Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
725
Views
0
Helpful
1
Replies

IOS Based Certification Authority

trustcisco
Level 1
Level 1

‎01-28-2011 01:59 AM

Hello,

I have tried the following configuration in my lab for a RSA-SIN site-to-site VPN with one of the routers acting as the hub/ca. Although it is working, i would like you to comment the configuration on how to make it better from security perspective, suggest best practices about IOS CA from real world experience etc.

Configuration:

Hub Configuration:

hostname hub1

ip domain-name cisco.com

ip http-server

ntp master 2

crypto key generate rsa general-keys label IOSCA modulus 1024 exportable

// do i also need to issue the crypto key export rsa IOSCA  command ? i have read several examples where they export the keys and then import them to the same router, is this correct ?

crypto pki server IOSCA
database archive pkcs12 password 0 cisco 123
issuer-name CN=IOSCA.cisco.com,L=San Jose,C=US
grant auto
lifetime crl 200
lifetime certificate 1800
lifetime ca-certificate 1800

crypto pki trustpoint hub

enrollement url http://172.16.12.1:80
  serial-number
  revocation-check crl none
  rsakeypair IOSCA

crypto isakmp policy 10
encr aes
group 2

crypto ipsec transform-set myset esp-aes esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer 10.10.10.5
set transform-set myset
match address 100

interface FastEthernet0/0
ip address 172.16.12.1 255.255.255.0
crypto map mymap

access-list 100 permit ip host 172.16.13.1 host 10.10.5.5

Spoke Configuration :

hostname spoke

ip domain-name cisco.com

ntp server 172.16.12.1

crypto key generate rsa general-keys

crypto pki trustpoint hq
enrollment url http://172.16.12.1:80
serial-number
revocation-check crl none

crypto isakmp policy 10
encr aes
group 2

crypto ipsec transform-set myset esp-aes esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
set peer 172.16.12.1
set transform-set myset
match address 100

interface FastEthernet0/0
ip address 10.10.10.5 255.255.255.0
crypto map mymap

Thanks in advance.

Labels:
0 Helpful
1 Reply 1

ramds
Level 1
Level 1

‎01-31-2011 11:29 PM

Hello TrustCisco,

The config you have is perfectly secure and there is no need to export the keys and then import it as its just a overhead and doen't achieve anything specific.

As a best practice you can use another device as the CA server rather than this one as its again a burden on the device when multiple clients are involved.

Hope this helps.

--

Ramya

--Please rate the solutions.

0 Helpful
Customers Also Viewed These Support Documents