© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-1

FNS 1.0—6-2 Module 6: Router Site-to-Site VPN

FNS 1.0—6-3 Learning Objectives
Upon completion of this chapter, the student will be able to perform the following tasks:
Configure a Cisco router for IKE using pre-shared keys.
Configure a Cisco router for IPSec using pre-shared keys.
Verify the IKE and IPSec configuration.
Explain the issues regarding configuring IPSec manually and using RSA encrypted nonces.

FNS 1.0—6-4 Learning Objectives (cont.)
Upon completion of this chapter, the student will also be able to complete the following tasks:
Identify the CA vendor products that support Cisco VPN products.
Configure a Cisco router for CA support.
Configure a Cisco router for IKE using RSA signatures.
Configure a Cisco router for IPSec using RSA signatures.
Verify the IKE and IPSec configuration.

FNS 1.0—6-5 Overview
This module primarily covers the Virtual Private Network (VPN) protocols available in Cisco IOS routers. A VPN gives remote users the same network connectivity over a public infrastructure that they would have over a private network. Before a user is allowed onto the network, however, measures must be in place to provide peer authentication, data integrity, and confidentiality (encryption). In this module the student will learn about each of these measures and will be introduced to the two basic VPN types, remote access and LAN-to-LAN. The module focuses on LAN-to-LAN (site-to-site) VPNs.

FNS 1.0—6-6 Key Terms
VPN
GRE
L2TP
IPSec
Digital certificates
Hash
Encryption

FNS 1.0—6-7 Virtual Private Networks

FNS 1.0—6-8 VPN Definition
Virtual private network (VPN): an encrypted connection between private networks over a public network such as the Internet.

FNS 1.0—6-9 Cisco's VPN Portfolio Summary

FNS 1.0—6-10 Remote Access VPNs

FNS 1.0—6-11 Site-to-Site VPNs
Site-to-site VPN: an extension of the classic WAN.

FNS 1.0—6-12 Site-to-Site VPNs—Cisco Routers

FNS 1.0—6-13 VPN Technology Options

FNS 1.0—6-14 GRE

FNS 1.0—6-15 IOS Cryptosystem

FNS 1.0—6-16 Diffie-Hellman (DH) Key Exchange
[Figure: Terry and Alex exchange DH protocol messages across the Internet. Each combines the other's public key with its own private key (public key B + private key A, public key A + private key B) and arrives at the same shared secret key. That key then encrypts the data traffic "Pay to Terry Smith $ One Hundred and xx/100 Dollars" into the ciphertext "4ehIDx67NMop9eR U78IOPotVBn45TR" on one side and decrypts it on the other.]

FNS 1.0—6-17 Diffie-Hellman Key Exchange
Peer A:
1. Generate large prime p and send p to Peer B; receive q from Peer B; agree on generator g.
2. Generate private key X_A.
3. Generate public key Y_A = g ^ X_A mod p.
4. Send public key Y_A to Peer B.
5. Generate shared secret number ZZ = Y_B ^ X_A mod p.
6. Generate shared secret key from ZZ (56-bit for DES, 168-bit for 3DES).
Peer B:
1. Generate large prime q and send q to Peer A; receive p from Peer A; agree on generator g.
2. Generate private key X_B.
3. Generate public key Y_B = g ^ X_B mod p.
4. Send public key Y_B to Peer A.
5. Generate shared secret number ZZ = Y_A ^ X_B mod p.
6. Generate shared secret key from ZZ (56-bit for DES, 168-bit for 3DES).
Both peers obtain the same ZZ because Y_B ^ X_A = g ^ (X_A X_B) = Y_A ^ X_B (mod p); an eavesdropper sees only p, g, Y_A and Y_B, never X_A, X_B or ZZ. In IKE the prime and generator are not generated per exchange but fixed by the negotiated DH group (group 1 is the 768-bit group, group 2 the 1024-bit group).
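The six steps above, as an added example that is not part of the original Cisco module: a Python implementation using the RFC 2409 group 1 (768-bit MODP) modulus, which is what the module's "DH group 1" refers to. The modulus is transcribed from the RFC and checked for being a safe prime with the generator in the right subgroup before any exchange uses it, which is also the check to run on any DH parameters you are handed. The final key derivation is a deliberate simplification of step 6 (IKE's real SKEYID derivation also mixes in nonces and cookies); the peer and function names are this example's own.

```python
import hashlib
import secrets

# RFC 2409 group 1 (768-bit MODP) modulus and generator, transcribed from the RFC.
# check_group() below verifies the transcription (safe prime, g in the order-q subgroup)
# before any exchange uses it.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(p: int, g: int) -> bool:
    """A usable DH group: p is a safe prime (p = 2q + 1, q prime) and g generates the order-q subgroup."""
    q = (p - 1) // 2
    return is_probable_prime(p) and is_probable_prime(q) and 1 < g < p - 1 and pow(g, q, p) == 1


class Peer:
    """One side of the exchange (steps 2 to 5 on the slide)."""

    def __init__(self, p: int = GROUP1_P, g: int = GROUP1_G):
        if not check_group(p, g):
            raise ValueError("DH group parameters failed validation")
        self.p, self.g = p, g
        self.x = secrets.randbelow(p - 2) + 1     # step 2: private key X, never sent
        self.y = pow(g, self.x, p)                # step 3: public key Y = g^X mod p

    def shared_secret(self, peer_y: int) -> int:
        # Reject public values (0, 1, p-1) that would pin ZZ to a trivial value.
        if not 1 < peer_y < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_y, self.x, self.p)        # step 5: ZZ = Y_peer^X mod p


def derive_key(zz: int, key_bits: int) -> bytes:
    """Step 6, simplified: stretch ZZ through SHA-1 and truncate to the cipher's key width
    (56 bits for DES, 168 for 3DES). Real IKE derives SKEYID with a prf over ZZ plus the
    nonces and cookies; only the truncation idea is shown here."""
    zz_bytes = zz.to_bytes((zz.bit_length() + 7) // 8, "big")
    material = b""
    counter = 0
    while len(material) * 8 < key_bits:
        material += hashlib.sha1(zz_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return material[: (key_bits + 7) // 8]


def run_exchange(key_bits: int = 168) -> bool:
    """Step 4 (exchange of Y values) plus steps 5 and 6 on both sides; True if the keys agree."""
    a, b = Peer(), Peer()
    zz_a = a.shared_secret(b.y)
    zz_b = b.shared_secret(a.y)
    return zz_a == zz_b and derive_key(zz_a, key_bits) == derive_key(zz_b, key_bits)
```

The range check in shared_secret is the part most often skipped in toy implementations: a peer that sends Y = 1 or Y = p - 1 forces ZZ to 1 or ±1 regardless of your private key, so a real implementation rejects those values before exponentiating.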

FNS 1.0—6-18 RSA Encryption
[Figure: Local encrypts the message "Pay to Terry Smith $ One Hundred and xx/100 Dollars" with Remote's public key, producing the ciphertext "KJklzeAidJfdlwiej47 DlItfd578MNSbXoE"; Remote decrypts it with Remote's private key.]

FNS 1.0—6-19 Encryption Algorithms
Encryption algorithms: DES, 3DES, AES.
[Figure: the message is encrypted with the encryption key into "4ehIDx67NMop9eR U78IOPotVBn45TR" and decrypted with the decryption key; for these symmetric algorithms the two keys are the same.]

FNS 1.0—6-20 Data Integrity
[Figure: "Pay to Terry Smith $ One Hundred and xx/100 Dollars" (hash 4ehIDx67NMop9) is altered in transit to "Pay to Alex Jones $ One Thousand and xx/100 Dollars" (hash 12ehqPx67NMoX) by someone claiming "Yes, I am Alex Jones". Hash match = no changes; no match = alterations.]

FNS 1.0—6-21 Hashed Message Authentication Codes (HMAC)
[Figure: Local runs the variable-length input message through the hash function together with the shared secret key, producing 4ehIDx67NMop9, and sends message + hash. Remote recomputes the hash over the received message with the same shared secret key and compares it with the received hash.]

FNS 1.0—6-22 HMAC Algorithms
HMAC algorithms: HMAC-MD5, HMAC-SHA-1.
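An added example (not from the Cisco module) of the HMAC check described on slides 6-20 to 6-22, using Python's standard library: the sender tags the slide's message with HMAC-SHA-1 or HMAC-MD5 under a shared key, the receiver recomputes and compares, and the same harness shows why an unkeyed hash gives no integrity at all. The message is the one on the slides; the shared key is an assumption. The 96-bit truncation goes slightly beyond the slide: it is what AH and ESP actually carry (HMAC-MD5-96 and HMAC-SHA-1-96). The same keyed-hash construction is what the Hash_I comparison in pre-shared key authentication (slide 6-29) relies on.

```python
import hashlib
import hmac

# Constructed sample message: the same wire-transfer text used on the slides.
MESSAGE = b"Pay to Terry Smith $ One Hundred and xx/100 Dollars"
# Assumed shared secret; in IPSec the authentication key comes out of the IKE key derivation.
SHARED_KEY = b"example-shared-secret"

HASHES = {"hmac-md5": "md5", "hmac-sha1": "sha1"}   # the two HMAC algorithms on the slide


def hmac_tag(message: bytes, key: bytes, algorithm: str = "hmac-sha1") -> bytes:
    """Sender side: keyed hash over the message with the shared secret."""
    return hmac.new(key, message, HASHES[algorithm]).digest()


def ipsec_icv(message: bytes, key: bytes, algorithm: str = "hmac-sha1") -> bytes:
    """AH and ESP carry the HMAC truncated to its leftmost 96 bits (HMAC-MD5-96, HMAC-SHA-1-96)."""
    return hmac_tag(message, key, algorithm)[:12]


def hmac_verify(message: bytes, received: bytes, key: bytes, algorithm: str = "hmac-sha1") -> bool:
    """Receiver side: recompute and compare in constant time (no early exit on the first differing byte)."""
    expected = hmac_tag(message, key, algorithm)[: len(received)]
    return hmac.compare_digest(expected, received)


def tamper(message: bytes) -> bytes:
    """The alteration shown on the Data Integrity slide."""
    return message.replace(b"Terry Smith $ One Hundred", b"Alex Jones $ One Thousand")


def unkeyed_hash_verify(message: bytes, received_digest: bytes) -> bool:
    """A plain hash with no key: whoever alters the message can recompute the digest too."""
    return hashlib.sha1(message).digest() == received_digest


def demo() -> dict:
    tag = hmac_tag(MESSAGE, SHARED_KEY)
    icv = ipsec_icv(MESSAGE, SHARED_KEY, "hmac-md5")
    altered = tamper(MESSAGE)
    return {
        "intact_accepted": hmac_verify(MESSAGE, tag, SHARED_KEY),
        "altered_rejected": not hmac_verify(altered, tag, SHARED_KEY),
        "wrong_key_rejected": not hmac_verify(MESSAGE, tag, b"some-other-key"),
        "truncated_icv_accepted": hmac_verify(MESSAGE, icv, SHARED_KEY, "hmac-md5"),
        # Without a key, the attacker simply ships a fresh digest along with the altered text.
        "unkeyed_hash_fooled": unkeyed_hash_verify(altered, hashlib.sha1(altered).digest()),
    }
```

The receiver must never trust an algorithm identifier or tag length chosen by the sender of the packet: in IPSec both are fixed by the negotiated SA, which is why hmac_verify takes them from local configuration rather than from the message.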

FNS 1.0—6-23 Digital Signatures
[Figure: Local hashes the message, encrypts the hash (4ehIDx67NMop9) with its private key to form the signature, and sends message + signature across the Internet. Remote decrypts the signature with Local's public key, hashes the received message with the same hash algorithm, and checks that the two hashes match.]

FNS 1.0—6-24 IPSec

FNS 1.0—6-25 What Is IPSec?
IPSec acts at the network layer, protecting and authenticating IP packets.
–Framework of open standards, algorithm independent
–Provides data confidentiality, data integrity, and origin authentication
[Figure: IPSec between a corporate main site (perimeter router, PIX Firewall, VPN Concentrator) and, across the Internet, a SOHO with a Cisco ISDN/DSL router, a mobile worker with the Cisco VPN Client on a laptop (via a POP), a business partner with a Cisco router, and a regional office with a PIX Firewall.]

FNS 1.0—6-26 IPSec Security Services
Confidentiality
Data integrity
Origin authentication
Anti-replay protection

FNS 1.0—6-27 Confidentiality (Encryption)
[Figure: a server sends "This quarterly report does not look so good... Earnings off by 15%" across the Internet; encryption keeps an eavesdropper from reading it.]

FNS 1.0—6-28 Peer Authentication
Peer authentication methods:
Pre-shared keys
RSA signatures
RSA encrypted nonces
[Figure: remote office and corporate office (HR servers) authenticate each other across the Internet before the tunnel is built.]

FNS 1.0—6-29 Pre-Shared Keys
[Figure: the local peer hashes the authentication key together with its ID information and sends the authenticating hash (Hash_I) plus the ID information across the Internet. The remote router computes its own hash from the same pre-shared authentication key and the received ID information and compares it with the received Hash_I; a match authenticates the peer.]

FNS 1.0—6-30 RSA Signatures
[Figure: the local peer computes a hash over the authentication key and ID information, encrypts that hash (Hash_I) with its private key to form a digital signature, and sends the signature together with its ID information and digital certificate. The remote peer takes the public key from the certificate, decrypts the signature to recover Hash_I, recomputes the hash from the ID information, and compares the two.]

FNS 1.0—6-31 RSA Encrypted Nonces
[Figure: the same comparison of a computed hash against the received Hash_I as for pre-shared keys, except that the key material being hashed is derived from nonces that each peer has encrypted with the other peer's RSA public key; a peer can only produce the correct hash if it holds the private key needed to decrypt the nonce. Unlike RSA signatures, this method involves no CA: each peer's public key must be distributed to the other peer manually.]

FNS 1.0—6-32 IPSec Security Protocols

FNS 1.0—6-33 Modes of Use—Tunnel versus Transport Mode

FNS 1.0—6-34 Modes of Use—Tunnel versus Transport Mode
Transport mode (ESP): IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth
  Encrypted: Data and ESP Trailer. Authenticated: ESP HDR through ESP Trailer. The original IP header travels in the clear and is not covered by the ESP authentication.
Tunnel mode (ESP): New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth
  Encrypted: original IP HDR, Data and ESP Trailer. Authenticated: ESP HDR through ESP Trailer. Only the new (outer) IP header is visible in transit, so the inner addresses are hidden.

FNS 1.0—6-35 Tunnel Mode
[Figure: tunnel mode between a remote office and the corporate office (HR servers), and between a home office and the corporate office, across the Internet.]

FNS 1.0—6-36 IPSec Protocol—Framework
The IPSec framework offers the following choices:
IPSec protocol: ESP, AH, or ESP + AH
Encryption: DES, 3DES
Authentication: MD5, SHA
Diffie-Hellman: DH1, DH2

FNS 1.0—6-37 Five Steps of IPSec

FNS 1.0—6-38 Step 1—Interesting Traffic
[Figure: Host A behind Router A, Host B behind Router B. For each packet Router A decides one of three things: apply IPSec, bypass IPSec, or discard.]

FNS 1.0—6-39 Step 2—IKE Phase 1
IKE Phase 1 (main mode exchange) between Router A and Router B:
Negotiate the policy
Diffie-Hellman exchange
Verify the peer identity

FNS 1.0—6-40 IKE Transform Sets
[Figure: Router A offers its IKE policy sets (Transform 10: DES, MD5, pre-share, DH1, lifetime; Transform 15: DES, MD5, pre-share, DH1, lifetime) and Router B offers its own (Transform 20: 3DES, SHA, pre-share, DH1, lifetime). The peers negotiate IKE proposals and settle on matching IKE transform sets, which protect the IKE exchange itself.]

FNS 1.0—6-41 Diffie-Hellman Key Exchange
[Figure: the same DH exchange as on slide 6-16. Terry and Alex each combine the other's public key with their own private key to obtain the same shared secret, which encrypts and decrypts the data traffic.]

FNS 1.0—6-42 Authenticate Peer Identity
Peer authentication methods:
Pre-shared keys
RSA signatures
RSA encrypted nonces
[Figure: remote office and corporate office (HR servers) authenticate across the Internet.]

FNS 1.0—6-43 Step 3—IKE Phase 2
Router A and Router B negotiate the IPSec security parameters.

FNS 1.0—6-44 IPSec Transform Sets
A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
[Figure: Router A offers Transform set 30 (ESP, 3DES, SHA, tunnel, lifetime) and Transform set 40 (ESP, DES, MD5, tunnel, lifetime); Router B offers Transform set 55 (ESP, 3DES, SHA, tunnel, lifetime). The peers negotiate and agree on the matching set.]

FNS 1.0—6-45 Security Association

FNS 1.0—6-46 Security Association Lifetime
Data-based (kilobytes)
Time-based (seconds)

FNS 1.0—6-47 Step 4—IPSec Session
The IPSec SAs established in Phase 2 are installed on both peers, and the negotiated security services are applied to the traffic between Host A and Host B.

FNS 1.0—6-48 Step 5—Tunnel Termination
A tunnel is terminated
–when the SA lifetime in seconds times out, or
–when the SA's kilobyte (traffic volume) lifetime is exceeded.
Either event removes the IPSec SA; if interesting traffic continues, new SAs are negotiated.

FNS 1.0—6-49 Site-to-Site VPN Using Pre-Shared Keys

FNS 1.0—6-50 Tasks to Configure IPSec Encryption
Task 1—Prepare for IKE and IPSec.
Task 2—Configure IKE.
Task 3—Configure IPSec.
Task 4—Test and verify IPSec.

FNS 1.0—6-51 Task 1—Prepare for IKE and IPSec

FNS 1.0—6-52 Task 1—Prepare for IKE and IPSec
Step 1—Determine IKE (IKE phase one) policy.
Step 2—Determine IPSec (IKE phase two) policy.
Step 3—Check the current configuration.
  show running-config
  show crypto isakmp policy
  show crypto map
Step 4—Ensure the network works without encryption.
  ping
Step 5—Ensure access lists are compatible with IPSec.
  show access-lists

FNS 1.0—6-53 Step 1—Determine IKE (IKE Phase One) Policy
Determine the following policy details:
 Key distribution method
 Authentication method
 IPSec peer IP addresses and hostnames
 IKE phase 1 policies for all peers
 Encryption algorithm
 Hash algorithm
 IKE SA lifetime
Goal: minimize misconfiguration.

FNS 1.0—6-54 IKE Phase One Policy Parameters
Parameter               Strong           Stronger
Encryption algorithm    DES              3DES
Hash algorithm          MD5              SHA-1
Authentication method   Pre-share        RSA encryption, RSA signature
Key exchange            D-H group 1      D-H group 2
IKE SA lifetime         86400 seconds    <86400 seconds

FNS 1.0—6-55 IKE Policy Example
[Figure: Site 1 (RouterA) and Site 2 (RouterB) connected across the Internet.]
Parameter               Site 1            Site 2
Encryption algorithm    DES               DES
Hash algorithm          MD5               MD5
Authentication method   Pre-shared keys   Pre-shared keys
Key exchange            768-bit D-H       768-bit D-H
IKE SA lifetime         seconds           seconds
Peer IP address         (RouterB)         (RouterA)

FNS 1.0—6-56 Step 2—Determine IPSec (IKE Phase Two) Policy
Determine the following policy details:
 IPSec algorithms and parameters for optimal security and performance
 Transforms and, if necessary, transform sets
 IPSec peer details
 IP addresses and applications of hosts to be protected
 Manual or IKE-initiated SAs
Goal: minimize misconfiguration.

FNS 1.0—6-57 IPSec Transforms Supported in Cisco IOS Software
Cisco IOS software supports the following IPSec transforms:
RouterA(config)# crypto ipsec transform-set transform-set-name ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  esp-null      ESP transform w/o cipher

FNS 1.0—6-58 IPSec Policy Example
[Figure: Site 1 (RouterA) and Site 2 (RouterB) across the Internet.]
Policy                                  Site 1             Site 2
Transform set                           ESP-DES, tunnel    ESP-DES, tunnel
Peer hostname                           RouterB            RouterA
Peer IP address                         (RouterB)          (RouterA)
Hosts to be encrypted                   (Site 1 hosts)     (Site 2 hosts)
Traffic (packet) type to be encrypted   TCP                TCP
SA establishment                        ipsec-isakmp       ipsec-isakmp

FNS 1.0—6-59 Identify IPSec Peers
Possible IPSec peers of a Cisco router: another Cisco router, a Cisco PIX Firewall, a remote user with the Cisco VPN Client, and other vendors' IPSec peers. The figure also shows the CA server, which is not an IPSec peer but must be reachable for certificate enrollment when RSA signatures are used.

FNS 1.0—6-60 Step 3—Check Current Configuration
show running-config
View the router configuration for existing IPSec policies.
show crypto isakmp policy
View the default and any configured IKE phase one policies.
RouterA# show crypto isakmp policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:   #1 (768 bit)
        lifetime:               seconds, no volume limit

FNS 1.0—6-61 Step 3—Check Current Configuration (cont.)
show crypto map
View any configured crypto maps.
RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
        Peer =
        Extended IP access list 102
            access-list 102 permit ip host host
        Current peer:
        Security association lifetime: kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ mine, }

FNS 1.0—6-62 Step 3—Check Current Configuration (cont.)
show crypto ipsec transform-set
View any configured transform sets.
RouterA# show crypto ipsec transform-set mine
Transform set mine: { esp-des }
   will negotiate = { Tunnel, },

FNS 1.0—6-63 Step 4—Ensure the Network Works
RouterA# ping
Confirm plain IP reachability to every IPSec peer (Cisco RouterB, the Cisco PIX Firewall, remote users with the Cisco Unified VPN client, other vendors' IPSec peers, and the CA server) before enabling encryption, so that a later failure can be attributed to the VPN configuration rather than to routing.

FNS 1.0—6-64 Step 5—Ensure Access Lists Are Compatible with IPSec
RouterA# show access-lists
access-list 102 permit ahp host host
access-list 102 permit esp host host
access-list 102 permit udp host host eq isakmp
AH = IP protocol 51, ESP = IP protocol 50, IKE = UDP port 500 (isakmp). Ensure that protocol 50, protocol 51, and UDP port 500 traffic between the peers is not blocked by access lists on the interfaces used by IPSec; an interface ACL that permits only IKE will let phase one succeed and then silently drop every protected packet.

FNS 1.0—6-65 Task 2—Configure IKE

FNS 1.0—6-66 Task 2—Configure IKE
Step 1—Enable or disable IKE.
  crypto isakmp enable
Step 2—Create IKE policies.
  crypto isakmp policy
Step 3—Configure pre-shared keys.
  crypto isakmp key
Step 4—Verify the IKE configuration.
  show crypto isakmp policy

FNS 1.0—6-67 Step 1—Enable or Disable IKE
router(config)# [no] crypto isakmp enable
RouterA(config)# crypto isakmp enable
RouterA(config)# no crypto isakmp enable
Globally enables or disables IKE on the router. IKE is enabled by default, and it is enabled globally for all interfaces. Use the no form of the command to disable IKE. An ACL can be used to block IKE (UDP port 500) on a particular interface.

FNS 1.0—6-68 Step 2—Create IKE Policies
router(config)# crypto isakmp policy priority
RouterA(config)# crypto isakmp policy 110
Defines an IKE policy, which is a set of parameters used during IKE negotiation, and enters config-isakmp command mode. The priority (1 to 10000) orders the policies; the lowest number is the highest priority.

FNS 1.0—6-69 Create IKE Policies with the crypto isakmp Command
router(config)# crypto isakmp policy priority
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime
Defines the parameters within IKE policy 110: DES encryption, MD5 hash, pre-shared key authentication, DH group 1, and the IKE SA lifetime in seconds. Any parameter that is not set explicitly keeps its default (DES, SHA, RSA signatures, group 1, 86400 seconds).

FNS 1.0—6-70 IKE Policy Negotiation
RouterA(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp policy 200
 authentication rsa-sig
 hash sha
crypto isakmp policy 300
 authentication pre-share
 hash md5

RouterB(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp policy 200
 authentication rsa-sig
 hash sha
crypto isakmp policy 300
 authentication rsa-sig
 hash md5

The first two policies on each router can be negotiated successfully: policy 100 matches policy 100 and policy 200 matches policy 200, because the encryption, group and lifetime parameters that neither side sets take the same defaults on both. The third pair cannot: RouterA's policy 300 uses pre-shared key authentication while RouterB's policy 300 uses RSA signatures. The initiator sends all of its policies; the responder compares them against its own policies from highest priority (lowest number) down and uses the first match.
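The matching rule above, as an added example that is not part of the Cisco module: a Python model of how a responder selects an IKE policy, including the defaults IOS fills in for unset parameters, the built-in default protection suite that is always offered last, and the documented lifetime rule (the initiator's lifetime may not exceed the responder's; the shorter one is used). The three policies from each router on the slide are encoded as data; the function and priority names are this example's own, and 65535 is simply a number chosen to sit below every configurable priority.

```python
from typing import Dict, List, Optional

# Values IOS assumes for any parameter an IKE policy leaves unset (the "default protection suite").
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": 1, "lifetime": 86400}
MATCHED_PARAMETERS = ("encryption", "hash", "authentication", "group")
DEFAULT_PRIORITY = 65535   # assumed marker: the built-in default suite sits below every configured policy


def policy(priority: int, **params) -> Dict:
    """Build one 'crypto isakmp policy <priority>' block; unset parameters take IOS defaults."""
    unknown = set(params) - set(IOS_DEFAULTS)
    if unknown:
        raise ValueError(f"unknown IKE policy parameter(s): {sorted(unknown)}")
    p = dict(IOS_DEFAULTS)
    p.update(params)
    p["priority"] = priority
    return p


def negotiate(initiator: List[Dict], responder: List[Dict], include_default: bool = True) -> Optional[Dict]:
    """The initiator sends all its policies. The responder walks its own policies from
    highest priority (lowest number) down and compares each against every proposal.
    A match needs identical encryption, hash, authentication and DH group, and the
    initiator's lifetime must not exceed the responder's; the shorter lifetime is used."""
    default = [policy(DEFAULT_PRIORITY)] if include_default else []
    own_policies = sorted(responder + default, key=lambda p: p["priority"])
    proposals = sorted(initiator + default, key=lambda p: p["priority"])
    for own in own_policies:
        for proposal in proposals:
            same = all(own[k] == proposal[k] for k in MATCHED_PARAMETERS)
            if same and proposal["lifetime"] <= own["lifetime"]:
                agreed = {k: own[k] for k in MATCHED_PARAMETERS}
                agreed["lifetime"] = min(own["lifetime"], proposal["lifetime"])
                agreed["initiator_policy"] = proposal["priority"]
                agreed["responder_policy"] = own["priority"]
                return agreed
    return None


# The three policies configured on each router on the slide.
ROUTER_A = [policy(100, hash="md5", authentication="pre-share"),
            policy(200, authentication="rsa-sig", hash="sha"),
            policy(300, authentication="pre-share", hash="md5")]
ROUTER_B = [policy(100, hash="md5", authentication="pre-share"),
            policy(200, authentication="rsa-sig", hash="sha"),
            policy(300, authentication="rsa-sig", hash="md5")]


def pairwise_results() -> Dict[int, bool]:
    """The slide's claim: does RouterA's policy N match RouterB's policy N, configured policies only."""
    return {a["priority"]: negotiate([a], [b], include_default=False) is not None
            for a, b in zip(ROUTER_A, ROUTER_B)}
```

Two things the model makes visible that the slide does not. First, RouterA's policy 300 is identical to its policy 100, so offered against RouterB's full policy list it still matches RouterB's policy 100; a "failed" pair only matters if nothing else matches. Second, when no configured policy matches, both routers still agree on the default suite (RSA signatures, DES, SHA, group 1), so phase one does not fail at policy selection but later, at authentication, because neither router has certificates; that is the symptom to expect from a policy mismatch.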

FNS 1.0—6-71 Step 3—Configure ISAKMP Identity
router(config)# crypto isakmp identity {address | hostname}
Defines whether the ISAKMP identity sent to peers is the router's IP address or its hostname. Use the same setting consistently across ISAKMP peers; the pre-shared key configured in the next step is looked up by the identity the peer presents, so the key must be bound to the same kind of identity.

FNS 1.0—6-72 Step 3—Configure Pre-Shared Keys
router(config)# crypto isakmp key keystring address peer-address
router(config)# crypto isakmp key keystring hostname hostname
RouterA(config)# crypto isakmp key cisco1234 address
Assigns a keystring and the peer it is used with. The peer can be identified by IP address or by hostname. The same keystring must be configured on both peers; it is case-sensitive (cisco1234 and Cisco1234 are different keys), and it is stored in the running configuration, so protect configuration backups accordingly.

FNS 1.0—6-73 Step 4—Verify the IKE Configuration
RouterA# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
Displays the configured and default IKE policies.

FNS 1.0—6-74 Task 3—Configure IPSec

FNS 1.0—6-75 Task 3—Configure IPSec
Step 1—Configure transform set suites.
  crypto ipsec transform-set
Step 2—Configure global IPSec SA lifetimes.
  crypto ipsec security-association lifetime
Step 3—Create crypto access lists.
  access-list

FNS 1.0—6-76 Task 3—Configure IPSec (cont.)
Step 4—Create crypto maps.
  crypto map
Step 5—Apply crypto maps to interfaces.
  interface serial0
  crypto map

FNS 1.0—6-77 Step 1—Configure Transform Set Suites

FNS 1.0—6-78 Configure Transform Sets
router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
router(cfg-crypto-trans)#
RouterA(config)# crypto ipsec transform-set mine esp-des
A transform set is a combination of IPSec transforms that enact a security policy for traffic. A set can hold up to one AH transform and up to two ESP transforms (one ESP cipher and one ESP authentication transform). The command enters cfg-crypto-trans mode, where the mode (tunnel, the default, or transport) can be set. The example creates the set "mine" with esp-des in tunnel mode.

FNS 1.0—6-79 Transform Set Negotiation
Transform sets are negotiated during IKE phase two.
RouterA (Site 1):
transform-set 10: esp-3des, tunnel
transform-set 20: esp-des, esp-md5-hmac, tunnel
transform-set 30: esp-3des, esp-sha-hmac, tunnel
RouterB (Site 2):
transform-set 40: esp-des, tunnel
transform-set 50: esp-des, ah-sha-hmac, tunnel
transform-set 60: esp-3des, esp-sha-hmac, tunnel
Match: transform-set 30 on RouterA and transform-set 60 on RouterB contain the same transforms and the same mode; the other sets differ in cipher, authentication transform, or protocol and are skipped.
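The phase two matching above, as an added example that is not part of the Cisco module: a Python model that applies the composition rule from slide 6-78 (at most one AH transform, at most one ESP cipher and one ESP authentication transform), compares both routers' sets in sequence order, and reports which security services a set actually provides. The six sets are the ones on the slide; the function names are this example's own.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

AH_TRANSFORMS = frozenset({"ah-md5-hmac", "ah-sha-hmac"})
ESP_CIPHERS = frozenset({"esp-des", "esp-3des", "esp-null"})
ESP_AUTHS = frozenset({"esp-md5-hmac", "esp-sha-hmac"})

# sequence number -> (transforms, mode), the way 'crypto ipsec transform-set' plus 'mode' define a set
TransformSets = Dict[int, Tuple[List[str], str]]


def validate(transforms: List[str]) -> FrozenSet[str]:
    """IOS composition rule: at most one AH transform, and at most two ESP transforms of which
    at most one is a cipher and at most one an authentication transform."""
    ts = frozenset(transforms)
    unknown = ts - AH_TRANSFORMS - ESP_CIPHERS - ESP_AUTHS
    if unknown:
        raise ValueError(f"not an IOS IPSec transform: {sorted(unknown)}")
    if len(ts & AH_TRANSFORMS) > 1:
        raise ValueError("only one AH transform allowed")
    if len(ts & ESP_CIPHERS) > 1 or len(ts & ESP_AUTHS) > 1:
        raise ValueError("at most one ESP cipher and one ESP authentication transform")
    return ts


def negotiate_transform_set(initiator: TransformSets,
                            responder: TransformSets) -> Optional[Tuple[int, int, List[str], str]]:
    """IKE phase two: the first pair of sets with identical transforms and the same mode wins,
    evaluated in sequence-number order on both sides."""
    for iseq, (itrans, imode) in sorted(initiator.items()):
        iset = validate(itrans)
        for rseq, (rtrans, rmode) in sorted(responder.items()):
            if iset == validate(rtrans) and imode == rmode:
                return iseq, rseq, sorted(iset), imode
    return None


def services(transforms: List[str]) -> Dict[str, bool]:
    """What a set delivers: confidentiality needs an ESP cipher other than esp-null;
    integrity and origin authentication need an ESP or AH authentication transform."""
    ts = validate(transforms)
    return {"confidentiality": bool(ts & (ESP_CIPHERS - {"esp-null"})),
            "integrity": bool(ts & (ESP_AUTHS | AH_TRANSFORMS))}


# The sets from the slide (RouterA 10/20/30, RouterB 40/50/60), all in tunnel mode.
ROUTER_A: TransformSets = {10: (["esp-3des"], "tunnel"),
                           20: (["esp-des", "esp-md5-hmac"], "tunnel"),
                           30: (["esp-3des", "esp-sha-hmac"], "tunnel")}
ROUTER_B: TransformSets = {40: (["esp-des"], "tunnel"),
                           50: (["esp-des", "ah-sha-hmac"], "tunnel"),
                           60: (["esp-3des", "esp-sha-hmac"], "tunnel")}
```

The services() check is the practical point: transform-set 10 (esp-3des alone) and transform-set 40 (esp-des alone) encrypt but carry no authentication transform, so a receiver cannot detect modified ciphertext. Encryption-only ESP is malleable and is widely discouraged; configure an ESP or AH authentication transform alongside the cipher.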

FNS 1.0—6-80 Step 2—Configure Global IPSec Security Association Lifetimes

FNS 1.0—6-81 The crypto ipsec security-association lifetime Command
router(config)# crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
RouterA(config)# crypto ipsec security-association lifetime seconds 86400
Configures the global IPSec SA lifetime values used when negotiating IPSec security associations. IPSec SA lifetimes are negotiated during IKE phase two. Interface-specific IPSec SA lifetimes can optionally be configured in crypto maps; IPSec SA lifetimes in crypto maps override the global IPSec SA lifetimes.

FNS 1.0—6-82 Global Security Association Lifetime Examples
RouterA(config)# crypto ipsec security-association lifetime kilobytes
RouterA(config)# crypto ipsec security-association lifetime seconds 2700
Both limits apply at once: the SA expires when either the time limit or the traffic-volume limit is reached, whichever comes first. When a security association is about to expire, a new one is negotiated ahead of time, so the data flow is not interrupted.

FNS 1.0—6-83 Step 3—Create Crypto ACLs

FNS 1.0—6-84 Purpose of Crypto Access Lists
Outbound—Indicate the data flow to be protected by IPSec: a permit entry means encrypt; a deny entry or no match means send in clear text (bypass).
Inbound—Filter out and discard traffic that should have been protected by IPSec but arrived in clear text; traffic the ACL does not select is passed (bypassed) as ordinary clear-text traffic.
[Figure: on RouterA at Site 1, outbound traffic is either encrypted or bypassed in clear text; inbound clear-text traffic is either permitted (bypass) or discarded.]

FNS 1.0—6-85 Extended IP Access Lists for Crypto Access Lists
router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
RouterA(config)# access-list 110 permit tcp
Define which IP traffic will be protected by crypto. Permit = encrypt; deny = do not encrypt. Note that "deny" in a crypto ACL does not drop the traffic; it only excludes it from IPSec protection.

FNS 1.0—6-86 Configure Symmetrical Peer Crypto Access Lists
RouterA(config)# access-list 110 permit tcp
RouterB(config)# access-list 101 permit tcp
You must configure mirror-image ACLs: every source/destination pair permitted on RouterA must appear with source and destination swapped on RouterB, so that both routers protect the same flows in both directions. With asymmetric crypto ACLs one side proposes a flow the other side does not expect, and the phase two negotiation for that flow fails.
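The three ACL checks this module asks for (slide 6-64: the interface ACL must pass IKE, ESP and AH between the peers; slides 6-84 and 6-85: a crypto ACL selects traffic to encrypt outbound and to discard if it arrives unprotected inbound; slide 6-86: the two peers' crypto ACLs must be mirror images), as one added example that is not part of the Cisco module. It is a small Python parser for numbered extended ACL lines as the router prints them, with first-match evaluation and the implicit deny. All addresses and the sample ACLs are constructed for the example; ACL 103 is deliberately incomplete (IKE only) to show the check failing. Only the "eq" port operator is handled, and NAT traversal (UDP 4500), which the module predates, is not covered.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"isakmp": 500}
Prefix = Tuple[int, int]   # (address, wildcard mask) as 32-bit integers


@dataclass(frozen=True)
class Entry:
    action: str
    protocol: str
    src: Prefix
    dst: Prefix
    sport: Optional[int] = None
    dport: Optional[int] = None

    def mirrored(self) -> "Entry":
        """The entry the other peer needs: source and destination (and their ports) swapped."""
        return Entry(self.action, self.protocol, self.dst, self.src, self.dport, self.sport)


def _prefix(t: List[str], i: int) -> Tuple[Prefix, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at t[i]; return the prefix and the next index."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i + 1 < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i


def parse_acls(text: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' lines into per-ACL entry lists."""
    acls: Dict[int, List[Entry]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        src, i = _prefix(t, 4)
        sport, i = _port(t, i)
        dst, i = _prefix(t, i)
        dport, i = _port(t, i)
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, sport, dport))
    return acls


def _covers(prefix: Prefix, ip: str) -> bool:
    addr, wild = prefix
    return (addr ^ int(ipaddress.IPv4Address(ip))) & (0xFFFFFFFF ^ wild) == 0


def lookup(entries: List[Entry], protocol: str, src: str, dst: str,
           sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First-match evaluation with the implicit deny at the end; protocol 'ip' matches anything."""
    for e in entries:
        if e.protocol not in ("ip", protocol) or not (_covers(e.src, src) and _covers(e.dst, dst)):
            continue
        if (e.sport is not None and e.sport != sport) or (e.dport is not None and e.dport != dport):
            continue
        return e.action
    return "deny"


def ipsec_passes(interface_acl: List[Entry], remote_peer: str, local_peer: str) -> Dict[str, bool]:
    """Step 5 check: does an inbound interface ACL let IKE, ESP and AH from the peer through?"""
    return {"ike udp/500": lookup(interface_acl, "udp", remote_peer, local_peer, 500, 500) == "permit",
            "esp (50)": lookup(interface_acl, "esp", remote_peer, local_peer) == "permit",
            "ah (51)": lookup(interface_acl, "ahp", remote_peer, local_peer) == "permit"}


def is_mirror_image(a: List[Entry], b: List[Entry]) -> bool:
    """Crypto ACLs on the two peers must select the same flows with the ends swapped."""
    return len(a) == len(b) and all(x.mirrored() == y for x, y in zip(a, b))


def classify_outbound(crypto_acl: List[Entry], protocol: str, src: str, dst: str,
                      sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Permit = encrypt; deny or no match = send in clear text (bypass), never drop."""
    return "encrypt" if lookup(crypto_acl, protocol, src, dst, sport, dport) == "permit" else "bypass"


def classify_inbound_cleartext(crypto_acl: List[Entry], protocol: str, src: str, dst: str,
                               sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """A clear-text packet for a flow the crypto ACL says must be protected is discarded.
    The ACL is written from the outbound viewpoint, so it is evaluated with the ends swapped."""
    return "discard" if lookup(crypto_acl, protocol, dst, src, dport, sport) == "permit" else "bypass"


# Constructed sample configuration; every address here is an assumption, not from the slides.
ROUTER_A_PEER, ROUTER_B_PEER = "172.30.1.2", "172.30.2.2"
ROUTER_A_ACLS = """
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 103 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
"""
ROUTER_B_ACLS = """
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
"""
```

Run ipsec_passes against the ACL bound inbound on the Internet-facing interface of each router, and is_mirror_image against the two crypto ACLs referenced by the crypto maps; a mismatch in either is the usual reason a tunnel never comes up or comes up in one direction only.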

FNS 1.0—6-87 Step 4—Create Crypto Maps

FNS 1.0—6-88 Purpose of Crypto Maps
Crypto maps pull together the various parts configured for IPSec, including:
Which traffic should be protected by IPSec.
The granularity of the traffic to be protected by a set of SAs.
Where IPSec-protected traffic should be sent (the remote peer).
The local address to be used for the IPSec traffic.
What IPSec type (transform set) should be applied to this traffic.
Whether SAs are established manually or via IKE.
Other parameters needed to define an IPSec SA.

FNS 1.0—6-89 Crypto Map Parameters
Crypto maps define the following:
The access list to be used.
Remote VPN peers.
Transform set to be used.
Key management method.
Security-association lifetimes.
[Figure: the crypto map is bound to a router interface; encrypted traffic leaves that interface toward Site 2 across the Internet.]

FNS 1.0—6-90 Configure IPSec Crypto Maps
router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
RouterA(config)# crypto map mymap 110 ipsec-isakmp
Use a different sequence number for each peer. Multiple peers can be specified in a single crypto map entry for redundancy. Only one crypto map set can be applied to an interface; entries with the same map name and different sequence numbers make up that set and are evaluated in sequence-number order.

FNS 1.0—6-91 Example Crypto Map Commands
RouterA(config)# crypto map mymap 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer
RouterA(config-crypto-map)# set peer
RouterA(config-crypto-map)# set pfs group1
RouterA(config-crypto-map)# set transform-set mine
RouterA(config-crypto-map)# set security-association lifetime
Multiple peers (here RouterB and RouterC at Site 2) can be specified for redundancy; the router tries them in the order listed. The "set pfs group1" line requests perfect forward secrecy: a fresh Diffie-Hellman exchange during IKE phase two, so that the IPSec keys are not derived from the phase one secret alone and a compromised phase one key does not expose earlier IPSec sessions.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-92 Step 5—Apply Crypto Maps to Interfaces

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-93 RouterA(config)# interface ethernet0/1 RouterA(config-if)# crypto map mymap Apply the crypto map to outgoing interface Activates the IPSec policy Applying Crypto Maps to Interfaces E0/ Site 1Site 2 E0/ A B Internet RouterA RouterB mymap router(config-if)# crypto map map-name

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-94 IPSec Configuration Examples RouterA# show running config crypto ipsec transform-set mine esp-des ! crypto map mymap 10 ipsec-isakmp set peer set transform-set mine match address 110 ! interface Ethernet 0/1 ip address no ip directed-broadcast crypto map mymap ! access-list 110 permit tcp E0/ Site 1Site 2 E0/ A B Internet RouterA RouterB RouterB# show running config crypto ipsec transform-set mine esp-des ! crypto map mymap 10 ipsec-isakmp set peer set transform-set mine match address 101 ! interface Ethernet 0/1 ip address no ip directed-broadcast crypto map mymap ! access-list 101 permit tcp

Slide 6-95: Task 4—Test and Verify IPSec

Slide 6-96: Task 4—Test and Verify IPSec
- Display your configured IKE policies: show crypto isakmp policy
- Display your configured transform sets: show crypto ipsec transform-set
- Display the current state of your IPSec SAs: show crypto ipsec sa

Slide 6-97: Task 4—Test and Verify IPSec (cont.)
- Display your configured crypto maps: show crypto map
- Enable debug output for IPSec events: debug crypto ipsec
- Enable debug output for ISAKMP events: debug crypto isakmp

Slide 6-98: The show crypto isakmp policy Command
router# show crypto isakmp policy
RouterA# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Encryption
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2.)

Slide 6-99: The show crypto ipsec transform-set Command
router# show crypto ipsec transform-set
View the currently defined transform sets.
RouterA# show crypto ipsec transform-set
Transform set mine: { esp-des }
   will negotiate = { Tunnel, },
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2.)

Slide 6-100: The show crypto ipsec sa Command
router# show crypto ipsec sa
RouterA# show crypto ipsec sa
interface: Ethernet0/1
    Crypto map tag: mymap, local addr
   local ident (addr/mask/prot/port): ( / /0/0)
   remote ident (addr/mask/prot/port): ( / /0/0)
   current_peer:
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2.)
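The counters on slide 6-100 are the first thing to read when a tunnel misbehaves. The following is an added example, not from the Cisco course: it parses output in that layout and flags the conditions a defender would want to notice (encryption without an integrity transform, one-way traffic, error counters). The sample output is constructed, with made-up addresses, counters and SPI.

```python
"""Parse `show crypto ipsec sa` output and flag conditions worth a second look.

Added example, not from the Cisco course. SAMPLE_OUTPUT is constructed to follow
the slide's field layout; the addresses, counters and SPI are made up.
"""
import re

SAMPLE_OUTPUT = """\
interface: Ethernet0/1
    Crypto map tag: mymap, local addr 192.0.2.1
   local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer: 192.0.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 3, #recv errors 0
     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 192.0.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C
"""

MAP_RE = re.compile(r"Crypto map tag: (?P<map>[^,]+), local addr\s*(?P<addr>\S*)")
IDENT_RE = re.compile(r"(?P<side>local|remote) ident \(addr/mask/prot/port\): \((?P<val>[^)]*)\)")
PEER_RE = re.compile(r"current_peer:\s*(?P<peer>\S*)")
COUNTER_RE = re.compile(r"#(?P<name>pkts \w+|send errors|recv errors):?\s+(?P<value>\d+)")


def parse_sa(output: str) -> list[dict]:
    """One record per 'Crypto map tag' block: map name, local address, peer,
    both traffic identities, and every #counter converted to an int."""
    records, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if m := MAP_RE.match(line):
            current = {"map": m["map"], "local_addr": m["addr"], "counters": {}}
            records.append(current)
        elif current is None:
            continue
        elif m := IDENT_RE.match(line):
            current[f"{m['side']}_ident"] = m["val"]
        elif m := PEER_RE.match(line):
            current["peer"] = m["peer"]
        else:
            for m in COUNTER_RE.finditer(line):
                current["counters"][m["name"]] = int(m["value"])
    return records


def review_sa(record: dict) -> list[str]:
    """Findings a defender wants to see on a freshly built tunnel."""
    c = record["counters"]
    findings = []
    if c.get("pkts encrypt", 0) > 0 and c.get("pkts digest", 0) == 0:
        findings.append("packets are encrypted but never digested: the transform set "
                        "carries no integrity transform (esp-des alone, as on slide 6-94)")
    if c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) == 0:
        findings.append("one-way traffic: packets leave but none return; check the "
                        "peer's mirror-image crypto ACL and routing")
    for name in ("send errors", "recv errors"):
        if c.get(name, 0) > 0:
            findings.append(f"{name} = {c[name]}")
    return findings


if __name__ == "__main__":
    for rec in parse_sa(SAMPLE_OUTPUT):
        print(rec["map"], rec.get("peer"), rec["counters"])
        for finding in review_sa(rec):
            print("  -", finding)
```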

Slide 6-101: The show crypto map Command
router# show crypto map
View the currently configured crypto maps.
RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
        Peer =
        Extended IP access list 102
            access-list 102 permit ip host host
        Current peer:
        Security association lifetime: kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ mine, }
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2.)

Slide 6-102: debug crypto Commands
router# debug crypto ipsec
Displays debug messages about all IPSec actions.
router# debug crypto isakmp
Displays debug messages about all ISAKMP actions.

Slide 6-103: Crypto System Error Messages for ISAKMP
%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
The ISAKMP SA with the remote peer was not authenticated.
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
The ISAKMP peers failed protection suite negotiation for ISAKMP.

Slide 6-104: Overview of Configuring IPSec Manually

Slide 6-105: Setting Manual Keys with security-association Commands
router(config-crypto-map)# set security-association {inbound | outbound} ah spi hex-key-string
router(config-crypto-map)# set security-association {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
- Specifies an inbound or outbound SA.
- Sets the Security Parameter Index (SPI) for the SA.
- Sets manual AH and ESP keys:
  – ESP key length is 56 bits with DES, 168 bits with 3DES.
  – AH HMAC key length is 128 bits with MD5, 160 bits with SHA.
- SPIs should be reciprocal between IPsec peers: the local inbound SPI is the peer's outbound SPI, and vice versa.

Slide 6-106: Overview of Configuring IPSec for RSA Encrypted Nonces

Slide 6-107: Tasks to Configure IPSec for RSA Encryption
Task 1—Prepare for IPSec.
Task 2—Configure RSA keys.
Task 3—Configure IKE.
Task 4—Configure IPSec.
Task 5—Test and verify IPSec.

Slide 6-108: Task 2—Configure RSA Keys
Step 1—Plan for RSA keys.
Step 2—Configure the router's host name and domain name.
  hostname name
  ip domain-name name
Step 3—Generate RSA keys.
  crypto key generate rsa usage-keys

Slide 6-109: Task 2—Configure RSA Keys (cont.)
Step 4—Enter peer RSA public keys.
  crypto key pubkey-chain rsa
    addressed-key key-address
    named-key key-name
    key-string

Slide 6-110: Task 2—Configure RSA Keys (cont.)
Step 5—Verify key configuration.
  show crypto key mypubkey rsa
  show crypto key pubkey-chain rsa
Step 6—Manage RSA keys.
  crypto key zeroize rsa

Slide 6-111: Digital Certificates

Slide 6-112: Site-to-Site IPSec Using Digital Certificates

Slide 6-113: Configure CA Support Tasks
Task 1—Prepare for IKE and IPSec
Task 2—Configure CA support
Task 3—Configure IKE
Task 4—Configure IPSec
Task 5—Test and verify IPSec

Slide 6-114: Task 1—Prepare for IKE and IPSec

Slide 6-115: Task 1—Prepare for IPSec
Step 1—Plan for CA support.
Step 2—Determine IKE (IKE phase one) policy.
Step 3—Determine IPSec (IKE phase two) policy.

Slide 6-116: Task 1—Prepare for IPSec (cont.)
Step 4—Check the current configuration.
  show running-config
  show crypto isakmp policy
  show crypto map
Step 5—Ensure the network works without encryption.
  ping
Step 6—Ensure access lists are compatible with IPSec.
  show access-lists

Slide 6-117: Step 1—Plan for CA Support

Slide 6-118: Step 1—Plan for CA Support
Goal: Be ready for CA support configuration.
Planning includes the following steps:
- Determine the type of CA server used and the requirements of the CA server.
- Identify the CA server's IP address, host name, and URL.
- Identify the CA server's administrator contact information.

Slide 6-119: Determine CA Server Details
Parameter             | CA Server
Type of CA server     | Win
IP address            |
Host name             | vpnca
URL                   | vpnca.cisco.com
Administrator contact |
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with CA server vpnca reachable across the Internet.)

Slide 6-120: Step 2—Determine IKE (IKE Phase One) Policy
Goal: Minimize misconfiguration.
Determine the following policy details:
- Key distribution method
- Authentication method
- Identify IPSec peer IP addresses and host names
- Identify IKE phase one policies for all peers
- Encryption algorithm
- Hash algorithm
- IKE SA lifetime

Slide 6-121: IKE Phase 1 Policy Parameters
Parameter             | Strong        | Stronger
Encryption algorithm  | DES           | 3DES
Hash algorithm        | MD5           | SHA-1
Authentication method | Pre-share     | RSA Encryption, RSA Signature
Key exchange          | D-H Group 1   | D-H Group 2
IKE SA lifetime       | seconds       | <86400 seconds

Slide 6-122: IKE Policy Example
Parameter             | Site 1         | Site 2
Encryption algorithm  | DES            | DES
Hash algorithm        | MD5            | MD5
Authentication method | RSA Signatures | RSA Signatures
Key exchange          | 768-bit D-H    | 768-bit D-H
IKE SA lifetime       | seconds        | seconds
Peer IP address       |                |
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2.)
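Slides 6-121 and 6-122 list the parameters that must agree between peers; the following added example (not from the Cisco course) simulates how an IOS responder picks the agreed IKE phase 1 policy, following the documented rule that encryption, hash, authentication and D-H group must be identical and the initiator's lifetime may not exceed the responder's. The policies are constructed; the default protection suite values are the ones shown on slide 6-98.

```python
"""Simulate IKE phase 1 policy selection between two Cisco IOS peers.

Added example, not from the Cisco course. It follows the documented IOS rule:
the responder walks its own policies in priority order (lowest number first) and
accepts the first one for which the initiator offered a policy with the same
encryption, hash, authentication and D-H group and a lifetime no longer than the
responder's; the shorter lifetime is used. The default protection suite
(priority 65535, as shown by `show crypto isakmp policy` on slide 6-98) is
appended to both sides, as IOS does.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str        # "des" or "3des"
    hash_alg: str          # "md5" or "sha"
    authentication: str    # "pre-share", "rsa-encr" or "rsa-sig"
    group: int             # D-H group 1 (768-bit) or 2 (1024-bit)
    lifetime: int = 86400  # IKE SA lifetime in seconds

    def suite(self) -> tuple:
        """The attributes that must be identical on both peers."""
        return (self.encryption, self.hash_alg, self.authentication, self.group)


DEFAULT_SUITE = IkePolicy(65535, "des", "sha", "rsa-sig", 1, 86400)


def with_default(policies: list[IkePolicy]) -> list[IkePolicy]:
    """Policies in negotiation order, with the default suite last."""
    return sorted(policies, key=lambda p: p.priority) + [DEFAULT_SUITE]


def negotiate(initiator: list[IkePolicy], responder: list[IkePolicy]) -> Optional[IkePolicy]:
    """Return the responder policy that is agreed, carrying the negotiated lifetime."""
    offers = with_default(initiator)
    for own in with_default(responder):
        for offer in offers:
            if offer.suite() == own.suite() and offer.lifetime <= own.lifetime:
                return replace(own, lifetime=offer.lifetime)  # shorter lifetime wins
    return None


# Constructed policies in the shape of slide 6-148 (policy 110: rsa-sig, des, group 1, md5).
SITE1 = [IkePolicy(110, "des", "md5", "rsa-sig", 1, 86400)]
SITE2 = [IkePolicy(110, "des", "md5", "rsa-sig", 1, 86400)]
SITE2_TYPO = [IkePolicy(110, "des", "sha", "rsa-sig", 1, 86400)]  # hash mistyped on one side
SITE1_SHORT = [IkePolicy(110, "des", "md5", "rsa-sig", 1, 3600)]   # shorter lifetime on one side

if __name__ == "__main__":
    print("matching peers    :", negotiate(SITE1, SITE2))
    print("hash typo on B    :", negotiate(SITE1, SITE2_TYPO))   # still agrees, via A's default suite
    print("A lifetime 3600   :", negotiate(SITE1_SHORT, SITE2))  # policy 110 with lifetime 3600
    print("B lifetime longer :", negotiate(SITE2, SITE1_SHORT))  # falls back to the default suite
```

The mistyped-hash case is the one to note: the default suite on the initiator matches the responder's typo'd policy, so the negotiation succeeds with parameters nobody intended rather than failing loudly.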

Slide 6-123: CA Support Overview

Slide 6-124: Cisco IOS CA Support Standards
Cisco IOS supports the following CA components:
- Internet Key Exchange (IKE)
- Public-Key Cryptography Standard #7 (PKCS #7)
- Public-Key Cryptography Standard #10 (PKCS #10)
- RSA keys
- X.509v3 certificates
- CA interoperability

Slide 6-125: Simple Certificate Enrollment Protocol (SCEP)
- Cisco-sponsored IETF draft
- Lightweight protocol to support certificate life cycle operations on the PIX Firewall
- Uses PKCS #7 and #10
- Transaction-oriented request and response protocol
- Transport mechanism independent
- Requires manual authentication during enrollment

Slide 6-126: CA Servers Interoperable with Cisco Routers
See for the latest listing of supported CA servers.

Slide 6-127: Enroll a Device with a CA
(Diagram: enrollment exchange between the router and the CA/RA.)
Router side: configure CA support; generate keys; request the CA/RA certificate; download the CA/RA certificate; authenticate the CA/RA; send the certificate request; download the ID certificate; verify the ID certificate.
CA/RA side: generate the CA/RA certificate; generate the ID certificate.

Slide 6-128: Task 2—Configure CA Support

Slide 6-129: Cisco IOS CA Configuration Procedure
Step 1—Manage the NVRAM memory usage (optional).
Step 2—Set the router's time and date.
  clock timezone
  clock set
Step 3—Configure the router's host name and domain name.
  hostname name
  ip domain-name name
Step 4—Generate an RSA key pair.
  crypto key generate rsa usage-keys
Step 5—Declare a CA.
  crypto ca trustpoint name

Slide 6-130: Cisco IOS CA Configuration Procedure (cont.)
Step 6—Authenticate the CA.
  crypto ca authenticate name
Step 7—Request your own certificate.
  crypto ca enroll name
Step 8—Save the configuration.
  copy running-config startup-config
Step 9—Monitor and maintain CA interoperability (optional).
  crypto ca trustpoint name
Step 10—Verify the CA support configuration.
  show crypto ca certificates
  show crypto key {mypubkey | pubkey-chain} rsa

Slide 6-131: Step 1—Manage NVRAM Memory Usage (Optional)
Types of certificates stored on a router:
  – The router's own identity certificate
  – The CA's root certificate
  – RA certificate(s) (CA vendor specific)
The number of CRLs stored on a router:
  – One if the CA does not support an RA
  – Multiple CRLs if the CA supports an RA

Slide 6-132: Step 2—Set the Router's Time and Date
router(config)# clock timezone zone hours [minutes]
  Sets the router's timezone and offset from UTC
router# clock set hh:mm:ss day month year
router# clock set hh:mm:ss month day year
  Sets the router's time and date
RouterA(config)# clock timezone cst -5
RouterA# clock set 23:59:59 31 december 2001
An accurate clock matters here because certificate validity periods are checked against it.

Slide 6-133: Step 3—Add CA Server Entry to Router Host Table
router(config)# hostname name
  Specifies a unique name for the router
router(config)# ip domain-name name
  Specifies a unique domain name for the router
router(config)# hostname RouterA
RouterA(config)# ip domain-name xyz.com
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with the CA server reachable across the Internet.)

Slide 6-134: Step 3—Add CA Server Entry to Router Host Table (cont.)
router(config)# ip host name address1 [address2...address8]
  Defines a static host name-to-address mapping for the CA server
  This step is necessary if the domain name is not resolvable
RouterA(config)# ip host vpnca
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with CA server vpnca.)

Slide 6-135: Step 4—Generate an RSA Key Pair
router(config)# crypto key generate rsa usage-keys
Using the keyword usage-keys generates two sets of RSA keys:
  – One key set for RSA signatures.
  – One key set for RSA encrypted nonces.
RouterA(config)# crypto key generate rsa usage-keys
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with the CA server.)

Slide 6-136: Step 4—Generate RSA Keys (Example Output)
RouterA(config)# crypto key generate rsa
The name for the keys will be: router.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 512
Generating RSA keys...
[OK]
RouterA# show crypto key mypubkey rsa
% Key pair was generated at: 23:58:59 UTC Dec
Key name: RouterA.cisco.com
 Usage: General Purpose Key
 Key Data:
  305C300D 06092A F70D B A9443B 62FDACFB CCDB AE1CD8 95B EDD30D D6 4636E015 4D7C6F33 4DC1F6E0 C929A25E A F4 E98BF920 6A81CE57 28A21116 E

Slide 6-137: Step 5—Declare a Certification Authority
router(config)# crypto ca trustpoint name
  Specifies the desired CA server name
  Puts you in the ca-trustpoint configuration mode
RouterA(config)# crypto ca trustpoint vpnca
RouterA(ca-trustpoint)#
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with CA server vpnca.)

Slide 6-138: Step 5—Commands to Declare a Certification Authority
RouterA(config)# crypto ca trustpoint vpnca
RouterA(ca-trustpoint)# ?
ca trustpoint configuration commands:
  crl         CRL option
  default     Set a command to its defaults
  enrollment  Enrollment parameters
  exit        Exit from certificate authority identity entry mode
  no          Negate a command or set its defaults
  query       Query parameters
RouterA(ca-trustpoint)# enrollment ?
  http-proxy  HTTP proxy server for enrollment
  mode        Mode supported by the Certicicate Authority
  retry       Polling parameters
  url         CA server enrollment URL

Slide 6-139: Step 5—Declare a Certification Authority (Example)
RouterA(config)# crypto ca trustpoint vpnca
RouterA(ca-trustpoint)# enrollment url
RouterA(ca-trustpoint)# enrollment mode ra
RouterA(ca-trustpoint)# exit
  Specifies the URL for the CA server
  This is the minimum configuration to declare a CA
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with CA server vpnca.)

Slide 6-140: Step 6—Authenticate the Certification Authority
router(config)# crypto ca authenticate name
RouterA(config)# crypto ca authenticate vpnca
Manually authenticate the CA's public key by contacting the CA administrator to compare the CA certificate's fingerprint.
(Diagram: RouterA requests and downloads the CA/RA certificate from vpnca; the fingerprint the router displays (xxxx aaaa zzzz bbbb) is compared with the fingerprint held by the CA administrator.)

Slide 6-141: Step 7—Request Your Own Certificate
router(config)# crypto ca enroll name
RouterA(config)# crypto ca enroll vpnca
Request a signed ID certificate from the CA/RA.
(Diagram: RouterA sends an enrollment request plus password to CA vpnca and downloads its ID certificate.)

Slide 6-142: Step 8—Save the Configuration
RouterA# copy running-config startup-config
Saves the router's running configuration to NVRAM
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with CA server vpnca.)

Slide 6-143: Step 9—Monitor and Maintain CA Interoperability
The following steps are optional, depending on your particular requirements:
- Request a CRL.
- Delete your router's RSA keys.
- Delete certificates from the configuration.
- Delete the peer's public keys.

Slide 6-144: Step 10—Verify the CA Support Configuration
router# show crypto ca certificates
  View any configured CA/RA certificates
router# show crypto key {mypubkey | pubkey-chain} rsa
  View RSA keys for your router and other IPSec peers enrolled with a CA
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with CA server vpnca.)

Slide 6-145: CA Support Configuration Example
RouterA# show running-config
!
hostname RouterA
!
ip domain-name cisco.com
!
crypto ca trustpoint mycaserver
 enrollment mode ra
 enrollment url
 query url ldap://vpnca
 crl optional
crypto ca certificate chain entrust
 certificate 37C6EAD A C6EAD630 0D06092A F7 0D
 (certificates concatenated)
Note that crl optional lets the router accept a peer's certificate even when it cannot obtain a CRL, so revoked peer certificates are not rejected while the CRL is unreachable.

Slide 6-146: Task 3—Configure IKE

Slide 6-147: Task 3—Configure IKE
Step 1—Enable or disable IKE: crypto isakmp enable
Step 2—Create IKE policies: crypto isakmp policy
Step 3—Set IKE identity: crypto isakmp identity
Step 4—Test and verify IKE configuration: show crypto isakmp policy, show crypto isakmp sa

Slide 6-148: Step 2—Create IKE Policies
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication rsa-sig
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime
(Diagram: Site 1 / RouterA, Internet, RouterB / Site 2, with CA server vpnca.)

Slide 6-149: Task 4—Configure IPSec

Slide 6-150: Steps to Complete Task 4—Configure IPSec
Step 1—Configure transform set suites: crypto ipsec transform-set
Step 2—Configure global IPSec SA lifetime: crypto ipsec security-association lifetime
Step 3—Create crypto access lists: access-list

Slide 6-151: Task 4—Configure IPSec (cont.)
Step 4—Create crypto maps: crypto map
Step 5—Apply crypto maps to interfaces: interface ethernet0/1, then crypto map

Slide 6-152: Task 5—Test and Verify IPSec

Slide 6-153: Completing Task 5—Test and Verify IPSec
- Display your configured IKE policies: show crypto isakmp policy
- Display your configured transform sets: show crypto ipsec transform-set
- Display the current state of your IPSec SAs: show crypto ipsec sa

Slide 6-154: Completing Task 5—Test and Verify IPSec (cont.)
- Display your configured crypto maps: show crypto map
- Enable debug output for IPSec events: debug crypto ipsec
- Enable debug output for ISAKMP events: debug crypto isakmp

Slide 6-155: Completing Task 5—Test and Verify IPSec (cont.)
- Enable debug output for CA events: debug crypto key-exchange, debug crypto pki {messages | transactions}

Slide 6-156: Summary

Slide 6-157: Summary
- Define the detailed crypto IKE and IPSec security policy before beginning configuration.
- Ensure router access lists permit IPSec traffic.
- IKE policies define the set of parameters used during IKE negotiation.
- Transform sets determine the IPSec transform and mode.
- Crypto access lists determine the traffic to be encrypted.
- Crypto maps pull together all IPSec details and are applied to interfaces.
- Use show and debug commands to test and troubleshoot.
- IPSec can also be configured manually or using RSA encrypted nonces.

Slide 6-158: Summary
- Define the detailed crypto CA, IKE, and IPSec security policy before beginning configuration.
- Ensure you can contact your CA administrator before beginning configuration.
- Configure CA details before configuring IKE.
- Manually verify the CA certificate with the CA administrator.
- Each CA server supported by Cisco IOS software has a slightly different configuration process.
- Use the RSA signatures authentication method for IKE when using CA support.
- The IPSec configuration process is the same as that used for pre-shared key and RSA encrypted nonces authentication.
