Site-to-Site FlexVPN Lab 2: static tunnel + RSA key within PKI

Lab Introduction

This is the second lab in my site-to-site FlexVPN series. Unlike Lab 1, which authenticated the peers with a pre-shared key (ref. Site-to-Site FlexVPN Lab 1: static tunnel + pre-shared key), Lab 2 introduces RSA certificate authentication backed by a lab PKI (combined with a PSK on the spoke side, see Step 5 below).

The lab topology is shown below. Only HUB1 and SPOKE1 are used in this lab; HUB2 is not required.

HUB1 functions as the certificate authority (CA). SPOKE1 requests its certificate from HUB1 over the 200.1.13.0/24 link.

Both routers point to an external NTP server. Time synchronisation matters in this lab: a certificate is only valid between its start and expiry dates, so a router whose clock is wrong will reject a freshly issued certificate (its own or the peer's) and IKEv2 authentication will fail.

[Figure: FlexVPN_site (lab topology)]

RSA PKI

Here is a quick refresher on RSA and PKI:

Certificate Authority (CA): In a PKI, the CA responds to device certificate requests and issues certificates accordingly. It provides a centralised trust mechanism: a certificate issued by the CA is trusted by any device that trusts the CA's certificate. The CA must first create its own self-signed CA certificate before it can accept device enrolment requests. In the lab, you will notice that HUB1 (the CA) automatically generates a self-signed certificate when it is configured as a CA.

RSA: An RSA key pair consists of a public key and a private key. The public key is included in the certificate enrolment request, and the issued certificate binds that public key to the device's identity. In the lab, there is a step where each router authenticates the CA and you confirm the fingerprint of the CA certificate (and therefore of the CA's public key) before trusting it. During IKEv2 authentication each FlexVPN peer signs the AUTH payload with its own private key; the other peer verifies the signature with the public key taken from the presented certificate, after checking that the certificate chains to the trusted CA. The RSA keys only authenticate the peers; the keys that encrypt tunnel traffic come from the IKEv2 Diffie-Hellman exchange.


Interface Configuration

CSR-HUB1

g3: 200.1.13.1/24
Tunnel0: 10.1.13.1/24
MGMT: 192.168.1.91/24

CSR-SPOKE1

g3: 200.1.13.3/24
Tunnel0: 10.1.13.3/24
MGMT: 192.168.1.93/24

CSR-HUB1 Configuration

Step 1 – Configure CA server

Step 2 – Configure trustpoint

Step 3 – Authenticate CA

Step 4 – Send certificate enrollment request to CA

HUB1 should hold two certificates by now: the self-signed CA certificate created in Step 1, and its own router certificate issued by that CA in Step 4:

Step 5 – Configure PSK on HUB1

# We use mixed authentication in this lab. HUB1 proves its own identity with its RSA certificate (authentication local rsa-sig) and expects SPOKE1 to present a pre-shared key; SPOKE1 proves its own identity with the PSK (authentication local pre-share) and verifies HUB1's certificate against the CA. Note that in IKEv2 both peers authenticate in every exchange regardless of which side initiates the tunnel.

Step 6 – Configure IKEv2 profile on HUB1

Step 7 – Bind the IKEv2 profile to the IPsec profile, so that any tunnel interface protected by this IPsec profile negotiates IKEv2 with the designated profile

Step 8 – Apply the IPsec profile to the tunnel interface so that tunnel traffic is encrypted
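The eight HUB1 steps above, written out as one complete configuration. This is an added example, not the configuration from the original post. The addresses come from the interface table; everything else is my assumption: the names (LAB-CA-SERVER, LAB-CA, LAB-KEYRING, LAB-PROPOSAL, LAB-POLICY, LAB-IKEV2, LAB-TS, LAB-IPSEC), 2048-bit keys, the AES-256 / SHA-256 / DH group 14 suite, the PSK value, IP-address IKEv2 identities on both sides, and the placeholder NTP address. Lines starting with `!` are IOS comments.

```cisco
! ---- CSR-HUB1 (added example, assumed names and values) ----
! NTP first: certificate validity is checked against the router clock.
! 192.0.2.123 is a placeholder; the lab does not give the real NTP address.
ntp server 192.0.2.123
!
! Step 1 - CA server. Its trustpoint uses the same name; the self-signed
! CA certificate is generated when the server is brought up.
crypto key generate rsa label LAB-CA-KEY modulus 2048 exportable
ip http server
crypto pki trustpoint LAB-CA-SERVER
 rsakeypair LAB-CA-KEY
crypto pki server LAB-CA-SERVER
 issuer-name CN=LAB-CA-SERVER,O=LAB
 hash sha256
 lifetime ca-certificate 3650
 lifetime certificate 365
 database level complete
 grant auto
 no shutdown
! "no shutdown" prompts for a passphrase that protects the CA private key.
! "grant auto" issues a certificate to anyone who can reach the SCEP URL:
! acceptable in this lab, not outside it (use manual granting or a one-time
! password in production).
!
! Step 2 - a second trustpoint for HUB1's own router certificate, enrolling
! over SCEP against the CA running on this same router.
crypto key generate rsa label HUB1-KEY modulus 2048
crypto pki trustpoint LAB-CA
 enrollment url http://200.1.13.1:80
 subject-name CN=HUB1,O=LAB
 revocation-check none
 rsakeypair HUB1-KEY
 hash sha256
! revocation-check none is a lab shortcut: no CRL or OCSP responder exists
! in this topology, so revocation is never checked.
!
! Step 3 - fetch the CA certificate; compare the fingerprint it prints with
! the one shown by "show crypto pki server" before answering yes.
crypto pki authenticate LAB-CA
!
! Step 4 - request HUB1's router certificate (granted at once by grant auto).
crypto pki enroll LAB-CA
!
! Step 5 - PSK that SPOKE1 will present to HUB1.
crypto ikev2 keyring LAB-KEYRING
 peer SPOKE1
  address 200.1.13.3
  pre-shared-key LAB-PSK-CHANGE-ME
!
! Step 6 - IKEv2 proposal/policy and the mixed-authentication profile:
! HUB1 signs with its certificate, SPOKE1 is expected to use the PSK.
crypto ikev2 proposal LAB-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy LAB-POLICY
 proposal LAB-PROPOSAL
crypto ikev2 profile LAB-IKEV2
 match identity remote address 200.1.13.3 255.255.255.255
 identity local address 200.1.13.1
 authentication local rsa-sig
 authentication remote pre-share
 keyring local LAB-KEYRING
 pki trustpoint LAB-CA
!
! Step 7 - bind the IKEv2 profile to the IPsec profile.
crypto ipsec transform-set LAB-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile LAB-IPSEC
 set transform-set LAB-TS
 set ikev2-profile LAB-IKEV2
!
! Step 8 - protect the static tunnel with the IPsec profile.
interface Tunnel0
 ip address 10.1.13.1 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 200.1.13.3
 tunnel protection ipsec profile LAB-IPSEC
```

Two design choices worth noting. The CA server's own trustpoint cannot be used to enrol the router, which is why HUB1 carries a second trustpoint (LAB-CA) that enrols against its own HTTP/SCEP endpoint. Both sides use IP-address IKEv2 identities here so that `match identity remote address` works with a certificate-authenticated peer; if you switch HUB1 to `identity local dn`, SPOKE1 must instead match on a certificate map.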

CSR-SPOKE1 Configuration

Step 1 – Configure trustpoint

Step 2 – Authenticate CA

Step 3 – Send certificate enrollment request to CA

Step 4 – Configure PSK

Please refer to HUB1 and configure correspondingly.

Step 5 – Configure IKEv2 profile

Step 6 – Bind the IKEv2 profile to the IPsec profile, so that any tunnel interface protected by this IPsec profile negotiates IKEv2 with the designated profile

Please refer to HUB1 and configure correspondingly.

Step 7 – Apply the IPsec profile to the tunnel interface so that tunnel traffic is encrypted

Please refer to HUB1 and configure correspondingly.
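The SPOKE1 side, written out in full as an added example (not the original post's configuration), since the page only says "configure correspondingly". It is the mirror image of the hub: same assumed names (LAB-CA, LAB-KEYRING, LAB-PROPOSAL, LAB-POLICY, LAB-IKEV2, LAB-TS, LAB-IPSEC), same assumed suite and PSK value, addresses from the interface table, and the NTP address is a placeholder. The authentication methods are swapped: SPOKE1 authenticates itself with the PSK and verifies HUB1's certificate.

```cisco
! ---- CSR-SPOKE1 (added example, assumed names and values) ----
! Placeholder NTP server; the lab does not give the real address.
ntp server 192.0.2.123
!
! Step 1 - trustpoint pointing at the CA on HUB1 (SCEP over HTTP).
crypto key generate rsa label SPOKE1-KEY modulus 2048
crypto pki trustpoint LAB-CA
 enrollment url http://200.1.13.1:80
 subject-name CN=SPOKE1,O=LAB
 revocation-check none
 rsakeypair SPOKE1-KEY
 hash sha256
!
! Step 2 - fetch and authenticate the CA certificate. Confirm the fingerprint
! out of band ("show crypto pki server" on HUB1): this is the one moment where
! trust in the whole PKI is decided, and a spoofed CA would pass silently.
crypto pki authenticate LAB-CA
!
! Step 3 - request SPOKE1's own certificate. With the mixed authentication
! below IKEv2 does not use it (only the CA certificate is needed to verify
! HUB1), but it is in place if the profile is later changed to rsa-sig.
crypto pki enroll LAB-CA
!
! Step 4 - PSK for HUB1; the same string as on the hub.
crypto ikev2 keyring LAB-KEYRING
 peer HUB1
  address 200.1.13.1
  pre-shared-key LAB-PSK-CHANGE-ME
!
! Step 5 - IKEv2 profile: SPOKE1 uses the PSK, HUB1 must present a certificate
! that chains to the CA in trustpoint LAB-CA.
crypto ikev2 proposal LAB-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy LAB-POLICY
 proposal LAB-PROPOSAL
crypto ikev2 profile LAB-IKEV2
 match identity remote address 200.1.13.1 255.255.255.255
 identity local address 200.1.13.3
 authentication local pre-share
 authentication remote rsa-sig
 keyring local LAB-KEYRING
 pki trustpoint LAB-CA
!
! Step 6 - bind the IKEv2 profile to the IPsec profile.
crypto ipsec transform-set LAB-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile LAB-IPSEC
 set transform-set LAB-TS
 set ikev2-profile LAB-IKEV2
!
! Step 7 - protect the static tunnel towards HUB1.
interface Tunnel0
 ip address 10.1.13.3 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 200.1.13.1
 tunnel protection ipsec profile LAB-IPSEC
```

If SPOKE1's clock is behind HUB1's, the spoke will report the hub certificate as not yet valid and the IKEv2 SA will fail at the AUTH exchange; fix NTP before touching the crypto configuration.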

Verification
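The verification commands I would run on both routers, as an added example (not output from the original post); the trustpoint name LAB-CA and the tunnel addresses are assumptions, the commands are standard IOS-XE. Comments state what to look for rather than quoting output.

```cisco
! ---- Verification (added example) ----
! 1. Time: both routers must be synchronised before anything else.
show ntp status
show clock
!
! 2. PKI: under trustpoint LAB-CA expect a "CA Certificate" and a
!    "Certificate" (the router's own) with a validity window that contains
!    the current time. On HUB1 the CA server should be "enabled".
show crypto pki certificates
show crypto pki server
!
! 3. IKEv2: one SA per peer in READY state. The detailed view lists the
!    negotiated suite and the authentication actually used on each side:
!    on HUB1 "Auth sign: RSA, Auth verify: PSK", on SPOKE1 the reverse.
show crypto ikev2 sa detailed
!
! 4. IPsec: active inbound/outbound SAs whose encaps/decaps counters grow
!    while traffic crosses the tunnel.
show crypto ipsec sa
!
! 5. Data plane: send traffic through the tunnel (run from HUB1; swap the
!    addresses on SPOKE1) and re-check the counters in step 4.
ping 10.1.13.3 source 10.1.13.1 repeat 20
!
! If the SA never reaches READY, enable these on the side that fails and
! look for certificate validity or identity-match errors:
! debug crypto ikev2
! debug crypto pki transactions
```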

COMMENTS

Great article. It works fine with standard GNS3 (no need for CSR 1000V), but using a different CA server with a different IOS (one supporting the PKI server). I will write an article on my website as a tribute to this page.