
Module 5: Configure Site-to-Site VPNs Using Digital Certificates

PDF created with pdfFactory trial version www.pdffactory.com


Overview

Học viện mạng Cisco Bách Khoa (Cisco Bach Khoa Network Academy) - Website: www.ciscobachkhoa.com



Configure CA Support on a Cisco Router



Configure CA Support on a Cisco Router

• Steps to configure CA support

• Configuring Cisco IOS software certificate authority (CA) support is complicated, and a mistake in one step usually surfaces later as a failed IKE negotiation rather than as an error at configuration time. Having a detailed plan, the ten steps that follow, lessens the chances of configuration errors.


Configure CA Support on a Cisco Router

• Step 1 – manage the non-volatile RAM (NVRAM)

• Once the router is configured to use a CA, it handles certificates and certificate revocation lists (CRLs). Normally certain certificates and all CRLs are stored locally in the NVRAM of the router, and each certificate and CRL uses a moderate amount of memory.
• The following certificates are normally stored on the router:
– The certificate of the router
– The certificate of the CA
– Root certificates obtained from CA servers. All root certificates are saved in RAM after the router has been initialized.
– Two RA certificates (one for signing, one for encryption), if the CA supports an RA


Configure CA Support on a Cisco Router

• Step 1 (continue)– manage the non-volatile RAM (NVRAM)

• In some cases, storing certificates and CRLs locally will not present a problem. In other cases, memory might become an issue if a large number of certificates and CRLs end up being stored on the router, because together they can consume a large amount of NVRAM space.
• To save NVRAM space, the router can be configured so that certificates and CRLs are not stored locally but are retrieved from the CA when needed. This saves NVRAM space but has a slight performance impact, and it makes the CA (or its CRL distribution point) a dependency of every certificate validation: if the CA is unreachable at the moment a peer presents a certificate, the router cannot complete the check.
• To specify that certificates and CRLs should not be stored locally on the router but retrieved when required, turn on query mode with the crypto ca certificate query command in global configuration mode.



Configure CA Support on a Cisco Router

• Step 1 (continue)– manage the non-volatile RAM (NVRAM)

• If query mode is not turned on initially, it can be turned on later even if certificates and CRLs have already been stored on the router. In this case, when query mode is turned on, the stored certificates and CRLs are deleted from the router after the configuration is saved. If the configuration is copied to a TFTP server before query mode is turned on, the stored certificates and CRLs are preserved in that copy.
• If query mode is turned on initially, it can be turned off later. Before turning it off, issue the copy system:running-config nvram:startup-config command to save all current certificates and CRLs to NVRAM. Otherwise they could be lost during a reboot and would need to be retrieved the next time the router needed them.



Configure CA Support on a Cisco Router

• Step 2 – set the router time and date

• Verify with the show clock command in privileged EXEC mode that the time zone, time, and date are accurate. The clock must be accurately set before generating RSA key pairs and enrolling with the CA server because certificates are time-sensitive. Each certificate carries a validity period, a "valid from" and "valid to" date and time. When the router validates a certificate, it checks whether its own system clock falls within that range. If it does, the certificate is valid; if not, the certificate is deemed invalid (not yet valid, or expired). The check is only as trustworthy as the router clock: a clock set far ahead or behind rejects good certificates, and a clock an attacker can move backwards accepts expired ones.


Configure CA Support on a Cisco Router

• Step 2 (continue)– set the router time and date

• To specify the time zone of the router, use the clock timezone global configuration command. The command sets the time zone name and its offset from Coordinated Universal Time (UTC).
• The router can optionally be set to update the calendar and time automatically from a Network Time Protocol (NTP) server with the ntp series of commands. Because the clock now decides certificate validity, the NTP association should be authenticated (ntp authenticate, ntp authentication-key, ntp trusted-key, and the key keyword on ntp server) so that an on-path host cannot adjust it.


Configure CA Support on a Cisco Router

• Step 3 – add a CA server entry to the router host table

• The host name and IP domain name of the router must be configured if this has not already been done. This is required because the router assigns a fully qualified domain name (FQDN) to the keys and certificates used by IPSec, and the FQDN is based on the host name and IP domain name assigned to the router.
• To specify or modify the hostname for the network server, use the hostname global configuration command. The setup command facility also prompts for a hostname at startup.


Configure CA Support on a Cisco Router

• Step 3 (continue) – add a CA server entry to the router host table

• To define a default domain name that the Cisco IOS software uses to complete unqualified hostnames, use the ip domain-name global configuration command. Unqualified names are names that contain no domain part (no dots). The no form of this command removes the default domain name.
• Use the ip host global configuration command to define a static hostname-to-address mapping in the host cache, for example so that the CA name used in the enrollment URL resolves without depending on DNS. To remove the name-to-address mapping, use the no form of this command.


Configure CA Support on a Cisco Router

• Step 4 – generate an RSA key pair

• RSA key pairs are used to sign and encrypt IKE key management messages and are required before obtaining a certificate for the router.
• Use the crypto key generate rsa global configuration command to generate RSA key pairs.
• By default, no RSA key pairs exist. If the usage-keys option is not given, general-purpose keys are generated. RSA keys are generated in pairs consisting of one public RSA key and one private RSA key. If the router already has RSA keys when this command is issued, the router warns and prompts the administrator before replacing the existing keys with new keys; replacing them invalidates any certificate already issued for the old keys, so the router must enroll again afterwards.


Configure CA Support on a Cisco Router

• Step 4 (continue)– generate an RSA key pair

• Special-usage Keys
If special-usage keys are generated, two pairs of RSA keys are created. One pair is used with any IKE policy that specifies RSA signatures as the authentication method, and the other pair is used with any IKE policy that specifies RSA encrypted nonces as the authentication method.
• If both types of RSA authentication methods are present in the IKE policies, special-usage keys may be the preferred option. With special-usage keys, each key serves one purpose only, so neither is unnecessarily exposed. Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.


Configure CA Support on a Cisco Router

• Step 4 (continue)– generate an RSA key pair

• General-purpose Keys
If general-purpose keys are generated, only one pair of RSA keys is created. This pair is used with IKE policies specifying either RSA signatures or RSA encrypted nonces. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
• When RSA keys are generated, the administrator is prompted to enter a modulus length, as shown in Figure. A longer modulus offers stronger security, but takes longer to generate and longer to use. A modulus below 512 is not recommended, and Cisco recommended a minimum modulus of 1024 when this module was written. That figure has not aged well: 1024-bit RSA is no longer considered adequate, 2048 bits should be treated as the minimum on any platform that supports it, and many CA policies now refuse to sign smaller keys.


Configure CA Support on a Cisco Router

• Step 5 – declare a CA
• Note that in Cisco IOS Release 12.3(7)T, crypto pki trustpoint replaces the crypto ca trustpoint command from previous Cisco IOS software releases. The crypto ca trustpoint command can still be entered, but it is written to the configuration as crypto pki trustpoint.
• Use the crypto pki trustpoint global configuration command to declare which CA the router will use. Under this command the router can also be set (auto-enroll) to re-enroll with the CA automatically before its certificate expires. Use the no form of this command to delete all identity information and certificates associated with the CA.



Configure CA Support on a Cisco Router

• Step 5 (continue)– declare a CA

• Entering the crypto pki trustpoint command puts the prompt into ca-trustpoint configuration mode, where the characteristics of the CA are specified with the commands shown in Figure.


Configure CA Support on a Cisco Router

• Step 5 (continue)– declare a CA

• The example shown in Figure declares an Entrust CA and identifies characteristics of the CA. In this example, the name vpnca is created for the CA, which is located at http://vpnca. The example also declares a CA that uses an RA. The enrollment scripts for the CA are in the default location, and the CA uses SCEP instead of LDAP. This is the minimum configuration required to declare a CA that uses an RA.
• The example shown in Figure declares a Microsoft Windows 2000 CA. Note that the enrollment URL points to the MSCEP DLL rather than to the server root.


Configure CA Support on a Cisco Router

• Step 6 – authenticate the CA

• The router needs to authenticate the CA to verify that it is valid. It does this by obtaining the self-signed certificate of the CA, which contains the public key of the CA. Because the CA certificate is self-signed, meaning that the CA signs its own certificate, nothing in the certificate itself proves who issued it, and SCEP fetches it over plain HTTP. The public key of the CA must therefore be authenticated manually: contact the CA administrator over a separate channel and compare the fingerprint of the CA certificate that the router displays with the one the administrator reports. Accepting a fingerprint without that comparison means that every certificate the router later trusts chains to whatever answered the enrollment URL.
• To get the public key of the CA, use the crypto pki authenticate name command in global configuration mode. Use the same name that was used when declaring the CA with the crypto pki trustpoint command.


Configure CA Support on a Cisco Router

• Step 6 (continue)– authenticate the CA

• If RA mode is used (the enrollment mode ra command), the crypto pki authenticate command returns the RA signing and encryption certificates from the CA as well as the CA certificate.
• The following example shows a CA authentication; the fingerprint shown is the value to compare with the CA administrator before answering yes:
RouterA(config)# crypto pki authenticate VPNCA
Certificate has the following attributes:
Fingerprint: 93700C31 4853EC4A DED81400 43D3C82C
% Do you accept this certificate? [yes/no]: y


Configure CA Support on a Cisco Router

• Step 7 – request a certificate for the router


• A signed certificate must be obtained from the CA for each RSA key
pair on the router. If general-purpose RSA keys were generated, the
router has only one RSA key pair and needs only one certificate. If
special-usage RSA keys were generated, the router has two RSA key
pairs and needs two certificates.


Configure CA Support on a Cisco Router

• Step 7 (continue)– request a certificate for the router

• To request signed certificates from the CA, use the crypto pki enroll name command in global configuration mode.
• During the enrollment process, a challenge password is created. The CA administrator can use this password to validate the identity of the individual requesting the certificate. The password is not saved with the configuration. It is required again if the certificate ever needs to be revoked, so it must be remembered or stored in a manner consistent with the security policy of the organization.
• Technically, enrolling and obtaining certificates are two separate events, but both occur when the crypto pki enroll command is issued.
• If a certificate for the keys already exists, this command cannot be completed. Instead, the administrator is prompted to remove the existing certificate first. Existing certificates can be removed with the no certificate command.



Configure CA Support on a Cisco Router

• Step 8 – save the configuration

• Use the copy system:running-config nvram:startup-config command to save the configuration. This command also saves the RSA keys to private NVRAM. RSA keys are not saved with the configuration when a copy system:running-config rcp: or copy system:running-config tftp: command is issued, so a backup taken that way cannot restore the router's certificate identity: after restoring from it, the router must generate new keys and enroll again, unless the keys were generated with the exportable keyword and exported separately.
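The eight steps above, collected into one router's configuration as an added example (not taken from the course slides or their figures). Every name and address is an assumption: the CA "vpnca" at 10.1.1.5 reached over SCEP, an NTP server at 10.1.1.10 with the key string NtpK3y, and the router RouterA.example.com. The two commands that prompt interactively (authenticate and enroll) are shown where they belong in the sequence.

```cisco
! Added example, not from the course slides: the complete CA-support
! configuration of one router, steps 1 through 8 in order. Every name and
! address is an assumption: the CA "vpnca" at 10.1.1.5, the NTP server at
! 10.1.1.10, the NTP key string NtpK3y, and the router RouterA.example.com.
!
! Step 1 (optional): keep certificates and CRLs off NVRAM and fetch them from
! the CA on demand. Leave this out unless NVRAM is actually short; with it,
! every certificate validation depends on the CA being reachable.
! crypto ca certificate query
!
! Step 2: clock before keys. Certificate validity is judged against this
! clock, and NTP is authenticated so an on-path host cannot shift it.
clock timezone PST -8
ntp authentication-key 1 md5 NtpK3y
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.10 key 1
!
! Step 3: identity. The FQDN RouterA.example.com is embedded in the key label
! and certificate subject, so these come before key generation.
hostname RouterA
ip domain-name example.com
ip host vpnca 10.1.1.5
!
! Step 4: one general-purpose pair. 1024 bits was the course minimum;
! 2048 is the practical floor now (assumes the image and platform allow it).
crypto key generate rsa general-keys modulus 2048
!
! Step 5: declare the CA. SCEP runs over plain HTTP, so nothing on the wire
! authenticates the CA; only the step 6 fingerprint comparison does.
! For a Microsoft CA the URL points at the MSCEP DLL instead, for example
! http://10.1.1.6/certsrv/mscep/mscep.dll (assumed address).
crypto pki trustpoint VPNCA
 enrollment url http://vpnca:80
 enrollment mode ra
 enrollment retry count 5
 enrollment retry period 2
 crl optional
 exit
!
! Step 6: fetch the CA (and RA) certificates. The command prints the CA
! certificate fingerprint; answer yes only after it matches the value the CA
! administrator gave you out of band.
crypto pki authenticate VPNCA
!
! Step 7: enroll. The command prompts for a challenge password; record it
! under the organization's policy, since revocation requires it.
crypto pki enroll VPNCA
!
! Step 8: save. This copy, and only this copy, writes the private key to
! private NVRAM; a copy to tftp: or rcp: leaves it out.
end
copy system:running-config nvram:startup-config
```

The order matters more than it looks: the clock and the hostname/domain must be right before crypto key generate rsa, because the key label and the certificate subject are built from them, and a certificate requested with a wrong clock can be rejected by every peer the moment it is used.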


Configure CA Support on a Cisco Router

• Step 9 – monitor and maintain CA interoperability

• The tasks shown in Figure are optional, depending on the particular requirements of the VPN implementation.



Configure CA Support on a Cisco Router
• Step 9 (continue) – monitor and maintain CA interoperability
• Request a Certificate Revocation List
A CRL can be requested only if the CA does not support an RA. The following information applies only when the CA does not support an RA.
• When the router receives a certificate from a peer, the router downloads a CRL from the CA and checks it to make sure the certificate that the peer sent has not been revoked. If the certificate appears on the CRL, the router will not accept the certificate and will not authenticate the peer.
• With CA systems that support RAs, multiple CRLs exist and the certificate of the peer indicates which CRL applies and should be downloaded by the router. If the router does not have the applicable CRL and is unable to obtain one, the router rejects the certificate of the peer, unless the crl optional command is used in the trustpoint configuration. With crl optional, the router still tries to obtain a CRL, but if it cannot obtain one it can still accept the certificate of the peer. Be clear about what that trades away: an attacker who can block the router's path to the CRL distribution point can make a revoked certificate acceptable again. Later Cisco IOS releases replace crl optional with the revocation-check trustpoint command; revocation-check crl none gives the same behaviour.
• A CRL can be reused with subsequent certificates until the CRL expires if query mode is off. If the router receives a certificate from a peer after the applicable CRL has expired, the router downloads the new CRL.
• When the router receives additional certificates from peers, it continues to attempt to download the appropriate CRL, even if it was previously unsuccessful and even if crl optional is configured. The crl optional command only specifies that when the router cannot obtain the CRL, it is not forced to reject a peer's certificate outright.
• If the router has a CRL that has not yet expired, but the contents of the CRL are suspected to be out of date, the latest CRL can be downloaded immediately to replace the old one. To request immediate download of the latest CRL, use the crypto pki crl request name command in global configuration mode. This command replaces the CRL currently stored on the router with the newest version.



Configure CA Support on a Cisco Router

• Step 9 (continue) – monitor and maintain CA interoperability

• Delete RSA Keys from the Router
Under certain circumstances it may be necessary to delete the RSA keys that were generated for the router. For example, if the RSA keys are believed to be compromised in some way and should no longer be used, the keys should be deleted.
• To delete all RSA keys from the router, use the crypto key zeroize rsa command in global configuration mode. Deleting the keys stops the router from using them, but it does not stop anyone holding a copy of the private key from using the certificate until it is revoked. So after the RSA keys are deleted, the CA administrator should be asked to revoke the router's certificates at the CA. It will be necessary to supply the challenge password created when the certificates were obtained with the crypto pki enroll command. The certificates should also be manually removed from the router configuration.



Configure CA Support on a Cisco Router

• Step 9 (continue) – monitor and maintain CA interoperability


• Delete Certificates from the Configuration
• If the need arises, certificates that are saved on the router can be deleted.
The router saves its own certificates, the certificate of the CA, and any RA
certificates, unless the router is in query mode.
• To delete the certificate of the router or RA certificates from the configuration,
use the commands shown in Figure in global configuration mode.


Configure CA Support on a Cisco Router

• Step 9 (continue) – monitor and maintain CA interoperability


• Delete Public Keys of Peers
Under certain circumstances it may be necessary to delete the RSA public
keys of peer devices from the router configuration. For example, if the
integrity of a peer public key is doubted, the key should be deleted. To delete
an RSA public key of a peer, use the commands shown in Figure , beginning
in global configuration mode.
• To delete the CA certificate, the entire CA trustpoint must be removed. This
also removes all certificates associated with the CA, including the certificate
belonging to the router, the CA certificate, and any RA certificates. To remove
a CA trustpoint, use the no crypto pki trustpoint name command in global
configuration mode.


Configure CA Support on a Cisco Router

• Step 10 – verify the CA support configuration

• To view keys and certificates, use the commands shown in Figure, in EXEC mode.



Configure CA Support on a Cisco Router

• Step 10 (continue)– verify the CA support configuration
• To view keys and certificates, use the commands shown in Figure 1, in EXEC mode.
• Figure 2 displays the running configuration of a router properly configured for CA support.
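The figures for steps 9 and 10 did not survive extraction, so here is an added example (not from the course slides) of the verification and maintenance commands run against the trustpoint VPNCA declared earlier. The trustpoint name, the peer name RouterB.example.com and the certificate serial number 0A1B2C3D are assumptions.

```cisco
! Added example, not from the course slides: the EXEC and configuration
! commands for steps 9 and 10 against the trustpoint VPNCA used earlier. The
! trustpoint name, peer name and certificate serial number are assumptions.
!
! Step 10: verify. Check, in this order, that the key pair exists, that the
! router, CA and RA certificates are all present with the status Available
! and validity dates that bracket the current clock, and that the trustpoint
! shows the enrollment URL and the CA fingerprint you accepted in step 6.
show crypto key mypubkey rsa
show crypto pki certificates
show crypto pki trustpoints
show crypto pki crls
show clock
!
! Step 9: pull the latest CRL immediately when the cached one is suspected
! stale (applies only to a CA without an RA).
configure terminal
crypto pki crl request VPNCA
!
! Step 9: remove a peer's RSA public key whose integrity is in doubt.
! Use addressed-key instead for peers stored by IP address.
crypto key pubkey-chain rsa
 no named-key RouterB.example.com
 exit
!
! Step 9: delete a single certificate by the serial number that
! show crypto pki certificates printed for it.
crypto pki certificate chain VPNCA
 no certificate 0A1B2C3D
 exit
!
! Step 9: suspected key compromise. Destroy the key pair, drop the trustpoint
! (which removes the router, CA and RA certificates), then ask the CA
! administrator to revoke, quoting the enrollment challenge password.
crypto key zeroize rsa
no crypto pki trustpoint VPNCA
end
```

The last three lines are the compromise response, not routine maintenance: once crypto key zeroize rsa has run, the router can no longer complete a certificate-authenticated IKE negotiation until it has generated new keys and enrolled again.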



Enroll a device with a CA

• The typical process for enrolling a device, such as a router or PIX Security
Appliance, with a CA is as follows :
– Step 1 Configure the device for CA support.
– Step 2 Generate a public and private key-pair on the device.
– Step 3 The device authenticates the CA server:
• Send the certificate request to the CA/RA.
• Generate a CA/RA certificate.
• Download a CA/RA certificate to the device.
• Authenticate a CA/RA certificate via the CA/RA fingerprint.


Enroll a device with a CA

• The typical process for enrolling a device, such as a router or PIX Security Appliance, with a CA is as follows (continued):
– Step 4 The device sends a certificate request to the CA.
– Step 5 The CA generates and signs an identity certificate.
– Step 6 The CA sends the certificate to the device and posts it in its public repository.
– Step 7 The device verifies the identity certificate and installs it.
• Most of these steps have been automated by Cisco and the SCEP protocol, which is supported by many CA server vendors. The validity period of the issued certificates is set by the CA's policy, not by the device.


Configure an IOS Router Site-to-Site VPN Using Digital Certificates



Configure Site-to-Site VPNs Using Digital Certificates

• The configuration of a site-to-site VPN using digital certificates is similar to the configuration that is done when pre-shared keys are used for authentication; the differences are the CA support (Task 2) and the IKE authentication method (Task 3).
• The following tasks are used to configure a site-to-site VPN using digital certificates:
• Task 1 Prepare for IKE and IPSec – To prepare for IPSec, determine the following detailed encryption policy:
– Identify the hosts and networks to be protected
– Determine IPSec peer details
– Determine the IPSec features that are needed
– Ensure that the existing access lists are compatible with IPSec
• Task 2 Configure CA Support – To configure CA support, set the router hostname and domain name, generate the keys, declare a CA, authenticate the CA, and request the router's own certificate.
• Task 3 Configure IKE for IPSec – To configure IKE, enable IKE, create the IKE policies (with RSA signatures as the authentication method), and validate the configuration.
• Task 4 Configure IPSec – To configure IPSec, define the transform sets, create crypto access lists, create crypto map entries, and apply crypto map sets to the interfaces.
• Task 5 Test and verify IPSec – Use show, debug, and related commands to test and verify that IPSec encryption works, and to troubleshoot problems.



Configure Site-to-Site VPNs Using Digital Certificates

• Task 1 – prepare for IKE and IPSec


• Successful implementation of an IPSec network using digital
certificates for authentication requires advance planning before
beginning configuration of individual routers.
• In task 1, define the IPSec security policy based on the overall
company security policy.


Configure Site-to-Site VPNs Using Digital Certificates

• Task 2 – configure CA support



Configure Site-to-Site VPNs Using Digital Certificates

• Task 3 – configure IKE


• Configuring IKE consists of the following steps and commands :
– Enable IKE with the crypto isakmp enable command, in case it
has been disabled from the default enable condition.
– Create IKE policies with the crypto isakmp policy command.
– Set the IKE identity to address or hostname with the crypto
isakmp identity command.
– Test and verify the IKE configuration with the show crypto isakmp
policy and show crypto isakmp sa commands.


Configure Site-to-Site VPNs Using Digital Certificates

• Task 3 (continue) – configure IKE


• The crypto isakmp policy command invokes the ISAKMP policy configuration
command mode config-isakmp, which can be used to set ISAKMP parameters.
• If one of these commands is not specified, the default value for that parameter
is used.


Configure Site-to-Site VPNs Using Digital Certificates

• Task 3 (continue) – configure IKE


• While in the config-isakmp command mode, the keywords that are
available to specify the parameters in the policy are shown in Figure.
• Multiple ISAKMP policies can be configured on each peer participating
in IPSec. ISAKMP peers negotiate acceptable ISAKMP policies before
agreeing upon the SA to be used for IPSec.


Configure Site-to-Site VPNs Using Digital Certificates

• Task 4 – configure IPSec


• The general steps and commands used to configure IPSec encryption on
Cisco routers are summarized as follows :
– Configure transform set suites with the crypto ipsec transform-set
command.
– Configure global IPSec security association lifetimes with the crypto ipsec
security-association lifetime command.
– Configure crypto access lists with the access-list command.
• The rest of the steps used to configure IPSec parameters for IKE RSA
signature keys are as follows:
– Configure crypto maps with the crypto map command.
– Apply the crypto maps to the terminating or originating interface with the
interface and the crypto map commands.


Configure Site-to-Site VPNs Using Digital Certificates

• Task 5 – test and verify IPSec


• Cisco IOS software contains a number of show, clear, and debug
commands useful for testing and verifying IPSec and ISAKMP.
• Use debug commands with caution. Enabling debugging can disrupt
operation of the router because of the large amount of output.
• Also, look at the CPU load using the show processes cpu command.
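Tasks 3, 4 and 5 above, carried through on one router as an added example (not from the course slides or their figures). RouterA terminates a tunnel to RouterB and both authenticate with certificates from the trustpoint VPNCA configured under Task 2. All addresses, names and the interface are assumptions: RouterA's outside address is 192.168.1.1 on GigabitEthernet0/0 with LAN 10.1.0.0/16, RouterB's outside address is 192.168.2.1 with LAN 10.2.0.0/16; RouterB carries the mirror image of this configuration.

```cisco
! Added example, not from the course slides: RouterA's IKE and IPsec
! configuration (Tasks 3 to 5) for a site-to-site tunnel to RouterB, with both
! peers authenticated by certificates from the trustpoint VPNCA set up under
! Task 2. All addresses and names are assumptions: RouterA outside address
! 192.168.1.1 with LAN 10.1.0.0/16, RouterB outside 192.168.2.1 with LAN
! 10.2.0.0/16. RouterB mirrors this with the addresses swapped.
!
! Task 3: IKE. rsa-sig is already the default authentication method, but
! stating it makes the policy's intent visible in show running-config.
! DH group 14 assumes an image that offers it; older images stop at group 5.
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
 lifetime 86400
 exit
! Peers identify themselves by the FQDN in their certificates, not by address.
crypto isakmp identity hostname
!
! Task 4: IPsec. One transform set, an explicit SA lifetime, and a crypto
! ACL that protects only LAN-to-LAN traffic (mirror it on RouterB).
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
 exit
crypto ipsec security-association lifetime seconds 1800
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 exit
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set AES-SHA
 match address VPN-TRAFFIC
 exit
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map SITE2SITE
 exit
end
!
! Task 5: verify from EXEC mode after sending traffic that matches the ACL.
! show crypto isakmp sa        state QM_IDLE means phase 1 completed
! show crypto ipsec sa         pkts encaps and pkts decaps should both rise
! show crypto pki certificates both certificates still inside their validity
! debug crypto isakmp          only while troubleshooting; watch show processes cpu
```

If phase 1 never reaches QM_IDLE, check the certificate side before the crypto side: show crypto pki certificates on both routers, the clocks, and whether the peer's certificate was issued by a CA this router has authenticated.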


Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates



Scaling PIX Security Appliance VPNs

• When using the PIX Security Appliance to implement IPSec VPNs using digital certificates, the CA server enrollment process can be largely automated so that it scales well to large deployments.
• Each PIX that is to be configured as an IPSec peer individually enrolls with the CA server and obtains a certificate for its own key pair that any other peer enrolled with the same CA can verify, so no per-peer keys need to be distributed by hand.
• The PIX Security Appliance supports the following CA servers:
– Cisco IOS Certificate Server
– Baltimore Technologies
– Entrust
– Microsoft Certificate Services
– Netscape CMS
– RSA Keon
– VeriSign


Enroll the PIX Security Appliance with a CA

• The enrollment steps can be summarized as follows :


– Step 1 The PIX Security Appliance generates an RSA public and private
key pair.
– Step 2 The PIX Security Appliance obtains a public key and its certificate
from the CA server.
– Step 3 The PIX Security Appliance requests a signed certificate from the
CA using the generated RSA keys and the public key certificate from the
CA server.
– Step 4 The CA administrator verifies the request and sends a signed
certificate.


Enroll the PIX Security Appliance with a CA

• Generate an RSA Key Pair

RSA key pairs are generated with the crypto key generate rsa command. If additional keywords are not used, this command generates one general-purpose RSA key pair. Because the key modulus is not specified, the default key modulus of 1024 is used. Other modulus sizes can be specified with the modulus keyword. Use the show crypto key mypubkey rsa command to view the created key pair.
• To remove RSA key pairs, use the crypto key zeroize rsa command in global configuration mode.



Enroll the PIX Security Appliance with a CA

• Obtain a Public Key and Certificate from the CA Server

Create a trustpoint corresponding to the CA from which the PIX Security Appliance needs to receive its certificate with the crypto ca trustpoint trustpoint command. Upon entering this command, crypto ca trustpoint configuration mode is entered. To specify SCEP enrollment, use the enrollment url command. To specify manual enrollment, use the enrollment terminal command. As needed, specify other characteristics for the trustpoint. More information about these commands can be found in the Command Reference.
• After configuring the trustpoint, obtain the CA certificate for the trustpoint with the crypto ca authenticate command. The public key of the CA is included with this certificate. As on the router, verify the fingerprint the command prints with the CA administrator before accepting it.


Enroll the PIX Security Appliance with a CA

• Request a Signed Certificate from the CA

Enroll the PIX Security Appliance with the trustpoint using the crypto ca enroll command. Before entering this command, contact the CA administrator, because the administrator may need to authenticate the enrollment request manually before the CA grants the certificate.



Enroll the PIX Security Appliance with a CA

• Verify that the CA Administrator Has Sent a Signed Certificate

After the enrollment is complete, verify that the enrollment process was successful using the show crypto ca certificate command. The output of this command shows the details of the certificate issued for the PIX Security Appliance and the CA certificate for the trustpoint. Be sure to save the configuration using the write memory command after the certificate has been received.
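The four PIX enrollment steps above as one configuration session, an added example that is not from the course slides. It assumes PIX software release 7.x syntax and the same CA as the router examples; the names and addresses (PIX1.example.com, the SCEP CA at 10.1.1.5, the NTP server at 10.1.1.10) are assumptions.

```cisco
! Added example, not from the course slides: enrolling a PIX Security
! Appliance (7.x software) with the same CA, following the four PIX steps
! above. Names and addresses are assumptions: PIX1.example.com, the SCEP
! CA at 10.1.1.5 and the NTP server at 10.1.1.10.
hostname PIX1
domain-name example.com
clock timezone PST -8
ntp server 10.1.1.10
!
! Step 1: generate the key pair. Give the modulus explicitly rather than
! accepting the 1024-bit default, and check the result before enrolling.
crypto key generate rsa modulus 2048
show crypto key mypubkey rsa
!
! Step 2: declare the CA and fetch its certificate. enrollment url selects
! SCEP; enrollment terminal would select manual cut-and-paste enrollment.
crypto ca trustpoint VPNCA
 enrollment url http://10.1.1.5:80
 fqdn PIX1.example.com
 exit
! Prints the CA certificate fingerprint; confirm it with the CA administrator
! before answering yes.
crypto ca authenticate VPNCA
!
! Step 3: request the identity certificate. The CA administrator may need to
! approve the request by hand before it is issued.
crypto ca enroll VPNCA
!
! Step 4: confirm both the identity certificate and the CA certificate are
! listed, then save so they survive a reload.
show crypto ca certificate
write memory
```

The sequence is the same as on the router; only the command prefix (crypto ca rather than crypto pki) and the save command (write memory) differ.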



Summary

• Upon completing this module, the student will be able to configure Certificate Authority (CA) support on Cisco routers.
• The student will also be able to configure the Cisco IOS router and the PIX Security Appliance for a site-to-site VPN using digital certificates for authentication.

