IOS Site-to-Site VPN using PKI (CCIE Notes)


This post is along the same lines as the previous one; the difference lies in how the configuration is done on an ASA versus an IOS device.

Configuration in IOS:

crypto pki trustpoint CISCO_CA
 enrollment url http://10.3.3.3:80
 usage ike
 subject-name CN=R1, C=IN
 ip-address 10.1.1.1
 fqdn R1.networkology.net
crypto pki authenticate CISCO_CA
crypto pki enroll CISCO_CA
!
crypto isakmp policy 10
 authentication rsa-sig
!
!
!(OPTIONAL config below)
!
!
crypto isakmp peer address 10.2.2.1
 set aggressive-mode client-endpoint fqdn r2.networkology.net 
!
!OR
!
crypto isakmp peer address 10.2.2.1
 set aggressive-mode client-endpoint ipv4-address 10.2.2.1

Notes:

  • NOT USING the ‘crypto isakmp peer’ command: the ‘crypto isakmp peer’ statement is optional. If it isn’t used, the router uses the IP address as the client-endpoint, and if no IP address is found in the certificate, it uses the FQDN instead.
  • USING the ‘crypto isakmp peer’ command: you can specify the client-endpoint for a particular peer as either an FQDN or an IP address. Verify that whichever one you choose is embedded in the certificate. The FQDN is always present in the certificate, even if not explicitly added, because of the configured ‘hostname’ and ‘ip domain-name’. The IP address, however, has to be added manually (the ‘ip-address’ line under the trustpoint above) when creating the trustpoint and enrolling it with the CA.

General debug output:

Jun 27 22:17:06.643: ISAKMP:(1004): peer wants a CT_X509_SIGNATURE cert
Jun 27 22:17:06.643: ISAKMP:(1004): peer wants cert issued by cn=CISCO_CA
Jun 27 22:17:06.647: Choosing trustpoint CISCO_CA as issuer

Debug output when the client-endpoint is configured as an IP address but the certificate does not contain an IP address (this also applies when the ‘crypto isakmp peer’ command isn’t used):

Jun 27 22:49:04.916: ISAKMP:(1007):My ID configured as IPv4 Addr, but Addr not in Cert!
Jun 27 22:49:04.916: ISAKMP:(1007):Using FQDN as My ID
Jun 27 22:49:04.916: ISAKMP:(1007):SA is doing RSA signature authentication using id type ID_FQDN
Jun 27 22:49:04.916: ISAKMP (1007): ID payload 
 next-payload : 6
 type : 2 
 FQDN name : R1.networkology.net 
 protocol : 17 
 port : 500 
 length : 27
!
Jun 27 22:49:05.232: ISAKMP (1007): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 27 22:49:05.256: ISAKMP:(1007): processing ID payload. message ID = 0
Jun 27 22:49:05.260: ISAKMP (1007): ID payload 
 next-payload : 6
 type : 2 
 FQDN name : R2.networkology.net 
 protocol : 17 
 port : 500 
 length : 27

Debug output when the client-endpoint is configured as an IP address and the certificate does contain an IP address:

Jun 27 22:54:32.913: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Jun 27 22:54:32.913: ISAKMP (1008): ID payload 
 next-payload : 6
 type : 1 
 address : 10.1.1.1 
 protocol : 17 
 port : 500 
 length : 12
!
Jun 27 22:54:33.301: ISAKMP (1008): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 27 22:54:33.321: ISAKMP:(1008): processing ID payload. message ID = 0
Jun 27 22:54:33.325: ISAKMP (1008): ID payload 
 next-payload : 6
 type : 1 
 address : 10.2.2.1 
 protocol : 17 
 port : 500 
 length : 12

Example of a certificate with an IP address:

R1#show crypto pki certificates 
Certificate
 Status: Available
 Certificate Serial Number (hex): 10
 Certificate Usage: General Purpose
 Issuer: 
 cn=CISCO_CA
 Subject:
 Name: R1.networkology.net
 IP Address: 10.1.1.1
 ipaddress=10.1.1.1+hostname=R1.networkology.net
 cn=R1
 c=IN
 Validity Date: 
 start date: 23:11:33 UTC Jun 27 2013
 end date: 23:11:33 UTC Jun 27 2014
 Associated Trustpoints: CISCO_CA

Example of a certificate without an IP address:

R2#show crypto pki certificates 
Certificate
 Status: Available
 Certificate Serial Number (hex): 05
 Certificate Usage: General Purpose
 Issuer: 
 cn=CISCO_CA
 Subject:
 Name: R2.networkology.net
 hostname=R2.networkology.net
 c=IN
 Validity Date: 
 start date: 19:27:54 UTC Jun 27 2013
 end date: 19:27:54 UTC Jun 27 2014
 Associated Trustpoints: CISCO_CA 
 Storage: nvram:CISCO_CA#5.cer
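As an added check (example code written for these notes, not from the original post or from Cisco), the Python below models the ID-selection rule from the Notes and parses the ‘show crypto pki certificates’ subject and the ‘debug crypto isakmp’ ID payload shown above, so you can confirm that the ID a router actually sent is the one its certificate and ‘crypto isakmp peer’ setting predict. The sample strings are constructed from the outputs quoted on this page, and the function names are my own.

```python
import re
# Constructed samples modelled on the outputs quoted in the notes above.
CERT_WITH_IP = """ Subject:
 ipaddress=10.1.1.1+hostname=R1.networkology.net
 c=IN
"""
CERT_NO_IP = """ Subject:
 hostname=R1.networkology.net
 c=IN
"""
DEBUG_FALLBACK = """ISAKMP:(1007):My ID configured as IPv4 Addr, but Addr not in Cert!
ISAKMP:(1007):Using FQDN as My ID
ISAKMP (1007): ID payload
 next-payload : 6
 type : 2
 FQDN name : R1.networkology.net
"""
DEBUG_IP = """ISAKMP (1008): ID payload
 next-payload : 6
 type : 1
 address : 10.1.1.1
"""
ID_TYPES = {"1": "ID_IPV4_ADDR", "2": "ID_FQDN"}  # IKEv1 ID payload type codes

def cert_identities(show_output):
    """Return (fqdn, ip) from the certificate subject; ip is None when not embedded."""
    fqdn = re.search(r"hostname=([\w.-]+)", show_output)
    ip = re.search(r"ipaddress=(\d+(?:\.\d+){3})", show_output)
    return (fqdn.group(1) if fqdn else None, ip.group(1) if ip else None)

def expected_id(show_output, client_endpoint=None):
    """ID the notes predict. client_endpoint is 'fqdn', 'ipv4-address' or None (no
    'crypto isakmp peer' statement); the IP is used only if it is in the cert."""
    fqdn, ip = cert_identities(show_output)
    if client_endpoint != "fqdn" and ip:
        return ("ID_IPV4_ADDR", ip)
    return ("ID_FQDN", fqdn)

def negotiated_id(debug_output):
    """Parse the first (local) ID payload block from 'debug crypto isakmp' output."""
    m = re.search(r"ID payload\s*\n\s*next-payload : \d+\s*\n\s*type : (\d)\s*\n"
                  r"\s*(?:FQDN name|address) : (\S+)", debug_output)
    return (ID_TYPES.get(m.group(1), "UNKNOWN"), m.group(2)) if m else None

def verify(show_output, debug_output, client_endpoint=None):
    """(match, fell_back): did the sent ID match the prediction, and did IOS log the
    'Addr not in Cert' fallback (the trustpoint was enrolled without 'ip-address')?"""
    fell_back = "Addr not in Cert" in debug_output
    return expected_id(show_output, client_endpoint) == negotiated_id(debug_output), fell_back
```

Feed it the real ‘show crypto pki certificates’ and debug output from your own routers; a (False, True) result means the peer configured an IPv4 client-endpoint but enrolled a certificate without the address, which is exactly the first debug case above.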

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
