problem with x.509 based IPSec between CISCO 1941 ISR and own AP

kiho.lee09
Level 1

Hi all experts :)

I'm trying to set up x.509 based IPSec between a CISCO 1941 router and my own AP.

I read a lot of documents about IPsec, but I still do not have a successful IPSec configuration on the CISCO 1941 ISR.

I always get blocked at the step "crypto ca import [name of ca] certificate" and see the message "Cannot import certificate - Certificate does not contain router's General Purpose public key trust point".

What am I doing wrong?

Is there a clear solution to these problems? Or could you suggest sites or other docs, please...

I'm really, really dead tired.... please, anybody, help me!!!!!

p.s.) Is x.509 based IPsec available between a CISCO 1941 ISR and my own AP?

      And I am using a pem format file that was created by my key launcher.

2 Replies

Aditya Ganjoo
Level 9

Hi,

May I know whether the CSR was generated on the router?

Normally the CSR for an ID certificate would be generated on the router, since that way the router uses a specific private RSA key for the certificate, and once the certificate is created it will match the key on the router and can then be installed.

If the CSR was not generated on the router, importing this ID certificate fails since the certificate does not have the private key from the router, and the router is expecting it.

To overcome this we would need to install a pkcs12 certificate on the router, since this certificate contains both the private and public keys; the extension for these certificates is ".p12" and they require a passphrase to be installed.

Did you receive an ID certificate in this format?

Here are the steps for importing a certificate on your Cisco router:

Step 1. Verify that the Date, Time, and Time Zone Values are Accurate 

Router#sho clock
01:22:46.819 UTC Mon Jun 1 2009

Router#clock set 01:22:15 1 jun 2009

Step 2. Generate the RSA Key Pair 

Router#config t
Router(config)#crypto key generate rsa usage-keys label My-RSA modulus 1024
The name for the keys will be: My-RSA

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]


Step 3. Create the Trustpoint 

Router(config)#crypto pki trustpoint TEST
Router(ca-trustpoint)#enrollment terminal
Router(ca-trustpoint)#subject-name CN=xyz.cisco.com,OU=XYZ,O=CISCO,C=xyz
Router(ca-trustpoint)#fqdn ABC.xyz.cisco.com
Router(ca-trustpoint)#rsakeypair My-RSA
Router(ca-trustpoint)#exit

****************************************************************************
NOTE:

If we are not using CRL we need to disable it in the trustpoint:

crypto pki trustpoint <trustpoint-name>
   revocation-check none

****************************************************************************

Step 4. Authenticate the Trustpoint 


Router(config)#crypto pki authenticate TEST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
quit


!--- Manually pasted certificate into CLI.


Certificate has the following attributes:
       Fingerprint MD5: 98D66001 F65D98A2 B455FBCE D672C24A
      Fingerprint SHA1: F9E64DE0 F966B022 7BC5DB56 22942F84 7558AC40

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.
% Certificate successfully imported


Step 5. Generate the Certificate Enrollment for the identity certificate

Router(config)#crypto pki enroll TEST
% Start certificate enrollment ..

% The subject name in the certificate will include:
CN=xyz.cisco.com,OU=XYZ,O=CISCO,C=xyz
% The subject name in the certificate will include: ABC.xyz.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Signature key certificate request -
Certificate Request follows:
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---End - This line not part of the certificate request---


Redisplay enrollment request? [yes/no]: no


Step 6. Install the certificate you got from the CA server based on the previous request.


Router(config)#crypto pki import TEST certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIFtzCCBJ+gAwIBAgIKFzHrEQAAAAABaDANBgkqhkiG9w0BAQUFADBZMRMwEQYK
CZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY3J0YWMxEzARBgoJkiaJ
k/IsZAEZFgN2cG4xFjAUBgNVBAMTDVZQTi1TRVJWRVItMDEwHhcNMDkwNjAyMDE0
NTU0WhcNMTEwNjAyMDE0NTU0WjByMSIwIAYJKoZIhvcNAQkCExNjdnMuY3J2cG4u
Y2lzY28uY29tMQswCQYDVQQGEwJDUjEVMBMGA1UEChMMQ0lTQ08gVEFDLUNSMQ4w
DAYDVQQLEwVDUlZQTjEYMBYGA1UEAxMPY3J2cG4uY2lzY28uY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCsmsOhRXjOakyO02W79F1RQsLiAjXmpuhguHDF
19U6grsm5rejwvfi5Bp+FHPLqdAOAUkKD+SQiw5oaB7dT8lkh9l302NcHw9zvUt1
SXs6m185xVSIXGCrSs64Ox9dVQOrCm0VhNsrUtfGys3Uu6VkSG2bJmYPBUB77ivP
9WrKIwIDAQABo4IC6jCCAuYwCwYDVR0PBAQDAgWgMB0GA1UdDgQWBBQMK8Ej5uJ/
Qqrdno//VlgLcU+UmzAfBgNVHSMEGDAWgBT+U1Q0eFOwcQ8BtwQdBwI3DIhNzDCC
ARwGA1UdHwSCARMwggEPMIIBC6CCAQegggEDhoG/bGRhcDovLy9DTj1WUE4tU0VS
VkVSLTAxLENOPVZQTi1TRVJWRVItMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUy
MFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9dnBuLERD
PWNydGFjLERDPWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2Jq
ZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGP2h0dHA6Ly92cG4tc2VydmVy
LTAxLnZwbi5jcnRhYy5jb20vQ2VydEVucm9sbC9WUE4tU0VSVkVSLTAxLmNybDCC
AS8GCCsGAQUFBwEBBIIBITCCAR0wgbEGCCsGAQUFBzAChoGkbGRhcDovLy9DTj1W
UE4tU0VSVkVSLTAxLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXZwbixEQz1jcnRhYyxEQz1j
b20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
dXRob3JpdHkwZwYIKwYBBQUHMAKGW2h0dHA6Ly92cG4tc2VydmVyLTAxLnZwbi5j
cnRhYy5jb20vQ2VydEVucm9sbC9WUE4tU0VSVkVSLTAxLnZwbi5jcnRhYy5jb21f
VlBOLVNFUlZFUi0wMS5jcnQwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUAcgB2
AGUAcjAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3
DQEBBQUAA4IBAQBufe9d1pHZaSocxXhIfBFJx++xCAMlDZRB3/X0AfopT1B/E+kp
ntV+lIxbIQcOvyjkbvTY25zCdIOKhdH+TtEDPdQrzt79FWemhX7L25RZiWt1Nog4
4FzxPDYm0PEXKreWCXvvnq2KqXUsJmn2hxXctq9WX/t/PSP/+r3d3mqL8okMgBn/
O4Pn+A1xCk5WOZyue99vdocKAlS6LCvqs3n2++k4v/MinuGVeuasoZKM9eKlQKwW
I74BIBbdlucDdV1VWzqrlV5LGE/izkvfPbQsAVlJ4DWBz4NddsBIma/xrg9Ut0h5
K/HTKYjvbq+v395Azo6vNShjJcJWcXqZYpyO
-----END CERTIFICATE-----
quit
Received General Purpose certificate for signature keypair

Do you wish to accept this certificate? [yes/no]: yes
% Router Certificate successfully imported

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Thanks for your hospitable help.

I followed your comments, but still have a problem and am confused about step 6. (And I am doing all the steps in the terminal environment.)

Could you explain step 6 in more detail for me? (I'm just a beginner in IPSec and in using Cisco devices.) :)

And could the problem be caused by a different validity time?

I set my Cisco clock following step 1, but when I ran "do show crypto pki certificates" I got this message:

=================================================

Validity Date:
start date: 23:43:43 UTC Mar 7 2016
end date: 17:15:27 UTC Jan 18 1930
Associated Trustpoints: TestTP

==================================================

Do you think that is causing the problem?

PS1) When I tried to import the CA, I got the debug message "Mar  8 01:27:54.327: CRYPTO_PKI: status = 65535: failed to verify or insert the cert into storage"

PS2) As a result, I want X.509 based IPsec between my own AP and the CISCO 1941 ISR like figure 1.1 below.

Figure 1.1) AP-CISCO 1941 ISR

Thanks again for your help :)
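Added example (my own code, not from this thread or from Cisco): a pure-Python checker that reproduces offline, before anything is pasted into `crypto pki import`, the two conditions raised in this thread: Aditya's point that the certificate must carry the public half of the router's own RSA key pair (otherwise IOS answers with the "does not contain router's General Purpose public key" error from the question), and the validity window versus the router clock from the follow-up. It walks the DER directly with a minimal tag-length-value parser (no third-party library) and uses the identity certificate pasted in the reply above as its sample input. The router clocks and the deliberately altered "foreign" key in `demo()` are constructed for the demonstration, and `import_checks` assumes the router's public key is available as DER SubjectPublicKeyInfo bytes.

```python
"""Offline pre-import checks for an IOS identity certificate (added example, not Cisco's code)."""
import base64
from datetime import datetime, timezone

OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3 id-at-commonName

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (what gets pasted into 'crypto pki import') and decode the base64."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))

def der_tlv(buf, pos):
    """Decode one DER tag/length header at pos; returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Elements inside a constructed value as (tag, element_start, value_start, value_end)."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        out.append((tag, pos, vstart, vend))
        pos = vend
    return out

def name_common_name(buf, start, end):
    """Walk an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) and return its CN."""
    for _, _, set_s, set_e in der_children(buf, start, end):        # each RDN
        for _, _, atv_s, atv_e in der_children(buf, set_s, set_e):  # each type/value pair
            (_, _, oid_s, oid_e), (_, _, val_s, val_e) = der_children(buf, atv_s, atv_e)
            if buf[oid_s:oid_e] == OID_COMMON_NAME:
                return buf[val_s:val_e].decode("utf-8")
    return None

def parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(pem):
    """Issuer/subject CN, validity window and the raw SubjectPublicKeyInfo of a PEM certificate."""
    der = pem_to_der(pem)
    _, cert_vs, cert_ve = der_tlv(der, 0)                          # Certificate ::= SEQUENCE
    _, _, tbs_vs, tbs_ve = der_children(der, cert_vs, cert_ve)[0]  # tbsCertificate
    fields = der_children(der, tbs_vs, tbs_ve)
    if fields[0][0] == 0xA0:                                       # optional explicit [0] version
        fields = fields[1:]
    _serial, _sig_alg, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = der_children(der, validity[2], validity[3])
    return {
        "issuer_cn": name_common_name(der, issuer[2], issuer[3]),
        "subject_cn": name_common_name(der, subject[2], subject[3]),
        "not_before": parse_time(not_before[0], der[not_before[2]:not_before[3]]),
        "not_after": parse_time(not_after[0], der[not_after[2]:not_after[3]]),
        "spki_der": der[spki[1]:spki[3]],  # whole SubjectPublicKeyInfo element, header included
    }

def import_checks(cert, router_spki_der, router_clock):
    """Conditions the router will reject (or later trip over) when this certificate is imported."""
    problems = []
    if cert["spki_der"] != router_spki_der:
        problems.append("KEY MISMATCH: certificate public key is not the router's RSA key pair "
                        "(CSR not generated on this router, or generated with another keypair)")
    if cert["not_after"] <= cert["not_before"]:
        problems.append("BROKEN VALIDITY: end date precedes start date; the CA must re-issue")
    if router_clock < cert["not_before"]:
        problems.append("CLOCK BEFORE START: router clock is earlier than the certificate start date")
    if router_clock > cert["not_after"]:
        problems.append("CLOCK AFTER END: router clock is later than the certificate end date")
    return problems

# Sample input: the identity certificate pasted in the reply above, PEM body with its line breaks removed.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + "".join([
    "MIIFtzCCBJ+gAwIBAgIKFzHrEQAAAAABaDANBgkqhkiG9w0BAQUFADBZMRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY3J0YWMxEzARBgoJkiaJk/IsZAEZFgN2cG4xFjAUBgNVBAMTDVZQTi1TRVJWRVItMDEwHhcNMDkwNjAyMDE0NTU0WhcNMTEwNjAyMDE0NTU0WjByMSIwIAYJKoZIhvcNAQkCExNjdnMuY3J2cG4u",
    "Y2lzY28uY29tMQswCQYDVQQGEwJDUjEVMBMGA1UEChMMQ0lTQ08gVEFDLUNSMQ4wDAYDVQQLEwVDUlZQTjEYMBYGA1UEAxMPY3J2cG4uY2lzY28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsmsOhRXjOakyO02W79F1RQsLiAjXmpuhguHDF19U6grsm5rejwvfi5Bp+FHPLqdAOAUkKD+SQiw5oaB7dT8lkh9l302NcHw9zvUt1",
    "SXs6m185xVSIXGCrSs64Ox9dVQOrCm0VhNsrUtfGys3Uu6VkSG2bJmYPBUB77ivP9WrKIwIDAQABo4IC6jCCAuYwCwYDVR0PBAQDAgWgMB0GA1UdDgQWBBQMK8Ej5uJ/Qqrdno//VlgLcU+UmzAfBgNVHSMEGDAWgBT+U1Q0eFOwcQ8BtwQdBwI3DIhNzDCCARwGA1UdHwSCARMwggEPMIIBC6CCAQegggEDhoG/bGRhcDovLy9DTj1WUE4tU0VS",
    "VkVSLTAxLENOPVZQTi1TRVJWRVItMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9dnBuLERDPWNydGFjLERDPWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGP2h0dHA6Ly92cG4tc2VydmVy",
    "LTAxLnZwbi5jcnRhYy5jb20vQ2VydEVucm9sbC9WUE4tU0VSVkVSLTAxLmNybDCCAS8GCCsGAQUFBwEBBIIBITCCAR0wgbEGCCsGAQUFBzAChoGkbGRhcDovLy9DTj1WUE4tU0VSVkVSLTAxLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXZwbixEQz1jcnRhYyxEQz1j",
    "b20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwZwYIKwYBBQUHMAKGW2h0dHA6Ly92cG4tc2VydmVyLTAxLnZwbi5jcnRhYy5jb20vQ2VydEVucm9sbC9WUE4tU0VSVkVSLTAxLnZwbi5jcnRhYy5jb21fVlBOLVNFUlZFUi0wMS5jcnQwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUAcgB2",
    "AGUAcjAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQBufe9d1pHZaSocxXhIfBFJx++xCAMlDZRB3/X0AfopT1B/E+kpntV+lIxbIQcOvyjkbvTY25zCdIOKhdH+TtEDPdQrzt79FWemhX7L25RZiWt1Nog44FzxPDYm0PEXKreWCXvvnq2KqXUsJmn2hxXctq9WX/t/PSP/+r3d3mqL8okMgBn/",
    "O4Pn+A1xCk5WOZyue99vdocKAlS6LCvqs3n2++k4v/MinuGVeuasoZKM9eKlQKwWI74BIBbdlucDdV1VWzqrlV5LGE/izkvfPbQsAVlJ4DWBz4NddsBIma/xrg9Ut0h5K/HTKYjvbq+v395Azo6vNShjJcJWcXqZYpyO",
]) + "\n-----END CERTIFICATE-----\n"

def demo():
    """Run the checks in three constructed scenarios; returns {scenario: problem list}."""
    cert = parse_certificate(SAMPLE_CERT_PEM)
    clock_ok = datetime(2009, 6, 2, 2, 0, 0, tzinfo=timezone.utc)      # constructed: inside the window
    clock_late = datetime(2016, 3, 8, 1, 27, 54, tzinfo=timezone.utc)  # constructed: like the Mar 2016 clock in the follow-up
    foreign_key = cert["spki_der"][:-1] + bytes([cert["spki_der"][-1] ^ 0x01])  # constructed mismatch
    return {"matching_key": import_checks(cert, cert["spki_der"], clock_ok),
            "foreign_key": import_checks(cert, foreign_key, clock_ok),
            "late_clock": import_checks(cert, cert["spki_der"], clock_late)}
```

For the router's key, the hex printed under "Key Data" by `show crypto key mypubkey rsa` is, as far as I know, this same DER SubjectPublicKeyInfo (strip the spaces and `bytes.fromhex` it); verify that on your IOS release before relying on it. A `KEY MISMATCH` result is exactly the situation Aditya describes: either generate the CSR on the router with `crypto pki enroll` so the CA signs the router's own key, or import a PKCS#12 that carries the private key along with the certificate. A `BROKEN VALIDITY` result is what the Jan 18 1930 end date in the follow-up would produce: no clock setting on the router fixes it, the CA has to issue the certificate again. Note that with the router clock from step 1 (Jun 1 2009) the sample certificate, which starts Jun 2 2009, would be reported as `CLOCK BEFORE START`, which is why the clock check comes before the import.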