Configuring IPSec Site-to-Site VPNs using IOS-XE as a CA Server


In this post, we’re going to configure an IPSec site-to-site VPN with two CSR1000v routers. The authentication between the two routers will be performed using digital certificates issued from a separate Cisco CSR1000v router which is acting as a CA server.

Topology

Devices

  • R12 – Acting as the CA Server
  • R9 – Site one (VPN headend one)
  • R10 – Site two (VPN headend two)

R12 – CA Server Configuration

Configure Domain Services & NTP

ip domain lookup
ip name-server 8.8.8.8
ip domain-name networkwizkid.com
ntp server 0.uk.pool.ntp.org
ntp master 3
! ntp trusted-key only has an effect once ntp authenticate and ntp authentication-key 1 are also configured
ntp trusted-key 1

Verify Domain Services & NTP

R12(config)#do show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~188.114.116.1   114.199.6.79     2      1     64    17 13.971  11.607  1.832
 ~127.127.1.1     .LOCL.           2      5     16   377  0.000   0.000  1.204
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R12(config)#do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.169.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/13 ms

Configure the CA Server

crypto pki server CA-SERVER
issuer-name CN=R12, O=Network Wizkid, C=UK
hash sha256
grant auto
no shut

------THE FOLLOWING OUTPUT IS PRESENTED AND A PASSWORD WILL HAVE TO BE ENTERED TO PROTECT THE PRIVATE KEY------

%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

% Certificate Server enabled.

Configure R9

Configure Domain Services & NTP

ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
ntp server 30.1.3.1 <-- IP address of R12
ntp trusted-key 1

Verify Domain Services & NTP

do show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~30.1.3.1        188.114.116.1    3     23     64   377  1.000  24.500  5.153
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms

Configure the CA Trustpoint

crypto key generate rsa modulus 4096 label r9.networkwizkid.com
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1
subject-name cn=r9.networkwizkid.com
revocation-check none
rsakeypair r9.networkwizkid.com
hash sha256

Authenticate the Trustpoint & Enroll R9 into R12’s PKI

crypto pki authenticate CA-SERVER
------THE FOLLOWING IS OUTPUT; THE FINGERPRINT CAN BE VERIFIED ON R12------
Certificate has the following attributes:
       Fingerprint MD5: 84B8D459 EA6B590A 2C48D83B 0C7055B7
      Fingerprint SHA1: D0D6B3F4 817D1738 24D7B5FA 72D36A27 111225BF

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

crypto pki enroll CA-SERVER
------THE FOLLOWING IS OUTPUT; CREATE CHALLENGE PASSWORD------
Password:
Re-enter password:

% The subject name in the certificate will include: cn=r9.networkwizkid.com
% The subject name in the certificate will include: R9.networkwizkid.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 9Y3KZ11JVX4
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA-SERVER' command will show the fingerprint.

Verify Issued Certificates on R9

do show crypto pki certificates

------R12 CERTIFICATE IS DISPLAYED AND R9's SIGNED CERTIFICATE------

Configure IPSec VPN Parameters on R9

Configure the ISAKMP Policy

crypto isakmp policy 5
 hash sha256
crypto isakmp profile ISAKMP-PROFILE
   match certificate IKEV2-CERT-MAP

Configure the IPSec Transform-set

crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac
 mode tunnel

Configure the IPSec Profile

crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE

Configure ACL for Interesting Traffic

ip access-list extended CRYPTO-ACL
 permit ip host 40.0.1.1 host 40.0.2.1 log

Configure the Crypto Map

crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 30.1.2.2
 set transform-set TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE
 match address CRYPTO-ACL

Apply Crypto Map to External Facing Interface

int g1
crypto map CRYPTO-MAP

Configure R10

Configure Domain Services & NTP

ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
ntp server 30.1.3.1 <-- IP address of R12
ntp trusted-key 1

Verify Domain Services & NTP

show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~30.1.3.1        188.114.116.1    3    160    256   377  3.000  -6.500  2.839
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/14 ms

Configure the CA Trustpoint

crypto key generate rsa modulus 4096 label r10.networkwizkid.com
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1
subject-name cn=r10.networkwizkid.com
revocation-check none
rsakeypair r10.networkwizkid.com
hash sha256

Authenticate the Trustpoint & Enroll R10 into R12’s PKI

crypto pki authenticate CA-SERVER

crypto pki enroll CA-SERVER

Verify Issued Certificates on R10

do show crypto pki certificates

------R12 CERTIFICATE IS DISPLAYED AND R10's SIGNED CERTIFICATE------

Configure IPSec VPN Parameters on R10

Configure the ISAKMP Policy

crypto isakmp policy 5
 hash sha256
crypto isakmp profile ISAKMP-PROFILE
   match certificate IKEV2-CERT-MAP
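The ISAKMP policy and profile above are identical on R9 and R10, and both leave two things to IOS: the policy only sets the hash, so the device falls back to its defaults for encryption and DH group (the later show output confirms this with "Encr des" and "DH 1"), and the profile matches a certificate map named IKEV2-CERT-MAP that the post never defines. The following auditor is an added example, not code from the post or from Cisco; it applies the IOS phase 1 defaults to a configuration snippet and flags these gaps alongside the trustpoint's revocation-check none and the CA's grant auto. The default table, the weak-algorithm sets, the function names and the DN match strings in the hardened stanza are this example's own assumptions; only the names CA-SERVER, ISAKMP-PROFILE and IKEV2-CERT-MAP come from the post.

```python
"""Audit the IKE phase 1 and PKI settings of an IOS-XE configuration snippet.

Added example, not code from the original post. IOS fills in defaults for any
ISAKMP policy attribute left unset (encryption des, hash sha, authentication
rsa-sig, group 1); the post's `show crypto isakmp sa detail` output (Encr des,
DH 1) is the visible result. This auditor applies those defaults, flags weak
choices and `revocation-check none` / `grant auto`, and reports a `match
certificate` that names a certificate map the config never defines.
"""
import re

ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_ENCRYPTION, WEAK_HASH, WEAK_GROUPS = {"des", "3des"}, {"md5", "sha"}, {"1", "2", "5"}

# Constructed sample: the post's R12 CA stanza and R9 stanzas, indented as
# `show running-config` prints them, with the gaps the post leaves in place.
SAMPLE_CONFIG = """\
crypto pki server CA-SERVER
 issuer-name CN=R12, O=Network Wizkid, C=UK
 hash sha256
 grant auto
!
crypto pki trustpoint CA-SERVER
 enrollment url http://30.1.3.1
 subject-name cn=r9.networkwizkid.com
 revocation-check none
 rsakeypair r9.networkwizkid.com
 hash sha256
!
crypto isakmp policy 5
 hash sha256
crypto isakmp profile ISAKMP-PROFILE
   match certificate IKEV2-CERT-MAP
"""

# The same phase 1 with every attribute stated and the certificate map defined
# (assumed values: the map name is the post's, the DN match strings are this example's).
HARDENED_CONFIG = """\
crypto pki certificate map IKEV2-CERT-MAP 10
 issuer-name co cn = r12
 subject-name co networkwizkid.com
crypto isakmp policy 5
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp profile ISAKMP-PROFILE
 match certificate IKEV2-CERT-MAP
"""

def parse_blocks(config):
    """Split IOS config text into (top-level line, [indented child lines])."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        elif not line[0].isspace():
            blocks.append((line.strip(), []))
    return blocks

def isakmp_policies(blocks):
    """Map policy priority -> effective attributes after applying the IOS defaults."""
    policies = {}
    for header, children in blocks:
        m = re.fullmatch(r"crypto isakmp policy (\d+)", header)
        if m:
            attrs = dict(ISAKMP_DEFAULTS)
            for child in children:
                key, _, value = child.partition(" ")
                if key in attrs:
                    attrs[key] = value.strip()
            policies[int(m.group(1))] = attrs
    return policies

def audit(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    blocks, findings = parse_blocks(config), []
    for prio, a in isakmp_policies(blocks).items():
        if a["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: encryption {a['encryption']}; use aes 256")
        if a["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: hash {a['hash']}; use sha256 or stronger")
        if a["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {prio}: DH group {a['group']} is too small; use group 14 or higher")
    cert_maps = {h.split()[4] for h, _ in blocks if h.startswith("crypto pki certificate map ")}
    for header, children in blocks:
        for child in children:
            m = re.match(r"match certificate (\S+)", child)
            if header.startswith("crypto isakmp profile") and m and m.group(1) not in cert_maps:
                findings.append(f"{header}: match certificate {m.group(1)} names a certificate map that is not defined")
        if header.startswith("crypto pki trustpoint") and "revocation-check none" in children:
            findings.append(f"{header}: revocation-check none; a revoked peer certificate is still accepted")
        if header.startswith("crypto pki server") and "grant auto" in children:
            findings.append(f"{header}: grant auto signs every request the CA receives without operator approval")
    return findings
```

Running audit(SAMPLE_CONFIG) yields five findings (DES, DH group 1, the undefined IKEV2-CERT-MAP, revocation-check none and grant auto), while audit(HARDENED_CONFIG) yields none. The certificate map matters because without it the profile has nothing to match a peer certificate against; the hardened stanza pins the issuer to the R12 CA and the subject to the lab domain, so a certificate from any other CA, or any other subject, is refused at phase 1.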

Configure the IPSec Transform-set

crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac
 mode tunnel

Configure the IPSec Profile

crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE

Configure ACL for Interesting Traffic

ip access-list extended CRYPTO-ACL
 permit ip host 40.0.2.1 host 40.0.1.1 log

Configure the Crypto Map

crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 30.1.1.2
 set transform-set TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE
 match address CRYPTO-ACL

Apply Crypto Map to External Facing Interface

int g1
crypto map CRYPTO-MAP

Verify Site-to-Site IPsec VPN

Verify Reachability to R10 via VPN

R9#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
R9#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Verify ISAKMP SA on R9

R9#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

43123 30.1.1.2        30.1.2.2               ACTIVE des  sha256 rsig 1  07:57:53
       Engine-id:Conn-id =  SW:1123

IPv6 Crypto ISAKMP SA

R9#show crypto isakmp peers
Peer: 30.1.2.2 Port: 500 Local: 30.1.1.2
 Phase1 id: R10.networkwizkid.com

Verify IPSec SA on R9

R9#show crypto ipsec sa

interface: GigabitEthernet1
    Crypto map tag: CRYPTO-MAP, local addr 30.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (40.0.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (40.0.2.1/255.255.255.255/0/0)
   current_peer 30.1.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xA2F4612C(2733924652)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3ED1C05C(1053933660)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2805, flow_id: CSR:805, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607998/2272)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA2F4612C(2733924652)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2806, flow_id: CSR:806, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607999/2272)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Verify Reachability to R10 via VPN

R10#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Verify ISAKMP SA on R10

R10#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

43121 30.1.2.2        30.1.1.2               ACTIVE des  sha256 rsig 1 23:33:20
       Engine-id:Conn-id =  SW:1121

IPv6 Crypto ISAKMP SA

R10#show crypto isakmp peers
Peer: 30.1.1.2 Port: 500 Local: 30.1.2.2
 Phase1 id: R9.networkwizkid.com

Verify IPSec SA on R10

R10#show crypto ipsec sa

interface: GigabitEthernet1
    Crypto map tag: CRYPTO-MAP, local addr 30.1.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (40.0.2.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (40.0.1.1/255.255.255.255/0/0)
   current_peer 30.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.1.2.2, remote crypto endpt.: 30.1.1.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x3ED1C05C(1053933660)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA2F4612C(2733924652)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2811, flow_id: CSR:811, sibling_flags FFFFFFFF80000048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607998/1935)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3ED1C05C(1053933660)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2812, flow_id: CSR:812, sibling_flags FFFFFFFF80000048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607999/1935)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
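The verification above is done by reading the two routers' show output side by side: the ISAKMP SA is ACTIVE with Auth "rsig" (certificates, not a pre-shared key), R9's outbound ESP SPI 0xA2F4612C is R10's inbound SPI and vice versa, and the packet counters carry no errors. The script below is an added example, not code from the post, that performs those same cross-checks programmatically over the text of show crypto isakmp sa detail and show crypto ipsec sa from both peers, and separately lists the weak settings the captures also reveal (DES, DH group 1, PFS off). The sample captures are constructed by trimming the post's own output; the parsers assume the I-VRF column is blank as it is here, and all function names are this example's.

```python
"""Cross-check the IKE and IPsec SA state of two VPN peers from their show output.

Added example, not from the original post. It parses `show crypto isakmp sa
detail` and `show crypto ipsec sa` text from both routers and checks what the
post verifies by eye: phase 1 is ACTIVE and authenticated with RSA signatures
(rsig), each side's outbound ESP SPI is the other side's inbound SPI, and the
counters show no errors; it also lists weak settings still in use.
"""
import re

WEAK_ENCR, WEAK_DH = {"des", "3des"}, {"1", "2", "5"}

# Constructed samples, trimmed from the captures shown in the post (R9 and R10).
ISAKMP_R9 = """\
C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
43123 30.1.1.2        30.1.2.2               ACTIVE des  sha256 rsig 1  07:57:53
"""
ISAKMP_R10 = """\
43121 30.1.2.2        30.1.1.2               ACTIVE des  sha256 rsig 1 23:33:20
"""
IPSEC_R9 = """\
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 0, #recv errors 0
     local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x3ED1C05C(1053933660)
     inbound ah sas:
     outbound esp sas:
      spi: 0xA2F4612C(2733924652)
"""
IPSEC_R10 = """\
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
    #send errors 0, #recv errors 0
     local crypto endpt.: 30.1.2.2, remote crypto endpt.: 30.1.1.2
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xA2F4612C(2733924652)
     inbound ah sas:
     outbound esp sas:
      spi: 0x3ED1C05C(1053933660)
"""

def parse_isakmp_sa(text):
    """Rows of the IPv4 ISAKMP SA table; assumes the I-VRF column is blank, as in the post."""
    keys = ("conn_id", "local", "remote", "status", "encr", "hash", "auth", "dh", "lifetime")
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0].isdigit() and f[1].count(".") == 3:
            rows.append(dict(zip(keys, f)))
    return rows

def parse_ipsec_sa(text):
    """Endpoints, packet counters, PFS flag and per-direction ESP SPI from `show crypto ipsec sa`."""
    sa, direction = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        nums = [int(n) for n in re.findall(r"\d+", line)]
        if line.startswith("local crypto endpt.:"):
            sa["local"], sa["remote"] = re.findall(r"\d+(?:\.\d+){3}", line)
        elif line.startswith("#pkts encaps:"):
            sa["encaps"], sa["encrypt"] = nums[0], nums[1]
        elif line.startswith("#pkts decaps:"):
            sa["decaps"], sa["decrypt"] = nums[0], nums[1]
        elif line.startswith("#send errors"):
            sa["send_errors"], sa["recv_errors"] = nums[0], nums[1]
        elif line.startswith("PFS (Y/N):"):
            sa["pfs"] = line.split(":")[1].strip().startswith("Y")
        elif line.endswith(" sas:"):  # "inbound esp sas:", "outbound ah sas:", ...
            direction = line.split()[0] if " esp " in line else None
        elif direction and line.startswith("spi:"):
            sa[direction + "_spi"] = line.split()[1].split("(")[0].lower()
    return sa

def verify_tunnel(isakmp_a, ipsec_a, isakmp_b, ipsec_b):
    """Return (health, weaknesses); an empty health list means one consistent, certificate-authenticated tunnel."""
    health, weak = [], []
    rows = [parse_isakmp_sa(t) for t in (isakmp_a, isakmp_b)]
    sas = [parse_ipsec_sa(t) for t in (ipsec_a, ipsec_b)]
    if not all(rows):
        return ["no IPv4 ISAKMP SA on at least one peer"], weak
    a, b = rows[0][0], rows[1][0]
    if (a["local"], a["remote"]) != (b["remote"], b["local"]) or sas[0]["local"] != a["local"]:
        health.append("ISAKMP/IPsec endpoints do not mirror each other")
    if sas[0]["outbound_spi"] != sas[1]["inbound_spi"] or sas[1]["outbound_spi"] != sas[0]["inbound_spi"]:
        health.append("ESP SPIs do not cross-match; the captures are not one SA pair")
    for name, row, sa in (("A", a, sas[0]), ("B", b, sas[1])):
        if row["status"] != "ACTIVE" or row["auth"] != "rsig":
            health.append(f"peer {name}: status {row['status']}, auth {row['auth']} (expected ACTIVE with rsig)")
        if sa["send_errors"] or sa["recv_errors"] or sa["encaps"] != sa["encrypt"] or sa["decaps"] != sa["decrypt"]:
            health.append(f"peer {name}: ESP counters show errors or a mismatch")
        if row["encr"] in WEAK_ENCR or row["dh"] in WEAK_DH:
            weak.append(f"peer {name}: IKE SA uses {row['encr']} with DH group {row['dh']}")
        if not sa["pfs"]:
            weak.append(f"peer {name}: PFS is off, so IPsec keys derive from the IKE SA alone")
    return health, weak
```

For the post's captures verify_tunnel(ISAKMP_R9, IPSEC_R9, ISAKMP_R10, IPSEC_R10) returns an empty health list and four weaknesses (DES with DH group 1 and PFS off, reported once per peer). Keeping the two lists apart is the point: the tunnel is up and the certificates were used, which is what the post sets out to show, but the same output also records the phase 1 defaults that were never overridden.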
