Cisco Labs – Network Security (7) – Site to site VPN using CA on Router


Introduction

During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can try out basic settings for VPN, IPS and other features. These tasks were created for Virtlab (a virtual lab built on physical Cisco routers), but the configuration is valid and has been tested on physical Cisco routers as well.

Each task in the series has its own post with a brief description of the task and its schema. The complete task can be downloaded from My Onedrive.

NS2 – Module 5, 5.2.6 IOS task definition

Site to site VPN using CA on Router

Goal

  • The certification authority will run on Router3, which will also pass only the traffic that is needed.
  • A site-to-site VPN tunnel authenticated through the certification authority will be established between the routers.
  • Only traffic between LAN 1 and LAN 2 will be encrypted.
  • Use the OSPF routing protocol.
  • Clear and reinitialize the VPN tunnel.
  • Do not forget to erase the configuration before startup and check that the IOS image supports the needed features.

Required time

3 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Topology

NS2-5.2.6_IOS_topology1_VIRTLAB

Configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

Routers

First of all, the certification authority and the NTP server must be running. The CA router is also the time source: certificate validity checks depend on the clocks of all three routers being in sync.

1) NTP + Clock + hostnames + domain:

NTP server.

router#clock set 00:00:00 9 MAR 2008							;set clock and date (hh:mm:ss day month year)
router(config)#hostname CA-Router3							;set hostname
CA-Router3(config)#ntp master								;set this router as NTP server
CA-Router3(config)#ip domain-name test							;set domain name (needed for RSA key and certificate names)

NTP clients.

Router1(config)#ntp server 172.16.1.2							;set NTP server to CA-Router3 ip address
Router1(config)#ip domain-name test
Router2(config)#ntp server 172.16.1.2
Router2(config)#ip domain-name test

2) interface settings + OSPF:

Router1(config)#interface INT1
Router1(config-if)#ip address 192.168.0.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config)#interface INT2
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config)#router ospf 1
Router1(config-router)#network 192.168.0.0 0.0.0.255 area 0
Router1(config-router)#network 172.16.1.0 0.0.0.255 area 0				;INT2 is in 172.16.1.0/24, so advertise that network
Router2(config)#interface INT4
Router2(config-if)#ip address 10.0.0.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config)#interface INT3
Router2(config-if)#ip address 172.16.0.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config)#router ospf 1
Router2(config-router)#network 10.0.0.0 0.0.0.255 area 0
Router2(config-router)#network 172.16.0.0 0.0.0.255 area 0
CA-Router3(config)#interface INT5
CA-Router3(config-if)#ip address 172.16.1.2 255.255.255.0
CA-Router3(config-if)#no shutdown
CA-Router3(config)#interface INT6
CA-Router3(config-if)#ip address 172.16.0.2 255.255.255.0
CA-Router3(config-if)#no shutdown
CA-Router3(config)#router ospf 1
CA-Router3(config-router)#network 172.16.1.0 0.0.0.255 area 0
CA-Router3(config-router)#network 172.16.0.0 0.0.0.255 area 0

3) Access lists on Router3 to permit only the needed traffic (OSPF, ICMP to the transit networks, SCEP over HTTP and NTP to the CA, and ESP/ISAKMP between the two VPN peers; everything else hits the implicit deny):

CA-Router3(config)#access-list 101 permit ospf any any
CA-Router3(config)#access-list 101 permit icmp any 172.16.0.0 0.0.0.255			;IOS ACLs take wildcard masks (0.0.0.255), not subnet masks
CA-Router3(config)#access-list 101 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 101 permit tcp any host 172.16.1.2 eq www			;SCEP enrollment runs over HTTP
CA-Router3(config)#access-list 101 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1
CA-Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp

CA-Router3(config)#access-list 102 permit ospf any any
CA-Router3(config)#access-list 102 permit icmp any 172.16.0.0 0.0.0.255
CA-Router3(config)#access-list 102 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 102 permit tcp any host 172.16.1.2 eq www
CA-Router3(config)#access-list 102 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 102 permit esp host 172.16.0.1 host 172.16.1.1
CA-Router3(config)#access-list 102 permit udp host 172.16.0.1 host 172.16.1.1 eq isakmp

CA-Router3(config)#interface INT5
CA-Router3(config-if)#ip access-group 101 in
CA-Router3(config)#interface INT6
CA-Router3(config-if)#ip access-group 102 in
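To see what these inbound ACLs actually admit, the following added example (not part of the original lab) is a small Python evaluator that parses a constructed subset of ACL 101 with IOS wildcard-mask semantics and checks sample packets against it, including the implicit deny. It also shows why a subnet mask written in place of a wildcard mask (255.255.255.0 instead of 0.0.0.255) silently matches the wrong hosts. Interface names and addresses are the page's; the ACL text is embedded as constructed input.

```python
import ipaddress

# Constructed subset of the page's ACL 101 (inbound on CA-Router3 INT5).
ACL_101 = """
access-list 101 permit ospf any any
access-list 101 permit icmp any 172.16.0.0 0.0.0.255
access-list 101 permit tcp any host 172.16.1.2 eq www
access-list 101 permit udp any host 172.16.1.2 eq ntp
access-list 101 permit esp host 172.16.1.1 host 172.16.0.1
access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp
"""

PORT_NAMES = {"www": 80, "ntp": 123, "isakmp": 500}

def wildcard_match(addr, network, wildcard):
    """IOS semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'NET WILDCARD'; return ((net, wc), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines, in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, p, s, d, dp in acl:
        if p == proto and wildcard_match(src, *s) and wildcard_match(dst, *d):
            if dp is None or dp == dport:
                return action
    return "deny"

ACL = parse_acl(ACL_101)
```

Note that only UDP/500 is permitted between the peers, so if either router were behind NAT the UDP/4500 NAT-T traffic would be dropped by this ACL.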

4) CA server + CA requests:

CA-Router3(config)#crypto key generate rsa general-keys label KEYPLABEL exportable	;generate an exportable RSA key pair for the CA (1024-bit key recommended)
											;if this command is not accepted, the router does not support the CA server
CA-Router3(config)#crypto key export rsa KEYPLABEL pem url nvram: 3des KEYPHESLO	;export the CA private and public key to NVRAM, 3DES-encrypted with the given passphrase
											;you are asked for file names if you do not confirm the default ones
CA-Router3(config)#ip http server							;enable the HTTP server (certificates are requested through SCEP over HTTP)
CA-Router3(config)#crypto pki server CASERVER						;create the CA instance on the router
CA-Router3(cs-server)#issuer-name CN=Issuername, C=country				;set up the subject name of the CA certificate
CA-Router3(cs-server)#lifetime ca-certificate 20					;lifetime in days of the CA certificate
CA-Router3(cs-server)#lifetime certificate 20						;lifetime in days of client certificates
CA-Router3(cs-server)#cdp-url http://cdp-list-url-address				;URL of the CRL distribution point
CA-Router3(cs-server)#grant auto							;grant enrollment requests automatically (lab only; in production requests should be approved manually)
CA-Router3(cs-server)#no shutdown							;turn on the CA
											;after this line you must enter a password that protects the CA private key

Before continuing with the configuration, turn on debugging so that the certificate requests are visible; this is described in the Function test section.

Router1(config)#crypto key generate rsa							;generate the router's RSA key pair
Router1(config)#crypto ca trustpoint CASERVER						;link to the CA server for SCEP
											;older IOS versions use "crypto ca identity CASERVER" instead
Router1(ca-trustpoint)#enrollment url http://172.16.1.2					;URL through which certificates are enrolled
Router1(ca-trustpoint)#revocation-check none						;do not require the CRL to be reachable
											;use "crl optional" on some IOS versions
Router1(config)#crypto ca authenticate CASERVER						;fetch and authenticate the CA certificate - compare the displayed fingerprint with the one shown on CA-Router3 before accepting it
Router1(config)#crypto ca enroll CASERVER						;request the client certificate from the CA once the CA certificate is authenticated
*Router1(config)#crypto ca certificate query 						;optional: do not store certificates locally, query the CA for them instead
Router2(config)#crypto key generate rsa							
Router2(config)#crypto ca identity CASERVER 						;link to the CA server for SCEP
											;use "crypto ca trustpoint CASERVER" on newer IOS versions
Router2(ca-trustpoint)#enrollment url http://172.16.1.2					;URL through which certificates are enrolled
Router2(ca-trustpoint)#revocation-check none						;do not require the CRL to be reachable
											;use "crl optional" on some IOS versions
Router2(config)#crypto ca authenticate CASERVER						;fetch the CA certificate - compare the displayed fingerprint with the one shown on CA-Router3 before accepting it
Router2(config)#crypto ca enroll CASERVER						;request the client certificate from the CA
*Router2(config)#crypto ca certificate query 						;optional: do not store certificates locally, query the CA for them instead

5a) VPN tunnel settings phase 1 IKE/ISAKMP:

The policy parameters must be the same on both ends of the tunnel (the priority number may differ).

Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#hash md5 
Router1(config-isakmp)#group 1
Router1(config-isakmp)#authentication rsa-sig						;authenticate through RSA signatures (using the certificates) 
Router1(config-isakmp)#lifetime 200							;IKE SA lifetime in seconds
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#hash md5 
Router2(config-isakmp)#group 1
Router2(config-isakmp)#authentication rsa-sig 						;authenticate through RSA signatures (using the certificates)
Router2(config-isakmp)#lifetime 200							;IKE SA lifetime in seconds

5b) VPN tunnel settings phase 2 IPSEC:

Router1(config)#crypto ipsec transform-set TRSETRouter1 esp-des esp-md5-hmac 		;IPsec transform set (ESP encryption and integrity)

Router1(config)#access-list 111 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255	;crypto ACL: only LAN 1 to LAN 2 traffic is encrypted

Router1(config)#crypto map LOKALNIMAPARouter1 10 ipsec-isakmp 
Router1(config-crypto-map)#match address 111
Router1(config-crypto-map)#set transform-set TRSETRouter1
Router1(config-crypto-map)#set peer 172.16.0.1

Router1(config)#interface INT2
Router1(config-if)#crypto map LOKALNIMAPARouter1					;apply the crypto map to the outside interface

Apply the analogous settings on the other side of the tunnel (the crypto ACL must be the mirror image of the one on Router1).

Router2(config)#crypto ipsec transform-set TRSETRouter2 esp-des esp-md5-hmac 

Router2(config)#access-list 111 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 
Router2(config)#crypto map LOKALNIMAPARouter2 10 ipsec-isakmp 
Router2(config-crypto-map)#match address 111
Router2(config-crypto-map)#set transform-set TRSETRouter2
Router2(config-crypto-map)#set peer 172.16.1.1

Router2(config)#interface INT3
Router2(config-if)#crypto map LOKALNIMAPARouter2

Function test

F1) Turn on debug

On the CA, to see enrollment requests and key exchanges:

CA-Router3#debug crypto pki server
CA-Router3#debug crypto pki validation
CA-Router3#debug crypto pki messages 

Picture shows result of these commands.

NS2-5.2.6_IOS_DIA1-1

NS2-5.2.6_IOS_DIA1-2

On a router, to see the tunnel status and CA client status:

Router1#debug crypto pki transactions

Picture shows result of this command.

NS2-5.2.6_IOS_DIA1-3

Router1#debug crypto ipsec
Router1#debug crypto isakmp
Router1#debug crypto ?										;list other debug options

The picture shows the debug output of a deleted tunnel.

NS2-5.2.6_IOS_DIA1-4

F2) Initialize the tunnel

A ping from LAN 1 to LAN 2 should initialize the VPN tunnel, after which hosts on LAN 2 should be reachable.

Use ping 10.0.0.100 from PC1. Look at the DST and SRC addresses in the debug output; they depend on which router initiated the tunnel.

F3) Check statuses

CA

CA-Router3#sh crypto ca trustpoint status					     ;show trustpoint state and the CA certificate fingerprints
CA-Router3#sh crypto ca certificate NAME verbose				     ;show the CA certificate

The picture shows the enrollment communication.

NS2-5.2.6_IOS_DIA2-1

On a router, to see the tunnel status:

Router1#sh crypto ipsec sa								 ;show IPsec security associations
Router1#sh ntp status							 	 	 ;show NTP synchronization status
Router1#sh crypto pubkey-chain rsa							 ;show public keys on the router

The pictures show the tunnel parameters.

NS2-5.2.6_IOS_DIA2-2

NS2-5.2.6_IOS_DIA2-3

The picture shows the NTP statistics.

NS2-5.2.6_IOS_DIA2-4

The picture shows the keys on the router.

NS2-5.2.6_IOS_DIA2-5

Check the IKE/IPsec router configuration:

Router1#sh crypto isakmp policy								;display the phase 1 (IKE) policy
Router1#sh crypto ipsec sa								;display the phase 2 SAs with sent/received packet counters

F4) Delete the tunnel

Router1#clear crypto isakmp								;clear the IKE (phase 1) security associations
Router1#clear crypto sa									;clear the existing IPsec (phase 2) security associations

F5) Reinitialize the tunnel from the other side

Use ping 192.168.0.100 from PC2. Look at the DST and SRC addresses in the debug output; they depend on which router initiated the tunnel.

If the SPI is mismatched, refer to exercise 4.4.7, where the command crypto isakmp invalid-spi-recovery is discussed further.

Optional tasks

Delete certificates and request new ones

Delete the client certificates and RSA keys and request new ones:

Router1(config)#crypto key zeroize rsa							;delete the RSA key pair (the certificate bound to it becomes useless)
Router1(config)#crypto key generate rsa
Router1(config)#no crypto ca trustpoint CASERVER					;remove the trustpoint configuration together with its certificates

Then follow point 4 to request a certificate from the CA again.

Two or more tunnels to different locations and peers:

This is accomplished by adding:

  • A new ISAKMP policy section with the needed settings.
  • A new access list defining which traffic has to be encrypted.
  • A new crypto map section that references a new or existing transform set, the new access list and the new peer.