Site-to-Site FlexVPN Lab 2: static tunnel + RSA key within PKI

Lab Introduction

This is the second lab in my site-to-site FlexVPN series. Unlike Lab 1, which used PSK authentication (see Site-to-Site FlexVPN Lab 1: static tunnel + pre-shared key), Lab 2 uses RSA certificates to authenticate the FlexVPN peers.

The lab topology is shown below. Only HUB1 and SPOKE1 are used in this lab; HUB2 is not required.

HUB1 functions as the certificate authority (CA); SPOKE1 requests its certificate from HUB1.

Both routers point to an external NTP server. NTP synchronisation is important in this lab because certificates carry validity periods that are checked against the router clock.

(Figure: FlexVPN site-to-site lab topology)

RSA PKI

Here is a quick refresher on RSA and PKI:

Certificate Authority (CA): in a PKI, the CA answers certificate requests from devices and issues their certificates. It provides a centralised trust mechanism: a receiver that trusts the CA also trusts the keys and certificates the CA has issued. Before it can accept device enrolment requests, the CA first creates its own self-signed CA certificate. In the lab you will notice that HUB1 (the CA) automatically generates a self-signed certificate as soon as it is configured as a CA.

RSA: an RSA key pair consists of a public key and a private key. The public key is included in the certificate enrolment request, and the issued certificate carries it. In the lab there is a step where you confirm the CA's public key by accepting its certificate fingerprint. FlexVPN peers use the public key, which both sides know, together with the private key, which only its owner knows, to encrypt and decrypt messages.

Interface Configuration

CSR-HUB1

g3: 200.1.13.1/24
Tunnel0: 10.1.13.1/24
MGMT: 192.168.1.91/24

CSR-SPOKE1

g3: 200.1.13.3/24
Tunnel0: 10.1.13.3/24
MGMT: 192.168.1.93/24

CSR-HUB1 Configuration

Step 1 – Configure CA server

# start the HTTP server; certificate enrolment uses port 80
ip http server
crypto pki server CA
no database archive

# grant certificate requests automatically
grant auto

# define the certificate purpose (server, network device, client, etc.). Some use cases require the extended key usage (EKU) to be stated explicitly in the certificate.
eku server-auth client-auth
no shut

# output after starting the CA with 'no shut'
CSR-HUB1(cs-server)#no shut
% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
% Certificate Server enabled.

Step 2 – Configure trustpoint

CSR-HUB1(config)#crypto pki trustpoint S2S-CA
# HUB1 enrols with its own CA
CSR-HUB1(ca-trustpoint)#enrollment url http://192.168.1.91:80
CSR-HUB1(ca-trustpoint)#subject-name cn=HUB1,ou=mm.com
CSR-HUB1(ca-trustpoint)#exit

Step 3 – Authenticate CA

# authenticate CA server and accept its public key
CSR-HUB1(config)#crypto pki authenticate S2S-CA
Certificate has the following attributes:
Fingerprint MD5: EAEAB410 9923A004 BD20B9D5 C7DA9B5B
Fingerprint SHA1: BB35A6B8 E9448A78 882EC846 11C1CF4F 714101E3
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Step 4 – Send certificate enrollment request to CA

CSR-HUB1(config)#crypto pki enroll S2S-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: cn=HUB1,ou=mm.com
% The subject name in the certificate will include: CSR-HUB1.mm.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose S2S-CA' commandwill show the fingerprint.

HUB1 should have the following two certificates by now:

crypto pki certificate chain S2S-CA
certificate 02
308201D3 3082013C A0030201 02020102 300D0609 2A864886 F70D0101 05050030
0D310B30 09060355 04031302 4341301E 170D3136 30323031 30383436 35375A17
0D313730 31333130 38343635 375A3026 31243022 06092A86 4886F70D 01090216
15435352 2D485542 312E6D65 6E676D65 6E672E63 6F6D305C 300D0609 2A864886
F70D0101 01050003 4B003048 024100B9 31DC0059 CE47FDEE 4659E3F1 268C2AAA
5A9CA291 76997BCF 241ABADF 79430F59 1A5FA1B1 D5D72799 D2CD855F FFDC583B
481DB271 6839B344 E4BC8B0D 6907B102 03010001 A36E306C 301D0603 551D2504
16301406 082B0601 05050703 0106082B 06010505 07030230 0B060355 1D0F0404
030205A0 301F0603 551D2304 18301680 14F5C117 6FA9F3C9 B65D2F0E F5EE1EFF
F7E77420 06301D06 03551D0E 04160414 44BC78AC 81D43368 F6BF1A84 02D213D6
2D254B41 300D0609 2A864886 F70D0101 05050003 81810022 B4919090 0AD0A2FE
71F0B544 4AD2277E BA5B56F0 458028D9 645A21A9 6B2E285C 65249F72 E4F650F5
FB848610 53C1DF09 31752794 D2BD895F 19D72A4E BF38A2DD E1B6819C CA6FEBF2
790E3302 C4C88FFD B6460FC6 1C76E839 2F2420B1 A487A438 B6DD8A4C 0127C576
874190F5 E7DEF49C 93784078 6A8B5124 C6D1C702 5DD7CC
quit

certificate ca 01
308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
0D310B30 09060355 04031302 4341301E 170D3136 30323031 30383433 35305A17
0D313930 31333130 38343335 305A300D 310B3009 06035504 03130243 4130819F
300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100ABDE 0BDBDFE0
C24BD908 7424DA7B 411E38AC C39595D1 FB61615D D36E295A 8C42D6EE 9BA9524E
2258F7B2 655FA12E DF1FB4D8 40871F17 8577BAFA CCE137E9 77BF39DC C06B2494
DDEBE392 1AB6E588 E53EDAA9 0D5A7ADE B6F3ACEC F50FBF51 9FB36E45 966E4B19
2EFC7465 1F72E833 53290640 C1AEDB08 8F91F442 6857EFDF 52450203 010001A3
63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
03020186 301F0603 551D2304 18301680 14F5C117 6FA9F3C9 B65D2F0E F5EE1EFF
F7E77420 06301D06 03551D0E 04160414 F5C1176F A9F3C9B6 5D2F0EF5 EE1EFFF7
E7742006 300D0609 2A864886 F70D0101 04050003 8181006E 67FAC869 08CD9E29
B816E975 D837F3FB 3CEB5E17 3EFB78F0 02254016 882BD2FF 5FC42A62 B3A46640
6C5EC23E CF62A1F1 52762173 384D7EE1 665D7A3E 8910F1F5 9E873A78 421ADDB7
45AAB06A E351B630 1C40A9AC 78D1669D 2BA343AA 66400320 198C607E 1ABF3207
D4D7432C CD16508E 8240D5A8 B5FE49AC 2420DD9E DC70B8
quit

crypto pki certificate chain CA
certificate ca 01
308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
0D310B30 09060355 04031302 4341301E 170D3136 30323031 30383433 35305A17
0D313930 31333130 38343335 305A300D 310B3009 06035504 03130243 4130819F
300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100ABDE 0BDBDFE0
C24BD908 7424DA7B 411E38AC C39595D1 FB61615D D36E295A 8C42D6EE 9BA9524E
2258F7B2 655FA12E DF1FB4D8 40871F17 8577BAFA CCE137E9 77BF39DC C06B2494
DDEBE392 1AB6E588 E53EDAA9 0D5A7ADE B6F3ACEC F50FBF51 9FB36E45 966E4B19
2EFC7465 1F72E833 53290640 C1AEDB08 8F91F442 6857EFDF 52450203 010001A3
63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
03020186 301F0603 551D2304 18301680 14F5C117 6FA9F3C9 B65D2F0E F5EE1EFF
F7E77420 06301D06 03551D0E 04160414 F5C1176F A9F3C9B6 5D2F0EF5 EE1EFFF7
E7742006 300D0609 2A864886 F70D0101 04050003 8181006E 67FAC869 08CD9E29
B816E975 D837F3FB 3CEB5E17 3EFB78F0 02254016 882BD2FF 5FC42A62 B3A46640
6C5EC23E CF62A1F1 52762173 384D7EE1 665D7A3E 8910F1F5 9E873A78 421ADDB7
45AAB06A E351B630 1C40A9AC 78D1669D 2BA343AA 66400320 198C607E 1ABF3207
D4D7432C CD16508E 8240D5A8 B5FE49AC 2420DD9E DC70B8
quit
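The hex blocks above are plain DER-encoded X.509 certificates, so everything the CA put into them can be read back without a router. The following Python script is an added example (not part of the original post and not a Cisco tool): it walks the DER structure of HUB1's identity certificate (`certificate 02`, copied from the output above) with nothing but the standard library and summarises the fields that matter when troubleshooting a trustpoint: serial, signature algorithm, issuer and subject, validity window, RSA key size, and the extensions, including the EKU values that `eku server-auth client-auth` on the CA server placed there. The body of any other `certificate ... quit` block can be pasted into `parse_certificate` the same way.

```python
import re
from datetime import datetime

# Hex body of 'certificate 02', copied from the HUB1 'crypto pki certificate chain S2S-CA' output above.
HUB1_CERT_02 = """
308201D3 3082013C A0030201 02020102 300D0609 2A864886 F70D0101 05050030
0D310B30 09060355 04031302 4341301E 170D3136 30323031 30383436 35375A17
0D313730 31333130 38343635 375A3026 31243022 06092A86 4886F70D 01090216
15435352 2D485542 312E6D65 6E676D65 6E672E63 6F6D305C 300D0609 2A864886
F70D0101 01050003 4B003048 024100B9 31DC0059 CE47FDEE 4659E3F1 268C2AAA
5A9CA291 76997BCF 241ABADF 79430F59 1A5FA1B1 D5D72799 D2CD855F FFDC583B
481DB271 6839B344 E4BC8B0D 6907B102 03010001 A36E306C 301D0603 551D2504
16301406 082B0601 05050703 0106082B 06010505 07030230 0B060355 1D0F0404
030205A0 301F0603 551D2304 18301680 14F5C117 6FA9F3C9 B65D2F0E F5EE1EFF
F7E77420 06301D06 03551D0E 04160414 44BC78AC 81D43368 F6BF1A84 02D213D6
2D254B41 300D0609 2A864886 F70D0101 05050003 81810022 B4919090 0AD0A2FE
71F0B544 4AD2277E BA5B56F0 458028D9 645A21A9 6B2E285C 65249F72 E4F650F5
FB848610 53C1DF09 31752794 D2BD895F 19D72A4E BF38A2DD E1B6819C CA6FEBF2
790E3302 C4C88FFD B6460FC6 1C76E839 2F2420B1 A487A438 B6DD8A4C 0127C576
874190F5 E7DEF49C 93784078 6A8B5124 C6D1C702 5DD7CC
"""

# OIDs that appear in IOS CA-issued certificates; anything else is returned in dotted form.
OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.113549.1.9.2": "unstructuredName", "2.5.4.3": "CN", "2.5.4.11": "OU",
        "2.5.29.19": "basicConstraints", "2.5.29.37": "extKeyUsage",
        "1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs; high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)

def decode_name(content):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value string }."""
    parts = []
    for _, rdn in children(content):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            parts.append(f"{decode_oid(oid)}={text.decode('ascii')}")
    return ",".join(parts)

def decode_time(content):                   # UTCTime, e.g. b"160201084657Z"
    return datetime.strptime(content.decode("ascii"), "%y%m%d%H%M%SZ").strftime("%Y-%m-%d %H:%M:%S")

def decode_extensions(content):
    info = {"is_ca": False, "eku": []}
    for _, ext in children(content):
        fields = children(ext)              # OID, optional BOOLEAN critical, OCTET STRING value
        oid, value = decode_oid(fields[0][1]), children(fields[-1][1])[0][1]
        if oid == "basicConstraints":       # SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL }
            flags = children(value)
            info["is_ca"] = bool(flags) and flags[0][0] == 0x01 and flags[0][1] == b"\xff"
        elif oid == "extKeyUsage":          # SEQUENCE OF KeyPurposeId, set by 'eku' on the CA server
            info["eku"] = [decode_oid(v) for _, v in children(value)]
    return info

def parse_certificate(hex_dump):
    """Decode the hex IOS prints between 'certificate ...' and 'quit' into a summary dict."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_dump))
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), (_, sig) = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version, present in v3 certificates
        fields = fields[1:]
    serial, _, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = children(validity[1])
    bitstr = children(spki[1])[1][1]        # subjectPublicKey BIT STRING: unused-bits byte + RSAPublicKey
    modulus = children(children(bitstr[1:])[0][1])[0][1]
    ext = [v for t, v in fields[6:] if t == 0xA3]
    info = {"serial": int.from_bytes(serial[1], "big"),
            "signature_algorithm": decode_oid(children(sig_alg)[0][1]),
            "issuer": decode_name(issuer[1]), "subject": decode_name(subject[1]),
            "not_before": decode_time(not_before[1]), "not_after": decode_time(not_after[1]),
            "rsa_bits": int.from_bytes(modulus, "big").bit_length(),
            "signature_bits": len(sig[1:]) * 8}   # signature length reveals the issuing CA's key size
    info.update(decode_extensions(children(ext[0])[0][1] if ext else b""))
    return info

if __name__ == "__main__": print(parse_certificate(HUB1_CERT_02))
```

Run against the dump above, the decoder reports a 512-bit subject key signed with SHA-1 by a 1024-bit CA key, a one-year validity window (2016-02-01 to 2017-01-31, which is why the NTP note at the top matters), a subject that contains only the unstructuredName CSR-HUB1.mengmeng.com, and the serverAuth/clientAuth EKU pair. This is the same information `show crypto pki certificate verbose S2S-CA` prints on the router; having it offline makes it easy to check key sizes and hash algorithms before reusing a lab trustpoint anywhere else.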

Step 5 – Configure PSK on HUB1

# this lab uses mixed authentication: HUB1 proves its identity to SPOKE1 with its RSA certificate and expects SPOKE1 to prove its identity with the pre-shared key; SPOKE1 does the reverse.

crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.13.3
pre-shared-key Cisco123

Step 6 – Configure IKEv2 profile on HUB1

crypto ikev2 profile FLEXVPN-Static
match identity remote address 200.1.13.3 255.255.255.255
# SPOKE1 authenticates itself with the pre-shared key, so HUB1 verifies the remote peer with PSK.
authentication remote pre-share
# HUB1 authenticates itself with its RSA certificate, so SPOKE1 verifies HUB1 with rsa-sig (see the SPOKE1 profile).
authentication local rsa-sig
keyring local mykeys
pki trustpoint S2S-CA
dpd 60 2 on-demand

Step 7 – Attach the IKEv2 profile to the IPsec profile, so that applying the IPsec profile to an interface also invokes the designated IKEv2 profile

crypto ipsec profile default
set ikev2-profile FLEXVPN-Static

Step 8 – Apply the IPsec profile to the tunnel interface to encrypt tunnel traffic

CSR-HUB1#show run interface tu 0
Building configuration...
Current configuration : 165 bytes
!
interface Tunnel0
ip address 10.1.13.1 255.255.255.0
tunnel source GigabitEthernet3
tunnel destination 200.1.13.3
tunnel protection ipsec profile default
end

CSR-SPOKE1 Configuration

Step 1 – Configure trustpoint

crypto pki trustpoint S2S-CA
# request certificate from HUB1
enrollment url http://192.168.1.91:80
revocation-check none

Step 2 – Authenticate CA

# time must be synchronised with HUB1
crypto pki authenticate S2S-CA

Step 3 – Send certificate enrollment request to CA

crypto pki enroll S2S-CA

Step 4 – Configure PSK

Refer to the HUB1 configuration and configure SPOKE1 correspondingly (peer address 200.1.13.1, same pre-shared key).

Step 5 – Configure IKEv2 profile

crypto ikev2 profile FLEXVPN-Static
match identity remote address 200.1.13.1 255.255.255.255
authentication remote rsa-sig
authentication local pre-share
keyring local mykeys
pki trustpoint S2S-CA
dpd 60 2 on-demand

Step 6 – Attach the IKEv2 profile to the IPsec profile, so that applying the IPsec profile to an interface also invokes the designated IKEv2 profile

Refer to the HUB1 configuration and configure SPOKE1 correspondingly.

Step 7 – Apply the IPsec profile to the tunnel interface to encrypt tunnel traffic

Refer to the HUB1 configuration and configure SPOKE1 correspondingly (tunnel destination 200.1.13.1).

Verification

CSR-SPOKE1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote               fvrf/ivrf           Status
1         200.1.13.3/500       200.1.13.1/500       none/none           READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
Life/Active Time: 86400/2710 sec
CE id: 1614, Session-id: 2
Status Description: Negotiation done
Local spi: 13B9D098A68EDB27       Remote spi: 30286D68C2F74D76
Local id: 200.1.13.3
Remote id: 200.1.13.1
Local req msg id: 3             Remote req msg id: 0
Local next msg id: 3             Remote next msg id: 0
Local req queued: 3             Remote req queued: 0
Local window:     5             Remote window:     5
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
IPv6 Crypto IKEv2 SA
CSR-SPOKE1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 200.1.13.3
protected vrf: (none)
local ident (addr/mask/prot/port): (200.1.13.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.1.13.1/255.255.255.255/47/0)
current_peer 200.1.13.1 port 500
PERMIT, flags={origin_is_acl,}
 #pkts encaps: 650, #pkts encrypt: 650, #pkts digest: 650
   #pkts decaps: 650, #pkts decrypt: 650, #pkts verify: 650
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.1.13.3, remote crypto endpt.: 200.1.13.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
current outbound spi: 0x49CE8E7B(1238273659)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x21CABA55(566934101)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607906/817)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x49CE8E7B(1238273659)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607933/817)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
CSR-SPOKE1# show crypto session
Crypto session current status
Interface: Tunnel0
Profile: FLEXVPN-Static
Session status: UP-ACTIVE    
Peer: 200.1.13.1 port 500
Session ID: 3
IKEv2 SA: local 200.1.13.3/500 remote 200.1.13.1/500 Active
IPSEC FLOW: permit 47 host 200.1.13.3 host 200.1.13.1
       Active SAs: 2, origin: crypto map
CSR-SPOKE1#show ip int br
Tunnel0               10.1.13.3       YES manual up                   up
CSR-SPOKE1#ping 10.1.13.1 source 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.13.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms
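The `Auth sign: PSK, Auth verify: RSA` line in the SA output is the visible result of the mixed authentication configured in HUB1 Steps 5 and 6 and SPOKE1 Step 5: a router signs with its own `authentication local` method and verifies the peer with its `authentication remote` method, so the two profiles must mirror each other. The following Python check is an added example (not from the original post) that encodes that rule: it parses the two IKEv2 profiles as shown above, reports any mismatch or missing keyring/trustpoint, and confirms that the `show crypto ikev2 sa detailed` line from SPOKE1 agrees with SPOKE1's profile. The profile texts are reconstructed from the configuration sections above; the SA line is copied from the Verification output.

```python
import re

# Reconstructed from the HUB1 and SPOKE1 'crypto ikev2 profile FLEXVPN-Static' sections above.
HUB1_PROFILE = """
crypto ikev2 profile FLEXVPN-Static
 match identity remote address 200.1.13.3 255.255.255.255
 authentication remote pre-share
 authentication local rsa-sig
 keyring local mykeys
 pki trustpoint S2S-CA
"""
SPOKE1_PROFILE = """
crypto ikev2 profile FLEXVPN-Static
 match identity remote address 200.1.13.1 255.255.255.255
 authentication remote rsa-sig
 authentication local pre-share
 keyring local mykeys
 pki trustpoint S2S-CA
"""
# Copied from 'show crypto ikev2 sa detailed' on SPOKE1 in the Verification section.
SPOKE1_SA_LINE = ("Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, "
                  "Auth sign: PSK, Auth verify: RSA")

# How the SA output abbreviates each IKEv2 authentication method.
SA_NAMES = {"pre-share": "PSK", "rsa-sig": "RSA"}

def parse_profile(text):
    """Extract the local/remote methods and whether a keyring and a trustpoint are referenced."""
    auth = dict(re.findall(r"^\s*authentication (local|remote) (\S+)", text, re.M))
    return {"local": auth.get("local"), "remote": auth.get("remote"),
            "keyring": bool(re.search(r"^\s*keyring ", text, re.M)),
            "trustpoint": bool(re.search(r"^\s*pki trustpoint ", text, re.M))}

def check_pair(a, b):
    """Return a list of problems; empty means the two profiles can authenticate each other."""
    problems = []
    if a["local"] != b["remote"]:   # what A signs with must be what B expects to verify
        problems.append(f"side A authenticates with {a['local']} but side B expects {b['remote']}")
    if b["local"] != a["remote"]:
        problems.append(f"side B authenticates with {b['local']} but side A expects {a['remote']}")
    for name, p in (("A", a), ("B", b)):    # the referenced key material must be present
        if "pre-share" in (p["local"], p["remote"]) and not p["keyring"]:
            problems.append(f"side {name} uses pre-share but references no keyring")
        if "rsa-sig" in (p["local"], p["remote"]) and not p["trustpoint"]:
            problems.append(f"side {name} uses rsa-sig but references no pki trustpoint")
    return problems

def parse_sa_auth(line):
    """Map 'Auth sign' (our local method) and 'Auth verify' (the peer's method) from the SA output."""
    m = re.search(r"Auth sign: (\w+), Auth verify: (\w+)", line)
    return {"local": m.group(1), "remote": m.group(2)} if m else None

def sa_matches_profile(sa, profile):
    """True when the negotiated SA used exactly the methods this router's profile configures."""
    expected = {k: SA_NAMES.get(profile[k], profile[k]) for k in ("local", "remote")}
    return sa == expected

if __name__ == "__main__":
    hub, spoke = parse_profile(HUB1_PROFILE), parse_profile(SPOKE1_PROFILE)
    print("profile problems:", check_pair(hub, spoke) or "none")
    print("SA consistent with SPOKE1 profile:", sa_matches_profile(parse_sa_auth(SPOKE1_SA_LINE), spoke))
```

Feeding the same hub profile to both sides of `check_pair` produces two mismatch lines, which is exactly the situation that appears in the lab when one router is configured and the other is copied without swapping `local` and `remote`.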

COMMENTS

Great article. It works fine with standard GNS3 (no need for CSR 1000V), but using a different CA Server with different IOS (supporting PKI Server). I will make an article in my web as a tribute to this page.