In the last post, we explored how to configure FlexVPN point-to-point IKEv2 S-VTIs with preshared keys. In this post, we will do the same, but this time using another CSR1000v acting as a CA server. This allows each peer to be authenticated with a digitally issued certificate before the IKEv2 IPsec session is established.
The underlying network is already configured, so the following configuration focuses solely on FlexVPN.
Devices
- R12 – Configured to be used as a CA Server
- R9 – Site one
- R10 – Site two
Topology

R12 – CA Server Configuration
Configure Domain Services & NTP
ip domain lookup
ip name-server 8.8.8.8
ip domain-name networkwizkid.com
ntp server 0.uk.pool.ntp.org
ntp master 3
ntp trusted-key 1
Verify Domain Services & NTP
R12(config)#do show ntp associations
address ref clock st when poll reach delay offset disp
*~188.114.116.1 114.199.6.79 2 1 64 17 13.971 11.607 1.832
~127.127.1.1 .LOCL. 2 5 16 377 0.000 0.000 1.204
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R12(config)#do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.169.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/13 ms
Configure the CA Server
Note that, as the output below shows, the server generates its own 1024-bit RSA key pair when it is enabled. To use a larger key, generate an RSA key pair whose label matches the server name (CA-SERVER) before issuing no shut; the server then uses that pair instead of generating a default one.
crypto pki server CA-SERVER
issuer-name CN=R12 , O=Network Wizkid , C=UK
hash sha256
grant auto
no shut
------THE FOLLOWING OUTPUT IS PRESENTED AND A PASSWORD WILL HAVE TO BE ENTERED TO PROTECT THE PRIVATE KEY------
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Certificate Server enabled.
Configure R9
Configure Domain Services & NTP
ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
ntp server 30.1.3.1   ! IP address of R12
ntp trusted-key 1
Verify Domain Services & NTP
do show ntp associations
address ref clock st when poll reach delay offset disp
*~30.1.3.1 188.114.116.1 3 23 64 377 1.000 24.500 5.153
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms
Configure the CA Trustpoint
crypto key generate rsa modulus 4096 label r9.networkwizkid.com
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1
subject-name cn=r9.networkwizkid.com
revocation-check none   ! lab setting: no CRL/OCSP lookup, so a revoked peer certificate would still be accepted
rsakeypair r9.networkwizkid.com
hash sha256
Authenticate the Trustpoint & Enroll R9 into R12’s PKI
crypto pki authenticate CA-SERVER
------THE FOLLOWING IS OUTPUT; THE FINGERPRINT SHOULD BE COMPARED WITH THE CA CERTIFICATE FINGERPRINT ON R12 (show crypto pki server) BEFORE ANSWERING yes------
Certificate has the following attributes:
Fingerprint MD5: 84B8D459 EA6B590A 2C48D83B 0C7055B7
Fingerprint SHA1: D0D6B3F4 817D1738 24D7B5FA 72D36A27 111225BF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
crypto pki enroll CA-SERVER
------THE FOLLOWING IS OUTPUT; CREATE CHALLENGE PASSWORD------
Password:
Re-enter password:
% The subject name in the certificate will include: cn=r9.networkwizkid.com
% The subject name in the certificate will include: R9.networkwizkid.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 9Y3KZ11JVX4
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA-SERVER' commandwill show the fingerprint.
Verify Issued Certificates on R9
do show crypto pki certificates
------R12 CERTIFICATE IS DISPLAYED AND R9's SIGNED CERTIFICATE------
Configure R9 FlexVPN IKEv2 S-VTI Parameters
Configure the Certificate Map
crypto pki certificate map CRYPTO-CERT-MAP 5
issuer-name co r12
Configure the IKEv2 Profile
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 30.1.2.2 255.255.255.0   ! R10's GigabitEthernet1 address (30.1.1.2 is R9 itself)
match certificate CRYPTO-CERT-MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA-SERVER
Configure the IPsec Profile
crypto ipsec profile IPSEC-PROFILE
set ikev2-profile IKEV2-PROFILE
Configure the Tunnel Interface
interface Tunnel0
ip unnumbered GigabitEthernet1
tunnel source GigabitEthernet1
tunnel destination 30.1.2.2   ! R10's GigabitEthernet1 address
tunnel protection ipsec profile IPSEC-PROFILE
Configure the IP Route for Interesting Traffic
ip route 40.0.2.0 255.255.255.0 Tunnel0   ! R10's Loopback0 network
Configure R10
Configure Domain Services & NTP
ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
ntp server 30.1.3.1   ! IP address of R12
ntp trusted-key 1
Verify Domain Services & NTP
show ntp associations
address ref clock st when poll reach delay offset disp
*~30.1.3.1 188.114.116.1 3 160 256 377 3.000 -6.500 2.839
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/14 ms
Configure the CA Trustpoint
crypto key generate rsa modulus 4096 label r10.networkwizkid.com   ! label must match the trustpoint's rsakeypair
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1
subject-name cn=r10.networkwizkid.com
revocation-check none   ! lab setting: no CRL/OCSP lookup, so a revoked peer certificate would still be accepted
rsakeypair r10.networkwizkid.com
hash sha256
Authenticate the Trustpoint & Enroll R10 into R12’s PKI
crypto pki authenticate CA-SERVER
crypto pki enroll CA-SERVER
Verify Issued Certificates on R10
do show crypto pki certificates
------R12 CERTIFICATE IS DISPLAYED AND R10's SIGNED CERTIFICATE------
Configure R10 FlexVPN IKEv2 S-VTI Parameters
Configure the Certificate Map
crypto pki certificate map CRYPTO-CERT-MAP 5
issuer-name co r12
Configure the IKEv2 Profile
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 30.1.1.2 255.255.255.0   ! R9's GigabitEthernet1 address (30.1.2.2 is R10 itself)
match certificate CRYPTO-CERT-MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA-SERVER
Configure the IPsec Profile
crypto ipsec profile IPSEC-PROFILE
set ikev2-profile IKEV2-PROFILE
Configure the Tunnel Interface
interface Tunnel0
ip unnumbered GigabitEthernet1
tunnel source GigabitEthernet1
tunnel destination 30.1.1.2   ! R9's GigabitEthernet1 address
tunnel protection ipsec profile IPSEC-PROFILE
Configure the IP Route for Interesting Traffic
ip route 40.0.1.0 255.255.255.0 Tunnel0   ! R9's Loopback0 network
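The R9 and R10 FlexVPN blocks above are mirror images of each other, and it is easy to paste one peer's addresses into the other's configuration. The following is an added example (not from the post) that parses constructed config excerpts for both peers and cross-checks the values that must agree: each tunnel destination is the peer's WAN address, the match identity covers the peer, a Tunnel0 route exists for the peer's loopback network, and authentication is rsa-sig both ways. The identity match is tightened to a /32 here; the interface names and addresses are taken from the verification output.

```python
import re
import ipaddress

# Constructed config excerpts (not the post's text); R9 = 30.1.1.2, R10 = 30.1.2.2 as the verification output shows.
R9_CFG = """interface GigabitEthernet1
 ip address 30.1.1.2 255.255.255.0
interface Loopback0
 ip address 40.0.1.1 255.255.255.0
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 30.1.2.2 255.255.255.255
 authentication remote rsa-sig
 authentication local rsa-sig
interface Tunnel0
 tunnel destination 30.1.2.2
ip route 40.0.2.0 255.255.255.0 Tunnel0"""
# R10 is the mirror image: swap the WAN addresses and the LAN prefixes.
R10_CFG = (R9_CFG.replace("30.1.1.2", "@").replace("30.1.2.2", "30.1.1.2").replace("@", "30.1.2.2")
           .replace("40.0.1.1", "40.0.2.1").replace("40.0.2.0", "40.0.1.0"))

def parse_peer(cfg):  # pull out the values that must agree between the two tunnel ends
    p, cur = {"ip": {}, "routes": [], "auth": set()}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            p["ip"][cur] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"tunnel destination (\S+)", line):
            p["tun_dst"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"match identity remote address (\S+) (\S+)", line):
            p["remote_id"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip route (\S+) (\S+) Tunnel0", line):
            p["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"authentication (?:remote|local) (\S+)", line):
            p["auth"].add(m[1])
    return p

def check_pair(a, b, wan="GigabitEthernet1", lan="Loopback0"):  # empty list = consistent pair
    findings = []
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        peer_wan, peer_lan = peer["ip"][wan].ip, peer["ip"][lan].network
        if me.get("tun_dst") != peer_wan:
            findings.append(f"{tag}: tunnel destination {me.get('tun_dst')} is not the peer WAN address {peer_wan}")
        if peer_wan not in me["remote_id"]:
            findings.append(f"{tag}: identity match {me['remote_id']} excludes the peer {peer_wan}")
        if not any(peer_lan.subnet_of(r) for r in me["routes"]):
            findings.append(f"{tag}: no Tunnel0 route covering the peer LAN {peer_lan}")
        if me["auth"] != {"rsa-sig"}:
            findings.append(f"{tag}: authentication {sorted(me['auth'])} is not rsa-sig in both directions")
    return findings
```

Feeding it a copy of R9's block in which the peer addresses were replaced by R9's own (the kind of paste error that makes a tunnel point at itself) produces one finding per mismatched value, all attributed to that peer.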
Verify FlexVPN Establishment
R9 Verification
R9#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 30.1.1.2 YES NVRAM up up
Loopback0 40.0.1.1 YES manual up up
Tunnel0 30.1.1.2 YES TFTP up up
R9#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 30.1.1.2/500 30.1.2.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/4455 sec
R9#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 30.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (30.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (30.1.2.2/255.255.255.255/47/0)
current_peer 30.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 245, #pkts encrypt: 245, #pkts digest: 245
#pkts decaps: 246, #pkts decrypt: 246, #pkts verify: 246
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x2076344D(544617549)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAA8DDBE6(2861423590)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607972/2462)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2076344D(544617549)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607984/2462)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R10 Verification
R10#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 30.1.2.2 YES NVRAM up up
Loopback0 40.0.2.1 YES manual up up
Tunnel0 30.1.2.2 YES TFTP up up
R10#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 30.1.2.2/500 30.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/4567 sec
R10#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 30.1.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (30.1.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (30.1.1.2/255.255.255.255/47/0)
current_peer 30.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 999, #pkts encrypt: 999, #pkts digest: 999
#pkts decaps: 995, #pkts decrypt: 995, #pkts verify: 995
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.1.2.2, remote crypto endpt.: 30.1.1.2
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xAA8DDBE6(2861423590)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2076344D(544617549)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607969/2358)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAA8DDBE6(2861423590)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607983/2358)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
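The verification output above contains everything needed to confirm that the tunnel is up and certificate-authenticated. The following is an added example (not from the post) that parses the relevant lines from each peer's show crypto ikev2 sa and show crypto ipsec sa output, embedded here as constructed strings taken from the output above, and flags an SA that is not READY, authentication that is not RSA in both directions, a deprecated DH group, or an outbound SPI that the peer does not list as its inbound SPI.

```python
import re

# Constructed from the post's 'show crypto ikev2 sa' and 'show crypto ipsec sa' output,
# reduced to the lines these checks read, so the script runs offline.
R9_OUT = """Tunnel-id Local Remote fvrf/ivrf Status
1 30.1.1.2/500 30.1.2.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: RSA, Auth verify: RSA
inbound esp sas:
spi: 0xAA8DDBE6(2861423590)
outbound esp sas:
spi: 0x2076344D(544617549)"""
R10_OUT = """Tunnel-id Local Remote fvrf/ivrf Status
1 30.1.2.2/500 30.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: RSA, Auth verify: RSA
inbound esp sas:
spi: 0x2076344D(544617549)
outbound esp sas:
spi: 0xAA8DDBE6(2861423590)"""
WEAK_DH = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups

def parse_sa(out):  # IKEv2 SA row, its algorithm line, and the ESP SPI in each direction
    sa = {"params": {}}
    if m := re.search(r"^\d+ (\S+)/\d+ (\S+)/\d+ \S+ (\S+)$", out, re.M):
        sa["local"], sa["remote"], sa["status"] = m[1], m[2], m[3]
    if m := re.search(r"^Encr:.*$", out, re.M):
        sa["params"] = {k.strip(): v for k, v in re.findall(r"([A-Za-z ]+?):\s*([\w-]+)", m[0])}
    sa["spi"] = dict(re.findall(r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+)", out))
    return sa

def check_tunnel(a, b):  # findings for the pair; an empty list means the tunnel is up as intended
    findings = []
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        p = me["params"]
        if me.get("status") != "READY":
            findings.append(f"{tag}: IKEv2 SA status is {me.get('status')}, not READY")
        if (me.get("local"), me.get("remote")) != (peer.get("remote"), peer.get("local")):
            findings.append(f"{tag}: local/remote addresses do not mirror the peer's")
        if (p.get("Auth sign"), p.get("Auth verify")) != ("RSA", "RSA"):
            findings.append(f"{tag}: auth is {p.get('Auth sign')}/{p.get('Auth verify')}, not RSA (certificate) both ways")
        if p.get("DH Grp") in WEAK_DH:
            findings.append(f"{tag}: DH group {p['DH Grp']} is a deprecated MODP group")
        if me["spi"].get("outbound") != peer["spi"].get("inbound"):
            findings.append(f"{tag}: outbound SPI {me['spi'].get('outbound')} is not the peer's inbound SPI")
    return findings
```

Running check_tunnel(parse_sa(R9_OUT), parse_sa(R10_OUT)) returns an empty list for the output above; a peer that had fallen back to preshared keys would show PSK in the Auth fields and be flagged.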