IOS Site-Site VPN Conf with RSA Signature Microsoft CA Server 2003

by | Aug 20, 2016 | Uncategorized | 0 comments


R1

interface fastEthernet 0/0
 ip address 192.168.101.1 255.255.255.0
 no shutdown
interface serial 0/0
 ip address 101.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1

ISP

interface serial 0/0
 ip address 101.1.1.1 255.255.255.0
 no shutdown
interface serial 0/1
 ip address 102.1.1.1 255.255.255.0
 no shutdown
interface fastEthernet 0/0
 ip address 192.168.105.1 255.255.255.0
 no shutdown

R2

interface fastEthernet 0/0
 ip address 192.168.102.1 255.255.255.0
 no shutdown
interface serial 0/0
 ip address 102.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1

R1

R1# ping 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1# ping 192.168.105.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/14/24 ms

R1# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/18/44 ms

R2

R2# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R2# ping 192.168.105.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/20 ms

R2# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/44 ms
ISP

ISP# clock set 15:43:45 18 jan 2016
ISP(config)# ntp master

R1(config)# ntp server 101.1.1.1
R2(config)# ntp server 101.1.1.1

R1# sh clock
15:44:39.428 UTC Mon Jan 18 2016
R2# sh clock
15:44:43.644 UTC Mon Jan 18 2016
R1

crypto ca trustpoint ttt
 enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
 revocation-check none
 exit

R1(config)# crypto ca authenticate ttt
Certificate has the following attributes:
Fingerprint MD5: C0952B98 E5B8A10A A233B5A6 48DEE923
Fingerprint SHA1: D6238A4D CFC01F9F C2B23404 5E30B345 A7668E19

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R1(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: 05287B6712D04F84
Jan 18 15:45:48.729: RSA key size needs to be atleast 768 bits for ssh version 2
Jan 18 15:45:48.741: %SSH-5-ENABLED: SSH 1.5 has been enabled
Jan 18 15:45:48.745: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password: 05287B6712D04F84

% The subject name in the certificate will include: R1.lab.local
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate ttt verbose' command will show the fingerprint.

R1(config)#
Jan 18 15:46:45.774: CRYPTO_PKI: Certificate Request Fingerprint MD5: 9183CBF5 AAF82FA0 3988E942 A484CBFF
Jan 18 15:46:45.782: CRYPTO_PKI: Certificate Request Fingerprint SHA1: F5C0FD62 DF75A859 E311818A AD8E1690 B54D6D6C
R1(config)#
Jan 18 15:46:48.098: %PKI-6-CERTRET: Certificate received from Certificate Authority

Obtain OTP from


R1# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x6108AC93000000000004
  Certificate Usage: General Purpose
  Issuer:
    cn=CA
  Subject:
    Name: R1.lab.local
    hostname=R1.lab.local
  CRL Distribution Points:
    http://ca/CertEnroll/CA.crl
  Validity Date:
    start date: 10:06:45 UTC Jan 18 2016
    end   date: 10:16:45 UTC Jan 18 2017
  Associated Trustpoints: ttt

CA Certificate
  Status: Available
  Certificate Serial Number: 0x7DF36B80B94A57814E744D2283267CA4
  Certificate Usage: Signature
  Issuer:
    cn=CA
  Subject:
    cn=CA
  CRL Distribution Points:
    http://ca/CertEnroll/CA.crl
  Validity Date:
    start date: 09:45:09 UTC Jan 18 2016
    end   date: 09:54:59 UTC Jan 18 2021
  Associated Trustpoints: ttt

R2

crypto ca trustpoint ttt
 enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
 revocation-check none
 exit

R2(config)# crypto ca authenticate ttt
Certificate has the following attributes:
Fingerprint MD5: C0952B98 E5B8A10A A233B5A6 48DEE923
Fingerprint SHA1: D6238A4D CFC01F9F C2B23404 5E30B345 A7668E19

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Jan 18 15:54:14.652: RSA key size needs to be atleast 768 bits for ssh version 2
Jan 18 15:54:14.660: %SSH-5-ENABLED: SSH 1.5 has been enabled
Jan 18 15:54:14.664: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:

% The subject name in the certificate will include: R2.lab.local
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate ttt verbose' command will show the fingerprint.

R2(config)#
Jan 18 15:54:36.721: CRYPTO_PKI: Certificate Request Fingerprint MD5: 9059692A 18DB2D9A 8E6BA1D0 E7C91B2D
Jan 18 15:54:36.729: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 532D69C7 3220722D B82FA9A0 1BC02403 8B78A018
R2(config)#
Jan 18 15:54:39.025: %PKI-6-CERTRET: Certificate received from Certificate Authority

R2# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x610FDC04000000000005
  Certificate Usage: General Purpose
  Issuer:
    cn=CA
  Subject:
    Name: R2.lab.local
    hostname=R2.lab.local
  CRL Distribution Points:
    http://ca/CertEnroll/CA.crl
  Validity Date:
    start date: 10:14:36 UTC Jan 18 2016
    end   date: 10:24:36 UTC Jan 18 2017
  Associated Trustpoints: ttt

CA Certificate
  Status: Available
  Certificate Serial Number: 0x7DF36B80B94A57814E744D2283267CA4
  Certificate Usage: Signature
  Issuer:
    cn=CA
  Subject:
    cn=CA
  CRL Distribution Points:
    http://ca/CertEnroll/CA.crl
  Validity Date:
    start date: 09:45:09 UTC Jan 18 2016
    end   date: 09:54:59 UTC Jan 18 2021
  Associated Trustpoints: ttt

R1

crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
 mode tunnel
 exit
crypto ipsec profile shiva
 set transform-set t-set
interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 tunnel source serial 0/0
 tunnel destination 102.1.1.100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile shiva

R2

crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
 mode tunnel
 exit
crypto ipsec profile shiva
 set transform-set t-set
interface tunnel 0
 ip address 192.168.1.2 255.255.255.0
 tunnel source serial 0/0
 tunnel destination 101.1.1.100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile shiva
R1

interface tunnel 0
 ip ospf 100 area 0
interface fastEthernet 0/0
 ip ospf 100 area 0

R2

interface tunnel 0
 ip ospf 100 area 0
interface fastEthernet 0/0
 ip ospf 100 area 0

R1# sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.102.1     0   FULL/  -        00:00:39    192.168.1.2     Tunnel0

R1# sh ip route ospf
O    192.168.102.0/24 [110/11121] via 192.168.1.2, 00:00:08, Tunnel0

R2# sh ip route ospf
O    192.168.101.0/24 [110/11121] via 192.168.1.1, 00:00:52, Tunnel0

R2# sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.101.1     0   FULL/  -        00:00:38    192.168.1.1     Tunnel0

R1

R1# ping 192.168.102.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 40/54/72 ms
R1# sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 102.1.1.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 119, #pkts encrypt: 119, #pkts digest: 119
    #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x3D1AA06C(1025155180)

     inbound esp sas:
      spi: 0xC5C37F5(207370229)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4479465/3459)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3D1AA06C(1025155180)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4479464/3458)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
101.1.1.100     102.1.1.100     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2

R2# ping 192.168.101.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.102.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 44/54/72 ms

R2# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
101.1.1.100     102.1.1.100     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2# sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 102.1.1.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 101.1.1.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
    #pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xC5C37F5(207370229)

     inbound esp sas:
      spi: 0x3D1AA06C(1025155180)
        transform: esp-aes esp-sha-hmac
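A post-build check worth running against this lab, added here as an example and not part of the original post: it parses the 'show crypto ca certificates' output to compute days to expiry against the router clock (the reason NTP was configured before enrolment), and audits the trustpoint and ISAKMP lines for revocation-check none, SHA-1, DH group 5, and the absence of a pre-generated RSA key (the enrolment log above shows IOS auto-generating a 512-bit pair). The sample inputs are constructed from the output and commands on this page; the WEAK pattern list and the 2048-bit threshold are the author's assumptions, not IOS settings.

```python
import re
from datetime import datetime
# Constructed sample built from the 'show crypto ca certificates' output for R1 on this page.
SHOW_CERTS = """\
Certificate
  Certificate Serial Number: 0x6108AC93000000000004
    end   date: 10:16:45 UTC Jan 18 2017
CA Certificate
  Certificate Serial Number: 0x7DF36B80B94A57814E744D2283267CA4
    end   date: 09:54:59 UTC Jan 18 2021
"""
# Constructed sample: the R1 trustpoint and ISAKMP commands as typed on this page.
R1_CONFIG = """\
crypto ca trustpoint ttt
 enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
 revocation-check none
crypto isakmp policy 1
 authentication rsa-sig
 hash sha
 group 5
"""
R1_CLOCK = datetime(2016, 1, 18, 15, 44, 39)  # R1 'sh clock' on this page, UTC
SERIAL_RE = re.compile(r"Certificate Serial Number:\s*(0x[0-9A-Fa-f]+)")
END_RE = re.compile(r"end\s+date:\s+(\d\d:\d\d:\d\d) UTC (\w{3} \d{1,2} \d{4})")
# On IOS 'hash sha' means SHA-1 and group 5 is 1536-bit MODP; group 14 (2048-bit) is the usual floor.
WEAK = [(re.compile(r"^\s*revocation-check none"), "revocation checking disabled"),
        (re.compile(r"^\s*hash sha$"), "ISAKMP hash is SHA-1"),
        (re.compile(r"^\s*group [125]$"), "DH group below 2048 bits")]

def cert_days_left(show_output, now):
    """Days from 'now' (router clock, UTC) to each certificate's end date, keyed by serial."""
    days, serial = {}, None
    for line in show_output.splitlines():
        if m := SERIAL_RE.search(line):
            serial = m.group(1)
        elif (m := END_RE.search(line)) and serial:
            end = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")
            days[serial] = (end - now).days
    return days

def audit_config(config_text, min_rsa_bits=2048):
    """Flag weak PKI/IKE lines; a missing 'crypto key generate rsa modulus N' is flagged
    because enrolling without one auto-generates a key (512-bit in the log on this page)."""
    findings = [f"line {n}: {msg}" for n, line in enumerate(config_text.splitlines(), 1)
                for pat, msg in WEAK if pat.search(line)]
    m = re.search(r"crypto key generate rsa.*modulus (\d+)", config_text)
    if m is None or int(m.group(1)) < min_rsa_bits:
        findings.append(f"no RSA key pair of at least {min_rsa_bits} bits generated before enrollment")
    return findings
```

Feed it the real 'show crypto ca certificates' text and the command transcript of a router; the expiry figure is only meaningful when the router clock is NTP-synchronised, as done on the ISP router above.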

I-Medita

I-Medita is an ISO 9001:2015 certified Professional Training Company. I-Medita is India's Most Trusted Networking Training Company. We help in providing industry oriented skill training to networking enthusiasts and professionals to kick-start their career in Networking domains. Our efforts are to keep momentum with the Industry technological demands and diversifying universe of knowledge.