name co o = Dingbats Net

crypto ikev2 profile IKEv2_PROFILE
match certificate IDENTITY_MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint RouterB_CA

crypto ipsec transform-set IPSEC_TRANSFORM1 esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IPSEC_TRANSFORM1
set ikev2-profile IKEv2_PROFILE

interface Tunnel0
description ===SVTI INTERFACE===
ip address 192.168.12.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Ethernet0/1
tunnel mode ipsec ipv4
tunnel destination 10.7.7.1
tunnel protection ipsec profile IPSEC_PROFILE
no shut

ip route 192.168.1.0 255.255.255.0 tun0

 

Thanks in advance!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Re: Router to Router IKEv2 VPN using Certificates - Auto-enroll

Hello

 

I think you need to configure your CA server to auto renew and auto-grand new certificate requrests

 

crypto pki server ios-ca

grant auto rollover ca-cert
grant auto
lifetime certificate 0 1 <-- use these values accordingly
lifetime ca-certificate 0 2 <-- use these values accordingly

 

This was also from  GNS3 
auto-rollover 0 0 30 <-- use these values accordingly


!

2 REPLIES 2
Highlighted
Beginner

Re: Router to Router IKEv2 VPN using Certificates - Auto-enroll

Hello

 

I think you need to configure your CA server to auto renew and auto-grand new certificate requrests

 

crypto pki server ios-ca

grant auto rollover ca-cert
grant auto
lifetime certificate 0 1 <-- use these values accordingly
lifetime ca-certificate 0 2 <-- use these values accordingly

 

This was also from  GNS3 
auto-rollover 0 0 30 <-- use these values accordingly


!

Beginner

Re: Router to Router IKEv2 VPN using Certificates - Auto-enroll

Thanks for that very useful information and I have used this to set up lifetimes and auto-renew which now works in GNS3.    I did however, spot for some reason the root cause which was that a line under the IKEv2 profile identifying which trustpoint to use was missing on one side. I missed this completely during troubleshooting (could not see the wood for the trees I suppose).   Not sure how this happened but note to self to double check all crypto config after making changes.   Thanks again!