Configuring FlexVPN Point-to-Point IKEv2 S-VTI with PKI Authentication


In the last post, we explored how to configure FlexVPN point-to-point IKEv2 S-VTIs with preshared keys. In this post, we will do the same, but this time using another CSR1000v acting as a CA server. This will allow us to authenticate each peer based on CA-issued digital certificates before the IKEv2 IPsec session is established.

The underlying network is already configured, so the following configuration focuses solely on the FlexVPN and PKI configuration.

Devices

  • R12 – Configured to be used as a CA Server
  • R9 – Site one
  • R10 – Site two

Topology

R12 – CA Server Configuration

Configure Domain Services & NTP

ip domain lookup
ip name-server 8.8.8.8
ip domain-name networkwizkid.com
ntp server 0.uk.pool.ntp.org
ntp master 3
ntp trusted-key 1

Verify Domain Services & NTP

R12(config)#do show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~188.114.116.1   114.199.6.79     2      1     64    17 13.971  11.607  1.832
 ~127.127.1.1     .LOCL.           2      5     16   377  0.000   0.000  1.204
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R12(config)#do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.169.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/13 ms

Configure the CA Server

crypto pki server CA-SERVER
issuer-name CN=R12,O=Network Wizkid,C=UK
hash sha256
grant auto
no shutdown

------THE FOLLOWING OUTPUT IS PRESENTED AND A PASSWORD WILL HAVE TO BE ENTERED TO PROTECT THE PRIVATE KEY------

%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

% Certificate Server enabled.

Configure R9

Configure Domain Services & NTP

ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
ntp server 30.1.3.1 <-- IP address of R12
ntp trusted-key 1

Verify Domain Services & NTP

do show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~30.1.3.1        188.114.116.1    3     23     64   377  1.000  24.500  5.153
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms

Configure the CA Trustpoint

crypto key generate rsa modulus 4096 label r9.networkwizkid.com
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1
subject-name cn=r9.networkwizkid.com
revocation-check none
rsakeypair r9.networkwizkid.com
hash sha256

Authenticate the Trustpoint & Enroll R9 into R12’s PKI

crypto pki authenticate CA-SERVER
------THE FOLLOWING IS OUTPUT; THE FINGERPRINT CAN BE VERIFIED ON R12------
Certificate has the following attributes:
       Fingerprint MD5: 84B8D459 EA6B590A 2C48D83B 0C7055B7
      Fingerprint SHA1: D0D6B3F4 817D1738 24D7B5FA 72D36A27 111225BF

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

crypto pki enroll CA-SERVER
------THE FOLLOWING IS OUTPUT; CREATE CHALLENGE PASSWORD------
Password:
Re-enter password:

% The subject name in the certificate will include: cn=r9.networkwizkid.com
% The subject name in the certificate will include: R9.networkwizkid.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 9Y3KZ11JVX4
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA-SERVER' commandwill show the fingerprint.

Verify Issued Certificates on R9

do show crypto pki certificates

------R12 CERTIFICATE IS DISPLAYED AND R9's SIGNED CERTIFICATE------

Configure R9 FlexVPN IKEv2 S-VTI Parameters

Configure the Certificate Map

crypto pki certificate map CRYPTO-CERT-MAP 5
 issuer-name co r12

Configure the IKEv2 Profile

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 30.1.2.2 255.255.255.0
 match certificate CRYPTO-CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-SERVER

Configure the IPsec Profile

crypto ipsec profile IPSEC-PROFILE
 set ikev2-profile IKEV2-PROFILE

Configure the Tunnel Interface

interface Tunnel0
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel destination 30.1.1.2
 tunnel protection ipsec profile IPSEC-PROFILE

Configure the IP Route for Interesting Traffic

ip route 40.0.1.0 255.255.255.0 Tunnel0
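As an added example (not part of the original post), the following Python audit checks the trustpoint and IKEv2 profile settings that matter for certificate authentication: rsa-sig on the remote side, a certificate map, revocation checking, and a remote-identity match that accidentally covers the router's own address. The sample configuration is constructed from R9's settings, with the interface address assumed and the match-identity line deliberately pointing at R9 itself, the copy-paste slip the last check flags.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: R9's trustpoint/profile, with an assumed interface address and a self-pointing match
R9_CONFIG = """\
interface GigabitEthernet1
 ip address 30.1.1.2 255.255.255.0
crypto pki trustpoint CA-SERVER
 revocation-check none
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 30.1.1.2 255.255.255.0
 match certificate CRYPTO-CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-SERVER
"""

def parse_blocks(config):
    """Group an IOS config into {header line: [child lines]}; blank lines are skipped."""
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def find(blocks, prefix):
    return next((v for k, v in blocks.items() if k.startswith(prefix)), [])

def audit_ikev2_pki(config):
    """Return findings for a PKI-authenticated IKEv2 profile (empty list = clean)."""
    b = parse_blocks(config)
    profile, trustpoint = find(b, "crypto ikev2 profile"), find(b, "crypto pki trustpoint")
    own = {ip_address(l.split()[2]) for v in b.values() for l in v if l.startswith("ip address ")}  # our addresses
    findings = []
    if "authentication remote rsa-sig" not in profile:
        findings.append("remote auth is not rsa-sig: the peer need not present a certificate")
    if not any(l.startswith("match certificate ") for l in profile):
        findings.append("no match certificate: any cert chaining to the CA selects this profile")
    if "revocation-check none" in trustpoint:
        findings.append("revocation-check none: a revoked peer certificate is still accepted")
    for l in profile:
        m = re.match(r"match identity remote address (\S+) (\S+)", l)
        if m and any(ip in ip_network(f"{m[1]}/{m[2]}", strict=False) for ip in own):
            findings.append(f"'{l}' covers this router's own address; match the peer instead")
    return findings
```

Run `audit_ikev2_pki(R9_CONFIG)` against a saved running-config to get the list of findings; an empty list means the profile is clean.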

Configure R10

Configure Domain Services & NTP

ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
ntp server 30.1.3.1 <-- IP address of R12
ntp trusted-key 1

Verify Domain Services & NTP

show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~30.1.3.1        188.114.116.1    3    160    256   377  3.000  -6.500  2.839
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/14 ms

Configure the CA Trustpoint

crypto key generate rsa modulus 4096 label r10.networkwizkid.com
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1
subject-name cn=r10.networkwizkid.com
revocation-check none
rsakeypair r10.networkwizkid.com
hash sha256

Authenticate the Trustpoint & Enroll R10 into R12’s PKI

crypto pki authenticate CA-SERVER

crypto pki enroll CA-SERVER

Verify Issued Certificates on R10

do show crypto pki certificates

------R12 CERTIFICATE IS DISPLAYED AND R10's SIGNED CERTIFICATE------

Configure R10 FlexVPN IKEv2 S-VTI Parameters

Configure the Certificate Map

crypto pki certificate map CRYPTO-CERT-MAP 5
 issuer-name co r12

Configure the IKEv2 Profile

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 30.1.1.2 255.255.255.0
 match certificate CRYPTO-CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-SERVER

Configure the IPsec Profile

crypto ipsec profile IPSEC-PROFILE
 set ikev2-profile IKEV2-PROFILE

Configure the Tunnel Interface

interface Tunnel0
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel destination 30.1.2.2
 tunnel protection ipsec profile IPSEC-PROFILE

Configure the IP Route for Interesting Traffic

ip route 40.0.2.0 255.255.255.0 Tunnel0

Verify FlexVPN Establishment

R9 Verification

R9#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       30.1.1.2        YES NVRAM  up                    up
Loopback0              40.0.1.1        YES manual up                    up
Tunnel0                30.1.1.2        YES TFTP   up                    up

R9#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         30.1.1.2/500          30.1.2.2/500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/4455 sec

R9#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 30.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (30.1.2.2/255.255.255.255/47/0)
   current_peer 30.1.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 245, #pkts encrypt: 245, #pkts digest: 245
    #pkts decaps: 246, #pkts decrypt: 246, #pkts verify: 246
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x2076344D(544617549)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xAA8DDBE6(2861423590)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607972/2462)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2076344D(544617549)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607984/2462)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
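As an added example (not from the original post), this Python check turns the manual verification above into a repeatable test: it parses the IKEv2 SA table and the IPsec counters, confirms the SA to the expected peer is READY and was mutually authenticated with RSA signatures, checks that packets flow in both directions without errors, and notes when PFS is off. The sample output is constructed from R9's output above.

```python
import re

# Constructed sample: R9's 'show crypto ikev2 sa' and the counter lines of its 'show crypto ipsec sa'
IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         30.1.1.2/500          30.1.2.2/500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/4455 sec
"""
IPSEC_SA = """\
    #pkts encaps: 245, #pkts encrypt: 245, #pkts digest: 245
    #pkts decaps: 246, #pkts decrypt: 246, #pkts verify: 246
    #send errors 0, #recv errors 0
     PFS (Y/N): N, DH group: none
"""

def parse_ikev2_sa(text):
    """Return one dict per SA row: local, remote, status plus the Encr/PRF/Auth attributes."""
    sas, current = [], None
    for line in text.splitlines():
        m = re.match(r"\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)", line)
        if m:
            current = {"local": m[1], "remote": m[2], "status": m[3]}
            sas.append(current)
        elif current is not None and "Auth sign" in line:
            current.update({k.strip(): v.strip() for k, v in re.findall(r"([A-Za-z ]+?):\s*([^,]+)", line)})
    return sas

def verify_pki_tunnel(ikev2_text, ipsec_text, peer):
    """Findings (empty list = healthy) for a certificate-authenticated S-VTI to peer."""
    sa = next((s for s in parse_ikev2_sa(ikev2_text) if s["remote"].split("/")[0] == peer), None)
    if sa is None:
        return [f"no IKEv2 SA with {peer}"]
    findings = []
    if sa["status"] != "READY":
        findings.append(f"IKEv2 SA status is {sa['status']}, expected READY")
    if (sa.get("Auth sign"), sa.get("Auth verify")) != ("RSA", "RSA"):
        findings.append("SA was not mutually authenticated with RSA signatures")
    c = {k: int(v) for k, v in re.findall(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)", ipsec_text)}
    if not c.get("pkts encaps") or not c.get("pkts decaps"):
        findings.append("no packets have crossed the tunnel in one or both directions")
    if c.get("send errors") or c.get("recv errors"):
        findings.append(f"IPsec send/recv errors: {c.get('send errors', 0)}/{c.get('recv errors', 0)}")
    if "PFS (Y/N): N" in ipsec_text:
        findings.append("PFS off: IPsec rekeys derive keys from the IKE SA with no fresh DH exchange")
    return findings
```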

R10 Verification

R10#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       30.1.2.2        YES NVRAM  up                    up
Loopback0              40.0.2.1        YES manual up                    up
Tunnel0                30.1.2.2        YES TFTP   up                    up

R10#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         30.1.2.2/500          30.1.1.2/500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/4567 sec

R10#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 30.1.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.1.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (30.1.1.2/255.255.255.255/47/0)
   current_peer 30.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 999, #pkts encrypt: 999, #pkts digest: 999
    #pkts decaps: 995, #pkts decrypt: 995, #pkts verify: 995
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.1.2.2, remote crypto endpt.: 30.1.1.2
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xAA8DDBE6(2861423590)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2076344D(544617549)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607969/2358)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAA8DDBE6(2861423590)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607983/2358)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
