How to Configure IOS Site to Site VPN with RSA Signature IOS CA

R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
ISP
interface s0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int s0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
R1
R1# ping 192.168.101.1
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1# ping 102.1.1.100
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/72 ms
R2
R2# ping 192.168.102.1
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R2#ping 101.1.1.100
#Type escape sequence to abort.
#Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 1/21/60 ms
ISP
ISP# clock set 14:35:00 18 jan 2016
ISP(config)# ntp master
ISP(config)# crypto key generate rsa general-keys exportable label shiva
#The name for the keys will be: shiva
#Choose the size of the key modulus in the range of 360 to 2048 for your
#General Purpose Keys. Choosing a key modulus greater than 512 may take
#a few minutes.
#How many bits in the modulus [512]: 1024
#% Generating 1024 bit RSA keys, keys will be exportable...[OK]
ISP(config)# Jan 18 14:35:34.839: %SSH-5-ENABLED: SSH 1.99 has been enabled
ISP(config)# crypto key export rsa shiva pem url nvram: 3des cisco1234
#% Key name: shiva
#Usage: General Purpose Key
#Exporting public key...
#Destination filename [shiva.pub]?
#Writing file to nvram:shiva.pub
#Exporting private key...
#Destination filename [shiva.prv]?
#Writing file to nvram:shiva.prv
ISP(config)# ip http server
ISP(config)# crypto pki server trainonic
ISP(cs-server)# database level minimum
ISP(cs-server)# database url nvram:
#% Server database url was changed. You need to move the
#% existing database to the new location.
ISP(cs-server)# issuer-name cn=trainonic.tranonic.com l=pune c=in
ISP(cs-server)# lifetime certificate 365
ISP(cs-server)# grant auto
ISP(cs-server)# no shutdown
#Jan 18 14:37:43.371: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
ISP(cs-server)#no shutdown
#%Some server settings cannot be changed after CA certificate generation.
#% Please enter a passphrase to protect the private key
#% or type Return to exit
#Password: 999999999
#Re-enter password: 999999999
#% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
#% Exporting Certificate Server signing certificate and keys...
#% Certificate Server enabled.
#ISP(cs-server)# Jan 18 14:37:55.311: %PKI-6-CS_ENABLED: Certificate server now enabled.
ISP# sh crypto pki server
#Certificate Server trainonic:
#Status: enabled
#State: enabled
#Server's configuration is locked (enter "shut" to unlock it)
#Issuer name: cn=trainonic.tranonic.com l=pune c=in
#CA cert fingerprint: AF6739AB E9C0F8F7 025FC2F3 27E482F5
#Granting mode is: auto
#Last certificate issued serial number: 0x1
#CA certificate expiration timer: 14:37:54 UTC Jan 17 2019
#CRL NextUpdate timer: 20:37:55 UTC Jan 18 2016
#Current primary storage dir: nvram:
#Database Level: Minimum - no cert data written to storage
R1
R1(config)# ntp server 101.1.1.1
R2
R2(config)#ntp server 101.1.1.1
R1
R1(config)# crypto ca trustpoint ttt
R1(ca-trustpoint)# enrollment url http://101.1.1.1
R1(ca-trustpoint)# exit
R1(config)# crypto ca authenticate ttt
#Certificate has the following attributes:
#Fingerprint MD5: AF6739AB E9C0F8F7 025FC2F3 27E482F5
#Fingerprint SHA1: 3284C01C 16F29DE9 46168C1F D9B77DCA 100AC899
#% Do you accept this certificate? [yes/no]: yes
#Trustpoint CA certificate accepted.
R1(config)# crypto ca enroll ttt
#%
#% Start certificate enrollment ..
#% Create a challenge password. You will need to verbally provide this
#password to the CA Administrator in order to revoke your certificate.
#For security reasons your password will not be saved in the configuration.
#Please make a note of it.
#Password: Jan 18 14:40:41.754: RSA key size needs to be atleast 768 bits for ssh version 2
#Jan 18 14:40:41.762: %SSH-5-ENABLED: SSH 1.5 has been enabled
#Re-enter password: Jan 18 14:40:41.766: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
#% The subject name in the certificate will include: R1.lab.local
#% Include the router serial number in the subject name? [yes/no]: no
#% Include an IP address in the subject name? [no]: no
#Request certificate from CA? [yes/no]: yes
#% Certificate request sent to Certificate Authority
#% The 'show crypto ca certificate ttt verbose' commandwill show the fingerprint.
#R1(config)#
#Jan 18 14:40:47.434: CRYPTO_PKI: Certificate Request Fingerprint MD5: F5481D75 64EE2063 D74E65CB 9BBB71D0
#Jan 18 14:40:47.434: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 5CFCE3C9 A7465BC2 8F564692 8409365D 8F1F30B6
#R1(config)#
#Jan 18 14:40:48.994: %PKI-6-CERTRET: Certificate received from Certificate Authority
R2
R2(config)# crypto ca trustpoint ttt
R2(ca-trustpoint)# enrollment url http://101.1.1.1
R2(ca-trustpoint)# exit
R2(config)# crypto ca authenticate ttt
#Certificate has the following attributes:
#Fingerprint MD5: AF6739AB E9C0F8F7 025FC2F3 27E482F5
#Fingerprint SHA1: 3284C01C 16F29DE9 46168C1F D9B77DCA 100AC899
#% Do you accept this certificate? [yes/no]: yes
#Trustpoint CA certificate accepted.
R2(config)# crypto ca enroll ttt
#%
#% Start certificate enrollment ..
#% Create a challenge password. You will need to verbally provide this
#password to the CA Administrator in order to revoke your certificate.
#For security reasons your password will not be saved in the configuration.
#Please make a note of it.
#Password: Jan 18 14:50:58.472: RSA key size needs to be atleast 768 bits for ssh version 2
#Jan 18 14:50:58.484: %SSH-5-ENABLED: SSH 1.5 has been enabled
#Re-enter password: % The subject name in the certificate will include: R2.lab.local
#% Include the router serial number in the subject name? [yes/no]:
#Jan 18 14:50:58.484: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
#% Include an IP address in the subject name? [no]: n
#Request certificate from CA? [yes/no]: yes
#% Certificate request sent to Certificate Authority
#% The 'show crypto ca certificate ttt verbose' commandwill show the fingerprint.
#R2(config)# Jan 18 14:51:02.371: CRYPTO_PKI: Certificate Request Fingerprint MD5: 9FF644E8 5D68CC49 B63885CA FD1050F7
#Jan 18 14:51:02.371: CRYPTO_PKI: Certificate Request Fingerprint SHA1: A9F73C2F 674E6BF0 950AD55B 563AD24F 62513774
#R2(config)# Jan 18 14:51:04.975: %PKI-6-CERTRET: Certificate received from Certificate Authority
R1
R1#sh crypto ca certificates
#Certificate
#Status: Available
#Certificate Serial Number: 0x2
#Certificate Usage: General Purpose
#Issuer:
#cn=trainonic.tranonic.com l\=pune c\=in
#Subject:
#Name: R1.lab.local
#hostname=R1.lab.local
#Validity Date:
#start date: 14:40:48 UTC Jan 18 2016
#end date: 14:40:48 UTC Jan 17 2017
#Associated Trustpoints: ttt
#CA Certificate
#Status: Available
#Certificate Serial Number: 0x1
#Certificate Usage: Signature
#Issuer:
#cn=trainonic.tranonic.com l\=pune c\=in
#Subject:
#cn=trainonic.tranonic.com l\=pune c\=in
#Validity Date:
#start date: 14:37:54 UTC Jan 18 2016
#end date: 14:37:54 UTC Jan 17 2019
#Associated Trustpoints: ttt
R2
R2#sh crypto ca certificates
#Certificate
#Status: Available
#Certificate Serial Number: 0x3
#Certificate Usage: General Purpose
#Issuer:
#cn=trainonic.tranonic.com l\=pune c\=in
#Subject:
#Name: R2.lab.local
#hostname=R2.lab.local
#Validity Date:
#start date: 14:51:04 UTC Jan 18 2016
#end date: 14:51:04 UTC Jan 17 2017
#Associated Trustpoints: ttt
#CA Certificate
#Status: Available
#Certificate Serial Number: 0x1
#Certificate Usage: Signature
#Issuer:
#cn=trainonic.tranonic.com l\=pune c\=in
#Subject:
#cn=trainonic.tranonic.com l\=pune c\=in
#Validity Date:
#start date: 14:37:54 UTC Jan 18 2016
#end date: 14:37:54 UTC Jan 17 2019
#Associated Trustpoints: ttt
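The 'crypto ca authenticate' step is the trust anchor for the whole VPN: the fingerprint offered to R1 and R2 must equal the one the CA reported in 'sh crypto pki server', checked out of band before answering yes. The following Python is added here and is not part of the original lab: it parses those outputs (the sample strings are copied from the lab output above), compares the MD5 fingerprints, and flags certificates from 'sh crypto ca certificates' that are expired or inside a renewal window; the function names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inputs, copied from the lab output on this page.
CA_SERVER_OUTPUT = """Certificate Server trainonic:
CA cert fingerprint: AF6739AB E9C0F8F7 025FC2F3 27E482F5
Granting mode is: auto"""
R1_AUTHENTICATE_OUTPUT = """Certificate has the following attributes:
Fingerprint MD5: AF6739AB E9C0F8F7 025FC2F3 27E482F5
Fingerprint SHA1: 3284C01C 16F29DE9 46168C1F D9B77DCA 100AC899
% Do you accept this certificate? [yes/no]:"""
R1_CERTS_OUTPUT = """Certificate
Certificate Serial Number: 0x2
start date: 14:40:48 UTC Jan 18 2016
end date: 14:40:48 UTC Jan 17 2017
CA Certificate
Certificate Serial Number: 0x1
start date: 14:37:54 UTC Jan 18 2016
end date: 14:37:54 UTC Jan 17 2019"""

FP_RE = r"([0-9A-Fa-f]{8}(?:\s+[0-9A-Fa-f]{8})+)"  # IOS prints fingerprints as 8-hex-digit groups
DATE_FMT = "%H:%M:%S UTC %b %d %Y"                  # IOS certificate validity date format

def _norm(fp): return re.sub(r"\s+", "", fp).upper()
def parse_ios_date(text): return datetime.strptime(text.strip(), DATE_FMT)

def ca_fingerprint(server_output):
    """MD5 fingerprint the CA itself reports: the out-of-band reference value."""
    return _norm(re.search(r"CA cert fingerprint:\s*" + FP_RE, server_output).group(1))

def offered_fingerprint(authenticate_output):
    """MD5 fingerprint the router is asked to accept at 'crypto ca authenticate'."""
    return _norm(re.search(r"Fingerprint MD5:\s*" + FP_RE, authenticate_output).group(1))

def fingerprints_match(server_output, authenticate_output):
    """Answer 'yes' to the authenticate prompt only when this returns True."""
    return ca_fingerprint(server_output) == offered_fingerprint(authenticate_output)

def cert_validity(certs_output):
    """Parse 'show crypto ca certificates' into (serial, start, end) tuples."""
    pat = re.compile(r"Serial Number:\s*(0x[0-9A-Fa-f]+).*?start date:\s*(.+?)\n"
                     r".*?end date:\s*(.+?)(?:\n|$)", re.S)
    return [(s, parse_ios_date(a), parse_ios_date(b)) for s, a, b in pat.findall(certs_output)]

def needs_renewal(certs_output, now, warn_days=30):
    """Serials that are expired, not yet valid, or expire within warn_days of now."""
    horizon = now + timedelta(days=warn_days)
    return [s for s, start, end in cert_validity(certs_output) if now < start or end <= horizon]
```

The lab's CA only prints an MD5 fingerprint, so that is what is compared here; where both are shown, compare the SHA1 as well.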
R1
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile shiva
set transform-set t-set
int t0
ip add 192.168.1.1 255.255.255.0
tunnel source serial 0/0
tunnel destination 102.1.1.100
tunnel mode ipsec ipv4
tunnel protection ipsec profile shiva
R2
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile shiva
set transform-set t-set
int t0
ip add 192.168.1.2 255.255.255.0
tunnel source s0/0
tunnel destination 101.1.1.100
tunnel mode ipsec ipv4
tunnel protection ipsec profile shiva
R1
R1(config)#router eigrp 100
R1(config-router)#no auto
R1(config-router)#network 192.168.0.0 0.0.255.255
R2
R2(config-if)#router eigrp 100
R2(config-router)# no auto
R2(config-router)# network 192.168.0.0 0.0.255.255
R2#sh ip eigrp neighbors
#IP-EIGRP neighbors for process 100
#H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
#                                            (sec)         (ms)       Cnt Num
#0   192.168.1.1             Tu0               10 00:00:37   89  5000  0  3
R2#sh ip route eigrp
#D 192.168.101.0/24 [90/297270016] via 192.168.1.1, 00:00:38, Tunnel0
R1
R1#sh ip eigrp neighbors
#IP-EIGRP neighbors for process 100
#H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
#                                            (sec)         (ms)       Cnt Num
#0   192.168.1.2             Tu0               12 00:00:54   73  5000  0  3
R1#sh ip ro
R1#sh ip route e
R1#sh ip route eigrp
#D 192.168.102.0/24 [90/297270016] via 192.168.1.2, 00:00:56, Tunnel0
R1
R1#ping 192.168.102.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.101.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100), round-trip min/avg/max = 28/52/92 ms
R1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100
#protected vrf: (none)
#local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#current_peer 102.1.1.100 port 500
#PERMIT, flags={origin_is_acl,}
#pkts encaps: 127, #pkts encrypt: 127, #pkts digest: 127
#pkts decaps: 123, #pkts decrypt: 123, #pkts verify: 123
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xCAF5E37A(3405112186)
inbound esp sas:
spi: 0x44AE3E07(1152269831)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4570691/3464)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCAF5E37A(3405112186)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4570691/3462)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
101.1.1.100     102.1.1.100     QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
R2
R2# ping 192.168.101.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.102.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100), round-trip min/avg/max = 24/50/76 ms
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
101.1.1.100     102.1.1.100     QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
R2#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 102.1.1.100
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 101.1.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 239, #pkts encrypt: 239, #pkts digest: 239
#pkts decaps: 244, #pkts decrypt: 244, #pkts verify: 244
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x44AE3E07(1152269831)
inbound esp sas:
spi: 0xCAF5E37A(3405112186)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4521958/3388)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x44AE3E07(1152269831)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4521958/3386)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
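After the ping test, 'sh crypto ipsec sa' on the two routers should agree: R1's inbound SPI is R2's outbound SPI and vice versa, both ends use the configured esp-aes esp-sha-hmac transform, and the encaps/decaps counters grow with zero errors. This Python is an added example, not anything from the original lab: it parses the relevant lines of both outputs (the samples are copied from the output above) and reports any mismatch; the function names are my own.

```python
import re

# Constructed samples: the relevant 'show crypto ipsec sa' lines from R1 and R2 above.
R1_IPSEC_SA = """current_peer 102.1.1.100 port 500
#pkts encaps: 127, #pkts encrypt: 127, #pkts digest: 127
#pkts decaps: 123, #pkts decrypt: 123, #pkts verify: 123
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x44AE3E07(1152269831)
transform: esp-aes esp-sha-hmac ,
outbound esp sas:
spi: 0xCAF5E37A(3405112186)
transform: esp-aes esp-sha-hmac ,"""
R2_IPSEC_SA = """current_peer 101.1.1.100 port 500
#pkts encaps: 239, #pkts encrypt: 239, #pkts digest: 239
#pkts decaps: 244, #pkts decrypt: 244, #pkts verify: 244
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0xCAF5E37A(3405112186)
transform: esp-aes esp-sha-hmac ,
outbound esp sas:
spi: 0x44AE3E07(1152269831)
transform: esp-aes esp-sha-hmac ,"""

SA_RE = r" esp sas:\s*spi: (0x[0-9A-Fa-f]+).*?transform: ([^,]+),"  # one ESP SA block
def parse_ipsec_sa(text):
    """Fields of one router's 'show crypto ipsec sa' that a health check needs."""
    sa = {}
    for direction in ("inbound", "outbound"):
        spi, transform = re.search(direction + SA_RE, text, re.S).groups()
        sa[direction] = {"spi": spi, "transform": transform.strip()}
    sa["encaps"] = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    sa["decaps"] = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    sa["errors"] = sum(int(v) for v in re.findall(r"#(?:send|recv) errors (\d+)", text))
    return sa

def tunnel_problems(local_text, peer_text, transform="esp-aes esp-sha-hmac"):
    """Cross-check both ends: mirrored SPIs, the configured transform, traffic, no errors."""
    a, b = parse_ipsec_sa(local_text), parse_ipsec_sa(peer_text)
    problems = []
    if (a["inbound"]["spi"], a["outbound"]["spi"]) != (b["outbound"]["spi"], b["inbound"]["spi"]):
        problems.append("SPIs are not mirrored between the two ends")
    for name, side in (("local", a), ("peer", b)):
        for d in ("inbound", "outbound"):
            if side[d]["transform"] != transform:
                problems.append(f"{name} {d} SA negotiated {side[d]['transform']}, not {transform}")
        if side["errors"] or not (side["encaps"] and side["decaps"]):
            problems.append(f"{name} end shows errors or no traffic in one direction")
    return problems
```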
Great notes. Only need to read it carefully.
Thanks a lot for this, I spent 3 days trying to find a config that works.