05-08-2012 02:59 PM - edited 02-21-2020 06:03 PM
Hi,
I have to configure a site-to-site VPN tunnel with IPSec and a CA certificate, but when I try to paste the certificate the router gives me an error.
I have two certificates of the other side of the IPSec tunnel.
I couldn't find a howto to implement this configuration.
Does someone know of a tutorial for a configuration like this?
Thanks.
05-08-2012 04:11 PM
Hi Carlos ,
What is the error you are seeing when pasting the certificate? What are the steps you are using to enroll the router?
you can check this :
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html
Hope that this helps .
Mohammad.
05-10-2012 07:25 AM
Hi Mohammad
Thanks for your reply. The problem with the certificate was that I couldn't copy the whole certificate at the same time. I had to copy it line by line.
Now I have another issue. I create this:
Phase 1:
!
crypto isakmp policy 10
authentication rsa-sig
encr 3des
hash md5
group 2
!
But I don't know how to assign the CA certificate to this configuration.
I did a test in Packet Tracer with pre-shared keys and it works fine, but how can I use rsa-sig?
Eg: crypto isakmp key "passwd123" address "192.168.0.2"
Phase 2:
crypto ipsec transform-set SET esp-3des esp-md5-hmac
05-10-2012 10:08 AM
Here is how to do it:
1- have a windows 2003 Server with iis installed,
2- install Certificate Authority (CA) service on the Windows 2003,
3- install microsoft SCEP,
4- Configure the Certificate Authority to issue certificate immediately.
on the router, do this:
1- assign a hostname,
2- assign domain-name
3- generate a crypto rsa key
4- the following commands on both routers:
crypto pki trustpoint cciesec
enrollment url http://ip-address-of-the-windows-2003:80/certsrv/mscep/mscep.dll
no revocation-check
exit
crypto pki authenticate cciesec
crypto pki enroll cciesec
now your routers can do IPSec with each other via certificates.
Easy right?
05-10-2012 10:22 AM
Thanks David,
Could I not do that without Windows 2003 Server? I only know one side of the tunnel. The other side is configured with its digital certificates. I think they are the same as the ones I have.
Could I not use the router as the CA server?
I only have one Cisco 887 and 2 computers with XP. Is this not enough?
05-10-2012 10:35 AM
I have never had to use a router as a CA server, but it can be done because the concept is the same. However, if you're going to use the router as a CA server, it has to be a dedicated router. The CA server cannot be on the same router that terminates the VPN. I could be wrong on that part, but that's how I remember it.
07-27-2013 02:49 PM
Carlos, you can use a router as a CA server. I have a practice lab that I made that has something similar to what you are looking for. Instead of a site-to-site VPN my lab uses a GRE-over-IPSec tunnel.
Here is the network diagram and configs:
1. First configure all of the requirements (routing, interfaces, NTP, generating certificates, CA server, etc.)
- CA router -
hostname CA-RTR
!
ip domain name TEST
!
ntp master
!
ip ssh ver 2
!
crypto key generate rsa general-keys label CA-RTR modulus 2048 exportable
!
crypto key export rsa CA-RTR pem url nvram: 3des !Q@W#E$R5t
!
ip http server
!
crypto pki server CA-SVR
database url nvram:
issuer-name CN=CA-SVR.CA-RTR.TEST
lifetime ca-certificate 365
no shut
!
interface Loopback0
ip address 10.10.0.0 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.255.1 255.255.255.254
speed 100
full-duplex
no shut
!
interface FastEthernet0/1
ip address 192.168.255.2 255.255.255.254
speed 100
full-duplex
no shut
!
end
- RTR1 -
hostname RTR1
!
ip domain name TEST
!
interface Loopback0
ip address 10.10.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.255.0 255.255.255.254
speed 100
duplex full
no shut
!
interface FastEthernet0/1
ip address 192.168.255.4 255.255.255.254
speed 100
duplex full
no shut
!
interface Tunnel0
ip address 172.16.255.0 255.255.255.254
keepalive 10 3
tunnel source 192.168.255.4
tunnel destination 192.168.255.5
!
ip route 0.0.0.0 0.0.0.0 192.168.255.1
!
ntp server 10.10.0.0
!
ip ssh ver 2
!
crypto key generate rsa modulus 2048
!
crypto pki trustpoint CA-SVR
enrollment url http://10.10.0.0:80
revocation-check none
!
crypto pki auth CA-SVR
!
crypto pki enroll CA-SVR
!
end
- RTR2 -
hostname RTR2
!
ip domain name TEST
!
interface Loopback0
ip address 10.10.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.255.3 255.255.255.254
speed 100
duplex full
no shut
!
interface FastEthernet0/1
ip address 192.168.255.5 255.255.255.254
speed 100
duplex full
no shut
!
interface Tunnel0
ip address 172.16.255.1 255.255.255.254
keepalive 10 3
tunnel source 192.168.255.5
tunnel destination 192.168.255.4
!
ip route 0.0.0.0 0.0.0.0 192.168.255.2
!
ntp server 10.10.0.0
!
ip ssh ver 2
!
crypto key generate rsa modulus 2048
!
crypto pki trustpoint CA-SVR
enrollment url http://10.10.0.0:80
revocation-check none
!
crypto pki auth CA-SVR
!
crypto pki enroll CA-SVR
!
end
2. After the CA server is running, finish configuring the remaining routers.
a. In a real network, before accepting a certificate from the CA server, you should make sure that the certificate's MD5 fingerprint matches the one that is displayed on the CA-RTR after entering the following command:
show crypto pki server
b. On the CA-RTR, view and grant the pending certificates by entering the following commands:
crypto pki server CA-SVR info requests
crypto pki server CA-SVR info grant all
- RTR 1 -
ip access-list extended VPN-TRAFFIC
permit gre host 192.168.255.4 host 192.168.255.5
!
crypto ikev2 proposal PHASE-1
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy VPN-POLICY
proposal PHASE-1
!
crypto ikev2 profile RTR1-RTR2-PROFILE
match identity remote fqdn RTR2.TEST
identity local fqdn RTR1.TEST
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA-SVR
!
crypto ipsec transform-set PHASE-2 esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map VPN-MAPS 10 ipsec-isakmp
set peer 192.168.255.5
set transform-set PHASE-2
set ikev2-profile RTR1-RTR2-PROFILE
match address VPN-TRAFFIC
!
interface FastEthernet0/1
crypto map VPN-MAPS
!
end
- RTR2 -
ip access-list extended VPN-TRAFFIC
permit gre host 192.168.255.5 host 192.168.255.4
!
crypto ikev2 proposal PHASE-1
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy VPN-POLICY
proposal PHASE-1
!
crypto ikev2 profile RTR2-RTR1-PROFILE
match identity remote fqdn RTR1.TEST
identity local fqdn RTR2.TEST
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA-SVR
!
crypto ipsec transform-set PHASE-2 esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map VPN-MAPS 10 ipsec-isakmp
set peer 192.168.255.4
set transform-set PHASE-2
set ikev2-profile RTR2-RTR1-PROFILE
match address VPN-TRAFFIC
!
interface FastEthernet0/1
crypto map VPN-MAPS
!
end
- You can test the configuration by doing an extended ping from RTR1's loopback interface to RTR2's loopback interface:
ping 172.16.255.1 source 172.16.255.0
09-09-2013 08:39 AM
Hello jorgeramos78
Is it mandatory to copy the certificate from one router to the other one?
I tried your configuration on my 3800 routers, but the router doesn't let me configure it. What is ikev2?
thanks
Roee
09-10-2013 07:39 AM
Sorry, but I don't work on security full-time so I am not 100% sure if it is mandatory to copy the certificate from router to router. The example that I posted was just a proof of concept.
Regarding IKEv2: I am not sure if 3800 series routers support it. The new Integrated Services Routers do support it, but you need to be using the correct IOS version and possibly purchase the appropriate license.
02-05-2014 05:21 PM
Hi David, can you please provide me the steps to configure CA & SCEP on a Windows 2003 server? Also, how do I configure the Certificate Authority to issue certificates? Awaiting your reply.
07-26-2018 08:31 AM
I suspect the cert is not a printable string, probably a UTF-8 string. Make sure the cert you are putting on a Cisco device is a printable cert string.
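Two checks from this thread can be scripted before touching the router: the paste problem from the first replies (a certificate that is not plain printable ASCII fails when pasted into the IOS terminal), and the fingerprint comparison from step 2a of the lab post (computing the CA certificate's MD5/SHA1 fingerprint yourself and comparing it with what `show crypto pki server` prints on the CA-RTR before you accept it with `crypto pki authenticate`). The script below is an added example for this thread, not code from Cisco or from any poster. It assumes that IOS prints fingerprints as upper-case hex in space-separated groups of eight characters and formats its own output the same way; the PEM it works on is a constructed stand-in (the base64 body decodes to the bytes `abc`) rather than a real certificate, so the fingerprints are known in advance.

```python
"""Pre-flight checks for a certificate that is about to be pasted into, or
accepted by, a Cisco IOS router.

Added example for this thread (not Cisco's code, not a poster's code).
Assumption: IOS prints fingerprints as upper-case hex in groups of eight
characters separated by spaces, e.g. "Fingerprint MD5: 90015098 3CD24FB0 ...".
"""
import base64
import binascii
import hashlib
import re
import string

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")
# Characters that survive a terminal paste cleanly: printable ASCII without
# tab and vertical-tab/form-feed (tab triggers command completion on IOS).
PASTE_SAFE = set(string.printable) - set("\t\x0b\x0c")


def pem_to_der(text):
    """Strip the PEM armour and return the DER bytes of the certificate."""
    body = "".join(line.strip() for line in text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def check_pem_printable(text):
    """Return a list of problems that would make a paste into the IOS
    terminal fail or silently corrupt the certificate; [] means it is clean.
    """
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        bad = [ch for ch in line if ch not in PASTE_SAFE]
        if bad:
            problems.append(
                f"line {lineno}: non-printable character U+{ord(bad[0]):04X}")
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0] != PEM_BEGIN:
        problems.append("missing BEGIN CERTIFICATE line")
    if not lines or lines[-1] != PEM_END:
        problems.append("missing END CERTIFICATE line")
    for line in lines:
        if line in (PEM_BEGIN, PEM_END):
            continue
        if len(line) > 76:
            problems.append(f"body line longer than 76 characters ({len(line)})")
        if not set(line) <= B64_CHARS:
            problems.append(f"non-base64 body line: {line[:20]!r}")
    try:
        pem_to_der(text)
    except (ValueError, binascii.Error):
        problems.append("base64 body does not decode")
    return problems


def fingerprint(der, algo="md5"):
    """Fingerprint of the DER certificate in the assumed IOS display format."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprint_matches(der, shown, algo="md5"):
    """Compare a fingerprint copied from the CA-RTR console (any spacing,
    case or colon separators) with the one computed from the DER bytes."""
    def normalize(s):
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return normalize(fingerprint(der, algo)) == normalize(shown)


# Constructed sample: PEM armour around the bytes b"abc" (base64 "YWJj").
# Not a real certificate, but the checks and hashing are identical for one.
SAMPLE_PEM = "\n".join([PEM_BEGIN, "YWJj", PEM_END])
# The same text after an editor inserted a non-ASCII (UTF-8) no-break space,
# the kind of corruption the last reply in the thread suspects.
BROKEN_PEM = SAMPLE_PEM.replace("YWJj", "YW\u00a0Jj")

if __name__ == "__main__":
    for name, pem in (("good", SAMPLE_PEM), ("broken", BROKEN_PEM)):
        print(name, check_pem_printable(pem) or "ok")
    der = pem_to_der(SAMPLE_PEM)
    print("Fingerprint MD5: ", fingerprint(der))
    print("Fingerprint SHA1:", fingerprint(der, "sha1"))
    # Value as an operator might type it from the CA-RTR console
    print("matches console:", fingerprint_matches(der, "90015098 3cd24fb0 d6963f7d 28e17f72"))
```

Run it against the real CA certificate (the PEM you export from the CA router or receive during enrollment) by replacing `SAMPLE_PEM`; a non-empty problem list explains a paste failure, and `fingerprint_matches` returning False means the certificate offered over SCEP is not the one the CA-RTR shows and should not be authenticated.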