Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

TABLE 8.2   IPSec SA clear Commands (continued)

Command                                                   Purpose
clear crypto sa map map-name                              Resets the IPSec SAs for the specified crypto map
clear crypto sa entry destination-address protocol spi    Resets the IPSec SA for the specified destination address, protocol (ah or esp), and SPI
clear crypto sa counters                                  Resets the IPSec traffic counters for all IPSec SAs on the device

Okay, everyone, it’s reward time—you’ve made it, now celebrate! Seriously! That’s all there is to configuring IPSec utilizing pre-shared keys. You’re not completely done yet though, because next I’m going to show you how to configure IPSec without using IKE. If you’re on a roll, great— keep going! But at least get some more coffee or get up and stretch or something, because truthfully, you’re really only about halfway through this chapter!

Configuring IPSec Manually

If you configure IPSec manually, you don't use IKE at all. Instead you specify, on each device, the inbound and outbound SPIs and keys that make up each IPSec SA. As I warned you back in Chapter 7, "Understanding Cisco IOS IPSec Support," that isn't such a great idea, for two reasons. It's less secure than using IKE: the keys never change unless an administrator changes them, they have to travel between sites out of band, and IPSec's anti-replay service depends on automated keying, so a manually keyed SA does without it. And it's harder to scale, because every pair of peers needs its own hand-coordinated set of SPIs and keys.

It follows then that you don’t need to bother creating an IKE policy if you manually configure IPSec, right? Right, but you don’t get to skip any of the other steps that were laid out for configuring IPSec utilizing pre-shared keys, so don’t get too excited.

Anyway, other than having to give the inbound and outbound keys your personal attention, the main difference in configuring IPSec manually is how you create the crypto map. Let’s look at that now. While in global configuration mode, you’re going to create a manual crypto map sequence by entering the following command, where map-name is the name of the crypto map and seq-num is the sequence number of the crypto map sequence, a value between 1 and 65,535:

crypto map map-name seq-num ipsec-manual

All of the commands defined previously in Table 8.1 still apply to manual crypto map sequences, but you must also enter the set session-key commands listed in Table 8.3 in crypto map configuration mode. Which of the four are required depends on the transform set: if it includes an AH transform, enter the inbound and outbound AH keys; if it includes an ESP transform, enter the inbound and outbound ESP keys (adding an authenticator key when the transform set includes ESP authentication); if it includes both AH and ESP, enter all four.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

262 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

TABLE 8.3   Additional Commands for Manual Crypto Map Sequences

Command                                                                                  Purpose
set session-key inbound ah spi hex-key-string                                            Specifies the inbound SPI and key to use for Authentication Header (AH); required when the transform set includes AH
set session-key outbound ah spi hex-key-string                                           Specifies the outbound SPI and key to use for AH; required when the transform set includes AH
set session-key inbound esp spi cipher hex-key-string [authenticator hex-key-string]     Specifies the inbound SPI, cipher key and (when the transform set includes ESP authentication) authentication key to use for ESP
set session-key outbound esp spi cipher hex-key-string [authenticator hex-key-string]    Specifies the outbound SPI, cipher key and (when the transform set includes ESP authentication) authentication key to use for ESP

Keys are entered as hexadecimal strings, and each must be as long as its transform consumes: 8 bytes for DES, 24 bytes for 3DES, 16 bytes for MD5, 20 bytes for SHA. The SPI is a number you assign between 256 and 4,294,967,295. The outbound SPI and key of one device must be the same as the inbound SPI and key of the remote peer, and the two directions should use different keys.
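To see the mirroring rule and the key-length requirements applied end to end, here is an added example in Python (not code from the book or from Cisco) that generates both peers' ipsec-manual crypto map entries and cross-checks an existing pair of entries for keys that don't mirror. It assumes the Table 8.1 commands set peer, set transform-set and match address, the key lengths IOS documents for the DES, 3DES, MD5 and SHA transforms, and made-up peer addresses, map and transform-set names and ACL number.

```python
"""Build and cross-check a matched pair of ipsec-manual crypto map entries.

Added example, not code from the book or from Cisco. It applies the rules the
table states: each peer's outbound SPI/key must equal the other peer's inbound
SPI/key, and every key must be the length its transform consumes. Peer
addresses, map/transform-set names and the ACL number are made-up values.
"""
import re
import secrets

# Key bytes each transform consumes (assumption: the lengths the IOS
# set session-key documentation gives for these transforms).
CIPHER_KEY_BYTES = {"esp-des": 8, "esp-3des": 24}
AUTH_KEY_BYTES = {"esp-md5-hmac": 16, "esp-sha-hmac": 20,
                  "ah-md5-hmac": 16, "ah-sha-hmac": 20}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF          # range IOS accepts for a manual SPI

SESSION_KEY_RE = re.compile(
    r"set session-key (inbound|outbound) (ah|esp) (\d+) (?:cipher )?([0-9A-Fa-f]+)"
    r"(?: authenticator ([0-9A-Fa-f]+))?")


def make_direction(transforms, token=secrets.token_bytes):
    """Keying for ONE direction of traffic: an SPI plus a key per transform.

    token(n) must return n random bytes; it is a parameter only so that a
    deterministic source can be substituted when testing.
    """
    sa = {"spi": SPI_MIN + int.from_bytes(token(4), "big") % (SPI_MAX - SPI_MIN + 1)}
    for t in transforms:
        if t in CIPHER_KEY_BYTES:
            sa["esp_cipher"] = token(CIPHER_KEY_BYTES[t]).hex()
        elif t in AUTH_KEY_BYTES and t.startswith("esp-"):
            sa["esp_auth"] = token(AUTH_KEY_BYTES[t]).hex()
        elif t in AUTH_KEY_BYTES:
            sa["ah"] = token(AUTH_KEY_BYTES[t]).hex()
        else:
            raise ValueError(f"unsupported transform {t!r}")
    if "esp_auth" in sa and "esp_cipher" not in sa:
        raise ValueError("set session-key ... esp needs a cipher key before an authenticator")
    return sa


def render_peer(remote, inbound, outbound, map_name="MANUALMAP", seq=10,
                acl=101, tset="MANUALSET"):
    """One peer's crypto map entry; set peer, set transform-set and match
    address are the Table 8.1 commands that still apply to manual entries."""
    lines = [f"crypto map {map_name} {seq} ipsec-manual",
             f" set peer {remote}",
             f" set transform-set {tset}",
             f" match address {acl}"]
    for direction, sa in (("inbound", inbound), ("outbound", outbound)):
        if "ah" in sa:
            lines.append(f" set session-key {direction} ah {sa['spi']} {sa['ah']}")
        if "esp_cipher" in sa:
            line = f" set session-key {direction} esp {sa['spi']} cipher {sa['esp_cipher']}"
            if "esp_auth" in sa:
                line += f" authenticator {sa['esp_auth']}"
            lines.append(line)
    return "\n".join(lines)


def render_pair(peer_a, peer_b, transforms, token=secrets.token_bytes, **kw):
    """Configs for both peers: the A->B keys are outbound on A and inbound on B."""
    a_to_b = make_direction(transforms, token)
    b_to_a = make_direction(transforms, token)
    return (render_peer(peer_b, inbound=b_to_a, outbound=a_to_b, **kw),
            render_peer(peer_a, inbound=a_to_b, outbound=b_to_a, **kw))


def session_keys(config):
    """(direction, protocol) -> (spi, key, authenticator) parsed from a config block."""
    return {(m[1], m[2]): (int(m[3]), m[4].lower(), (m[5] or "").lower())
            for m in SESSION_KEY_RE.finditer(config)}


def mismatches(config_a, config_b):
    """Directions whose SPI/keys do not mirror between the two peers' configs."""
    a, b = session_keys(config_a), session_keys(config_b)
    bad = []
    for proto in ("ah", "esp"):
        if a.get(("outbound", proto)) != b.get(("inbound", proto)):
            bad.append(f"A->B {proto}")
        if b.get(("outbound", proto)) != a.get(("inbound", proto)):
            bad.append(f"B->A {proto}")
    return bad


if __name__ == "__main__":
    cfg_a, cfg_b = render_pair("192.0.2.1", "198.51.100.1", ["esp-3des", "esp-sha-hmac"])
    print(cfg_a, "\n!\n", cfg_b, sep="")
    print("mismatches:", mismatches(cfg_a, cfg_b))
```

Run it to print the two fragments and paste each into its own router. mismatches() is the check worth running against two existing configurations after a manual rekey: because there is no IKE negotiation to fail, a mis-pasted key shows up only as packets that fail authentication or decrypt to garbage on the far side.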

Configuring IPSec for RSA-Encrypted Nonces

RSA-encrypted nonces require you to perform two tasks: manually generate the public/private keys and then manually enter the public key of a device on the remote peer. Configuring IPSec for RSA-encrypted nonces is a five-step process:

1. Prepare for IPSec using RSA-encrypted nonces. This includes planning how to distribute the public keys.

2. Generate the RSA public/private keys manually.

3. Configure IKE using RSA-encrypted nonces.

4. Configure IPSec.

5. Test and verify IPSec.

You’ll work through each of these steps in this section, beginning with the first step.

Preparing for IPSec Using RSA-Encrypted Nonces

Sorry, you still need to answer all those questions outlined in the "Preparing for IKE and IPSec" section at the very beginning of this chapter, plus one more: What's your plan for distributing the public keys to potential peers? This has to be accomplished out of band, and over a channel whose integrity you trust, because a peer's public key is the only thing that authenticates it; anyone who can substitute their own key for it can impersonate that peer.


Generating the RSA Public/Private Keys Manually for RSA-Encrypted Nonces

This step is actually the biggest change from configuring IPSec utilizing pre-shared keys. It’s also the most involved step. When generating the RSA public/private keys manually, you’ve got five steps to follow:

1. Plan for configuring RSA.

2. Configure the device's hostname and domain name.

3. Generate the RSA public/private keys.

4. Manually enter the RSA public key on remote devices.

5. Manage the RSA keys.

Planning for Configuring RSA

There are a few more questions to answer before you jump in and configure RSA so that the number of errors that can occur during configuration are kept to a minimum:

What peers will use RSA-encrypted nonces? Make a list of these devices.

What type of RSA keys will you use? You have two choices: general-usage or special-usage keys.

What size of key modulus, a value between 360 and 2048 bits on the IOS releases this book covers, do you want to use? The larger the modulus, the harder the key is to factor, and the longer it takes to generate. A 512-bit modulus (the default the router offers in the examples below) has been publicly factored and should not be relied on; use 2048 bits.

Configuring the Device’s Hostname and Domain Name for RSA-Encrypted Nonces

Armed with the answers to the preceding questions, you’re ready to begin configuring these three items:

Hostname

Domain name

Static hostname-to-address mapping for each peer

Because the IKE identity used with RSA-encrypted nonces is either the device's address or its hostname (the fully qualified domain name built from the hostname and domain name), these items must be properly configured for RSA to function, and when hostname identity is used each router must be able to resolve its peer's FQDN, which is what the static mapping is for. To configure the hostname of a device, enter the following command in global configuration mode, where hostname is the name of the device:

hostname hostname

The domain name is used in conjunction with the hostname to produce the fully qualified domain name for the device. You configure this by entering the following command in global configuration mode, where domain-name is the name of the domain:

ip domain-name domain-name


If a DNS server isn't available, you also need to configure a static hostname-to-address mapping for each peer by entering the following command in global configuration mode:

ip host name [tcp-port-number] address1 [address2…address8]

The parameters for the preceding command are as follows:

name: The name of the remote device.

tcp-port-number: The TCP port number to connect to when the hostname is used with an EXEC connect or telnet command (the default is 23).

address1: The IP address you want bound to the hostname.

address2…address8: Up to seven more addresses to bind to the hostname.

Generating the RSA Public/Private Keys

Now you’re ready to generate the RSA public/private keys on each device, but before issuing the command to generate the keys, you need to decide if you want to create special-usage keys or general-usage keys. Special-usage keys generate two public/private key pairs per device—a good choice when you’re using RSA signatures and RSA-encrypted nonces on the same device and you don’t want them using the same keys. General-usage keys create one public/private key pair that will be used by both RSA signatures and RSA-encrypted nonces.

With the key-type decision out of the way, it’s time to start configuring. Enter the following command in global configuration mode:

crypto key generate rsa [usage-keys]

Be sure to use the usage-keys keyword when you want to generate special-usage keys. Once you've entered the command to generate the keys, the device prompts you for the modulus length. This value sets the size of the RSA key: the larger the modulus, the harder the key is to factor, and the longer it takes the device to generate the key pair.

All right, let’s take a second and see what this process really looks like on a device. Oh, and keep in mind that this device already has its hostname and domain name configured. Here it is:

Lab_A#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Lab_A(config)#crypto key generate rsa
The name for the keys will be: Lab_A.mycorp.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 512
Generating RSA keys ... [OK]

% Key pair was generated at 10:22:30 UTC Dec 23 2002
Lab_A(config)#


Once your RSA keys have been generated, you need a way to view them so you can take the public key from one device and input it into another one. To check out the RSA public key, just enter the following command in privileged-exec mode:

show crypto key mypubkey rsa

Here’s a sample of what Lab_A would then show you:

Lab_A#show crypto key mypubkey rsa
Key name: Lab_A.mycorp.com
 Usage: General Purpose Key
 Key Data:
  005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

The information below the words "Key Data" is the public key, printed as the hexadecimal DER encoding of its SubjectPublicKeyInfo. Since you need to input this key into any device you want to peer with, copy it down from the router's own show output so you can transmit it out of band to remote devices. (A DER-encoded key begins with the SEQUENCE tag 30; the sample as printed here begins with 00, so treat it as illustrative rather than something to paste.)

Entering the RSA Public Key on Remote Devices Manually

Before you can enter the public key on any remote devices, you need to get into public key chain configuration mode. Do this by entering this command while in global configuration mode:

crypto key pubkey-chain rsa

You must specify whether the key is an addressed key or a named key. How the IKE identity has been configured on the device that generated the key decides this. If the IKE identity is address, you use the addressed key; if it’s hostname, use the named key. You can also specify whether the key is an encryption key or a signature key with the following rules:

Encryption specifies that the key will be an encryption special-usage key. Use this when you have generated special-usage keys and you are inputting the encryption key.

Signature specifies that the key will be a signature special-usage key. Use this when you have generated special-usage keys and you are inputting the signature key.

Not specifying the type of key makes it a general-purpose key. Use this when you generate general-usage keys.

While in public key chain configuration mode, enter one of the following commands:

addressed-key key-address [encryption | signature]

named-key key-name [encryption | signature]

In the addressed-key command, key-address is the IP address of the device that generated the key. In the named-key command, key-name is the fully qualified domain name of the device that generated the key.


Once you've specified the key and entered public key configuration mode, issue the key-string command and then input the public key exactly as the peer's show crypto key mypubkey rsa output displayed it. When you're finished, use the quit command to return to public key key configuration mode (config-pubkey-key). Here's the output caused by entering the key generated by Lab_A on Lab_B:

Lab_B#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Lab_B(config)#crypto key pubkey-chain rsa
Lab_B(config-pubkey-chain)#addressed-key 10.1.1.1
Lab_B(config-pubkey-key)#key-string
Lab_B(config-pubkey)#005C300D 06092A86 4886F70D 01010105 00034B00 30480241
Lab_B(config-pubkey)#00C5E23B 55D6AB22 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9
Lab_B(config-pubkey)#DF0B4E4C 73A05DD2 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4
Lab_B(config-pubkey)#71020301 0001
Lab_B(config-pubkey)#quit
Lab_B(config-pubkey-key)#^Z
Lab_B#

Verify that the key has been accepted by entering the command show crypto key pubkey-chain rsa in privileged-exec mode:

Lab_B#show crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from Certificate

Code Usage    IP-Address    Name
M    General  10.1.1.1

To check out the actual key that you or someone else entered, use the show crypto key pubkey-chain rsa {address address | name name} command in privileged-exec mode:

Lab_B#show crypto key pubkey-chain rsa address 10.1.1.1
Key name:
Key address: 10.1.1.1
 Usage: General Purpose Key
 Source: Manual
 Data:
  005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
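The hex blob that show crypto key mypubkey rsa prints on Lab_A, and that show crypto key pubkey-chain rsa address shows again once it has been entered on Lab_B, is the DER encoding of an X.509 SubjectPublicKeyInfo. Here is an added Python example (not code from the book or from Cisco) that parses that blob, confirms the structure, extracts the modulus size and public exponent, and produces a SHA-256 fingerprint that the two administrators can read to each other out of band before either side trusts the key. It assumes the key is a DER SubjectPublicKeyInfo; BOOK_KEY is the sample exactly as printed above, and FIXED_KEY is the same sample with its first byte changed from 00 to the SEQUENCE tag 30, on the assumption that the printed 00 is a transcription slip. The 2048-bit floor is a policy choice made here, not something the book states.

```python
"""Sanity-check an IOS RSA key-string before pasting it into a peer.

Added example, not code from the book or from Cisco. The hex that
`show crypto key mypubkey rsa` prints is a DER-encoded SubjectPublicKeyInfo;
this parses it, checks the structure, extracts modulus/exponent, and derives
a fingerprint you can compare with the remote administrator out of band.
"""
import hashlib
import re

RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption

# Key exactly as printed in the book's show output (note the leading 00).
BOOK_KEY = """005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001"""

# Same key with the first byte set to the DER SEQUENCE tag 0x30 (assumption:
# a router prints 30 here and the book's 00 is a transcription slip).
FIXED_KEY = "30" + BOOK_KEY[2:]


def normalize(key_string):
    """Strip the spaces/line breaks IOS prints and return the raw DER bytes."""
    digits = re.sub(r"\s+", "", key_string)
    if not re.fullmatch(r"[0-9A-Fa-f]*", digits) or len(digits) % 2:
        raise ValueError("key-string must be an even number of hex digits")
    return bytes.fromhex(digits)


def _tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value starting at pos; return (value, next_pos)."""
    if pos + 1 >= len(buf):
        raise ValueError(f"truncated DER at offset {pos}")
    tag, length = buf[pos], buf[pos + 1]
    if tag != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02X} at offset {pos}, got 0x{tag:02X}")
    pos += 2
    if length & 0x80:                          # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return buf[pos:pos + length], pos + length


def parse_rsa_pubkey(key_string):
    """SubjectPublicKeyInfo -> {'bits', 'exponent', 'fingerprint'}."""
    der = normalize(key_string)
    spki, end = _tlv(der, 0, 0x30)            # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, p = _tlv(spki, 0, 0x30)              # AlgorithmIdentifier
    oid, _ = _tlv(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bitstr, _ = _tlv(spki, p, 0x03)           # BIT STRING wrapping RSAPublicKey
    if bitstr[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    rsa, _ = _tlv(bitstr, 1, 0x30)            # RSAPublicKey ::= SEQUENCE { n, e }
    n_bytes, p = _tlv(rsa, 0, 0x02)
    e_bytes, _ = _tlv(rsa, p, 0x02)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"bits": n.bit_length(), "exponent": e,
            "fingerprint": hashlib.sha256(der).hexdigest()}


def check(key_string, min_bits=2048):
    """(ok, message) as you would want it on a pre-paste checklist.

    min_bits is a local policy floor, not something IOS enforces.
    """
    try:
        info = parse_rsa_pubkey(key_string)
    except ValueError as exc:
        return False, f"malformed key-string: {exc}"
    if info["bits"] < min_bits:
        return False, f"{info['bits']}-bit modulus is below the {min_bits}-bit floor"
    return True, (f"{info['bits']}-bit RSA, e={info['exponent']}, "
                  f"SHA-256 {info['fingerprint'][:16]}...")


if __name__ == "__main__":
    for label, key in (("as printed", BOOK_KEY), ("first byte 30", FIXED_KEY)):
        print(label, "->", check(key))
```

Compare the fingerprint over the phone with what the remote administrator computes from their router's own show crypto key mypubkey rsa output, and only then paste the key-string. As printed, the sample is rejected at offset 0; with the leading byte corrected it parses as a 512-bit key with exponent 65537, which the 2048-bit floor still refuses.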
