In this post, we’re going to configure an IPSec site-to-site VPN with two CSR1000v routers. The authentication between the two routers will be performed using digital certificates issued from a separate Cisco CSR1000v router which is acting as a CA server.
Topology

Devices
- R12 – Acting as the CA Server
- R9 – Site one (VPN headend one)
- R10 – Site two (VPN headend two)
R12 – CA Server Configuration
Configure Domain Services & NTP
ip domain lookup
ip name-server 8.8.8.8
ip domain-name networkwizkid.com
ntp server 0.uk.pool.ntp.org
ntp master 3
ntp trusted-key 1
Verify Domain Services & NTP
R12(config)#do show ntp associations
address ref clock st when poll reach delay offset disp
*~188.114.116.1 114.199.6.79 2 1 64 17 13.971 11.607 1.832
~127.127.1.1 .LOCL. 2 5 16 377 0.000 0.000 1.204
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R12(config)#do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.169.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/13 ms
Configure the CA Server
crypto pki server CA-SERVER
issuer-name CN=R12 , O=Network Wizkid , C=UK
hash sha256
grant auto
no shut
------THE FOLLOWING OUTPUT IS PRESENTED AND A PASSWORD WILL HAVE TO BE ENTERED TO PROTECT THE PRIVATE KEY------
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Certificate Server enabled.
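A hardened variant of the CA server above, added here as an example and not part of the original post. It assumes the IOS CA server adopts a pre-generated RSA key pair whose label matches the server name (which avoids the 1024-bit default seen in the output), and it replaces grant auto with manual approval so that an enrollment request from any host that can reach 30.1.3.1 is not signed unseen; the lifetimes are assumed values for this lab.

```cisco
! Generate a 2048-bit key pair under the server's own name BEFORE enabling
! the server; a key pair labelled CA-SERVER is picked up instead of the
! 1024-bit pair the server would otherwise generate for itself.
crypto key generate rsa general-keys label CA-SERVER modulus 2048
!
crypto pki server CA-SERVER
 issuer-name CN=R12, O=Network Wizkid, C=UK
 hash sha256
 ! keep a copy of every issued certificate, not just serial numbers
 database level complete
 ! assumed lifetimes: 5-year CA cert, 1-year router certs, daily CRL
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! requests are held as pending until an administrator grants them
 no grant auto
 no shutdown
!
! Exec-mode review of pending enrollment requests from R9 and R10:
!   show crypto pki server CA-SERVER requests
!   crypto pki server CA-SERVER grant <request-id>
```

Before granting a request, compare the fingerprint it reports with the one shown on the enrolling router, so that a request from an unexpected device is rejected rather than signed.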
Configure R9
Configure Domain Services & NTP
ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
ntp server 30.1.3.1 <-- IP address of R12
ntp trusted-key 1
Verify Domain Services & NTP
do show ntp associations
address ref clock st when poll reach delay offset disp
*~30.1.3.1 188.114.116.1 3 23 64 377 1.000 24.500 5.153
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms
Configure the CA Trustpoint
crypto key generate rsa modulus 4096 label r9.networkwizkid.com
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1
subject-name cn=r9.networkwizkid.com
revocation-check none
rsakeypair r9.networkwizkid.com
hash sha256
Authenticate the Trustpoint & Enroll R9 into R12’s PKI
crypto pki authenticate CA-SERVER
------THE FOLLOWING IS OUTPUT; THE FINGERPRINT CAN BE VERIFIED ON R12------
Certificate has the following attributes:
Fingerprint MD5: 84B8D459 EA6B590A 2C48D83B 0C7055B7
Fingerprint SHA1: D0D6B3F4 817D1738 24D7B5FA 72D36A27 111225BF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
crypto pki enroll CA-SERVER
------THE FOLLOWING IS OUTPUT; CREATE CHALLENGE PASSWORD------
Password:
Re-enter password:
% The subject name in the certificate will include: cn=r9.networkwizkid.com
% The subject name in the certificate will include: R9.networkwizkid.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 9Y3KZ11JVX4
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA-SERVER' commandwill show the fingerprint.
Verify Issued Certificates on R9
do show crypto pki certificates
------R12 CERTIFICATE IS DISPLAYED AND R9's SIGNED CERTIFICATE------
Configure IPSec VPN Parameters on R9
Configure the ISAKMP Policy
crypto isakmp policy 5
hash sha256
crypto isakmp profile ISAKMP-PROFILE
match certificate IKEV2-CERT-MAP
Configure the IPSec Transform-set
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac
mode tunnel
Configure the IPSec Profile
crypto ipsec profile IPSEC-PROFILE
set transform-set TRANSFORM-SET
set isakmp-profile ISAKMP-PROFILE
Configure ACL for Interesting Traffic
ip access-list extended CRYPTO-ACL
permit ip host 40.0.1.1 host 40.0.2.1 log
Configure the Crypto Map
crypto map CRYPTO-MAP 10 ipsec-isakmp
set peer 30.1.2.2
set transform-set TRANSFORM-SET
set isakmp-profile ISAKMP-PROFILE
match address CRYPTO-ACL
Apply Crypto Map to External Facing Interface
int g1
crypto map CRYPTO-MAP
Configure R10
Configure Domain Services & NTP
ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
ntp server 30.1.3.1 <-- IP address of R12
ntp trusted-key 1
Verify Domain Services & NTP
show ntp associations
address ref clock st when poll reach delay offset disp
*~30.1.3.1 188.114.116.1 3 160 256 377 3.000 -6.500 2.839
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/14 ms
Configure the CA Trustpoint
crypto key generate rsa modulus 4096 label r10.networkwizkid.com
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1
subject-name cn=r10.networkwizkid.com
revocation-check none
rsakeypair r10.networkwizkid.com
hash sha256
Authenticate the Trustpoint & Enroll R10 into R12’s PKI
crypto pki authenticate CA-SERVER
crypto pki enroll CA-SERVER
Verify Issued Certificates on R10
do show crypto pki certificates
------R12 CERTIFICATE IS DISPLAYED AND R10's SIGNED CERTIFICATE------
Configure IPSec VPN Parameters on R10
Configure the ISAKMP Policy
crypto isakmp policy 5
hash sha256
crypto isakmp profile ISAKMP-PROFILE
match certificate IKEV2-CERT-MAP
Configure the IPSec Transform-set
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac
mode tunnel
Configure the IPSec Profile
crypto ipsec profile IPSEC-PROFILE
set transform-set TRANSFORM-SET
set isakmp-profile ISAKMP-PROFILE
Configure ACL for Interesting Traffic
ip access-list extended CRYPTO-ACL
permit ip host 40.0.2.1 host 40.0.1.1 log
Configure the Crypto Map
crypto map CRYPTO-MAP 10 ipsec-isakmp
set peer 30.1.1.2
set transform-set TRANSFORM-SET
set isakmp-profile ISAKMP-PROFILE
match address CRYPTO-ACL
Apply Crypto Map to External Facing Interface
int g1
crypto map CRYPTO-MAP
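The IKE and IPsec parameters as they would be applied on both R9 and R10, added here as an example rather than the post's own config. It defines the IKEV2-CERT-MAP that both ISAKMP profiles reference but the post never shows, and it replaces the IOS defaults that the show crypto isakmp sa detail output below reveals (Encr des, DH 1, PFS N). The certificate map criteria and the trustpoint binding are assumptions about this lab; the command syntax is standard IOS.

```cisco
! Accept only certificates issued by R12's CA whose subject is in our
! domain (assumed matching criteria for this lab).
crypto pki certificate map IKEV2-CERT-MAP 10
 issuer-name co cn=r12
 subject-name co networkwizkid.com
!
! Pin the profile to the trustpoint so the peer's certificate chains to
! R12's CA and matches the map above before the SA is accepted.
crypto isakmp profile ISAKMP-PROFILE
 ca trust-point CA-SERVER
 match certificate IKEV2-CERT-MAP
!
! "crypto isakmp policy 5" with only "hash sha256" leaves encryption at
! DES and the DH group at 1; set them explicitly.
crypto isakmp policy 5
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Fresh DH exchange for each IPsec SA so a compromised IKE SA key does
! not expose earlier IPsec keys (the page's output shows PFS (Y/N): N).
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set pfs group14
!
! Honour the CA's CRL instead of "revocation-check none"; the IOS CA
! publishes its CRL at the same SCEP URL used for enrollment.
crypto pki trustpoint CA-SERVER
 revocation-check crl
```

After re-applying, "show crypto isakmp sa detail" should report aes-256 and DH 14, and "show crypto ipsec sa" should report PFS (Y/N): Y.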
Verify Site-to-Site IPsec VPN
Verify Reachability to R10 via VPN
R9#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
R9#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Verify ISAKMP SA on R9
R9#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
43123 30.1.1.2 30.1.2.2 ACTIVE des sha256 rsig 1 07:57:53
Engine-id:Conn-id = SW:1123
IPv6 Crypto ISAKMP SA
R9#show crypto isakmp peers
Peer: 30.1.2.2 Port: 500 Local: 30.1.1.2
Phase1 id: R10.networkwizkid.com
Verify IPSec SA on R9
R9#show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: CRYPTO-MAP, local addr 30.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (40.0.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (40.0.2.1/255.255.255.255/0/0)
current_peer 30.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xA2F4612C(2733924652)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3ED1C05C(1053933660)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2805, flow_id: CSR:805, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4607998/2272)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA2F4612C(2733924652)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2806, flow_id: CSR:806, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4607999/2272)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Verify Reachability to R10 via VPN
R10#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Verify ISAKMP SA on R10
R10#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
43121 30.1.2.2 30.1.1.2 ACTIVE des sha256 rsig 1 23:33:20
Engine-id:Conn-id = SW:1121
IPv6 Crypto ISAKMP SA
R10#show crypto isakmp peers
Peer: 30.1.1.2 Port: 500 Local: 30.1.2.2
Phase1 id: R9.networkwizkid.com
Verify IPSec SA on R10
R10#show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: CRYPTO-MAP, local addr 30.1.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (40.0.2.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (40.0.1.1/255.255.255.255/0/0)
current_peer 30.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
#pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.1.2.2, remote crypto endpt.: 30.1.1.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x3ED1C05C(1053933660)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xA2F4612C(2733924652)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2811, flow_id: CSR:811, sibling_flags FFFFFFFF80000048, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4607998/1935)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3ED1C05C(1053933660)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2812, flow_id: CSR:812, sibling_flags FFFFFFFF80000048, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4607999/1935)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas: