Site-to-Site VPN using PKI | Certificates for Authentication (CCIE Notes)


The basic configuration of a Site-to-Site VPN on the ASA stays the same apart from a few commands. The previous post, Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server, shows how to enroll the ASA with a CA and obtain the certificates that are then used to authenticate peers in an IPsec or SSL VPN.

Below are the additional, non-standard commands that you do not normally see in a Site-to-Site VPN configuration that uses a pre-shared key for authentication.

Configuration:

! Phase 1 policy: authenticate peers with RSA signatures instead of pre-share
crypto ikev1 policy 10
 authentication rsa-sig
!
! Static L2L peer; the trustpoint selects the identity certificate the ASA presents in Phase 1
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 trustpoint CISCO_CA
!
! Bind the same trustpoint to the crypto map entry for this peer
crypto map outside_map 10 set trustpoint CISCO_CA

Verification:

ASA-FW1# show crypto ikev1 sa detail 
IKEv1 SAs:
 Active SA: 1
 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.2.10
 Type : L2L Role : initiator 
 Rekey : no State : MM_ACTIVE 
 Encrypt : 3des Hash : MD5 
 Auth : rsa Lifetime: 86400
 Lifetime Remaining: 86128

Debugs:

Jun 26 19:56:01 [IKEv1]IP = 192.168.2.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.2.10 local Proxy Address 1.1.1.1, remote Proxy Address 5.5.5.5, Crypto map (outside_map)
!
Jun 26 19:56:02 [IKEv1 DECODE]Constructed Signature Len: 128
Jun 26 19:56:02 [IKEv1 DECODE]Constructed Signature:
0000: 205D3777 CEC0A301 C4FD880F 97821433 ]7w...........3
0010: F6C9A477 C05FC15F 87DC0642 2CD1E358 ...w._._...B,..X
0020: FB53CC3C AF931B91 0DA45AB0 EB3DE37A .S.<......Z..=.z
0030: 5FECA893 511F347B 07C96214 0B0B6D08 _...Q.4{..b...m.
0040: 367B09DD DF0901C3 6333C72A B97420F7 6{......c3.*.t .
0050: B2F3ED96 15C55FBA 599F0601 CEB022F1 ......_.Y.....".
0060: FD19D17B 746454F9 EC567FDC BA39A70E ...{tdT..V...9..
0070: 06B8DB3F 01D4CB76 7674D851 3419793E ...?...vvt.Q4.y>
!
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
!
Jun 26 19:56:02 [IKEv1 DECODE]Dump of received Signature, len 128:
0000: 29D5A373 16A65012 E8A87327 1445DDE4 )..s..P...s'.E..
0010: 88A6A43C B70880F2 DF164433 E485D367 ...<......D3...g
0020: DF28A9AB 8E89BDF2 1CDA5803 3C322BE1 .(........X.<2+.
0030: ABB02B07 7579C106 EDF7C9AE 0D02730D ..+.uy........s.
0040: 3C6AD637 31FA9A46 33B1FDA8 CD22A045 <j.71..F3....".E
0050: 2A65D863 8AFE4748 F3DC5D76 A7C9BE83 *e.c..GH..]v....
0060: 1026D4B9 36570FC2 BCB98F67 96B5CBD2 .&..6W.....g....
0070: B8DC76A8 91378741 F64B9DFA 0508884F ..v..7.A.K.....O
!
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Trying to find group via OU...
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, No Group found by matching OU(s) from ID payload: Unknown
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Trying to find group via IKE ID...
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, No Group found by matching OU(s) from ID payload: Unknown
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Trying to find group via IP ADDR...
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Connection landed on tunnel_group 192.168.2.10
!
Jun 26 19:56:03 [IKEv1]Group = 192.168.2.10, IP = 192.168.2.10, PHASE 1 COMPLETED
!
Jun 26 19:56:03 [IKEv1]IP = 192.168.2.10, Keep-alive type for this connection: DPD
Jun 26 19:56:03 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, Starting P1 rekey timer: 73440 seconds.
Jun 26 19:56:03 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, IKE got SPI from key engine: SPI = 0x2cf83ef7
!
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, constructing pfs ke payload
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, constructing proxy ID
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, Transmitting Proxy Id:
 Local host: 1.1.1.1 Protocol 0 Port 0
 Remote host: 5.5.5.5 Protocol 0 Port 0
!
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, NP encrypt rule look up for crypto map outside_map 10 matching ACL crypto_acl_1: returned cs_id=bc1b6bd0; rule=bc4226a8
!
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, Starting P2 rekey timer: 24479 seconds.
Jun 26 19:56:04 [IKEv1]Group = 192.168.2.10, IP = 192.168.2.10, PHASE 2 COMPLETED (msgid=23e666c4)

Notes:

  • Auth : rsa in the show crypto ikev1 sa detail output, together with the Constructed Signature and Dump of received Signature lines in the debug, confirms that both peers authenticated with RSA signatures (rsa-sig) rather than a pre-shared key.
  • The same output shows the Phase 1 policy negotiated 3DES with MD5; both are deprecated, so a production deployment should use AES with SHA-2 in the ikev1 policy.
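The following script is an added example, not part of the original post or of any Cisco tooling. It runs the checks a practitioner would make over the show and debug output above: it parses the Phase 1 parameters from show crypto ikev1 sa detail, confirms rsa-sig authentication, flags the deprecated 3DES/MD5 combination, and reads the signature lengths from the debug to infer the peer's RSA key size. The inference assumes that an RSA PKCS#1 signature is exactly as long as the key modulus (so 128 bytes implies a 1024-bit key); the weak-algorithm sets and the 2048-bit minimum are the author's chosen thresholds, and the sample inputs are the post's own output embedded as constructed strings so the script runs offline.

```python
import re

# Constructed sample input: the 'show crypto ikev1 sa detail' output from the post.
SHOW_SA = """\
IKEv1 SAs:
 Active SA: 1
 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.2.10
 Type : L2L Role : initiator
 Rekey : no State : MM_ACTIVE
 Encrypt : 3des Hash : MD5
 Auth : rsa Lifetime: 86400
 Lifetime Remaining: 86128
"""

# Constructed sample input: the relevant 'debug crypto ikev1' lines from the post.
DEBUG_LOG = """\
Jun 26 19:56:02 [IKEv1 DECODE]Constructed Signature Len: 128
Jun 26 19:56:02 [IKEv1 DECODE]Dump of received Signature, len 128:
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Connection landed on tunnel_group 192.168.2.10
Jun 26 19:56:03 [IKEv1]Group = 192.168.2.10, IP = 192.168.2.10, PHASE 1 COMPLETED
Jun 26 19:56:04 [IKEv1]Group = 192.168.2.10, IP = 192.168.2.10, PHASE 2 COMPLETED (msgid=23e666c4)
"""

# Thresholds chosen for this example (assumption, not an ASA setting).
WEAK_ENCRYPT = {"des", "3des"}
WEAK_HASH = {"md5"}
MIN_RSA_BITS = 2048


def field(text, name):
    """Return the value following 'name :' in show output, or None if absent."""
    m = re.search(rf"\b{name}\s*:\s*(\S+)", text)
    return m.group(1) if m else None


def parse_show_sa(text):
    """Pull the Phase 1 parameters out of 'show crypto ikev1 sa detail'."""
    return {
        "peer": field(text, "IKE Peer"),
        "role": field(text, "Role"),
        "state": field(text, "State"),
        "encrypt": (field(text, "Encrypt") or "").lower(),
        "hash": (field(text, "Hash") or "").lower(),
        "auth": (field(text, "Auth") or "").lower(),
    }


def parse_debug(text):
    """Extract signature lengths, tunnel-group match and phase completion from the debug."""
    sent = re.search(r"Constructed Signature Len: (\d+)", text)
    recv = re.search(r"received Signature, len (\d+)", text)
    tg = re.search(r"Connection landed on tunnel_group (\S+)", text)
    return {
        "sig_sent_len": int(sent.group(1)) if sent else None,
        "sig_recv_len": int(recv.group(1)) if recv else None,
        "tunnel_group": tg.group(1) if tg else None,
        "phase1": "PHASE 1 COMPLETED" in text,
        "phase2": "PHASE 2 COMPLETED" in text,
    }


def assess(show_text, debug_text):
    """Combine both sources and return the parsed data plus a list of findings."""
    sa = parse_show_sa(show_text)
    dbg = parse_debug(debug_text)
    findings = []
    if sa["state"] != "MM_ACTIVE":
        findings.append(f"Phase 1 not active: state {sa['state']}")
    if sa["auth"] != "rsa":
        findings.append(f"Expected rsa-sig authentication, saw {sa['auth']!r}")
    if sa["encrypt"] in WEAK_ENCRYPT:
        findings.append(f"Weak Phase 1 cipher: {sa['encrypt']}")
    if sa["hash"] in WEAK_HASH:
        findings.append(f"Weak Phase 1 hash: {sa['hash']}")
    # Assumption: an RSA PKCS#1 signature is as long as the key modulus, so the
    # byte length of the received signature reveals the peer's key size.
    rsa_bits = None
    if dbg["sig_recv_len"]:
        rsa_bits = dbg["sig_recv_len"] * 8
        if rsa_bits < MIN_RSA_BITS:
            findings.append(f"Peer RSA key is only {rsa_bits} bits")
    if not (dbg["phase1"] and dbg["phase2"]):
        findings.append("Tunnel did not complete both phases")
    return {"sa": sa, "debug": dbg, "rsa_bits": rsa_bits, "findings": findings}


if __name__ == "__main__":
    result = assess(SHOW_SA, DEBUG_LOG)
    print(f"Peer {result['sa']['peer']} auth={result['sa']['auth']} "
          f"tunnel-group={result['debug']['tunnel_group']} rsa_bits={result['rsa_bits']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the post's own output it reports rsa authentication and the tunnel-group match, and raises three findings: 3DES, MD5 and a 1024-bit peer key.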

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
