Cisco IPSec stuff
ISAKMP associations using RSA keys
more detailed: http://packetlife.net/blog/2009/jan/14/isakmp-associations-using-rsa-keys/
R1(config)# crypto key generate rsa general-keys label R1 The name for the keys will be: R1 Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: <cr> % Generating 512 bit RSA keys, keys will be non-exportable...[OK]
h part-of-config-example
crypto key pubkey-chain rsa addressed-key 10.0.23.3 encryption address 10.0.23.3 key-string ! #################################################### ! # Replace this with the public key generated on R3 # ! #################################################### ! 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B6CAA3 400F6DA9 ! 1D1D6553 3A272A70 A713D69B CA790F74 7D067215 4E2DEDC8 4A59F8A6 F849C422 ! 8D7FCEBE 0D1E4D73 6541A85D 899D4208 EB176BB6 3125C290 63020301 0001 quit ! ! ! crypto isakmp policy 10 encr aes authentication rsa-encr ! ! crypto ipsec transform-set MyTransformSet ah-sha-hmac esp-aes ! crypto ipsec profile MyProfile set transform-set MyTransformSet ! ! ! ! ! ! interface Tunnel0 ip address 172.16.0.1 255.255.255.252 tunnel source 10.0.12.1 tunnel destination 10.0.23.3 tunnel protection ipsec profile MyProfile !
Cisco IOS VPN Configuration Scenario 1: Gateway-to-gateway with preshared secrets The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication. 10.5.6.0/24 172.23.9.0/24 | | --| |-- | +-----------+ /-^-^-^-^--\ +-----------+ | |-----| Gateway A |=====| Internet |=====| Gateway B |-----| | AL+-----------+AW \--v-v-v-v-/ BW+-----------+BL | --| 10.5.6.1 14.15.16.17 22.23.24.25 172.23.9.1 |-- | | Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17. Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A. The IKE Phase 1 parameters used in Scenario 1 are: * Main mode * TripleDES * SHA-1 * MODP group 2 (1024 bits) * pre-shared secret of "hr5xb84l6aa9r6" * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying The IKE Phase 2 parameters used in Scenario 1 are: * TripleDES * SHA-1 * ESP tunnel mode * MODP group 2 (1024 bits) * Perfect forward secrecy for rekeying * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying * Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets To set up Gateway A for this scenario, use the following steps: Cisco IOS includes IPSec support, beginning with early versions of IOS Version 12; however the commands have changed during the evolution of IOS Version 12 point releases. The following example uses the current release version, Cisco IOS Version 12.2(8)T4. This example uses a Cisco 1700 series router, which has one ethernet port and one serial port. The ethernet port, FastEthernet0, will be the outside, or Internet-facing interface. The serial port, Serial0, will be the inside interface. (This is just an example. Your interfaces may be different.) All configuration changes are volatile, and immediate, until the "write" command is executed, when the configuration is saved to flash and will be reloaded after a reboot. At any time, you may examine the running configuration with the command "show running-configuration", or view the saved configuration with the command "show config". Most commands can be abbreviated. Use a ? at the prompt or in a command to see options. Configure IP on the interfaces: Router# config term Enter configuration commands, one per line. End with CNTL/Z. Router(config)# int fa0 Router(config-if)# ip address 14.15.16.17 255.255.255.0 Router(config-if)# speed auto Router(config-if)# ^Z Router# config term Enter configuration commands, one per line. End with CNTL/Z. Router(config)# int ser0 Router(config-if)# ip address 10.5.6.1 255.255.255.0 Router(config-if)# no shutdown Router(config-if)# ^Z Router# Define the default route: Router# config term Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1 Router(config)# exit Cisco supports only one IKE policy per router, so you must design one which is acceptable to all systems you are going to interoperate with. Assign it an ordering number of 5. If you wanted to have more than one proposal in the policy, the proposals would be given in order defined by this policy order number. Configure the IKE Policy: Router# config term Router(config)# crypto isakmp policy 5 Router(config-isakmp)# encryption 3des Router(config-isakmp)# group 2 Router(config-isakmp)# hash sha Router(config-isakmp)# lifetime 28800 Router(config-isakmp)# authentication pre-share Router(config-isakmp)# exit Since multiple peers will share the same IKE policy, you must match each peer with its pre-shared secret: Router# config term Router(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25 Router(config-isakmp)# exit The IPSEC transform will be combined later with the rest of the IPSEC policy in a crypto map command. In this command, "STRONG" is just a label. Labels are CASE-SENSITIVE. Define the IPSEC transform: Router# config term Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac Router(config-isakmp)# exit Cisco IOS uses access lists for SPD entries. Many features of access lists (.e.g. TCP flag checking) don't work in IPSEC. This kind of access list MUST be labelled with a 3-digit number. The netmask in Cisco access lists are inverted. Nobody knows why, they just are. This list says "all traffic from 10.5.6.0/24 to 172.23.9.0/24, all ports, all IP protocols". Create the IPSEC access list: Router# config term Enter configuration commands, one per line. End with CNTL/Z. Router(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255 Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1 Router(config)# exit Because IOS is a router first and an IPSEC gateway second, we have to tell IOS which interface to send packets on if the default route is not enough. In this scenario we don't need it, but in other situations you might need to define a route for the remote protected network: Router# config term Enter configuration commands, one per line. End with CNTL/Z. Router(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.17 Router(config)# exit A crypto map binds all the assorted crypto parameters with a specific remote gateway. Several crypto maps bound to different remote gateways can be grouped together in one crypto map SET which is then bound to an outgoing interface. The number following the crypto map set name is the ordering of the map in the set. Bind the policy together with a crypto map, and give it the label CISCO: Router# config term Router(config)# crypto map CISCO 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router(config-crypto-map)# set security-association life seconds 3600 Router(config-crypto-map)# set transform-set STRONG Router(config-crypto-map)# set pfs group2 Router(config-crypto-map)# set peer 22.23.24.25 Router(config-crypto-map)# match address 101 Router(config-crypto-map)# exit Because Ciscos could have many interfaces, you have to bind the SPD to the outgoing interface: Router# config term Router(config)# interface fa0 Router(config-if)# crypto map CISCO Router(config-if)# ^Z If you had multiple tunnels to multiple gateways, you would need to create a different access list for each tunnel, add an isakmp key entry for each gateway, and possibly create a different ipsec transform if your security policy is different. For example, let's say you have another remote peer at 23.23.24.25, for which you have created access-list 102. You could then add a crypto map to the set created above: Router# config term Router(config)# crypto map CISCO 20 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router(config-crypto-map)# set security-association life seconds 3600 Router(config-crypto-map)# set transform-set STRONG Router(config-crypto-map)# set pfs group2 Router(config-crypto-map)# set peer 23.23.24.25 Router(config-crypto-map)# match address 102 Router(config-crypto-map)# exit Now the outgoing interface FastEthernet0 has both crypto maps, and it will compare traffic to each map in order to determine if the traffic requires encryption. Save the configuration: Router# write Building configuration... [OK] Here is the completed IPSEC part of the Cisco configuration: Router# show config ! crypto isakmp policy 5 encr 3des authentication pre-share group 2 lifetime 28800 crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25 ! crypto ipsec transform-set strong esp-3des esp-sha-hmac ! crypto map CISCO 101 ipsec-isakmp set peer 22.23.24.25 set transform-set STRONG set pfs group2 match address 101 ! interface FastEthernet0 ip address 14.15.16.17 255.255.255.0 speed auto crypto map CISCO ! interface Serial0 ip address 10.5.6.1 255.255.255.0 ! access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255 ! Now, bring up a tunnel! The IOS ping command extensions will allow you to select the source interface, and hence IP address, of the ping: Router# ping Protocol [ip]: Target IP address: 172.23.9.10 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: serial0 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.23.9.10, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) Hmmmm ... what could be wrong? Let's check some basics: Router# show ip int brief Interface IP-Address OK? Method Status Protocol FastEthernet0 14.15.16.17 YES manual up up Serial0 10.5.6.1 YES manual down down Ah, the serial interface is down. I have to actually connect it up to something to bring the interface up. Now, the ping works and brings up the SAs. Show the SAs with these commands: Router# show crypto isakmp sa dst src state conn-id slot 14.15.16.17 22.23.24.25 QM_IDLE 1 0 Router# show crypto ipsec sa interface: FastEthernet0 Crypto map tag: CISCO, local addr. 14.15.16.17 local ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0) current_peer: 22.23.24.25 PERMIT, flags={origin_is_acl,} # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12 # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23 # pkts compressed: 0, # pkts decompressed: 0 # pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0 # send errors 0, # recv errors 0 local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25 path mtu 1500, media mtu 1500 current outbound spi: 3C39A800 inbound esp sas: spi: 0xD7228E4B(3609366091) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO sa timing: remaining key lifetime (k/sec): (4607999/3574) IV size: 8 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x3C39A800(1010411520) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO sa timing: remaining key lifetime (k/sec): (4607999/3574) IV size: 8 bytes replay detection support: Y outbound ah sas: outbound pcp sas: The easiest way to clear SAs from a Cisco IOS system varies with version, but one of these two will generally work: RouterRouter# clear crypto isakmp RouterRouter# clear crypto sa To enable debugging in IOS, you must turn on the debug as well as turn on the debug monitor, which is normally the terminal you are logged in on: Router# debug crypto verbose Router# debug crypto isakmp Router# term monitor To disable debugging: Router# nodebug all Router# term no monitor