10-31-2012 12:13 PM - edited 02-21-2020 06:27 PM
Has anyone been able to bring up a simple site-to-site IKEv2 IPsec VPN using Microsoft AD CS on a Cisco ISR running IOS 15.2?
We have not seen any examples of this type of configuration and have been trying to construct our configuration from the documentation.
10-31-2012 06:34 PM
I've not used IKEv2 on Cisco IOS routers yet (done that on a Checkpoint firewall); however, I've been using Cisco IOS 12.4(24)T4 with a Microsoft AD Certificate Server 2003 server (do not use 2008) for site-2-site VPN. It is very simple. Here is the process:
- install Windows 2003 with IIS and Certificate Server,
- install scep.exe on Windows 2003. This will allow the router to communicate with the IIS server using the SCEP protocol over port 80; do NOT use the SCEP challenge password,
- configure the MS CS to immediately issue the certificate,
Here are the steps to get the router to communicate with the Microsoft CS:
crypto ca trustpoint exchange2010
enrollment retry count 5
enrollment retry period 3
enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll
crl optional
crypto ca authenticate exchange2010
crypto ca enroll exchange2010
Now you can go ahead and configure the site-2-site VPN. Instead of using "authentication pre-share" under the crypto isakmp policy, you just leave it blank, because by default it will use PKI.
Easy right?
Here is what you will see on the router during the certificate authentication and enrollment:
c3845(config)#do term mon
c3845(config)#crypto ca trustpoint exchange2010
c3845(ca-trustpoint)# enrollment retry count 5
c3845(ca-trustpoint)# enrollment retry period 3
c3845(ca-trustpoint)# enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll
c3845(ca-trustpoint)# crl optional
c3845(ca-trustpoint)#crypto ca authenticate exchange2010
Certificate has the following attributes:
Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11
Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c3845(config)#crypto ca enroll exchange2010
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: c3845
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose exchange2010' command will show the fingerprint.
c3845(config)#
*Nov 1 02:16:15.726: CRYPTO_PKI: Certificate Request Fingerprint MD5: 11C23B80 FE62AFCC 794A516F 001DD3F8
*Nov 1 02:16:15.726: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 31BF71AE 85379C32 A9F5E001 05B7D8AF 6E30DBA2
c3845(config)#
*Nov 1 02:16:17.254: %PKI-6-CERTRET: Certificate received from Certificate Authority
c3845(config)#
c3845(config)#
c3845(config)#end
c3845#
c3845#show crypto pki certificate verbose exchange2010
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 15899F1F00000000000F
Certificate Usage: General Purpose
Issuer:
cn=exchange2010
dc=exchange2010
dc=com
Subject:
Name: c3845
hostname=c3845
CRL Distribution Points:
ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl
Validity Date:
start date: 01:20:51 UTC Nov 1 2012
end date: 01:20:51 UTC Nov 1 2014
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: CDF71E9F 5E5B0560 A48A9E32 62996644
Fingerprint SHA1: 82F3E9F1 BBBB9115 32156714 4623FEB1 308AC8C5
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 72DC04D4 343115B0 2DAEFAEF 36F23D29 9D432382
X509v3 Basic Constraints:
CA: FALSE
X509v3 Subject Alternative Name:
c3845
X509v3 Authority Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550
Authority Info Access:
Associated Trustpoints: exchange2010
Key Label: c3845
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 50271D7CD98632B74ABC894310D34244
Certificate Usage: Signature
Issuer:
cn=exchange2010
dc=exchange2010
dc=com
Subject:
cn=exchange2010
dc=exchange2010
dc=com
CRL Distribution Points:
ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl
Validity Date:
start date: 01:45:14 UTC Oct 24 2012
end date: 01:54:43 UTC Oct 24 2019
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11
Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: exchange2010
c3845#
11-16-2012 01:16 PM
Hi
Here's an example of the config for a FlexVPN site-to-site using PKI that was enrolled to an MS CA (using EC, not RSA). If you need RSA, you would use the following instead of the EC that I used:
crypto ikev2 profile default
authentication local rsa-sig
authentication remote rsa-sig
<<>>
crypto pki trustpoint ecdh
enrollment terminal
revocation-check none
crypto pki certificate map certmap 10
subject-name co cisco.com
crypto ikev2 profile default
match certificate certmap
identity local dn
authentication remote ecdsa-sig
authentication local ecdsa-sig
pki trustpoint ecdh
aaa authorization group cert list default default
!
!
!
crypto ipsec transform-set ESP_GCM esp-gcm
mode transport
!
crypto ipsec profile default
set security-association lifetime seconds 200
set transform-set ESP_GCM
set pfs group5
set ikev2-profile default
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 10.10.10.2
tunnel protection ipsec profile default
Router1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.10.10.1/500 10.10.10.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:24, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/109 sec
IPv6 Crypto IKEv2 SA
Router1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 6156E3D5000000000009
Certificate Usage: Signature
Issuer:
cn=test2-WIN-H6ISUHVJM76-CA
dc=test2
dc=com
Subject:
Name: Router1.cisco.com
hostname=Router1.cisco.com
CRL Distribution Points:
ldap:///CN=test2-WIN-H6ISUHVJM76-CA,CN=WIN-H6ISUHVJM76,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test2,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 14:18:51 JST Jul 5 2012
end date: 14:18:51 JST Jul 5 2014
Associated Trustpoints: ecdh
Storage: nvram:test2-WIN-H6#9.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 780887F0CDD97E9E49DB893FA5D74238
Certificate Usage: Signature
Issuer:
cn=test2-WIN-H6ISUHVJM76-CA
dc=test2
dc=com
Subject:
cn=test2-WIN-H6ISUHVJM76-CA
dc=test2
dc=com
Validity Date:
start date: 12:19:50 JST Jul 5 2012
end date: 12:29:49 JST Jul 5 2017
Associated Trustpoints: ecdh
Storage: nvram:test2-WIN-H6#4238CA.cer
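Putting the two replies together for the original question (IKEv2 site-to-site on IOS 15.2 with certificates from Microsoft AD CS): below is an added, complete configuration for one router, written by the editor and not taken from either poster. It combines the SCEP trustpoint from the first reply with the FlexVPN IKEv2 profile from the second, but with RSA signatures instead of ECDSA. A few things differ deliberately from the posted output: the RSA key is generated explicitly at 2048 bits (the first reply's certificate shows a 512-bit key, which is far too small), revocation checking is turned on against the CA's HTTP CRL distribution point rather than `crl optional`, and NTP is configured because certificate validation fails on a router with a wrong clock. The trustpoint name MS-CA, the key label VPN-KEY, the certificate map fields, the AES-256/SHA-256/group 14 choices, the hostnames, the 203.0.113.x and 172.16.1.x addresses, and the NTP server are all assumptions for illustration; the SCEP URL is the one from the first reply. The peer is configured as a mirror image (its own key, trustpoint enrollment, addresses and subject name).

```text
! --- Editor's example, not from the thread. Router "r1"; the peer mirrors it. ---
hostname r1
ip domain-name example.com
!
! Assumed NTP source: certificates are checked against the router clock, so
! an unsynchronised clock makes a valid certificate look expired/not-yet-valid.
ntp server 192.0.2.10
!
! Explicit 2048-bit key; the first reply's output shows a 512-bit key in the
! issued certificate because no modulus was specified.
crypto key generate rsa label VPN-KEY modulus 2048
!
! SCEP trustpoint to the MS CA (NDES/mscep URL taken from the first reply).
crypto pki trustpoint MS-CA
 enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll
 enrollment retry count 5
 enrollment retry period 3
 subject-name CN=r1.example.com,OU=VPN,O=Example
 fqdn r1.example.com
 rsakeypair VPN-KEY
 ! Fetch and honour the CRL published by the CA instead of "crl optional".
 ! The router needs HTTP reachability to the CA's CertEnroll CDP for this.
 revocation-check crl
!
! Run these once, compare the CA fingerprint shown with the one the CA
! administrator gives you out of band, then answer "yes".
crypto pki authenticate MS-CA
crypto pki enroll MS-CA
!
! Only accept peer certificates from our CA and with the VPN OU (assumed
! issuer/subject strings; the matching is substring "co" as in the second reply).
crypto pki certificate map PEER-CERTS 10
 issuer-name co o=example
 subject-name co ou=vpn
!
crypto ikev2 proposal AES256-SHA256
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy S2S
 proposal AES256-SHA256
!
! RSA signature authentication both ways, tied to the MS-CA trustpoint.
crypto ikev2 profile S2S
 match certificate PEER-CERTS
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint MS-CA
!
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile S2S
 set transform-set ESP-AES256-SHA256
 set pfs group14
 set ikev2-profile S2S
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile S2S
!
! Route the remote site's prefix into the tunnel (assumed prefix).
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! Verification:
!   show crypto pki certificates verbose MS-CA   (key size, validity, CDP)
!   show crypto ikev2 sa detailed                (Auth sign/verify: RSA)
!   show crypto ipsec sa                         (encaps/decaps counters)
```

If the NDES service on the CA is set to require its one-time challenge password (the first reply disables it), obtain it from the CA's `/certsrv/mscep_admin/` page and enter it when `crypto pki enroll` prompts for a challenge. Note that the challenge asked for in the enrollment transcript above is the router-generated revocation password, not the NDES one. Checking the CA fingerprint at `crypto pki authenticate` against a value obtained out of band is the only step that protects the enrollment itself from an attacker sitting on the path to the plain-HTTP SCEP URL.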
11-16-2012 01:31 PM
Thank you! We'll try to construct our tunnel based on this. I'll post back with results.