1499 Views, 0 Helpful, 3 Replies
pjetupjetu
Beginner

Site to Site FlexVPN w/Certificates IOS 15.2

Has anyone been able to bring up a simple site-to-site IKEv2 IPsec VPN using Microsoft AD CS on a Cisco ISR running IOS 15.2?

We have not seen any examples of this type of configuration and have been trying to construct our configuration from the documentation.

3 REPLIES
david.tran
Enthusiast

I've not used IKEv2 on Cisco IOS routers yet (done that on Checkpoint firewall); however, I've been using Cisco IOS 12.4(24)T4 with Microsoft AD Certificate Server 2003 server (do not use 2008) for site-2-site VPN.  It is very simple.  Here is the process:

- install Windows 2003 with IIS and Certificate Server,
- install scep.exe on Windows 2003.  This will allow the router to communicate with the IIS server using the SCEP protocol over port 80; do NOT use a SCEP challenge password,
- configure the MS CS to immediately issue the certificate.

Here are the steps to get the router to communicate with the Microsoft CS:

crypto ca trustpoint exchange2010
 enrollment retry count 5
 enrollment retry period 3
 enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll
 crl optional
!
crypto ca authenticate exchange2010
crypto ca enroll exchange2010

Now you can go ahead and configure site-2-site VPN. Instead of using "authentication pre-share" under crypto isakmp policy, you just leave it blank, because it will use PKI by default.

Easy right?

Here is what you will see on the router during the certificate authentication and enrollment:

c3845(config)#do term mon
c3845(config)#crypto ca trustpoint exchange2010
c3845(ca-trustpoint)# enrollment retry count 5
c3845(ca-trustpoint)# enrollment retry period 3
c3845(ca-trustpoint)# enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll
c3845(ca-trustpoint)# crl optional
c3845(ca-trustpoint)#crypto ca authenticate exchange2010
Certificate has the following attributes:
       Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11
      Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c3845(config)#crypto ca enroll exchange2010
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: c3845
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose exchange2010' command will show the fingerprint.
c3845(config)#
*Nov  1 02:16:15.726: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 11C23B80 FE62AFCC 794A516F 001DD3F8
*Nov  1 02:16:15.726: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 31BF71AE 85379C32 A9F5E001 05B7D8AF 6E30DBA2
c3845(config)#
*Nov  1 02:16:17.254: %PKI-6-CERTRET: Certificate received from Certificate Authority
c3845(config)#end
c3845#

c3845#show crypto pki certificate verbose exchange2010
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 15899F1F00000000000F
  Certificate Usage: General Purpose
  Issuer:
    cn=exchange2010
    dc=exchange2010
    dc=com
  Subject:
    Name: c3845
    hostname=c3845
  CRL Distribution Points:
    ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl
  Validity Date:
    start date: 01:20:51 UTC Nov 1 2012
    end   date: 01:20:51 UTC Nov 1 2014
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: CDF71E9F 5E5B0560 A48A9E32 62996644
  Fingerprint SHA1: 82F3E9F1 BBBB9115 32156714 4623FEB1 308AC8C5
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 72DC04D4 343115B0 2DAEFAEF 36F23D29 9D432382
    X509v3 Basic Constraints:
        CA: FALSE
    X509v3 Subject Alternative Name:
        c3845
    X509v3 Authority Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550
    Authority Info Access:
  Associated Trustpoints: exchange2010
  Key Label: c3845

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 50271D7CD98632B74ABC894310D34244
  Certificate Usage: Signature
  Issuer:
    cn=exchange2010
    dc=exchange2010
    dc=com
  Subject:
    cn=exchange2010
    dc=exchange2010
    dc=com
  CRL Distribution Points:
    ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl
  Validity Date:
    start date: 01:45:14 UTC Oct 24 2012
    end   date: 01:54:43 UTC Oct 24 2019
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11
  Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550
    X509v3 Basic Constraints:
        CA: TRUE
    Authority Info Access:
  Associated Trustpoints: exchange2010
c3845#
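One check worth doing at the "Do you accept this certificate?" prompt shown above, as an added example that is not part of david.tran's post: the router can only display the fingerprint of whatever answered on port 80 at the enrollment URL, so before answering yes, compare that fingerprint with one computed from a copy of the CA certificate obtained out of band (for example, exported on the CA server itself). The script below does the comparison using only the Python standard library; the script name ca_fingerprint.py and the b"abc" sample are assumptions for illustration, not a real certificate.

```python
"""Compute certificate fingerprints in the format IOS prints at the
'crypto ca authenticate' prompt, so the value the router shows can be
compared with a copy of the CA certificate obtained out of band.
Added example, not part of the forum post; standard library only.
The input file may be PEM or DER."""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_der(data: bytes) -> bytes:
    """Return the DER bytes, decoding a PEM block if that is what was given."""
    match = PEM_BLOCK.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def ios_fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Digest of the DER bytes as upper-case hex in the 4-byte groups IOS prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def same_fingerprint(der: bytes, shown_by_router: str, algorithm: str = "sha1") -> bool:
    """Compare ignoring spacing and case; both sides must use the same algorithm."""
    def strip(s: str) -> str:
        return re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    return strip(ios_fingerprint(der, algorithm)) == strip(shown_by_router)


def main(argv) -> int:
    # usage: python ca_fingerprint.py ca.cer "<SHA1 fingerprint as printed by the router>"
    if len(argv) != 3:
        print(__doc__)
        return 2
    with open(argv[1], "rb") as f:
        der = load_der(f.read())
    print("MD5 :", ios_fingerprint(der, "md5"))
    print("SHA1:", ios_fingerprint(der, "sha1"))
    ok = same_fingerprint(der, argv[2], "sha1")
    print("matches router prompt" if ok else "MISMATCH: do not accept the certificate")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Compare the SHA1 value rather than the MD5 one. The same verbose show output above also reveals that the enrolled router certificate carries a 512-bit RSA key, which is the modulus IOS of that era generates when no key pair is created before enrolling; generate a larger key first (crypto key generate rsa modulus 2048) and reference it from the trustpoint with rsakeypair.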

Graham Bartlett
Cisco Employee

Hi

Here's an example of the config for a flex site-to-site using PKI that was enrolled to an MS CA (using EC, not RSA). If you need RSA, you would use the following instead of the EC authentication that I used:

crypto ikev2 profile default
 authentication local rsa-sig
 authentication remote rsa-sig

<<>>

crypto pki trustpoint ecdh
 enrollment terminal
 revocation-check none
!
crypto pki certificate map certmap 10
 subject-name co cisco.com
!
crypto ikev2 profile default
 match certificate certmap
 identity local dn
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint ecdh
 aaa authorization group cert list default default
!
crypto ipsec transform-set ESP_GCM esp-gcm
 mode transport
!
crypto ipsec profile default
 set security-association lifetime seconds 200
 set transform-set ESP_GCM
 set pfs group5
 set ikev2-profile default
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 10.10.10.2
 tunnel protection ipsec profile default

Router1#sh crypto ikev2 sa
IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.10.10.1/500        10.10.10.2/500        none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:24, Auth sign: ECDSA, Auth verify: ECDSA
      Life/Active Time: 86400/109 sec

IPv6 Crypto IKEv2  SA

Router1#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 6156E3D5000000000009
  Certificate Usage: Signature
  Issuer:
    cn=test2-WIN-H6ISUHVJM76-CA
    dc=test2
    dc=com
  Subject:
    Name: Router1.cisco.com
    hostname=Router1.cisco.com
  CRL Distribution Points:
    ldap:///CN=test2-WIN-H6ISUHVJM76-CA,CN=WIN-H6ISUHVJM76,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test2,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Validity Date:
    start date: 14:18:51 JST Jul 5 2012
    end   date: 14:18:51 JST Jul 5 2014
  Associated Trustpoints: ecdh
  Storage: nvram:test2-WIN-H6#9.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 780887F0CDD97E9E49DB893FA5D74238
  Certificate Usage: Signature
  Issuer:
    cn=test2-WIN-H6ISUHVJM76-CA
    dc=test2
    dc=com
  Subject:
    cn=test2-WIN-H6ISUHVJM76-CA
    dc=test2
    dc=com
  Validity Date:
    start date: 12:19:50 JST Jul 5 2012
    end   date: 12:29:49 JST Jul 5 2017
  Associated Trustpoints: ecdh
  Storage: nvram:test2-WIN-H6#4238CA.cer
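The certificate map in the config above is what decides which peer certificates the IKEv2 profile will accept, and "co" is a substring match: any certificate the trustpoint's CA has issued whose subject contains "cisco.com" satisfies it, which matters when the same AD CS also issues certificates to domain machines and users. The script below is an added example, not part of Graham's post: it models the IOS certificate-map operators (eq, ne, co, nc, case-insensitive; lines within one sequence number ANDed, sequence numbers ORed) and runs the posted map and a narrower one over constructed certificates. The DN strings and the second router name are test data written in the form IOS prints DNs.

```python
"""Model of how an IOS 'crypto pki certificate map' selects the peer
certificates an IKEv2 profile accepts. Added example, not from the forum
post; the certificates below are constructed test data."""
from dataclasses import dataclass

# String operators a certificate map line can use (matching is case-insensitive).
OPERATORS = {
    "eq": lambda field, value: field == value,
    "ne": lambda field, value: field != value,
    "co": lambda field, value: value in field,       # substring match
    "nc": lambda field, value: value not in field,
}


@dataclass(frozen=True)
class Rule:
    field: str   # subject-name, issuer-name, alt-subject-name, ...
    op: str      # eq, ne, co, nc
    value: str


def rule_matches(rule: Rule, cert: dict) -> bool:
    field = cert.get(rule.field, "").lower()
    return OPERATORS[rule.op](field, rule.value.lower())


def cert_map_matches(cert_map: dict, cert: dict) -> bool:
    """cert_map maps each sequence number to its list of rules.
    All rules of one sequence must hold (AND); any sequence may hold (OR)."""
    return any(all(rule_matches(r, cert) for r in rules)
               for rules in cert_map.values())


# The map from the post: a single substring match on the subject DN.
LOOSE_MAP = {10: [Rule("subject-name", "co", "cisco.com")]}

# A narrower map: pin the issuing CA and require the exact peer subject.
TIGHT_MAP = {10: [Rule("issuer-name", "co", "cn=test2-WIN-H6ISUHVJM76-CA"),
                  Rule("subject-name", "eq", "hostname=Router2.cisco.com")]}

ISSUER = "cn=test2-WIN-H6ISUHVJM76-CA,dc=test2,dc=com"
# The intended peer (constructed: the post only shows Router1's own certificate).
PEER_CERT = {"subject-name": "hostname=Router2.cisco.com", "issuer-name": ISSUER}
# Another certificate from the same CA whose subject merely contains the string.
OTHER_CERT = {"subject-name": "cn=cisco.com.lab.test2.com", "issuer-name": ISSUER}


def evaluate(cert_map: dict) -> dict:
    """Which of the two constructed certificates the map accepts."""
    return {name: cert_map_matches(cert_map, cert)
            for name, cert in (("peer", PEER_CERT), ("other", OTHER_CERT))}


if __name__ == "__main__":
    print("subject-name co cisco.com :", evaluate(LOOSE_MAP))  # both accepted
    print("issuer pinned + subject eq:", evaluate(TIGHT_MAP))  # only the peer
```

When only a handful of peers are expected, match the exact subject (or the alt-subject-name) under the pinned issuer rather than a substring; the same CA serving autoenrollment is the usual reason a loose map accepts more than intended.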

Thank you!  We'll try to construct our tunnel based on this.  I'll post back with results.