VPN Site to Site with IPSec and CA Certificates

carlosdico
Level 1

Hi,

I have to configure a site-to-site VPN tunnel with IPsec and a CA certificate, but when I try to paste the certificate the router gives me an error.

I have two certificates of the other side of the IPSec tunnel.

I couldn't find a howto to implement this configuration.

Does someone know of a tutorial for a configuration like this?

Thanks.


Mohammad Alhyari
Cisco Employee

Hi Carlos,

What is the error you are seeing when pasting the certificate? What are the steps you are using to enroll the router?

You can check this:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html

Hope that this helps.

Mohammad.

Hi Mohammad,

Thanks for your reply. The problem with the certificate was that I couldn't copy the whole certificate at once. I had to copy it line by line.

Now I have another issue. I created this:

Phase 1:

!
crypto isakmp policy 10
 authentication rsa-sig
 encr 3des
 hash md5
 group 2
!

But I don't know how to assign the CA certificate to this configuration.

I did a test in Packet Tracer with pre-shared keys and it works fine, but how can I use rsa-sig?

Eg: crypto isakmp key "passwd123" address "192.168.0.2"

Phase 2:

crypto ipsec transform-set SET esp-3des esp-md5-hmac

Here is how to do it:

1- Have a Windows 2003 Server with IIS installed,

2- Install the Certificate Authority (CA) service on the Windows 2003 Server,

3- Install Microsoft SCEP,

4- Configure the Certificate Authority to issue certificates immediately.

On the router, do this:

1- Assign a hostname,

2- Assign a domain name,

3- Generate a crypto RSA key,

4- Enter the following commands on both routers:

crypto pki trustpoint cciesec
  enrollment url http://ip-address-of-the-windows-2003:80/certsrv/mscep/mscep.dll
  no revocation-check
  exit
crypto pki authenticate cciesec
crypto pki enroll cciesec

Now your routers can do IPsec with each other via certificates.

Easy right?

Thanks David,

Could I not do that without a Windows 2003 Server? I only know one end of the tunnel. The other side is configured with its digital certificates. I think they are the same as the ones I have.

Could I not use the router as the CA server?

I only have one Cisco 887 and 2 computers with XP. Is this not enough?

I have never had to use a router as a CA server, but it can be done because the concept is the same. However, if you're going to use the router as a CA server, it has to be a dedicated router. The CA server cannot be on the same router that terminates the VPN. I could be wrong on that part, but that's how I remember it.

Carlos, you can use a router as a CA server. I have a practice lab that I made that has something similar to what you are looking for. Instead of a site-to-site VPN my lab uses a GRE-over-IPsec tunnel.

Here is the network diagram and configs:

1. First configure all of the requirements (routing, interfaces, NTP, generating certificates, CA server, etc.)

- CA router -

hostname CA-RTR
!
ip domain name TEST
!
ntp master
!
ip ssh ver 2
!
crypto key generate rsa general-keys label CA-RTR modulus 2048 exportable
!
crypto key export rsa CA-RTR pem url nvram: 3des !Q@W#E$R5t
!
ip http server
!
crypto pki server CA-SVR
 database url nvram:
 issuer-name CN=CA-SVR.CA-RTR.TEST
 lifetime ca-certificate 365
 no shut
!
interface Loopback0
 ip address 10.10.0.0 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.255.1 255.255.255.254
 speed 100
 full-duplex
 no shut
!
interface FastEthernet0/1
 ip address 192.168.255.2 255.255.255.254
 speed 100
 full-duplex
 no shut
!
end

- RTR1 -

hostname RTR1
!
ip domain name TEST
!
interface Loopback0
 ip address 10.10.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.255.0 255.255.255.254
 speed 100
 duplex full
 no shut
!
interface FastEthernet0/1
 ip address 192.168.255.4 255.255.255.254
 speed 100
 duplex full
!
interface Tunnel0
 ip address 172.16.255.0 255.255.255.254
 keepalive 10 3
 tunnel source 192.168.255.4
 tunnel destination 192.168.255.5
!
ip route 0.0.0.0 0.0.0.0 192.168.255.1
!
ntp server 10.10.0.0
!
ip ssh ver 2
!
crypto key generate rsa modulus 2048
!
crypto pki trustpoint CA-SVR
 enrollment url http://10.10.0.0:80
 revocation-check none
!
crypto pki auth CA-SVR
!
crypto pki enroll CA-SVR
!
end

- RTR2 -

hostname RTR2
!
ip domain name TEST
!
interface Loopback0
 ip address 10.10.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.255.3 255.255.255.254
 speed 100
 duplex full
 no shut
!
interface FastEthernet0/1
 ip address 192.168.255.5 255.255.255.254
 speed 100
 duplex full
 no shut
!
interface Tunnel0
 ip address 172.16.255.1 255.255.255.254
 keepalive 10 3
 tunnel source 192.168.255.5
 tunnel destination 192.168.255.4
!
ip route 0.0.0.0 0.0.0.0 192.168.255.2
!
ntp server 10.10.0.0
!
ip ssh ver 2
!
crypto key generate rsa modulus 2048
!
crypto pki trustpoint CA-SVR
 enrollment url http://10.10.0.0:80
 revocation-check none
!
crypto pki auth CA-SVR
!
crypto pki enroll CA-SVR
!
end

2. After the CA server is running, finish configuring the remaining routers.

   a. In a real network, before accepting a certificate from the CA server, you should make sure that the MD5 fingerprint of the certificate matches the one displayed on the CA-RTR after entering the following command:

          show crypto pki server

   b. On the CA-RTR, view and grant the pending certificates by entering the following commands:

          crypto pki server CA-SVR info requests
          crypto pki server CA-SVR info grant all

- RTR 1 -

ip access-list extended VPN-TRAFFIC
 permit gre host 192.168.255.4 host 192.168.255.5
!
crypto ikev2 proposal PHASE-1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy VPN-POLICY
 proposal PHASE-1
!
crypto ikev2 profile RTR1-RTR2-PROFILE
 match identity remote fqdn RTR2.TEST
 identity local fqdn RTR1.TEST
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-SVR
!
crypto ipsec transform-set PHASE-2 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN-MAPS 10 ipsec-isakmp
 set peer 192.168.255.5
 set transform-set PHASE-2
 set ikev2-profile RTR1-RTR2-PROFILE
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 crypto map VPN-MAPS
!
end

- RTR2 -

ip access-list extended VPN-TRAFFIC
 permit gre host 192.168.255.5 host 192.168.255.4
!
crypto ikev2 proposal PHASE-1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy VPN-POLICY
 proposal PHASE-1
!
crypto ikev2 profile RTR2-RTR1-PROFILE
 match identity remote fqdn RTR1.TEST
 identity local fqdn RTR2.TEST
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-SVR
!
crypto ipsec transform-set PHASE-2 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN-MAPS 10 ipsec-isakmp
 set peer 192.168.255.4
 set transform-set PHASE-2
 set ikev2-profile RTR2-RTR1-PROFILE
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 crypto map VPN-MAPS
!
end

You can test the configuration by doing an extended ping from RTR1's loopback interface to RTR2's loopback interface:

          ping 172.16.255.1 source 172.16.255.0
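Two steps in this thread can be checked off-box before anything is typed into the router: the certificate paste that only worked line by line earlier in the thread, and the fingerprint comparison in step 2a above. The following Python is an added example, not code from this thread or from Cisco. It flags any character outside printable ASCII in a pasted PEM block (a typical cause of paste errors when the text passed through a word processor or web page), then base64-decodes the body and prints the MD5 or SHA-1 fingerprint in the grouped-hex form IOS shows during `crypto pki authenticate`, so it can be compared with the value from `show crypto pki server` on the CA. Both sample PEM strings are constructed here; the "good" one wraps the bytes "abc" rather than a real certificate so the result matches well-known hash test vectors.

```python
import base64
import hashlib
import re

# Constructed sample: PEM armour around the bytes b"abc", not a real certificate,
# chosen so the fingerprints match well-known MD5/SHA-1 test vectors.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Constructed sample of a copy taken from a word processor or web page: a
# non-breaking space and an em dash have replaced plain ASCII characters.
BAD_PEM = "-----BEGIN\u00a0CERTIFICATE\u2014----\nYWJj\n-----END CERTIFICATE-----\n"


def find_unprintable(pem):
    """Return (line, column, repr(char)), 1-based, for every character outside
    printable ASCII 0x20..0x7E (CR and TAB are tolerated, LF ends a line)."""
    bad = []
    for lineno, line in enumerate(pem.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch not in "\r\t" and not 0x20 <= ord(ch) <= 0x7E:
                bad.append((lineno, col, repr(ch)))
    return bad


def pem_to_der(pem):
    """Strip the BEGIN/END armour and base64-decode the body.  Raises ValueError
    if the armour is missing or the body holds characters outside base64."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def cisco_fingerprint(der, algo="md5"):
    """Hash the DER and format it the way IOS prints a certificate fingerprint:
    upper-case hex in space-separated groups of eight."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def matches_router(pem, shown):
    """True if the pasted PEM hashes to the fingerprint the CA router displayed.
    The hash algorithm is inferred from the length of what the router printed."""
    normalise = lambda s: re.sub(r"\s+", "", s).upper()
    shown = normalise(shown)
    algo = {32: "md5", 40: "sha1"}.get(len(shown))
    if algo is None:
        raise ValueError("expected an MD5 (32 hex) or SHA-1 (40 hex) fingerprint")
    return normalise(cisco_fingerprint(pem_to_der(pem), algo)) == shown
```

Run `find_unprintable` on the text you are about to paste; an empty list means every character is one the router's CLI can take, and `matches_router` then tells you whether the blob you hold is the certificate the CA router says it issued.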

Hello jorgeramos78,

Is it mandatory to copy the certificate from one router to the other one?

I tried your configuration on my 3800 routers but the router doesn't let me configure it. What is ikev2?

thanks

Roee

Sorry, but I don't work on security full-time, so I am not 100% sure if it is mandatory to copy the certificate from router to router. The example that I posted was just a proof of concept.

Regarding IKEv2: I am not sure if 3800 series routers support it. The new Integrated Services Routers do support it, but you need to be using the correct IOS version and possibly purchase the appropriate license.

Hi David, can you please provide me the steps to configure CA & SCEP on Windows 2003 Server, and also how to configure the Certificate Authority to issue certificates. Awaiting your reply.

frankcrawford
Level 1

I suspect the cert is not a printable string, probably a UTF-8 string. Make sure the cert you are putting on a Cisco device is a printable cert string.
