Studies in VPN: Part 4

Posted October 25th, 2008 by bcarroll and filed in CCIE Security

IOS to IOS through an ASA with Digital Certs.


First I set up R1:

r1(config)#ip domain-name internetworkexpert.com
r1(config)#cry key gen rsa general-keys  modulus 1024
The name for the keys will be: r1.internetworkexpert.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]

r1(config)#
Oct 24 06:52:52.114: %SSH-5-ENABLED: SSH 1.5 has been enabled

Set the authentication of an existing ISAKMP policy to RSA signatures:

r1(config)#cry isa pol 10
r1(config-isakmp)#authen rsa-sig

Now the fun stuff. Define the trustpoint and enroll.

r1(config)#cry ca trustpoint ca
r1(ca-trustpoint)#enrollment url http://10.0.0.100/certsrv/mscep/mscep.dll
r1(ca-trustpoint)#enrollment mode ra
r1(ca-trustpoint)#crl opt
r1(ca-trustpoint)#ex
r1(config)#cry ca authenti ca
Certificate has the following attributes:
Fingerprint: 4AA0BAAF 2A930A0D 2723EDF9 DC440103
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
r1(config)#cry ca enr ca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The fully-qualified domain name in the certificate will be: r1.internetworkexpert.com
% The subject name in the certificate will be: r1.internetworkexpert.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

r1(config)#    Fingerprint:  A1A5FE03 0DB033D6 B0787141 904ADAAA

Oct 24 06:54:37.703: %SYS-3-CPUHOG: Task ran for 2160 msec (0/0), process = Crypto PKI RECV , PC = 81D8D4A8.
-Traceback= 81D8D4AC 803CE314
r1(config)#

The biggest issue with certs is making sure the cert is valid and installed. I use the following commands to verify:

! Time is current
r1(config)#do sh clock
06:55:15.044 UTC Fri Oct 24 2008

! Verify the cert is valid
r1#sh cry ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 617A2510000000000008
  Certificate Usage: General Purpose
  Issuer:
    CN = sc05-aaa
     O = "Internetwork Expert
     Inc."
     L = Reno
     ST = NV
     C = US
     EA = support@internetworkexpert.com
  Subject:
    Name: r1.internetworkexpert.com
    OID.1.2.840.113549.1.9.2 = r1.internetworkexpert.com
  CRL Distribution Point:

http://sc05-aaa/CertEnroll/sc05-aaa.crl

  Validity Date:
    start date: 06:44:35 UTC Oct 24 2008
    end   date: 06:54:35 UTC Oct 24 2009
    renew date: 00:00:00 UTC Jan 1 1970
  Associated Trustpoints: ca

CA Certificate
  Status: Available
  Certificate Serial Number: 77E11069C4DE5BB6451159DAFA708A39
  Certificate Usage: Signature
  Issuer:
    CN = sc05-aaa
     O = "Internetwork Expert
     Inc."
     L = Reno
     ST = NV
     C = US
     EA = support@internetworkexpert.com
  Subject:
    CN = sc05-aaa
     O = "Internetwork Expert
     Inc."
     L = Reno
     ST = NV
     C = US
     EA = support@internetworkexpert.com
  CRL Distribution Point:

http://sc05-aaa/CertEnroll/sc05-aaa.crl

  Validity Date:
    start date: 12:43:22 UTC Oct 29 2007
    end   date: 12:53:04 UTC Oct 29 2017
  Associated Trustpoints: ca

r1#
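The two outputs above carry everything needed to decide whether the router's identity cert is usable: the router clock, the validity window of the identity cert and of the CA cert, and whether the identity cert actually chains to the trustpoint's CA. As an added example (not part of the original post and not an IOS feature), here is a small Python checker that parses an abbreviated, constructed copy of the `show crypto ca certificates` and `show clock` output and applies those checks; `parse_show_certs`, `parse_ios_date` and `check_certificates` are hypothetical helper names chosen for this example.

```python
"""Check a Cisco IOS 'show crypto ca certificates' dump against 'show clock'.

Added example, not part of the original post or of IOS: the parser and the
checks are hypothetical helpers; the sample text below is a constructed,
abbreviated copy of the output shown in the post.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: abbreviated 'show crypto ca certificates' output
# (CRL and organisation lines dropped to keep the sample short).
SAMPLE_SHOW_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number: 617A2510000000000008
  Certificate Usage: General Purpose
  Issuer:
    CN = sc05-aaa
  Subject:
    Name: r1.internetworkexpert.com
  Validity Date:
    start date: 06:44:35 UTC Oct 24 2008
    end   date: 06:54:35 UTC Oct 24 2009
  Associated Trustpoints: ca

CA Certificate
  Status: Available
  Certificate Serial Number: 77E11069C4DE5BB6451159DAFA708A39
  Certificate Usage: Signature
  Issuer:
    CN = sc05-aaa
  Subject:
    CN = sc05-aaa
  Validity Date:
    start date: 12:43:22 UTC Oct 29 2007
    end   date: 12:53:04 UTC Oct 29 2017
  Associated Trustpoints: ca
"""

# Constructed sample: 'show clock' taken at the same time as the dump.
SAMPLE_CLOCK = "06:55:15.044 UTC Fri Oct 24 2008"

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# IOS date layout: 'HH:MM:SS[.mmm] TZ [Weekday] Mon D YYYY'
DATE_RE = re.compile(
    r"(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?\s+[A-Z]{2,5}\s+(?:[A-Z][a-z]{2}\s+)?"
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})")


def parse_ios_date(text):
    """Return a naive datetime from an IOS clock/validity string (UTC assumed)."""
    m = DATE_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError(f"unrecognised IOS date: {text!r}")
    hh, mm, ss, mon, day, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def parse_show_certs(text):
    """Split the dump into one dict per certificate block."""
    certs, cur, section = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # block header at column 0
            cur = {"kind": raw.strip(), "issuer": {}, "subject": {}}
            certs.append(cur)
            section = None
            continue
        line = raw.strip()
        if line.endswith(":"):               # 'Issuer:', 'Subject:', 'Validity Date:'
            section = line[:-1].lower()
            continue
        if section in ("issuer", "subject") and "=" in line:
            key, val = line.split("=", 1)    # 'CN = sc05-aaa'
        elif ":" in line:
            key, val = line.split(":", 1)    # 'start date: ...', 'Name: ...'
        else:
            continue                         # wrapped continuation line, ignored
        key = " ".join(key.split()).lower()  # 'end   date' -> 'end date'
        target = cur[section] if section in ("issuer", "subject") else cur
        target[key] = val.strip()
    return certs


def check_certificates(show_certs_text, clock_text, min_remaining=timedelta(days=30)):
    """Return {'ok': bool, 'findings': [...]} for the dump at the given clock."""
    now = parse_ios_date(clock_text)
    certs = parse_show_certs(show_certs_text)
    findings = []
    ca_subject = next((c["subject"].get("cn") for c in certs
                       if c["kind"] == "CA Certificate"), None)
    for c in certs:
        label = f'{c["kind"]} {c.get("certificate serial number", "?")}'
        if c.get("status") != "Available":
            findings.append(f"{label}: status is {c.get('status')}, not Available")
        start, end = parse_ios_date(c["start date"]), parse_ios_date(c["end date"])
        if now < start:   # classic symptom of an unset router clock
            findings.append(f"{label}: not yet valid (clock {now} is before {start})")
        elif now > end:
            findings.append(f"{label}: expired at {end}")
        elif end - now < min_remaining:
            findings.append(f"{label}: expires in {(end - now).days} days")
        if not c.get("associated trustpoints"):
            findings.append(f"{label}: not associated with any trustpoint")
        if c["kind"] == "Certificate" and c["issuer"].get("cn") != ca_subject:
            findings.append(f"{label}: issuer CN {c['issuer'].get('cn')} "
                            f"does not match CA subject {ca_subject}")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    print(check_certificates(SAMPLE_SHOW_CERTS, SAMPLE_CLOCK))
```

Feeding it the sample at the clock shown in the post reports no findings; running the same dump against the IOS default clock of 1 March 1993 reports both certs as "not yet valid", which is the usual reason a freshly enrolled cert refuses to authenticate.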

Now we test and …success!

ping 150.2.2.2 sour l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1

Oct 24 07:06:32.961: ISAKMP: received ke message (1/1)
Oct 24 07:06:32.961: ISAKMP (0:0): SA request profile is (NULL)
Oct 24 07:06:32.961: ISAKMP: local port 500, remote port 500
Oct 24 07:06:32.961: ISAKMP: set new node 0 to QM_IDLE
Oct 24 07:06:32.965: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82E7FF94
Oct 24 07:06:32.965: ISAKMP (0:3): Can not start Aggressive mode, trying Main mode.
Oct 24 07:06:32.965: ISAKMP: Looking for a matching key for 136.5.122.2 in default : success
Oct 24 07:06:32.965: ISAKMP (0:3): found peer pre-shared key matching 136.5.122.2
Oct 24 07:06:32.965: ISAKMP (0:3): constructed NAT-T vendor-03 ID
Oct 24 07:06:32.965: ISAKMP (0:3): constructed NAT-T vendor-02 ID
Oct 24 07:06:32.965: ISAKMP (0:3): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 24 07:06:32.965: ISAKMP (0:3): Old State = IKE_READY  New State = IKE_I_MM1

Oct 24 07:06:32.965: ISAKMP (0:3): beginning Main Mode exchange
Oct 24 07:06:32.969: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 24 07:06:33.138: ISAKMP (0:3): received packet from 136.5.122.2 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 24 07:06:33.138: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 07:06:33.142: ISAKMP (0:3): Old State = IKE_I_MM1  New State = IKE_I_MM2

Oct 24 07:06:33.142: ISAKMP (0:3): processing SA payload. message ID = 0
Oct 24 07:06:33.142: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.142: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch
Oct 24 07:06:33.142: ISAKMP (0:3): vendor ID is NAT-T v3
Oct 24 07:06:33.142: ISAKMP : Scanning profiles for xauth ...
Oct 24 07:06:33.142: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 10 policy
Oct 24 07:06:33.146: ISAKMP:      encryption 3DES-CBC
Oct 24 07:06:33.146: ISAKMP:      hash MD5
Oct 24 07:06:33.146: ISAKMP:      default group 1
Oct 24 07:06:33.146: ISAKMP:      auth RSA sig
Oct 24 07:06:33.146: ISAKMP:      life type. in seconds
Oct 24 07:06:33.146: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Oct 24 07:06:33.146: ISAKMP (0:3): atts are acceptable. Next payload is 0
Oct 24 07:06:33.310: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.310: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch
Oct 24 07:06:33.310: ISAKMP (0:3): vendor ID is NAT-T v3
Oct 24 07:06:33.310: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 07:06:33.310: ISAKMP (0:3): Old State = IKE_I_MM2  New State = IKE_I_MM2

Oct 24 07:06:33.314: ISAKMP (0:3): constructed HIS NAT-D
Oct 24 07:06:33.314: ISAKMP (0:3): constructed MINE NAT-D
Oct 24 07:06:33.314: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 24 07:06:33.318: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 07:06:33.318: ISAKMP (0:3): Old State = IKE_I_MM2  New State = IKE_I_MM3

Oct 24 07:06:33.526: ISAKMP (0:3): received packet from 136.5.122.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 24 07:06:33.526: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 07:06:33.526: ISAKMP (0:3): Old State = IKE_I_MM3  New State = IKE_I_MM4

Oct 24 07:06:33.530: ISAKMP (0:3): processing KE payload. message ID = 0
Oct 24 07:06:33.731: ISAKMP (0:3): processing NONCE payload. message ID = 0
Oct 24 07:06:33.735: ISAKMP (0:3): SKEYID state generated
Oct 24 07:06:33.735: ISAKMP (0:3): processing CERT_REQ payload. message ID = 0
Oct 24 07:06:33.735: ISAKMP (0:3): peer wants a CT_X509_SIGNATURE cert
Oct 24 07:06:33.739: ISAKMP (0:3): peer want cert issued by CN = sc05-aaa, O = "Internetwork Expert, Inc.", L = Reno, ST = NV, C = US, EA = support@internetworkexpert.com
Oct 24 07:06:33.739: ISAKMP (0:3): Choosing trustpoint ca as default key issuer
Oct 24 07:06:33.739: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.739: ISAKMP (0:3): vendor ID is Unity
Oct 24 07:06:33.739: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.743: ISAKMP (0:3): vendor ID is DPD
Oct 24 07:06:33.743: ISAKMP (0:3): processing vendor id payload
Oct 24 07:06:33.743: ISAKMP (0:3): speaking to another IOS box!
Oct 24 07:06:33.743: ISAKMP:received payload type 17
Oct 24 07:06:33.743: ISAKMP (0:3): Detected NAT-D payload
Oct 24 07:06:33.743: ISAKMP (0:3): NAT match MINE hash
Oct 24 07:06:33.743: ISAKMP:received payload type 17
Oct 24 07:06:33.743: ISAKMP (0:3): Detected NAT-D payload
Oct 24 07:06:33.743: ISAKMP (0:3): NAT match HIS hash
Oct 24 07:06:33.743: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 07:06:33.747: ISAKMP (0:3): Old State = IKE_I_MM4  New State = IKE_I_MM4

Oct 24 07:06:33.759: ISAKMP (3): My ID configured as IPv4 Addr,but Addr not in Cert!
Oct 24 07:06:33.759: ISAKMP (3): Using FQDN as My ID
Oct 24 07:06:33.759: ISAKMP (0:3): SA is doing RSA signature authentication using id type ID_FQDN
Oct 24 07:06:33.763: ISAKMP (3): ID payload
	next-payload : 6
	type         : 2
	FQDN name    : r1.internetworkexpert.com
	protocol     : 17
	port         : 500
	length       : 29
Oct 24 07:06:33.763: ISAKMP (3): Total payload length: 33
Oct 24 07:06:33.763: ISKAMP: growing send buffer from 1024 to 3072
Oct 24 07:06:33.763: ISAKMP (0:3): using the ca trustpoint's keypair to sign
Oct 24 07:06:34.909: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 24 07:06:34.909: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 07:06:34.909: ISAKMP (0:3): Old State = IKE_I_MM4  New State = IKE_I_MM5

Oct 24 07:06:37.421: ISAKMP (0:3): received packet from 136.5.122.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 24 07:06:37.433: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 07:06:37.433: ISAKMP (0:3): Old State = IKE_I_MM5  New State = IKE_I_MM6

Oct 24 07:06:37.433: ISAKMP (0:3): processing ID payload. message ID = 0
Oct 24 07:06:37.433: ISAKMP (3): Process ID payload
	type         : 2
	FQDN name    : r2.internetworkexpert.com
	protocol     : 17
	port         : 500
	length       : 25
Oct 24 07:06:37.437: ISAKMP (0:3): processing CERT payload. message ID = 0
Oct 24 07:06:37.437: ISAKMP (0:3): processing a CT_X509_SIGNATURE cert
Oct 24 07:06:37.461: ISAKMP (0:3): peer's pubkey isn't cached
Oct 24 07:06:38.687: ISAKMP (0:3): cert approved with warning
Oct 24 07:06:38.723: ISAKMP (0:3): Cert presented by peer contains no OU field.
Oct 24 07:06:38.747: ISAKMP (0:3): processing SIG pa.!
Success rate is 20 percent (1/5), round-trip min/avg/max = 8/8/8 ms
r1#yload. message ID = 0
Oct 24 07:06:38.747: ISAKMP (3): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = r2.internetworkexpert.com
Oct 24 07:06:38.819: ISAKMP (0:3): SA has been authenticated with 136.5.122.2
Oct 24 07:06:38.819: ISAKMP (0:3): peer matches *none* of the profiles
Oct 24 07:06:38.819: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 07:06:38.819: ISAKMP (0:3): Old State = IKE_I_MM6  New State = IKE_I_MM6

Oct 24 07:06:38.819: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 07:06:38.823: ISAKMP (0:3): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Oct 24 07:06:38.823: ISAKMP (0:3): beginning Quick Mode exchange, M-ID of -609653415
Oct 24 07:06:38.827: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 24 07:06:38.827: ISAKMP (0:3): Node -609653415, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 24 07:06:38.827: ISAKMP (0:3): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Oct 24 07:06:38.827: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 24 07:06:38.831: ISAKMP (0:3): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Oct 24 07:06:39.088: ISAKMP (0:3): received packet from 136.5.122.2 dport 500 sport 500 Global (I) QM_IDLE
Oct 24 07:06:39.092: ISAKMP (0:3): processing HASH payload. message ID = -609653415
Oct 24 07:06:39.092: ISAKMP (0:3): processing SA payload. message ID = -609653415
Oct 24 07:06:39.092: ISAKMP (0:3): Checking IPSec proposal 1
Oct 24 07:06:39.096: ISAKMP: transform 1, ESP_3DES
Oct 24 07:06:39.096: ISAKMP:   attributes in transform:
Oct 24 07:06:39.096: ISAKMP:      encaps is 1
Oct 24 07:06:39.096: ISAKMP:      SA life type in seconds
Oct 24 07:06:39.096: ISAKMP:      SA life duration (basic) of 3600
Oct 24 07:06:39.096: ISAKMP:      SA life type in kilobytes
Oct 24 07:06:39.096: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Oct 24 07:06:39.096: ISAKMP:      authenticator is HMAC-MD5
Oct 24 07:06:39.096: ISAKMP (0:3): atts are acceptable.
Oct 24 07:06:39.100: ISAKMP (0:3): processing NONCE payload. message ID = -609653415
Oct 24 07:06:39.100: ISAKMP (0:3): processing ID payload. message ID = -609653415
Oct 24 07:06:39.100: ISAKMP (0:3): processing ID payload. message ID = -609653415
Oct 24 07:06:39.104: ISAKMP (0:3): Creating IPSec SAs
Oct 24 07:06:39.104:         inbound SA from 136.5.122.2 to 136.5.121.1 (f/i)  0/ 0
        (proxy 150.2.2.0 to 150.1.1.0)
Oct 24 07:06:39.104:         has spi 0x90C8D932 and conn_id 2000 and flags 2
Oct 24 07:06:39.104:         lifetime of 3600 seconds
Oct 24 07:06:39.108:         lifetime of 4608000 kilobytes
Oct 24 07:06:39.108:         has client flags 0x0
Oct 24 07:06:39.108:         outbound SA from 136.5.121.1     to 136.5.122.2     (f/i)  0/ 0 (proxy 150.1.1.0       to 150.2.2.0      )
Oct 24 07:06:39.108:         has spi 214252587 and conn_id 2001 and flags A
Oct 24 07:06:39.108:         lifetime of 3600 seconds
Oct 24 07:06:39.108:         lifetime of 4608000 kilobytes
Oct 24 07:06:39.108:         has client flags 0x0
Oct 24 07:06:39.108: ISAKMP (0:3): sending packet to 136.5.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 24 07:06:39.112: ISAKMP (0:3): deleting node -609653415 error FALSE reason ""
Oct 24 07:06:39.112: ISAKMP (0:3): Node -609653415, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 24 07:06:39.112: ISAKMP (0:3): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
ping 150.2.2.2 sour l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r1#
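The debug above is long, and the lines that matter for a cert-based tunnel are easy to miss: the `auth RSA sig` attribute in the policy check, the `SA is doing RSA signature authentication using id type ID_FQDN` line, the peer's FQDN, the warnings (`Addr not in Cert`, `cert approved with warning`, `no OU field`, `peer matches *none* of the profiles`), and the two state transitions to `IKE_P1_COMPLETE` and `IKE_QM_PHASE2_COMPLETE`. As an added example (not part of the post, and not an IOS tool), the following Python summariser runs over a constructed, abbreviated copy of those debug lines and pulls out exactly that; `summarize_isakmp` and the `WARNING_MARKERS` list are hypothetical names chosen for this example.

```python
"""Summarise a Cisco IOS 'debug crypto isakmp' capture of a cert-based tunnel.

Added example, not from the post or from IOS: the helper is hypothetical, and
SAMPLE_DEBUG is a constructed, abbreviated copy of the debug lines in the post.
"""
import re

SAMPLE_DEBUG = """\
Oct 24 07:06:32.965: ISAKMP (0:3): Can not start Aggressive mode, trying Main mode.
Oct 24 07:06:32.965: ISAKMP (0:3): Old State = IKE_READY  New State = IKE_I_MM1
Oct 24 07:06:33.142: ISAKMP (0:3): Old State = IKE_I_MM1  New State = IKE_I_MM2
Oct 24 07:06:33.142: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 10 policy
Oct 24 07:06:33.146: ISAKMP:      encryption 3DES-CBC
Oct 24 07:06:33.146: ISAKMP:      hash MD5
Oct 24 07:06:33.146: ISAKMP:      default group 1
Oct 24 07:06:33.146: ISAKMP:      auth RSA sig
Oct 24 07:06:33.146: ISAKMP (0:3): atts are acceptable. Next payload is 0
Oct 24 07:06:33.310: ISAKMP (0:3): Old State = IKE_I_MM2  New State = IKE_I_MM2
Oct 24 07:06:33.318: ISAKMP (0:3): Old State = IKE_I_MM2  New State = IKE_I_MM3
Oct 24 07:06:33.526: ISAKMP (0:3): Old State = IKE_I_MM3  New State = IKE_I_MM4
Oct 24 07:06:33.759: ISAKMP (3): My ID configured as IPv4 Addr,but Addr not in Cert!
Oct 24 07:06:33.759: ISAKMP (3): Using FQDN as My ID
Oct 24 07:06:33.759: ISAKMP (0:3): SA is doing RSA signature authentication using id type ID_FQDN
Oct 24 07:06:34.909: ISAKMP (0:3): Old State = IKE_I_MM4  New State = IKE_I_MM5
Oct 24 07:06:37.433: ISAKMP (0:3): Old State = IKE_I_MM5  New State = IKE_I_MM6
Oct 24 07:06:38.687: ISAKMP (0:3): cert approved with warning
Oct 24 07:06:38.723: ISAKMP (0:3): Cert presented by peer contains no OU field.
Oct 24 07:06:38.747: ISAKMP (3): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = r2.internetworkexpert.com
Oct 24 07:06:38.819: ISAKMP (0:3): SA has been authenticated with 136.5.122.2
Oct 24 07:06:38.819: ISAKMP (0:3): peer matches *none* of the profiles
Oct 24 07:06:38.823: ISAKMP (0:3): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Oct 24 07:06:39.112: ISAKMP (0:3): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
POLICY_RE = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group)\s+(.+?)\s*$")
AUTH_RE = re.compile(r"SA is doing (.+?) authentication using id type (\S+)")
PEER_FQDN_RE = re.compile(r"id_fqdn\.fqdn = (\S+)")
PEER_ADDR_RE = re.compile(r"SA has been authenticated with (\S+)")

# Debug lines worth a second look even when the tunnel comes up.
WARNING_MARKERS = (
    "Addr not in Cert",
    "approved with warning",
    "no OU field",
    "matches *none* of the profiles",
)


def summarize_isakmp(text):
    """Reduce a debug capture to the facts that confirm RSA-sig authentication."""
    summary = {"policy": {}, "auth_method": None, "id_type": None,
               "peer_fqdn": None, "peer_addr": None, "transitions": [],
               "warnings": []}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if old != new:                   # drop the no-op re-entries IOS logs
                summary["transitions"].append((old, new))
        elif m := POLICY_RE.search(line):
            summary["policy"][m.group(1)] = m.group(2)
        elif m := AUTH_RE.search(line):
            summary["auth_method"], summary["id_type"] = m.groups()
        elif m := PEER_FQDN_RE.search(line):
            summary["peer_fqdn"] = m.group(1)
        elif m := PEER_ADDR_RE.search(line):
            summary["peer_addr"] = m.group(1)
        for marker in WARNING_MARKERS:
            if marker in line:               # keep the message without timestamp/prefix
                summary["warnings"].append(line.split(": ", 2)[-1])
    reached = {new for _, new in summary["transitions"]}
    summary["phase1_complete"] = "IKE_P1_COMPLETE" in reached
    summary["phase2_complete"] = "IKE_QM_PHASE2_COMPLETE" in reached
    summary["ok"] = (summary["phase1_complete"] and summary["phase2_complete"]
                     and summary["auth_method"] == "RSA signature")
    return summary


if __name__ == "__main__":
    for key, value in summarize_isakmp(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

The `ok` flag is only true when both phases completed and the SA line says RSA signature authentication; a tunnel that came up on a pre-shared key would still show phase 2 complete but fail that check. The warnings list is reported rather than treated as an error because, as the post shows, the tunnel does come up with all four of them present.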

Final Configs
