
Configuring IPSec Site-to-Site VPNs using IOS-XE as a CA Server

In this post, we're going to configure an IPsec site-to-site VPN between two CSR1000v routers. The two VPN headends authenticate each other with digital certificates rather than a pre-shared key; the certificates are issued by a third CSR1000v router that acts as the certificate authority (CA) server.

Topology

Devices

  • R12 – Acting as the CA Server
  • R9 – Site one (VPN headend one)
  • R10 – Site two (VPN headend two)

R12 – CA Server Configuration

Configure Domain Services & NTP

Accurate time on every device is a prerequisite for PKI: a certificate's validity period is checked against the local clock, so an unsynchronised router will reject a perfectly good certificate as "not yet valid" or expired. R12 syncs to a public pool and also serves time to the two headends.

ip domain lookup
ip name-server 8.8.8.8
ip domain-name networkwizkid.com
ntp server 0.uk.pool.ntp.org
! Serve time to R9 and R10 as a stratum-3 source if the upstream pool becomes unreachable
ntp master 3
! Only takes effect together with "ntp authenticate" and a matching "ntp authentication-key 1 ..."; neither is configured here
ntp trusted-key 1

Verify Domain Services & NTP

R12(config)#do show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~188.114.116.1   114.199.6.79     2      1     64    17 13.971  11.607  1.832
 ~127.127.1.1     .LOCL.           2      5     16   377  0.000   0.000  1.204
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R12(config)#do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.169.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/13 ms

Configure the CA Server

crypto pki server CA-SERVER
 issuer-name CN=R12 , O=Network Wizkid , C=UK
 hash sha256
 ! grant auto signs every SCEP request that reaches the CA with no operator approval.
 ! Convenient in a lab; in production anyone who can reach the enrollment URL gets a certificate.
 grant auto
 no shutdown

------THE FOLLOWING OUTPUT IS PRESENTED WHEN THE SERVER IS ENABLED. THE PASSPHRASE PROTECTS THE PKCS#12 ARCHIVE OF THE CA CERTIFICATE AND PRIVATE KEY THAT THE SERVER WRITES TO ITS DATABASE; KEEP IT SAFE, THE ARCHIVE CANNOT BE RESTORED WITHOUT IT------

%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

% Certificate Server enabled.
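Two things in the output above deserve attention: the CA key pair defaulted to 1024-bit RSA, and with grant auto R12 will sign anything that arrives over HTTP. The following is an added, hardened variant of the R12 configuration (it is not from the original post). It pre-generates a 2048-bit key under the server's own name (the IOS CA uses an existing key pair whose label matches the server name), enables the HTTP server that SCEP depends on, sets explicit lifetimes, records every issued certificate by name so it can be revoked later, and leaves enrollment requests pending for manual approval. The lifetime values are example choices, not values from the post.

```cisco
! SCEP enrollment runs over the IOS HTTP server, so it has to be enabled on the CA
ip http server
!
! Generate the CA key pair before enabling the server; the label must equal the server name
crypto key generate rsa general-keys label CA-SERVER modulus 2048
!
crypto pki server CA-SERVER
 issuer-name CN=R12,O=Network Wizkid,C=UK
 hash sha256
 ! Example lifetimes: 5-year CA certificate, 1-year identity certificates, CRL reissued daily
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! Keep serial number and subject of each issued certificate (needed to revoke by name later)
 database level names
 ! Default behaviour: hold SCEP requests pending instead of signing them automatically
 no grant auto
 no shutdown
!
! Approving requests by hand from exec mode; the request id comes from "info requests"
! R12# crypto pki server CA-SERVER info requests
! R12# crypto pki server CA-SERVER grant 1
!
! Revoking a compromised or decommissioned peer; the CRL is what revocation-check crl consults
! R12# crypto pki server CA-SERVER revoke <certificate-serial-number>
```

With manual granting, the `crypto pki enroll` on the headends below reports the request as sent and the certificate arrives only after the operator grants it on R12; `show crypto pki certificates` on the headend shows the request as pending until then.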

Configure R9

Configure Domain Services & NTP

ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
! 30.1.3.1 is R12; syncing to the CA keeps certificate validity times consistent
ntp server 30.1.3.1
! Only meaningful together with "ntp authenticate" and "ntp authentication-key 1 ..."; neither is configured here
ntp trusted-key 1

Verify Domain Services & NTP

do show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~30.1.3.1        188.114.116.1    3     23     64   377  1.000  24.500  5.153
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

do ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms

Configure the CA Trustpoint

! Dedicated 4096-bit key pair for this trustpoint; the label is referenced by rsakeypair below
crypto key generate rsa modulus 4096 label r9.networkwizkid.com
crypto pki trustpoint CA-SERVER
 ! SCEP enrollment to R12 over plain HTTP; the CA fingerprint check in the next step is what makes this safe
 enrollment url http://30.1.3.1
 subject-name cn=r9.networkwizkid.com
 ! No CRL or OCSP check: a certificate that R12 has revoked would still be accepted from a peer
 revocation-check none
 rsakeypair r9.networkwizkid.com
 hash sha256

Authenticate the Trustpoint & Enroll R9 into R12’s PKI

crypto pki authenticate CA-SERVER

The router fetches R12's CA certificate over plain HTTP and prints its fingerprints. This is the trust-anchor decision for everything that follows, so compare the fingerprint out of band with the one R12 prints in show crypto pki server before answering yes; anyone on the path could otherwise hand R9 a CA of their own.

Certificate has the following attributes:
       Fingerprint MD5: 84B8D459 EA6B590A 2C48D83B 0C7055B7
      Fingerprint SHA1: D0D6B3F4 817D1738 24D7B5FA 72D36A27 111225BF

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

crypto pki enroll CA-SERVER

The router asks for a challenge password. It is sent to the CA with the request and is needed later to revoke this certificate, so record it. Because R12 is configured with grant auto, the certificate is issued as soon as the request arrives; without it the request would wait on R12 until approved.

Password:
Re-enter password:

% The subject name in the certificate will include: cn=r9.networkwizkid.com
% The subject name in the certificate will include: R9.networkwizkid.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 9Y3KZ11JVX4
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA-SERVER' commandwill show the fingerprint.

Verify Issued Certificates on R9

do show crypto pki certificates

The output lists two certificates: R12's CA certificate and the identity certificate issued to R9. Check that the identity certificate shows Status: Available, that its issuer matches the issuer-name configured on R12, and (with show crypto pki certificates verbose) that the signature algorithm is SHA-256 as requested by hash sha256.

Configure IPSec VPN Parameters on R9

Configure the ISAKMP Policy

crypto isakmp policy 5
 hash sha256
 ! Only the hash is set. Encryption, DH group and authentication keep the IOS defaults
 ! (DES, group 1, rsa-sig), which is exactly what "show crypto isakmp sa detail" reports further down.
crypto isakmp profile ISAKMP-PROFILE
 ! Peers are matched on their certificate through certificate map IKEV2-CERT-MAP. The map itself
 ! is not shown in this post; it is defined with "crypto pki certificate map" and decides which
 ! peer certificates this profile accepts. The name is just a label; this lab runs IKEv1 (ISAKMP).
 match certificate IKEV2-CERT-MAP

Configure the IPSec Transform-set

crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac
 mode tunnel

Configure the IPSec Profile

crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE
 ! Nothing below references this profile. An IPsec profile is only needed when IPsec is applied
 ! to a tunnel interface (VTI or GRE over IPsec); with the crypto map used here it stays unused.

Configure ACL for Interesting Traffic

! Must be the exact mirror of R10's CRYPTO-ACL; mismatched proxy identities fail phase 2
ip access-list extended CRYPTO-ACL
 permit ip host 40.0.1.1 host 40.0.2.1 log

Configure the Crypto Map

crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 30.1.2.2
 set transform-set TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE
 match address CRYPTO-ACL

Apply Crypto Map to External Facing Interface

interface GigabitEthernet1
 crypto map CRYPTO-MAP
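As configured above, phase 1 negotiates the IOS defaults for everything the policy leaves unset (DES and DH group 1, as the show crypto isakmp sa detail output later confirms), the ISAKMP profile refers to a certificate map the post never defines, revocation-check none accepts revoked certificates, and the IPsec SAs have no PFS. The following is an added example, not configuration from the original post, of R9's VPN configuration with those points addressed; R10 is the mirror image with the peer and ACL addresses swapped. The certificate map keeps the post's name; its match strings are assumptions based on the issuer-name configured on R12 and the domain used for the subject names, and AES-256, SHA-256 and DH group 14 are this example's choices.

```cisco
! Trustpoint as before, but consult the CA's CRL (fetched from R12 via SCEP) before trusting a peer
crypto pki trustpoint CA-SERVER
 enrollment url http://30.1.3.1
 subject-name cn=r9.networkwizkid.com
 revocation-check crl
 rsakeypair r9.networkwizkid.com
 hash sha256
!
! Certificate map referenced by the ISAKMP profile: accept only certificates issued by R12's CA
! for hosts in our domain ("co" = contains; the comparison is case-insensitive)
crypto pki certificate map IKEV2-CERT-MAP 10
 issuer-name co network wizkid
 subject-name co networkwizkid.com
!
! Phase 1: set every parameter explicitly instead of inheriting DES / group 1
crypto isakmp policy 5
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 28800
!
crypto isakmp profile ISAKMP-PROFILE
 ! Validate peers only against the trustpoint we enrolled with
 ca trust-point CA-SERVER
 match certificate IKEV2-CERT-MAP
!
! Phase 2: AES-256 with SHA-256 integrity
crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended CRYPTO-ACL
 permit ip host 40.0.1.1 host 40.0.2.1
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 30.1.2.2
 set transform-set TRANSFORM-SET
 ! Fresh DH exchange per IPsec SA, so phase 2 keys are not derived from the phase 1 secret alone
 set pfs group14
 set isakmp-profile ISAKMP-PROFILE
 match address CRYPTO-ACL
!
interface GigabitEthernet1
 crypto map CRYPTO-MAP
```

After applying this on both routers, show crypto isakmp sa detail should report aes-256 / sha256 / rsig / DH 14 instead of des / DH 1, and show crypto ipsec sa should report PFS (Y/N): Y with DH group group14. Both peers must agree on the policy, transform set and PFS group or negotiation fails.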

Configure R10

Configure Domain Services & NTP

ip domain-name networkwizkid.com
ip domain lookup
ip name-server 8.8.8.8
! 30.1.3.1 is R12
ntp server 30.1.3.1
! Only meaningful together with "ntp authenticate" and "ntp authentication-key 1 ..."; neither is configured here
ntp trusted-key 1

Verify Domain Services & NTP

show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~30.1.3.1        188.114.116.1    3    160    256   377  3.000  -6.500  2.839
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.178.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/14 ms

Configure the CA Trustpoint

! The key label must match the rsakeypair line below (r10, not r9, on this router)
crypto key generate rsa modulus 4096 label r10.networkwizkid.com
crypto pki trustpoint CA-SERVER
 enrollment url http://30.1.3.1
 subject-name cn=r10.networkwizkid.com
 ! No CRL or OCSP check, as on R9
 revocation-check none
 rsakeypair r10.networkwizkid.com
 hash sha256

Authenticate the Trustpoint & Enroll R10 into R12’s PKI

crypto pki authenticate CA-SERVER

crypto pki enroll CA-SERVER

The prompts are the same as on R9: verify R12's fingerprint again before accepting the CA certificate, set a challenge password, and answer the subject-name questions for R10.

Verify Issued Certificates on R10

do show crypto pki certificates

The output lists R12's CA certificate and the identity certificate issued to R10; check the same points as on R9.

Configure IPSec VPN Parameters on R10

Configure the ISAKMP Policy

crypto isakmp policy 5
 hash sha256
 ! Same policy and profile as on R9, including the inherited defaults (DES, group 1, rsa-sig)
 ! and the dependency on certificate map IKEV2-CERT-MAP, which is not shown in this post
crypto isakmp profile ISAKMP-PROFILE
   match certificate IKEV2-CERT-MAP

Configure the IPSec Transform-set

crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac
 mode tunnel

Configure the IPSec Profile

crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE
 ! Unused here, as on R9: the traffic is carried by a crypto map, not a tunnel interface

Configure ACL for Interesting Traffic

! Exact mirror of R9's CRYPTO-ACL
ip access-list extended CRYPTO-ACL
 permit ip host 40.0.2.1 host 40.0.1.1 log

Configure the Crypto Map

crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 30.1.1.2
 set transform-set TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE
 match address CRYPTO-ACL

Apply Crypto Map to External Facing Interface

interface GigabitEthernet1
 crypto map CRYPTO-MAP

Verify Site-to-Site IPsec VPN

Verify Reachability to R10 via VPN

The first echo of the first ping is lost: with a crypto map the SA is built on demand, so the packet that matches CRYPTO-ACL triggers the IKE negotiation and is dropped while it completes. The second ping runs over the established SA.

R9#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
R9#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Verify ISAKMP SA on R9

R9#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

43123 30.1.1.2        30.1.2.2               ACTIVE des  sha256 rsig 1  07:57:53
       Engine-id:Conn-id =  SW:1123

IPv6 Crypto ISAKMP SA

R9#show crypto isakmp peers
Peer: 30.1.2.2 Port: 500 Local: 30.1.1.2
 Phase1 id: R10.networkwizkid.com

In the SA table, Encr des and DH 1 are the defaults the policy inherited because only the hash was set. Auth rsig confirms the peers authenticated with RSA signatures over their certificates rather than a pre-shared key, and show crypto isakmp peers shows the Phase1 id taken from the peer's certificate (R10's FQDN).

Verify IPSec SA on R9

R9#show crypto ipsec sa

interface: GigabitEthernet1
    Crypto map tag: CRYPTO-MAP, local addr 30.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (40.0.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (40.0.2.1/255.255.255.255/0/0)
   current_peer 30.1.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.1.1.2, remote crypto endpt.: 30.1.2.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xA2F4612C(2733924652)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3ED1C05C(1053933660)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2805, flow_id: CSR:805, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607998/2272)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA2F4612C(2733924652)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2806, flow_id: CSR:806, sibling_flags FFFFFFFF80004048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607999/2272)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

PFS (Y/N): N in the output above means the IPsec keys are derived from the phase 1 secret alone; set pfs group14 on the crypto map (on both sides) gives each IPsec SA its own Diffie-Hellman exchange.

Verify Reachability to R9 via VPN

Note that the ping captured below is addressed to 40.0.2.1, which is R10's own loopback, so it is answered locally and does not exercise the tunnel. The test that mirrors the one on R9 is ping 40.0.1.1 source lo0.

R10#ping 40.0.2.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Verify ISAKMP SA on R10

R10#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

43121 30.1.2.2        30.1.1.2               ACTIVE des  sha256 rsig 1 23:33:20
       Engine-id:Conn-id =  SW:1121

IPv6 Crypto ISAKMP SA

R10#show crypto isakmp peers
Peer: 30.1.1.2 Port: 500 Local: 30.1.2.2
 Phase1 id: R9.networkwizkid.com

Verify IPSec SA on R10

R10#show crypto ipsec sa

interface: GigabitEthernet1
    Crypto map tag: CRYPTO-MAP, local addr 30.1.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (40.0.2.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (40.0.1.1/255.255.255.255/0/0)
   current_peer 30.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.1.2.2, remote crypto endpt.: 30.1.1.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x3ED1C05C(1053933660)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA2F4612C(2733924652)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2811, flow_id: CSR:811, sibling_flags FFFFFFFF80000048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607998/1935)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3ED1C05C(1053933660)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2812, flow_id: CSR:812, sibling_flags FFFFFFFF80000048, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4607999/1935)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and also creates technical content. Kelvin enjoys learning new things and often does this by working towards new technical certifications. He holds many professional certifications and, academically, has achieved a Bachelor's and a Master's degree in Computer Networks and Cyber Security.
