Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site


%The subject name in the certificate will be: Lab_A.mycorp.com

%Include the router serial number in the subject name? [yes/no]: no

%Include an IP address in the subject name [yes/no]? yes

Interface: serial0/0

Request certificate from CA [yes/no]? yes

%Certificate request sent to Certificate Authority

%The certificate request fingerprint will be displayed.

%The 'show crypto ca certificate' command will also show the fingerprint.
Lab_A(config)#

Verifying and Saving Your Configurations

Now once again, it’s verification time. Verifying CA interoperability adds two new show commands to the group you met in the “Entering the RSA Public Key on Remote Devices Manually” section earlier in this chapter. Your new friends are:

The show crypto ca certificates command that can be entered in privileged-exec mode to display information about a device’s certificate, the CA server certificate, and any RA certificates

The show crypto ca roots command that can also be entered in privileged-exec mode to display information about the CA roots configured on the device

You should always save your configuration after you make changes. After all this work, it would be a shame to lose it all now!

Use the copy system:running-config nvram:startup-config command to save your configuration. This saves the RSA keys as well. Saving to a TFTP server or using the Remote Copy Protocol (RCP) to save your configuration will not save the RSA keys.

Configuring IKE Using CA

IKE is configured the same way it was for pre-shared keys and RSA-encrypted nonces with one exception: the authentication method used. You need to enter the command authentication rsa-sig in IKE policy configuration mode. You verify the IKE policy using the same commands I showed you earlier.

Configuring IPSec for CA

IPSec for CA is configured in the same exact way as IPSec utilizing pre-shared keys and IPSec for RSA-encrypted nonces with no exceptions. If you’re less than clear on this, refer back to the section titled “Configuring IPSec” earlier in this chapter.

Sweet—you’re almost there—stay with me! Before moving on to testing and verifying IPSec for CA, let’s look at how all these steps come together.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

274 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

To help you see the whole picture, you’re going to configure IPSec for CA between devices Lab_A and Lab_B in Exercise 8.3. Recall once again the corporate network shown in the following graphic:

[Figure: corporate network diagram. Labels in the figure: Lab_A, HostA, HostB, 172.16.2.0/24, Perimeter Router, WWW Server, DNS Server, 10.1.1.0/24, 172.16.1.2/24, 172.16.1.3/24, Internet, Lab_B, 172.16.1.0/24, F0/0, "Dirty DMZ", 172.16.1.254/24, Protected DMZ, PIX, Bastion Host, 192.168.254.254/24, NAS, 192.168.254.252/24, CiscoSecure ACS 3.0, Management Station, 192.168.254.253/24, 192.168.254.251/24.]

Let’s get started by dividing the process of configuring IPSec for CA into four steps:

1. Generate RSA public/private keys.

2. Configure CA support.

3. Configure IKE.

4. Configure IPSec.

Both hostnames and domain names have already been configured on the devices.


EXERCISE 8.3

Configuring IPSec for the CA Network

This exercise will have you configure IPSec using CA on the corporate network example.

1. First, you need to generate the public/private keys on each device using the following commands:

Lab_A#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Lab_A(config)#crypto key generate rsa

The name for the keys will be: Lab_A.mycorp.com

Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys.

Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 512

Generating RSA keys… [OK]

% Key pair was generated at 10:22:30 UTC Dec 23 2002
Lab_A(config)#

Lab_B#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Lab_B(config)#crypto key generate rsa

The name for the keys will be: Lab_B.mycorp.com

Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys.

Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 512

Generating RSA keys… [OK]


% Key pair was generated at 10:22:30 UTC Dec 23 2002
Lab_B(config)#

2. Next, you need to configure CA support on each device using the following parameters:

CA name: test_ca

Enrollment URL: http://ca_server

The devices need to ignore the CRL if one cannot be found.

The CA server doesn’t support LDAP.

Use the following commands to configure CA support:

Lab_A(config)#crypto ca identity test_ca

Lab_A(ca-identity)#enrollment url http://ca_server

Lab_A(ca-identity)#crl optional

Lab_A(ca-identity)#exit

Lab_A(config)#crypto ca authenticate test_ca

Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no]#y

Lab_A(config)#crypto ca enroll test_ca

%

%Start certificate enrollment.

%Create a challenge password. You will need to verbally provide this password

to the CA Administrator in order to revoke your certificate. For security

reasons your password will not be saved in the configuration. Please make

a note of it.

Password: cisco

Re-enter password: cisco

%The subject name in the certificate will be: Lab_A.mycorp.com

%Include the router serial number in the subject name? [yes/no]: no


% Include an IP address in the subject name [yes/no]? yes

Interface: serial0/0

Request certificate from CA [yes/no]? yes

%Certificate request sent to Certificate Authority

%The certificate request fingerprint will be displayed.

%The 'show crypto ca certificate' command will also show the fingerprint.
Lab_A(config)#

Lab_B(config)#crypto ca identity test_ca

Lab_B(ca-identity)#enrollment url http://ca_server

Lab_B(ca-identity)#crl optional

Lab_B(ca-identity)#exit

Lab_B(config)#crypto ca authenticate test_ca

Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no]#y

Lab_B(config)#crypto ca enroll test_ca

%

%Start certificate enrollment.

%Create a challenge password. You will need to verbally provide this password

to the CA Administrator in order to revoke your certificate. For security

reasons your password will not be saved in the configuration. Please make

a note of it.

Password: cisco

Re-enter password: cisco

%The subject name in the certificate will be: Lab_B.mycorp.com

%Include the router serial number in the subject name? [yes/no]: no


% Include an IP address in the subject name [yes/no]? yes

Interface: serial1/0

Request certificate from CA [yes/no]? yes

%Certificate request sent to Certificate Authority

%The certificate request fingerprint will be displayed.

%The 'show crypto ca certificate' command will also show the fingerprint.
Lab_B(config)#

3. Configure IKE between the Lab_A device and the Lab_B device with the following parameters:

Lab_A interface Serial 0/0 with IP address 10.1.1.1/24

Lab_B interface Serial 1/0 with IP address 10.1.1.2/24

Lab_A IKE policy priority equals 2

Lab_B IKE policy priority equals 2

3DES message encryption

MD5 message hash

Authentication method: rsa-sig

Default Diffie-Hellman group for both devices

Default IKE SA lifetime for both devices

IKE identity as the address for both devices

Use the following commands to configure IKE:

Lab_A(config)#crypto isakmp enable

Lab_A(config)#crypto isakmp policy 2

Lab_A(config-isakmp)#encryption 3des

Lab_A(config-isakmp)#hash md5

Lab_A(config-isakmp)#authentication rsa-sig

Lab_A(config-isakmp)#exit

Lab_A(config)#


Lab_B(config)#crypto isakmp enable

Lab_B(config)#crypto isakmp policy 2

Lab_B(config-isakmp)#encryption 3des

Lab_B(config-isakmp)#hash md5

Lab_B(config-isakmp)#authentication rsa-sig

Lab_B(config-isakmp)#exit

Lab_B(config)#

4. Finally, it’s time to configure IPSec, moving through the following list from beginning to end:

Create a transform set on each device named test using esp-des and tunnel mode.

Leave the global IPSec SA lifetimes set to their defaults.

Create a symmetrical extended access list on each device that will permit traffic from networks 172.16.2.0 /24 and 172.16.1.0 /24.

Create a crypto map on each device using the name test1 and sequence number 100.

Each sequence should use the transform set test and the extended access list just created, and set the peer to the IP address of the outgoing interface of the remote device.

Apply the crypto map to each device’s outgoing interface.

Use the following commands to configure IPSec:

Lab_A(config)#crypto ipsec transform-set test esp-des

Lab_A(cfg-crypto-trans)#exit

Lab_A(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

Lab_A(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

Lab_A(config)#crypto map test1 100 ipsec-isakmp

Lab_A(config-crypto-map)#match address 100

Lab_A(config-crypto-map)#set transform-set test

Lab_A(config-crypto-map)#set peer 10.1.1.2

Lab_A(config-crypto-map)#exit
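As an added illustration that is not from the book, the following Python (helper names and sample flows are constructed here) applies the wildcard-mask semantics of the crypto access list above and checks that the two peers' lists are mirror images, which is what "symmetrical" in the step list requires; a mistyped mask on one side is a common reason a tunnel protects only one direction or never comes up.

```python
import ipaddress

# Constructed copies of the crypto ACLs from Exercise 8.3 (IOS syntax).
LAB_A_ACL = [
    "access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255",
]
# Lab_B's list must be the mirror image: each entry with source and destination swapped.
LAB_B_ACL = [
    "access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255",
    "access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255",
]


def parse_ace(line):
    """Parse 'access-list N permit ip SRC SRC_WC DST DST_WC' into four ints."""
    f = line.split()
    if len(f) < 8 or f[0] != "access-list" or f[2] != "permit" or f[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    return tuple(int(ipaddress.IPv4Address(x)) for x in f[4:8])


def wildcard_match(addr, base, wc):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (addr & ~wc & 0xFFFFFFFF) == (base & ~wc & 0xFFFFFFFF)


def matches(acl, src, dst):
    """True if the src->dst flow hits a permit entry, i.e. IPSec will protect it."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    return any(wildcard_match(s, sb, sw) and wildcard_match(d, db, dw)
               for sb, sw, db, dw in map(parse_ace, acl))


def is_mirror(acl_a, acl_b):
    """Crypto ACLs on the two peers must be exact mirror images of each other."""
    a = {parse_ace(x) for x in acl_a}
    b = {(db, dw, sb, sw) for sb, sw, db, dw in map(parse_ace, acl_b)}
    return a == b


def classify(acl, flows):
    """Label constructed sample flows as 'protected' (encrypted) or 'clear'."""
    return {f: ("protected" if matches(acl, *f) else "clear") for f in flows}


if __name__ == "__main__":
    sample = [("172.16.2.10", "172.16.1.5"), ("172.16.2.10", "10.1.1.2")]
    print(classify(LAB_A_ACL, sample))
    print("mirror:", is_mirror(LAB_A_ACL, LAB_B_ACL))
```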
